meyer37 n00b
Joined: 04 Feb 2003 Posts: 41 Location: Milwaukee, WI
Posted: Mon Mar 15, 2004 7:53 pm Post subject: Problems while following LDAP howto
I am following the Gentoo Guide to OpenLDAP Authentication and I have run into a problem when attempting to migrate the existing data. I have successfully done the following:
Code:
# export ETC_SHADOW=/etc/shadow
# cd /usr/share/migrationtools
# ./migrate_base.pl > /tmp/base.ldif
# ./migrate_group.pl /etc/group /tmp/group.ldif
# ./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif
# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif

but when I run
Code:
# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif

I get the following error:
Code:
adding new entry "uid=jeffm,ou=People,dc=genfic,dc=com"
ldapadd: update failed: uid=jeffm,ou=People,dc=genfic,dc=com
ldap_add: Object class violation (65)
additional info: invalid structural object class chain (inetOrgPerson/account)

I first received this error referring to the root account, so I edited the passwd.ldif to only contain my individual user account and I still received the error. I saw some posts referring to the cosine.schema but I really didn't find any answers listed, or I just didn't understand what needed to be done. How can I complete this part of the tutorial?
rwallace Tux's lil' helper
Joined: 22 May 2003 Posts: 107 Location: Phoenix, AZ US
Posted: Mon Mar 15, 2004 9:13 pm
Sounds like one of two possibilities to me.
1) You don't have all the right schemas listed in your slapd.conf file. Here's what you should have:
Code:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/samba.schema

You don't really need the last one unless you plan to use the ldap server to also authenticate samba.
2) In your base.ldif you didn't have an entry for dn: "ou=People,dc=genfic,dc=com". To check this, do an ldapsearch and see if "ou=People,dc=genfic,dc=com" is listed in the output.
meyer37 n00b
Joined: 04 Feb 2003 Posts: 41 Location: Milwaukee, WI
Posted: Mon Mar 15, 2004 9:57 pm
thanks for the reply. Here is my slapd.conf:
Code:
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
# Use crypt to hash the passwords
password-hash {crypt}
# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules:
# modulepath /usr/lib/openldap/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy is:
# Allow read by all
#
# rootdn can always write!
#######################################################################
# ldbm database definitions
#######################################################################
database ldbm
suffix "dc=genfic,dc=com"
rootdn "cn=Manager,dc=genfic,dc=com"
rootpw {MD5}3xKywSvKqdykJnTEctI5qw==
directory /var/lib/openldap-ldbm
index objectClass eq

and when I run
Code:
ldapsearch -D "cn=Manager,dc=genfic,dc=com" -W

I do find the following in the output:
Code:
# People, genfic.com
dn: ou=People,dc=genfic,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit

Yet I still get
Code:
adding new entry "uid=jeffm,ou=People,dc=genfic,dc=com"
ldapadd: update failed: uid=jeffm,ou=People,dc=genfic,dc=com
ldap_add: Object class violation (65)
additional info: invalid structural object class chain (inetOrgPerson/account)

when I run
Code:
ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif
Microft n00b
Joined: 27 Oct 2002 Posts: 40 Location: Arnsberg, Germany
Posted: Tue Mar 16, 2004 12:51 pm
Today I updated to the LDAP 2.1.x series and for that I wanted to rebuild the whole tree.
And I now have the same problem, whether I insert the user with ldapadd or with directory_administrator.
Are there modifications in the schema files since 2.0.x which must be considered?
Tim
Microft n00b
Joined: 27 Oct 2002 Posts: 40 Location: Arnsberg, Germany
meyer37 n00b
Joined: 04 Feb 2003 Posts: 41 Location: Milwaukee, WI
Posted: Tue Mar 16, 2004 2:08 pm
Thanks, after removing the objectClass: Account line everything ran great. Thanks for the help.
waverider202 Tux's lil' helper
Joined: 25 Sep 2002 Posts: 146 Location: Drexel University
Posted: Tue Mar 16, 2004 4:35 pm Post subject: structure
In LDAPv3, every entry must have 1 structural objectClass. OpenLDAP 2.0.x didn't follow this rule. OpenLDAP >= 2.1.x does. Many programs still try to make an entry with 2 structural objectClasses. This is a bug in the program that's making the ldif files.
zaiyon Apprentice
Joined: 19 May 2004 Posts: 219 Location: Germany
Posted: Tue Aug 03, 2004 12:31 pm
Hi, I have the same problem using slapd. Adding the samba schema to my includes will stop slapd from starting, and removing the line:
Code:
index objectClass eq

from slapd.conf does not help me, I still get the following:
Code:
# ldapadd -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=zaiyon.ath,dc=cx"
ldapadd: update failed: uid=root,ou=People,dc=zaiyon.ath,dc=cx
ldap_add: Object class violation (65)
additional info: invalid structural object class chain (inetOrgPerson/account)

The objectclass lines in ldap.conf are all still commented out, I'm not that far with the howto right now.
Code:
# grep object /etc/ldap.conf
# attribute/objectclass mapping
#nss_map_objectclass rfc2307objectclass mapped_objectclass
#nss_map_objectclass posixAccount User
#nss_map_objectclass posixGroup Group
#pam_filter objectclass=User
#nss_map_objectclass posixAccount aixAccount
#nss_map_objectclass posixGroup aixAccessGroup
#pam_filter objectclass=aixAccount

I tried to run the migrate_passwd.pl tool again and tried ldapadd again, with no new result.
It worked to migrate and ldapadd the other stuff, I just have problems with the passwd file.
I'm a real ldap n00b, am I doing anything obviously wrong?
edit:
Forgot to post my full slapd.conf, here it is:
Code:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
password-hash {crypt}
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database ldbm
suffix "dc=zaiyon.ath,dc=cx"
rootdn "cn=Manager,dc=zaiyon.ath,dc=cx"
rootpw {MD5}keUKVO3YBG/eI2tviWAalw==
directory /var/lib/openldap-ldbm
index objectClass eq
weyhan Apprentice
Joined: 27 May 2003 Posts: 245
Posted: Tue Aug 03, 2004 4:34 pm
Quote:
> Hi, I have the same problem using slapd, adding the samba schema to my includes will stop slapd from starting, removing the line:
> Code:
> index objectClass eq

Don't remove that line. What they were talking about in the previous post is the "objectClass: account" line in the passwd.ldif file.
You might find this thread interesting:
https://forums.gentoo.org/viewtopic.php?t=72607
Although the author of the Howto did not agree with migrating the whole password + group to ldap. You might or might not agree with his viewpoint, but I believe there is information in this thread that might be useful.
And also what I did to make my ldap+pam setup work:
https://forums.gentoo.org/viewtopic.php?p=1346899#1346899
However, I believe some of the kerberos stuff might not be necessary. (I might have got my ldap+pam working but I still don't have full understanding of it...)
zaiyon Apprentice
Joined: 19 May 2004 Posts: 219 Location: Germany
Posted: Tue Aug 03, 2004 6:36 pm
thx for the help & links, this helped me a bit, it seems to work now, but if I try to add the entry now, I get:
Code:
# ldapadd -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=zaiyon.ath,dc=cx"
ldapadd: update failed: uid=root,ou=People,dc=zaiyon.ath,dc=cx
ldap_add: Already exists (68)

So I read through the relevant parts of the manpages of ldapadd and ldapdelete to delete this, but as you can see I'm the same ldap n00b as yesterday:
Code:
# ldapdelete -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
Enter LDAP Password:
Delete Result: Invalid DN syntax (34)
Additional info: invalid DN

I don't have the guts to fool around any further, because I really don't know what I'm doing.
I already knew the first link but it was a bit complicated for me to read through because it seems to be different from the official howto in some ways; like I said, I have to learn a lot about stuff like ldap and kerberos.
PS:
Do you know what I can do about the samba.schema stuff? The init script does not post any error messages, it just doesn't work if I include the samba.schema, but it would be kinda useful to be capable of that one...
weyhan Apprentice
Joined: 27 May 2003 Posts: 245
Posted: Wed Aug 04, 2004 3:21 am
Quote:
> So I read through the relevant parts of the manpages of ldapadd and ldapdelete to delete this, but as you can see I'm the same ldap n00b as yesterday:
> Code:
> # ldapdelete -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
> Enter LDAP Password:
> Delete Result: Invalid DN syntax (34)
> Additional info: invalid DN
> I don't have the guts to fool around any further, because I really don't know what I'm doing.

I think you have partially added entries from the passwd.ldif, that is why you can't add again. Also I think your delete command might not be correct.
Fortunately you can always start over. All you need to do is to stop slapd, delete the db files and start slapd again. According to the slapd.conf you have posted, the db files should be in /var/lib/openldap-ldbm. So, you would do:
Code:
# /etc/init.d/slapd stop
# rm -f /var/lib/openldap-ldbm/*
# /etc/init.d/slapd start

Then go back to the howto and start to populate the db by using ldapadd.
Quote:
> I already knew the first link but it was a bit complicated for me to read through because it seems to be different from the official howto in some ways; like I said, I have to learn a lot about stuff like ldap and kerberos.

The first link will not work very well because it is based on an earlier version of openldap and that version is not very strict on the schema checking. However, if you combine that with the second link (which details what I did to get my setup working), you should be able to at least get the ldap+pam setup working.
Quote:
> PS:
> Do you know what I can do about the samba.schema stuff? The init script does not post any error messages, it just doesn't work if I include the samba.schema, but it would be kinda useful to be capable of that one...

Making openldap work with pam as well as samba is a whole different beast. I am at the moment trying to convert my setup to include samba authentication and also for samba to act as PDC. But I am facing some issues with samba at the moment. Once I get it up, I will sure post, maybe to the Docs & tips forum or write it up in the wiki site. In any case I will also include a notice here in this forum.
However, don't hold your breath. Though I have most of the setup working, including generating your own certs (the right way), I am not sure when I will be able to resolve all the issues.
zaiyon Apprentice
Joined: 19 May 2004 Posts: 219 Location: Germany
Posted: Wed Aug 04, 2004 10:35 am
Hi, thx for the help again, but I still have problems with that. I read through the second link but that seems not to solve my problem atm, see for yourself:
I migrated all that stuff again, working fine until I got to passwd.ldif again. This time I removed the objectClass: account line before trying ldapadd, now I get this:
Code:
# ldapadd -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=zaiyon.ath,dc=cx"
adding new entry "uid=bin,ou=People,dc=zaiyon.ath,dc=cx"
ldapadd: update failed: uid=bin,ou=People,dc=zaiyon.ath,dc=cx
ldap_add: Object class violation (65)
additional info: invalid structural object class chain (inetOrgPerson/account)

As you can see it now hangs on the next user....
Trying it again brings me to this again:
Code:
# ldapadd -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=zaiyon.ath,dc=cx"
ldapadd: update failed: uid=root,ou=People,dc=zaiyon.ath,dc=cx
ldap_add: Already exists (68)

I searched the web and the gentoo forums again for some time without finding my problem, then I just tried again to delete all those dbs, migrate the data again and this time delete two lines from passwd, account and inetOrgPerson, trying ldapadd passwd.ldif with the same result....
weyhan Apprentice
Joined: 27 May 2003 Posts: 245
Posted: Wed Aug 04, 2004 1:21 pm
Quote:
> I migrated all that stuff again, working fine until I got to passwd.ldif again. This time I removed the objectClass: account line before trying ldapadd, now I get this:
> Code:
> # ldapadd -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
> Enter LDAP Password:
> adding new entry "uid=root,ou=People,dc=zaiyon.ath,dc=cx"
> adding new entry "uid=bin,ou=People,dc=zaiyon.ath,dc=cx"
> ldapadd: update failed: uid=bin,ou=People,dc=zaiyon.ath,dc=cx
> ldap_add: Object class violation (65)
> additional info: invalid structural object class chain (inetOrgPerson/account)
> As you can see it now hangs on the next user....

Err... I think you only removed one line of "objectClass: account", right? You actually need to remove all those lines, for every user.
If you still can't get it to work, post your passwd.ldif, but not the whole file. Pick the user that fails and maybe a few more. That file is kind of long.
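As an added example, not code from this thread, from migrationtools or from OpenLDAP: the script below applies the fix weyhan describes to every entry at once instead of by hand. It parses a migrate_passwd.pl-style LDIF, reports which entries claim two structural object class chains (the condition waverider202 explains, which slapd 2.1 reports as "invalid structural object class chain (inetOrgPerson/account)"), drops objectClass: account from each of them, and can also emit the DN list that ldapdelete -f expects. That option reads one DN per line rather than LDIF, which is why feeding it passwd.ldif gave "Invalid DN syntax (34)". The sample LDIF, the dc=example,dc=com suffix and the table of structural classes are constructed for the example.

```python
"""Fix a migrate_passwd.pl LDIF for OpenLDAP >= 2.1 schema checking.
Added example, not code from the thread or from migrationtools. LDAPv3 allows
exactly one structural object class chain per entry; the migrated entries carry
inetOrgPerson (chain person -> organizationalPerson -> inetOrgPerson) and
account, two unrelated structural classes, so slapd rejects every one of them.
"""
import sys
from typing import List, Tuple

Entry = List[Tuple[str, str]]  # ordered (attribute, value) pairs of one entry

# Structural classes seen in these migrations, mapped to the root of their
# chain (constructed table; posixAccount, shadowAccount and top are auxiliary
# or abstract and are deliberately absent).
STRUCTURAL_CHAIN = {
    "person": "person",
    "organizationalperson": "person",
    "inetorgperson": "person",
    "account": "account",
    "organizationalunit": "organizationalunit",
}

# Constructed sample in the shape migrate_passwd.pl produces (two users).
SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=example,dc=com
uid: root
cn: root
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
uidNumber: 0
gidNumber: 0

dn: uid=bin,ou=People,dc=example,dc=com
uid: bin
cn: bin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
uidNumber: 1
gidNumber: 1
"""


def parse_ldif(text: str) -> List[Entry]:
    """Blank lines separate entries, '#' lines are comments, a leading space
    continues the previous value; splitting on ': ' keeps 'attr::' intact."""
    entries: List[Entry] = []
    current: Entry = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                entries.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
            continue
        attr, _, val = raw.partition(": ")
        current.append((attr.strip(), val.strip()))
    if current:
        entries.append(current)
    return entries


def object_classes(entry: Entry) -> set:
    return {v.lower() for a, v in entry if a.lower() == "objectclass"}


def structural_chains(entry: Entry) -> set:
    """Roots of the structural chains an entry claims; more than one is what
    slapd reports as 'Object class violation (65)'."""
    return {STRUCTURAL_CHAIN[c] for c in object_classes(entry) if c in STRUCTURAL_CHAIN}


def drop_account_class(entries: List[Entry]) -> Tuple[List[Entry], int]:
    """Remove 'objectClass: account' from every entry that also carries
    inetOrgPerson. Returns the fixed entries and how many were changed."""
    fixed, changed = [], 0
    for entry in entries:
        if {"inetorgperson", "account"} <= object_classes(entry):
            entry = [(a, v) for a, v in entry
                     if not (a.lower() == "objectclass" and v.lower() == "account")]
            changed += 1
        fixed.append(entry)
    return fixed, changed


def to_ldif(entries: List[Entry]) -> str:
    return "\n\n".join("\n".join(f"{a}: {v}" for a, v in e) for e in entries) + "\n"


def dn_list(entries: List[Entry]) -> List[str]:
    """One DN per line is what 'ldapdelete -f' reads; handing it an LDIF file
    instead is what produces 'Invalid DN syntax (34)'."""
    return [v for e in entries for a, v in e if a.lower() == "dn"]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    entries = parse_ldif(text)
    bad = [dn_list([e])[0] for e in entries if len(structural_chains(e)) > 1]
    fixed, n = drop_account_class(entries)
    sys.stderr.write(f"{len(bad)} conflicting entries, {n} fixed\n")
    sys.stdout.write(to_ldif(fixed))  # redirect this into a new passwd.ldif
```

Run it as `python fix_passwd_ldif.py /tmp/passwd.ldif > /tmp/passwd-fixed.ldif` (file name assumed) and feed the result to ldapadd; to wipe the partially added users instead of deleting the whole ldbm directory, write `dn_list(...)` one per line to a file and pass that to `ldapdelete -f`. The conflict check only knows the handful of structural classes listed in STRUCTURAL_CHAIN, so extend that table if your LDIF uses others.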
zaiyon Apprentice
Joined: 19 May 2004 Posts: 219 Location: Germany
Posted: Thu Aug 05, 2004 1:14 pm
argh, am I stupid, I overlooked that "971 lines" stuff....
now it works, thx, you've been of great help!
Now I'm stuck with the client configuration, but that'll work somehow ^^
I'll post it if I can get the things to work you're wondering about, but I don't think this'll be soon
weyhan Apprentice
Joined: 27 May 2003 Posts: 245
Posted: Thu Aug 05, 2004 3:50 pm
zaiyon wrote:
> argh, am I stupid, I overlooked that "971 lines" stuff....
> now it works, thx, you've been of great help!

No worries. We all do that some times.
zaiyon wrote:
> Now I'm stuck with the client configuration, but that'll work somehow ^^
> I'll post it if I can get the things to work you're wondering about, but I don't think this'll be soon

Client configuration is the easy part. So don't worry.
dennis_demarco n00b
Joined: 06 Oct 2004 Posts: 6
Posted: Wed Oct 06, 2004 6:38 pm Post subject: LDAP HOW-TO
The LDAP HOW-TO is out of date with 2.1.
In 2.1 you can't use a self-signed certificate. You need a CA certificate. That can be a private CA or commercial:
http://www.openldap.org/faq/data/cache/185.html
There is a difference between /etc/ldap.conf and /etc/openldap/ldap.conf:
/etc/openldap/ldap.conf is the library conf file (/etc/ldap.conf is the padl.com / pam_ldap file).
You need to place
tls_cacert in both of these files.
Very aggravating, and not well documented.