ldapmodify raises attributetypes: value #0 invalid per syntax error - ldap

I'm currently implementing a pwdCheckModule library for OpenLDAP version 2.4.14 (the version cannot be changed). During that I'd like to read some attributes from the LDAP database. One of these attributes is called pcpMinNumberLowerUpper and holds the minimum number of lower and/or upper-case characters. The attribute should be part of an already existing objectClass called pwdPolicy located under cn=schema, which already has some other attributes like pwdMaxAge etc.
I'd like to use the ldapmodify terminal command in order to add the attribute to the already existing LDAP database. The command I've just used looks like the following:
ldapmodify -h localhost -p 389 -D "cn=Administrator,dc=<mydc>,dc=<mydc>..." -w "<mysecret>" -x -f pcp_attribute_upgrade.ldif
The corresponding ldif-file has the following content:
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.42.2.27.8.1.18 NAME 'pcpMinNumberLowerUpper' DESC 'Minimum of upper or lower characters' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUED USAGE userApplications )
Now, if I execute the command above it raises the following error message to the terminal output:
ldap_start_tls: Protocol error (2)
additional info: unsupported extended operation
modifying entry "cn=schema"
ldap_modify: Invalid syntax (21)
additional info: attributetypes: value #0 invalid per syntax
I already tried to use olcAttributeTypes instead of attributeTypes but it did not help. Any help would be nice :-)
Thanks in advance,
Flo

With the default OpenLDAP configuration, schema modification usually requires external authentication from the local LDAP server's root account:
sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f pcp.ldif
and pcp.ldif should be:
dn: cn=schema,cn=config
changetype: modify
add: olcAttributetypes
olcAttributetypes: ( 1.3.6.1.4.1.42.2.27.8.1.18 NAME 'pcpMinNumberLowerUpper' DESC 'Minimum of upper or lower characters' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE USAGE userApplications )
(changed the dn, replaced "attributeTypes" with "olcAttributetypes" and "SINGLE-VALUED" with "SINGLE-VALUE")

The keyword for a single-valued attribute is SINGLE-VALUE, as reported when trying to add the schema definition to the OpenDJ LDAP directory server:
The provided value "( 1.3.6.1.4.1.42.2.27.8.1.18 NAME 'pcpMinNumberLowerUpper' DESC 'Minimum of upper or lower characters' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUED USAGE userApplications )" could not be parsed as a valid attribute type description because it contains an illegal token "SINGLE-VALUED"
Change it as below and it'll work.
dn: cn=schema
changetype: modify
add: attributetypes
attributetypes: ( 1.3.6.1.4.1.42.2.27.8.1.18 NAME 'pcpMinNumberLowerUpper' DESC 'Minimum of upper or lower characters' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE USAGE userApplications )
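Added as an illustration (not code from the question or either answer): a small Python checker that tokenizes an RFC 4512 attribute type description and reports the kinds of defect seen on this page, the illegal SINGLE-VALUED token from the question, a quoted SYNTAX OID as in the sAMAccountName question further down, or a missing SYNTAX/SUP. It generalizes beyond this thread's single case to any attribute type description; BROKEN and FIXED are the description as posted and as corrected.

```python
import re

# Keywords of an RFC 4512 AttributeTypeDescription; FLAGS are the ones that take no argument.
KEYWORDS = {"NAME", "DESC", "OBSOLETE", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX",
            "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION", "USAGE"}
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
USAGES = {"userApplications", "directoryOperation", "distributedOperation", "dSAOperation"}
OID_RE = re.compile(r"^\d+(\.\d+)+$")
# One token is a quoted string, a parenthesised list, or a bare word.
TOKEN_RE = re.compile(r"'[^']*'|\([^()]*\)|\S+")

def lint_attribute_type(desc):
    """Return the problems found in one attribute type description (empty list if clean)."""
    body = desc.strip()
    if not (body.startswith("(") and body.endswith(")")):
        return ["description must be enclosed in parentheses"]
    tokens = TOKEN_RE.findall(body[1:-1])
    problems, seen, i = [], set(), 1
    if not tokens or not OID_RE.match(tokens[0]):
        problems.append("first token must be a numeric OID")
    while i < len(tokens):
        tok = tokens[i]
        if tok not in KEYWORDS:            # e.g. SINGLE-VALUED, the token OpenDJ rejected
            problems.append(f"illegal token {tok!r}")
            i += 1
            continue
        seen.add(tok)
        if tok in FLAGS:                   # keyword without an argument
            i += 1
            continue
        if i + 1 == len(tokens):
            problems.append(f"{tok} is missing its argument")
            break
        arg = tokens[i + 1]
        if tok == "NAME" and arg[0] not in "'(":
            problems.append(f"NAME must be a quoted name or a list of them, got {arg!r}")
        elif tok == "SYNTAX" and not OID_RE.match(arg.split("{")[0]):
            problems.append(f"SYNTAX must be a bare numeric OID (no quotes), got {arg!r}")
        elif tok == "USAGE" and arg not in USAGES:
            problems.append(f"unknown USAGE {arg!r}")
        i += 2
    if not seen & {"SYNTAX", "SUP"}:
        problems.append("an attribute type needs SYNTAX or SUP")
    return problems

# The description from the question, as posted, and the corrected form from the answers.
BROKEN = ("( 1.3.6.1.4.1.42.2.27.8.1.18 NAME 'pcpMinNumberLowerUpper' DESC 'Minimum of upper or "
          "lower characters' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUED USAGE userApplications )")
FIXED = BROKEN.replace("SINGLE-VALUED", "SINGLE-VALUE")
```

Running lint_attribute_type(BROKEN) returns the single illegal-token problem and lint_attribute_type(FIXED) returns an empty list.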

Related

OpenLDAP sAMAccountName as custom attribute

I am trying to add a custom attributes object class, because one of my applications only works with sAMAccountName.
I found out that it needs the following schema to add it to LDAP:
olcAttributeTypes: ( 1.2.840.113556.1.4.221
NAME 'sAMAccountName'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE )
I created an LDIF file with this content and sAMAccountName appeared in Apache Directory Studio:
dn: cn=custom-attributes,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: custom-attributes
olcAttributeTypes: ( 1.2.840.113556.1.4.221
NAME 'sAMAccountName'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE )
But if I tried to add this attribute to my user I got error #65, because it was not allowed by my object classes, so I removed it and tried to add an object class for custom attributes:
dn: cn=custom-attributes,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: custom-attributes
olcAttributeTypes: ( 1.2.840.113556.1.4.221
NAME 'sAMAccountName'
SYNTAX '1.3.6.1.4.1.1466.115.121.1.15'
SINGLE-VALUE )
olcObjectClasses: ( 1.3.6.1.4.1.4203.666.100.1
NAME 'customAttributes'
SUP top
AUXILIARY
DESC 'Custom attributes class'
MAY (sAMAccountName)
)
Now I am getting this error
ldapadd: invalid format (line 6) entry: "cn=custom-attributes,cn=schema,cn=config"
I am adding the LDIF file via the terminal:
ldapadd -H ldaps://ldap.mydomain.com/ -f samaccountname.ldif -D "cn=admin,cn=config" -w mypassword
Which line is meant by the error message? And what's wrong with the syntax?
I also heard about proxying the sAMAccountName to uid, but I did not find an example LDIF file, so this solution seemed more achievable to me.
I think it is due to the last parenthesis. A new line in an LDIF file means a new item description. Try to put the last parenthesis at the end of the MAY line.

Modify memberUid attribute in openldap to be case insensitive

I would like to modify my openldap schema to make memberUid case insensitive.
Looking in /etc/ldap/slapd.d/cn=config/cn=schema/cn={2}nis.ldif:
dn: cn={2}nis
objectClass: olcSchemaConfig
cn: {2}nis
olcAttributeTypes: {10}( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExac
tIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.12
1.1.26 )
I tried the following:
$ ldapmodify -h localhost -x
dn: cn={2}nis
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: {10}( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
But I got the following error:
modifying entry "cn={2}nis"
ldap_modify: Server is unwilling to perform (53)
additional info: no global superior knowledge
I also tried using objectClass instead of olcAttributeTypes, but received the following:
modifying entry "cn={2}nis"
ldap_modify: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
Can someone point me in the right direction? I have found a lot of documentation on adding new attributes and objectclasses, but not much on modifying the existing schema.
I'm talking here about common LDAP operations; it could be different when tweaking the configuration.
I never tried to modify only one value in a set of a multi-valued attribute; what I do in this case is delete the value I want to modify and add the new one:
Something like:
dn: cn={2}nis,cn=schema,cn=config
changetype: modify
delete: olcAttributeTypes
olcAttributeTypes: {10}( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
add: olcAttributeTypes
olcAttributeTypes: {10}( 1.3.6.1.1.1.1.12 NAME 'memberUid' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

Modify an existing LDAP ObjectClass to include new Attribute

I have an existing LDAP ObjectClass of gosaAccount, used by Fusion Directory, and I am looking to add a new attribute to track the badge numbers of members with this object class. Fairly simple. I was able to use ldapmodify to add the attribute but have had no luck adding the attribute to the gosaAccount object through ldapmodify. Right now I am running into the error ldap_modify: Invalid syntax (21) additional info: objectclasses: value #0 invalid per syntax when I attempt to run ldapmodify with an LDIF file with the below contents. What am I missing that would prevent me from modifying this class?
This is the file I used to add the attribute to the schema common name (exposing it to all schemas/object classes):
version: 1
dn: cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 2.16.840.1.113730.3.1.5
NAME 'badgeNumber'
DESC 'Employee Badge Number'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.36
SINGLE-VALUE )
And this LDIF file is the one used to add that attribute to gosaObject.
version: 1
dn: cn=schema,cn=config
changetype: modify
replace: objectclasses
objectclasses: ( 1.3.6.1.4.1.10098.1.2.1.19.6 NAME 'gosaAccount'
DESC 'Class for GOsa Accounts (v2.6.6)'
SUP top
AUXILIARY
MUST uid
MAY ( sambaLMPassword $ sambaNTPassword $ sambaPwdLastSet $ gosaDefaultLanguage $ academicTitle $ personalTitle $ dateOfBirth $ sambaBadPasswordCount $ sambaBadPasswordTime $ gender $ gosaLoginRestriction $ badgeNumber ) )

Schema addition in slapd.d : unknown directive <objectClass:>

I am trying to set up an OpenLDAP server on Ubuntu 14.04, and I would like to add a custom schema to the dynamic LDAP configuration. As I understood, I have to dynamically add an LDIF entry to my LDAP under the DN cn=myCustomSchema,cn=schema,cn=config.
What I wanted to do was:
1. creation of a schema file
2. creation of a .conf file linking to my schema file
3. conversion of the schema to an ldif file, thanks to a slaptest or slapcat command and the .conf file
4. addition of the .ldif to the LDAP
I can't get through point 3, since both the slaptest and slapcat commands return: line xxx: unknown directive outside backend info and database definitions.
I've read my schema file a thousand times, but I can't find my error. I also couldn't find anything useful about such an error.
Here is a part of my schema file:
attributeTypes: (1.2.840.113556.1.8000.2554.48931.2232.50796
NAME 'altitudeEntity'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE USAGE userApplications )
attributeTypes: ( 1.2.840.113556.1.8000.17728.40464.13370.25661.2712
NAME 'descriptionEntity'
EQUALITY caseIgnoreMatch
ORDERING caseIgnoreOrderingMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
.
. other attributes
.
ObjectClass: ( 1.2.840.113556.45669.16975.37105.36062
NAME 'principalClass'
SUP top STRUCTURAL
MUST RDNFragment
MAY ( altitudeEntity $ descriptionEntity $ ...) )
.
. other classes extending principalClass (SUP principalClass)
.
Also: when keeping only attributes, the commands succeed and the ldif files are generated. The error is always on the first objectClass.
Thanks for any help :)
Found the error this morning; I guess I was tired yesterday.
The correct syntax is objectclass ( OID ... without the " : ". I also changed attributeTypes: ( OID... to attributetype ( OID... and everything worked fine.

LDIF file error?? Invalid Format?

I am currently working with LDAP on a UNIX server. My main purpose right now is to modify two entries in the directory with ldapmodify from the command line. The command is as follows:
ldapmodify -a -D 'cn=ldap,dc=cs,dc=ttu,dc=edu' \
-w *password* -H *server address* -f Documents/user.ldif
user.ldif file is as follows:
dn: cn=*username*,cn=Users,dc=ttu,dc=edu
changetype: modify
replace: displayName
displayName: abc
-
replace: loginShell
loginShell: /bin/tc
-
I get the following error when I try to run it:
ldapmodify: invalid format (line 5) entry: "cn=*username*,cn=Users,dc=ttu,dc=edu"
I checked the "dn" and it is correct. Why am I getting this error then?
I have a similar problem. In my case, my dn was correct, but it says "invalid format (line 16) ...".
This is how I solved this:
The error msg can be misleading, because the dn is indeed correct. But line number "(line 5)" is an accurate pointer to the problem. In your case, I think the dash '-' is causing the problem. Try to remove the dashes and it may work!
Is cn the RDN of the entry?
One can have an entry in the directory sn=john, ou=Users .....
sn: john
cn: doe
displayName: johnny
The RDN is the attribute used as the reference; in this case
dn: cn=doe,....
would be wrong, even though the entry has an attribute with the specified value.
In the example you provided, the DN is the first line, and the error is about the 5th line.
Assuming you put it in some batch, maybe SOME entry has a special character in its CN?
And "Users" is usually an "ou" or "dc" or something, even if the container has a "cn" attribute with "Users" as one of its cn values. Are entries separated by empty newlines? Didn't you put a minus sign after the last modification of the previous entry above, instead of one (or more) newline(s)?
Oh, and when putting an ldif with many entries (changes), it's wise to try it with "-n". And (actually for some reason I don't remember) I personally prefer to pipe the ldif instead of using "-f":
cat user.ldif | ldapmodify ...opts...
PS. haha :) try to remove "-a", it actually turns ldapmodify into ldapadd :) And add "-x" if you want to use "simple" auth (with -w password).
It must be a problem with the character encoding of the dash (-).
I met the same problem before because I edited the file on Windows and used it on CentOS in VirtualBox.
Then I made a new file in CentOS using touch, edited it using vi, and it works.
I've run into the same issue. In my case, I had an extra space after the dash (-) character separating the entries.
For example, note the space after the dash on line 5:
$ cat -A sample.ldif
dn: uid=noelp,ou=People,dc=example,dc=co,dc=us$
changetype: modify$
replace: employeeType$
employeeType: fulltime$
- $
replace: title$
title: Sr IT Analyst$
-$
replace: employeeNumber$
employeeNumber: 1299$
The same issue can happen with a blank line with a space after it.
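Added example, not code from any of the posts: a small LDIF lint that applies the checks raised in this thread and in the sAMAccountName question above (trailing whitespace after the '-' separator, whitespace on a 'blank' line, CRLF endings from a Windows editor, and a line that is neither 'attr: value', '-' nor a space-folded continuation, such as a lone ')'), reporting 1-based line numbers the way ldapmodify's 'invalid format (line N)' does. Both sample files are constructed for the example, modelled on the listings in the posts.

```python
import re

# "attr: value", "attr:: base64" or "attr:< url" at the start of a line (RFC 2849).
ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*(::?|:<)")

def lint_ldif(text):
    """Return (line_number, message) for every line ldapmodify/ldapadd would reject.
    Line numbers are 1-based, matching the tool's 'invalid format (line N)' message."""
    findings = []
    for n, line in enumerate(text.split("\n"), start=1):
        if line.endswith("\r"):            # CRLF: file was edited on Windows
            findings.append((n, "CRLF line ending"))
            line = line[:-1]
        if line in ("", "-") or line.startswith("#"):
            continue                       # entry separator, change separator, comment
        if line.strip() == "":
            findings.append((n, "blank line contains whitespace, so it does not end the entry"))
        elif line.strip() == "-":
            findings.append((n, "change separator '-' has trailing whitespace"))
        elif line[0] == " ":
            continue                       # folded continuation of the previous line
        elif not ATTR_LINE.match(line):
            findings.append((n, f"not 'attr: value', '-' or a folded continuation: {line!r}"))
    return findings

# Constructed sample modelled on the cat -A listing above: the '-' on line 5 has a trailing space.
SAMPLE_TRAILING_SPACE = (
    "dn: uid=noelp,ou=People,dc=example,dc=co,dc=us\n"
    "changetype: modify\n"
    "replace: employeeType\n"
    "employeeType: fulltime\n"
    "- \n"
    "replace: title\n"
    "title: Sr IT Analyst\n"
    "-\n"
    "replace: employeeNumber\n"
    "employeeNumber: 1299\n"
)
# Constructed sample modelled on the sAMAccountName question: the closing ')' sits alone on
# line 8 without the leading space that would fold it into the olcObjectClasses value.
SAMPLE_LONE_PAREN = (
    "dn: cn=custom-attributes,cn=schema,cn=config\n"
    "objectClass: olcSchemaConfig\n"
    "cn: custom-attributes\n"
    "olcObjectClasses: ( 1.3.6.1.4.1.4203.666.100.1\n"
    " NAME 'customAttributes'\n"
    " SUP top AUXILIARY\n"
    " MAY ( sAMAccountName )\n"
    ")\n"
)
```

lint_ldif(SAMPLE_TRAILING_SPACE) points at line 5 and lint_ldif(SAMPLE_LONE_PAREN) at line 8, the same positions the two error messages on this page report.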