
Re: Continued Problem with importing Shadow Accounts



You are apparently missing the whole concept of what an objectClass is. You
should really do some reading on the 'net about LDAP in general. The
OpenLDAP FAQ has good pointers.

If you go to http://www.hklc.com/ldapschema/ and lookup shadowAccount, you
will see:

Must have:
* top

Requires:
* uid

May have:
* userPassword
* shadowLastChange
* shadowMin
* shadowMax
* shadowWarning
* shadowInactive
* shadowExpire
* shadowFlag
* description

Which means that your ldif must include the objectclass "top", like this:

objectClass: top

and, your ldif must have the attribute "uid":

uid: johnh

It may then optionally have any of the other attributes listed under "May
have". That's it. Nothing else. No uidNumber, gidNumber, homeDirectory,
loginShell allowed. If you put those in, you'll get an "Undefined attribute
type" error.

So, here is an example of a valid shadowAccount:

dn: uid=johnh,ou=services,dc=texarkana,dc=txed,dc=net
objectClass: top
objectClass: shadowAccount
uid: johnh
userPassword: {sha}$1$TueBpBUH$6Lg/XO4fPds/Pv8NpLtf5/
shadowLastChange: 6
shadowMin: 0
shadowMax: 0
shadowWarning: 0
shadowInactive: 0
shadowExpire: 0
shadowFlag: 0
description: John's Account


Now, if you want to include other fields like the ones below, and you
probably do if you're trying to use nss_ldap or something, then you'll need
to find the objectClass that defines those attributes, or read some
documentation that generally will tell you what to use (like
http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2307.html). In this case the
objectClass to use is posixAccount. Look it up and you'll find:

Must have:
* top

Requires:
* cn
* uid
* uidNumber
* gidNumber
* homeDirectory

May have:
* userPassword
* loginShell
* gecos
* description

So a valid ldif would be:

dn: uid=johnh,ou=services,dc=texarkana,dc=txed,dc=net
objectClass: top
objectClass: posixAccount
# cn is in posixAccount's "Requires" list, so it cannot be left out
cn: johnh
uid: johnh
userPassword: {sha}$1$TueBpBUH$6Lg/XO4fPds/Pv8NpLtf5/
uidNumber: 500
gidNumber: 500
loginShell: /bin/bash
homeDirectory: /home/johnh

Now, if the application you are using requires the fields of both
posixAccount and shadowAccount, then include BOTH objectClasses and you can
use all attributes. So this would be a valid ldif:

dn: uid=johnh,ou=services,dc=texarkana,dc=txed,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
# cn is required by posixAccount
cn: johnh
uid: johnh
# {sha} expects a base64-encoded SHA-1 digest; a $1$... crypt(3) string is
# normally stored with the {CRYPT} scheme instead
userPassword: {sha}$1$TueBpBUH$6Lg/XO4fPds/Pv8NpLtf5/
uidNumber: 500
gidNumber: 500
loginShell: /bin/bash
homeDirectory: /home/johnh
shadowLastChange: 6
shadowMin: 0
shadowMax: 0
shadowWarning: 0
shadowInactive: 0
shadowExpire: 0
shadowFlag: 0
description: John's Account




> From: "John Humphrey" <txkjohn@hotmail.com>
> Date: Wed, 02 May 2001 08:42:47 -0500
> To: openldap-software@OpenLDAP.org
> Subject: Continued Problem with importing Shadow Accounts
> 
> I've failed yet again in attempting to import my Linux (Red Hat 7.0 w/
> shadow passwords) users into the LDAP directory (OpenLDAP 2.0.7 LDAP v3).
> The LDIF file that I'm using to import users returns the following error
> message "Undefined attribute type". The ldif file is included below. I used
> the http://www.hklc.com/ldapschema/ site to guide me in the syntax of the
> file, but to no avail. I would really appreciate some help. Is there a
> better way to add users/groups? I'm not adamant about using ldif imports, I
> just don't know of another way to add objects to the directory. Here's my
> ldif file ... :(
> 
> 
> #Adding a ShadowAccount
> dn: uid=johnh,ou=services,dc=texarkana,dc=txed,dc=net
> objectClass: shadowAccount
> uidNumber: 500
> gidNumber: 500
> loginShell: /bin/bash
> homeDirectory: /home/johnh
> uid: johnh
> userPassword: {sha}$1$TueBpBUH$6Lg/XO4fPds/Pv8NpLtf5/
> 
> I've also tried
> "userPassword; hash-sha: $1$TueBpBUH$6Lg/XO4fPds/Pv8NpLtf5/"
> 
> 
> John Humphrey
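To make the MUST/MAY reasoning in the reply above mechanically checkable, here is an added Python example; it is not code from the thread or from OpenLDAP. It contains a small LDIF parser and a schema check that reproduces the two rejections slapd gives for the entries discussed: "Undefined attribute type" for an attribute that no listed objectClass permits, and a missing required attribute. The schema table is transcribed from the "Must have" / "Requires" / "May have" lists quoted in the reply (superior classes are followed, so posixAccount implies top); the two LDIF strings are copies of the posted entry and of the combined entry from the reply, the latter with the cn that posixAccount requires. Attribute options such as `;hash-sha` are stripped before the check, since schema rules apply to the base attribute type.

```python
"""Schema check for LDIF entries, limited to the objectClasses discussed in
the thread: top, shadowAccount and posixAccount."""
import base64
import re

# Constructed schema subset, transcribed from the lists quoted in the reply.
# "sup" is the superior class ("Must have: top" in the hklc listing).
SCHEMA = {
    "top": {"sup": None, "must": {"objectClass"}, "may": set()},
    "shadowAccount": {
        "sup": "top",
        "must": {"uid"},
        "may": {"userPassword", "shadowLastChange", "shadowMin", "shadowMax",
                "shadowWarning", "shadowInactive", "shadowExpire", "shadowFlag",
                "description"},
    },
    "posixAccount": {
        "sup": "top",
        "must": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
        "may": {"userPassword", "loginShell", "gecos", "description"},
    },
}

# The LDIF from the original message, reproduced here as test input.
POSTED_LDIF = """\
#Adding a ShadowAccount
dn: uid=johnh,ou=services,dc=texarkana,dc=txed,dc=net
objectClass: shadowAccount
uidNumber: 500
gidNumber: 500
loginShell: /bin/bash
homeDirectory: /home/johnh
uid: johnh
userPassword: {sha}$1$TueBpBUH$6Lg/XO4fPds/Pv8NpLtf5/
"""

# The combined entry from the reply, plus the cn that posixAccount requires.
FIXED_LDIF = """\
dn: uid=johnh,ou=services,dc=texarkana,dc=txed,dc=net
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
cn: johnh
uid: johnh
userPassword: {sha}$1$TueBpBUH$6Lg/XO4fPds/Pv8NpLtf5/
uidNumber: 500
gidNumber: 500
loginShell: /bin/bash
homeDirectory: /home/johnh
shadowLastChange: 6
shadowMax: 0
description: John's Account
"""

# attribute type, optional ";option" tags, ":" or "::" (base64), value
_LINE = re.compile(r"^([A-Za-z][\w-]*)((?:;[\w-]+)*)(::?)[ ]*(.*)$")


def parse_ldif(text):
    """Return a list of entries, each a dict of attribute type -> list of values.
    Handles comments, folded lines, base64 (::) values and attribute options."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, entry = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, _options, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        # Attribute types are case-insensitive; keep the first spelling seen.
        canon = {k.lower(): k for k in entry}
        entry.setdefault(canon.get(attr.lower(), attr), []).append(value)
    return entries


def check_entry(entry, schema=SCHEMA):
    """List the violations slapd would reject this entry for: an unknown
    objectClass, an attribute permitted by no listed class ("Undefined
    attribute type"), or a MUST attribute that is absent. Empty list = clean."""
    problems = []
    by_lower = {name.lower(): name for name in schema}
    lowered = {k.lower(): v for k, v in entry.items()}
    must, may, seen = set(), set(), set()
    todo = list(lowered.get("objectclass", []))
    if not todo:
        problems.append("entry has no objectClass")
    while todo:                                # walk classes and their superiors
        name = todo.pop()
        key = by_lower.get(name.lower())
        if key is None:
            problems.append(f"unknown objectClass: {name}")
        elif key not in seen:
            seen.add(key)
            must |= {a.lower() for a in schema[key]["must"]}
            may |= {a.lower() for a in schema[key]["may"]}
            if schema[key]["sup"]:
                todo.append(schema[key]["sup"])
    for attr in entry:
        if attr.lower() != "dn" and attr.lower() not in must | may:
            problems.append(f"Undefined attribute type: {attr}")
    for attr in sorted(must - set(lowered)):
        problems.append(f"required attribute missing: {attr}")
    return problems


def report(text):
    """Map each entry's dn to its list of problems."""
    return {e["dn"][0]: check_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for label, text in (("posted", POSTED_LDIF), ("fixed", FIXED_LDIF)):
        for dn, problems in report(text).items():
            print(f"{label}: {dn}: {problems or 'OK'}")
```

Run against POSTED_LDIF the checker flags uidNumber, gidNumber, loginShell and homeDirectory as undefined for a bare shadowAccount, which is exactly the error in the original message; FIXED_LDIF passes. Dropping cn from a posixAccount entry produces a missing-required-attribute finding instead, which is the other rejection an import like this commonly runs into.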