I'm starting out studying LDAP protocol and this is an example of a possible entry that I found while reading:
dn: o=TUDelft, c=NL
o: TUDelft
objectclass: organization
Now I looked for the organization classobject in the core.schema and I found that the only one mandatory attribute is o and in the attribute definition there isn't the c attribute:
objectclass ( 2.5.6.4 NAME 'organization'
DESC 'RFC2256: an organization'
SUP top STRUCTURAL
MUST o
MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
x121Address $ registeredAddress $ destinationIndicator $
preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
telephoneNumber $ internationaliSDNNumber $
facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
So my question is: if an entry is defined as beloging to a sort of objectclass (in this case organization) can it use other attribute too?
An LDAP entry can have any attributes that are defined for any of its objectclasses. In your example, the entry has only the one objectclass organization. Thus, that entry must have an o attribute (which it does) and may have any of the other attributes listed in the MUST section of organization's schema definition. If you want the entry to have attributes not in organization's definition, you must add another objectclass that does contain that attribute.
For example, if you add the objectclass organizationalPerson you can then add organizationalPerson's attributes which include street and postalAddress. (Let's ignore the fact that it does not make much sense that an entry be both an organization and a person.)
You said "the attribute definition there isn't the c attribute". The c=NL in the dn o=TUDelft, c=NL is not an attribute, but rather, part of the entry's distinguished name.
Related
I have configured an openLDAP server for testing purposes and am trying to add a few users from the actual LDAP server. The problem is that they have some attributes that are not defined in the default object classes- top, person or organizationalPerson. So I am trying to define my own object class- user with one new attribute for start called instanceType. This is the schema file I created- object_class.schema:
attributetype ( 1.3.6.1.4.1.42.2.27.4.1.6
NAME 'instanceType'
DESC 'instanceType attribute'
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE )
objectclass ( 1.3.6.1.4.1.42.2.27.4.2.1
NAME 'user'
DESC 'user object'
SUP top
STRUCTURAL
MUST ( cn $ instanceType ) )
I also created object_class.conf:
include /ldap-data/object_class.schema
After that I am running slaptest -f /ldap-data/object_class.conf -F /ldap-data/schemas/ which produces the following file- /ldap-data/schemas/cn=config/cn=schema/cn={0}object_class.ldif
I am stopping the slapd service but when I run slapadd -l /ldap-data/schemas/cn\=config/cn\=schema/cn\=\{0\}object_class.ldif -n 0
I receive:
slapadd: line 1: database #0 (cn=config) not configured to hold "cn={0}object_class"; no database configured for that naming context
_#################### 100.00% eta none elapsed none fast!
Closing DB...
Is my schema wrong? I tried finding the attributes for the "user" data class which I thought are standard but I couldn't.
I have an existing LDAP ObjectClass of gosaAccount, used by Fusion Directory, and I am looking to add a new attribute to track the badge numbers of members with this object class. Fairly simple. I was able to use ldapmodify to add the attribute but have had no luck adding the attribute to the gosaAccount object through ldapmodify. Right now I am running into the error ldap_modify: Invalid syntax (21) additional info: objectclasses: value #0 invalid per syntax when I attempt to run ldapmodify with an LDIF file with the below contents. What am I missing that would prevent me from modifying this class?
This is the file I used to add the attribute to the schema common name (exposing it to all Schemas/Object Classes)
version: 1
dn: cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 2.16.840.1.113730.3.1.5
NAME 'badgeNumber'
DESC 'Employee Badge Number'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36
SINGLE-VALUE )
And this LDIF file is the one used to add that attribute to gosaObject.
version: 1
dn: cn=schema,cn=config
changetype: modify
replace: objectclasses
objectclasses: ( 1.3.6.1.4.1.10098.1.2.1.19.6 NAME 'gosaAccount'
DESC 'Class for GOsa Accounts (v2.6.6)'
SUP top
AUXILIARY
MUST uid
MAY ( sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ gosaDefaultLanguage $ academicTitle $ personalTitle $ dateOfBirth $ sambaBadPasswordCount $ sambaBadPasswordTime $ gender $ gosaLoginRestriction $ badgeNumber ) )
I'm currently implementing a pwdCheckModule library for Openldap version 2.4.14 (Version cannot be changed). During that I'd like to read some attributes from the LDAP database. One of these attributes is called pcpMinNumberLowerUpper and holds minimum number of lower and/or upper characters. The attribute should be part of an already existing objectClass called pwdPolicy located under the cn:schema which already has some other attributes like pwdMaxAge etc.
I'd like to use the ldapmodify terminal command in order to add the attribute to the already existing LDAP database. The command I'v just used looks like the following:
ldapmodify -h localhost -p 389 -D "cn=Administrator,dc=<mydc>,dc=<mydc>..." -w "<mysecret>" -x -f pcp_attribute_upgrade.ldif
The corresponding ldif-file has the following content:
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.42.2.27.8.1.18 NAME 'pcpMinNumberLowerUpper' DESC 'Minimum of upper or lower characters' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUED USAGE userApplications )
Now, if I execute the command above it raises the following error message to the terminal output:
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
modifying entry "cn=schema"
ldap_modify: Invalid syntax (21)
additional info: attributetypes: value #0 invalid per syntax
I already tried to use olcAttributeTypes instead of attributeTypes but it did not help. Any help would be nice :-)
Thanks in advance,
Flo
With default OpenLdap configuration, for schema modification usually you have to use external authentication from local ldap servers root account:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f pcp.ldif
and pcp.ldif should be:
dn: cn=schema,cn=config
changetype: modify
add: olcAttributetypes
olcAttributetypes: ( 1.3.6.1.4.1.42.2.27.8.1.18 NAME 'pcpMinNumberLowerUpper' DESC 'Minimum of upper or lower characters' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE USAGE userApplications )
(changed dn, "attributeTypes" replaced to "olcAttributetypes" and "SINGLE-VALUED" to "SINGLE-VALUE")
The keyword for single valued attribute is SINGLE-VALUE, as reported when trying to add the schema definition to the OpenDJ LDAP directory server :
The provided value "( 1.3.6.1.4.1.42.2.27.8.1.18 NAME
'pcpMinNumberLowerUpper' DESC 'Minimum of upper or lower characters'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUED USAGE
userApplications )"could not be parsed as a valid attribute type
description because it contains an illegal token "SINGLE-VALUED"
Change it as below and it'll work.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.42.2.27.8.1.18 NAME 'pcpMinNumberLowerUpper' DESC 'Minimum of upper or lower characters' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE USAGE userApplications )
I try to move some posixGroup-Definitions from one ldap-server to a new one using
ldapadd -x -v -W -D cn=ldapAdmin,dc=ibk,dc=local -f groups_ldap_20151028.ldif
This produces the following error:
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
add objectClass:
posixGroup
sambaGroupMapping
add cn:
users
add displayName:
users
add sambaGroupType:
2
add sambaSID:
S-1-5-21-4027309494-1722177077-478768286-513
add gidNumber:
100
adding new entry "cn=users,ou=groups,dc=ibk,dc=local"
ldap_add: Object class violation (65)
additional info: no structural object class provided
I do not understand what happens here, so please give me a hint. As i found posixGroup' is a structural object, sambaGroupMapping not. Adding 'top' as objectClass did not help. All necessary attributes are set and the old setting worked. Importing users the same way worked also well. Both ldap-version are the same.
EDIT: The primary Problem was the wrong schema which had posixGroup an as structural class. The modern uses the configuration in the description below. The rest was a mess of duplicate names and whitespace in the ldif-file. Thank you!
Try adding group or groupOfName or groupofUniqueName (depends on LDAP implementation) as an added objectClass. posixGroup is typically an Auxiliary Group
'posixGroup' SUP top AUXILIARY DESC 'Abstraction of a group of accounts' MUST gidNumber MAY ( authPassword $ userPassword $ memberUid $ description ) X-ORIGIN 'draft-howard-rfc2307bis' )
I have one attribute (groupIDNumber), I want to make it work as auto-increment number?
How can we define that attr?
Thank for your help,
-nm
This blog suggests that you can achieve the equivalent by creating a new object that is sort of a sequence. A working implementation in OpenLDAP is reported here. The object is defined as follows (note: not my code, just reproducing what was reported):
----------------------------------------------
objectClass ( 1.3.6.1.4.1.4203.666.599
NAME 'uidNext'
SUP top STRUCTURAL
MUST ( cn $ uidNumber ) )
----------------------------------------------
LDIF entiries are then written as:
--- increment.ldif -------------------------------
dn: cn=uidNext,dc=example,dc=com
changetype: modify
increment:uidNumber
uidNumber: 1
-
---- EOF ------------------------------------------
And called with:
$ ldapadd -x -D "cn=Admin,dc=example,dc=com" -wsecret -f ./autoinc.ldif
This is not part of the LDAP protocol, nor is it a standard thing to do. It is something you would normally do in your client-side logic. However, depending on which LDAP server you are using, it may be possible to achieve using a plugin or extension.