Discussion:
Adding an object class with required attributes to an existing entry
Nick Milas
2011-12-16 12:49:57 UTC
Hi,

I want to add a new objectclass using an ldif; this objectclass requires
some attributes (according to schema). I can't make it work.

For posixAccount class, required attributes are:
cn
gidNumber
homeDirectory
uid
uidNumber

I already have cn and uid.

I am trying:

dn: uid=userx,ou=people,dc=example,dc=com
changetype: modify
add: ObjectClass
objectClass: posixAccount
uidNumber: 1700
homeDirectory: /var/members/userx
gidNumber: 48
loginShell: /bin/false

and it fails.

I've tried other ways too, like including existing objectclasses in the
LDIF (I've read about that in a blog), using a separate add statement
for optional attribute loginShell, etc. but nothing worked.

If the ObjectClass to add does not specify REQUIRED attributes in the
schema, there is no problem in adding it.

How should I formulate the LDIF?

Please advise.

Thanks,
Nick
Hallvard Breien Furuseth
2011-12-16 13:22:27 UTC
Post by Nick Milas
dn: uid=userx,ou=people,dc=example,dc=com
changetype: modify
add: ObjectClass
objectClass: posixAccount
uidNumber: 1700
(...)
With 'changetype: modify', for every attribute type you need
'add: <attrtype>' in front and a line with just '-' after, to
separate it from next attr.type. See 1st 'man ldapmodify' example.

Beyond that - it's usually easier to help when you give the error
message and the command line you used, not just "it fails".
--
Hallvard
Nick Milas
2011-12-16 14:36:49 UTC
Post by Hallvard Breien Furuseth
With 'changetype: modify', for every attribute type you need
'add:<attrtype>' in front and a line with just '-' after, to
separate it from next attr.type. See 1st 'man ldapmodify' example.
Beyond that - it's usually easier to help when you give the error
message and the command line you used, not just "it fails".
Thanks for the reply.

I have tried using ldapmodify and the following ldif file:

dn: uid=userx,ou=people,dc=example,dc=com
changetype: modify
add: ObjectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: 1700
-
add: homeDirectory
homeDirectory: /var/members/userx
-
add: gidNumber
gidNumber: 48
-
add: loginShell
loginShell: /bin/false

I found that this works fine using the openldap ldapmodify tool.
Unfortunately, however, it doesn't work with any other tool (that's why
I didn't succeed before). I tried with phpLDAPadmin 1.1.0.7, JXplorer
(3.3 beta) and ApacheDS (2.0.0 beta) and all return an error.

phpLDAPadmin: LDIF Parse Error / Description: The attribute to modify
doesnt match the one specified by the add attribute.
JXplorer: javax.naming.directory.InvalidAttributeIdentifierException:
[LDAP: error code 17 - add: attribute type undefined]
ApacheDS: #!ERROR Record is invalid

Some incompatibility in LDIF syntax perhaps? I'll continue testing to
see what should be acceptable LDIF syntax for such tools.

Any feedback/experience will be welcome.

Thanks,
Nick
Hallvard Breien Furuseth
2011-12-16 14:53:45 UTC
Post by Nick Milas
add: ObjectClass
objectClass: posixAccount
phpLDAPadmin: LDIF Parse Error / Description: The attribute to modify
doesnt match the one specified by the add attribute.
Maybe it does a case-sensitive compare. Try lowercase 'O'.
Post by Nick Milas
[LDAP: error code 17 - add: attribute type undefined]
ApacheDS: #!ERROR Record is invalid
WTF... Maybe it wants the missing '-' after the entry. OpenLDAP
doesn't require it, but possibly the LDIF standard does.
--
Hallvard
Nick Milas
2011-12-16 17:34:14 UTC
Post by Hallvard Breien Furuseth
WTF... Maybe it wants the missing '-' after the entry. OpenLDAP
doesn't require it, but possibly the LDIF standard does.
Tried objectClass instead of ObjectClass (in all following tests). Then:

phpLDAPadmin does not work either with or without the '-' at the bottom:

LDIF text import
Could not modify object: uid=userx,ou=people,dc=example,dc=com
LDAP said: LDAP_OBJECT_CLASS_VIOLATION
You tried to perform an operation that would cause an undefined
attribute to exist or that would remove a required attribute, given
the current list of ObjectClasses. This can also occur if you do not
specify a structural objectClass when creating an entry, or if you
specify more than one structural objectClass.

JXplorer also does not work with or without the '-' at the bottom:
With the '-':

java.lang.RuntimeException: "Error - illegal line in ldif file " +
"(" + lineNumber +") in LDIF file: + " + fileName + "\n" +
attributeValueText

Without the '-':

javax.naming.directory.InvalidAttributeIdentifierException: [LDAP:
error code 17 - add: attribute type undefined]; remaining name
'uid=userx,ou=people,dc=example,dc=com'

ApacheDS: WORKS only WITHOUT the '-' at the bottom.

With the '-' at the bottom: #!ERROR Record is invalid

So, where are we? I guess I could contact those developers (ApacheDS and
JXplorer at least) and tell them so they can do something about it...

Nick
Nick Milas
2011-12-16 19:26:05 UTC
Post by Nick Milas
ApacheDS: WORKS only WITHOUT the '-' at the bottom.
Correction: Apache Directory Studio LDIF import works fine both with and
without the '-' at the bottom. It just needs a CR at the end of the
bottom line with text (in the LDIF file). I found that these LDIF
imports were failing because the bottom '-' was not followed by a CR. If
the bottom LDIF line (whichever it might be) didn't have a CR at the
end, the file wouldn't be imported correctly.

Tests with Apache Directory Studio were on Windows OS.

Nick
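A small checker for the LDIF rules this thread turned up, added here as an example and not code from OpenLDAP or any of the tools mentioned: a 'changetype: modify' record needs 'add: <attrtype>' before each attribute, a line with just '-' after each change spec (RFC 2849 requires it after every spec, OpenLDAP tolerates a missing final one), attribute types compared case-insensitively, and a newline at the end of the file. The two sample records are constructed from Nick's first and corrected LDIF.

```python
import re

# 'attrtype: value' line (RFC 2849 attrval-spec; '::' base64 and ':<' URL forms not handled)
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*):\s*(.*)$")
CHANGE_OPS = ("add", "delete", "replace")


def validate_modify_record(text):
    """Return the list of problems found in one LDIF modify record ([] = OK)."""
    problems = []
    if not text.endswith("\n"):
        problems.append("record does not end with a newline")
    lines = [ln.rstrip("\r") for ln in text.rstrip("\r\n").split("\n")]
    if not lines[0].lower().startswith("dn:"):
        return problems + ["record must start with a dn: line"]
    if len(lines) < 2 or lines[1].strip().lower() != "changetype: modify":
        return problems + ["second line must be 'changetype: modify'"]
    current = None  # attribute type named by the open change spec, if any
    for n, line in enumerate(lines[2:], start=3):
        if line == "-":  # separator closing the current change spec
            if current is None:
                problems.append("line %d: '-' without an open change spec" % n)
            current = None
            continue
        m = ATTR_LINE.match(line)
        if not m:
            problems.append("line %d: not an 'attrtype: value' line" % n)
            continue
        name, value = m.group(1), m.group(2).strip()
        if name.lower() in CHANGE_OPS:
            if current is not None:
                problems.append("line %d: new change spec before '-' separator" % n)
            current = value  # e.g. 'add: ObjectClass' opens a spec for ObjectClass
        elif current is None:
            problems.append("line %d: attribute line outside a change spec" % n)
        elif name.lower() != current.lower():  # attribute types are case-insensitive
            problems.append("line %d: %s does not match change spec for %s" % (n, name, current))
    if current is not None:
        problems.append("last change spec not closed with '-' (RFC 2849 requires it)")
    return problems


# Constructed samples: the first LDIF from the thread, and the corrected form.
FIRST_ATTEMPT = ("dn: uid=userx,ou=people,dc=example,dc=com\nchangetype: modify\n"
                 "add: ObjectClass\nobjectClass: posixAccount\nuidNumber: 1700\n")
CORRECTED = ("dn: uid=userx,ou=people,dc=example,dc=com\nchangetype: modify\n"
             "add: ObjectClass\nobjectClass: posixAccount\n-\n"
             "add: uidNumber\nuidNumber: 1700\n-\n")
```

Running `validate_modify_record(FIRST_ATTEMPT)` reports the uidNumber line under the ObjectClass spec and the missing closing '-', while the corrected record passes with or without CRLF line endings.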
h***@arcor.de
2011-12-16 18:05:43 UTC
Post by Nick Milas
Post by Hallvard Breien Furuseth
With 'changetype: modify', for every attribute type you need
'add:<attrtype>' in front and a line with just '-' after, to
separate it from next attr.type. See 1st 'man ldapmodify' example.
Beyond that - it's usually easier to help when you give the error
message and the command line you used, not just "it fails".
Thanks for the reply.
dn: uid=userx,ou=people,dc=example,dc=com
changetype: modify
add: ObjectClass
objectClass: posixAccount
-
add: uidNumber
uidNumber: 1700
-
add: homeDirectory
homeDirectory: /var/members/userx
-
add: gidNumber
gidNumber: 48
-
add: loginShell
loginShell: /bin/false
I found that this works fine using the openldap ldapmodify tool.
Unfortunately, however, it doesn't work with any other tool (that's
why I didn't succeed before). I tried with phpLDAPadmin 1.1.0.7,
JXplorer (3.3 beta) and ApacheDS (2.0.0 beta) and all return an
error.
phpLDAPadmin: LDIF Parse Error / Description: The attribute to modify
doesnt match the one specified by the add attribute.
[LDAP: error code 17 - add: attribute type undefined]
ApacheDS: #!ERROR Record is invalid
Some incompatibility in LDIF syntax perhaps? I'll continue testing to
see what should be acceptable LDIF syntax for such tools.
Any feedback/experience will be welcome.
I have had a similar problem with gq. gq is just another gtk based
client. The problem gets solved if I add the objectclass top prior to
adding any auxiliary objectclass.

Yes, I know that openldap does not require the objectclass top, but some
clients do their own verification.
Post by Nick Milas
Thanks,
Nick
--
Harry Jede