
ldap: Operation not allowed on nonleaf (ITS#3006)



Full_Name: Christian Geissler
Version: 2.0.11-73
OS: SuSE Linux Enterprise Server
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (217.162.70.184)


Hello.
I've got the SUSE RPM with the version: openldap2 ver. 2.0.11-73. I think
the OpenLDAP directory is broken. Is there any chance to repair the OpenLDAP
database?
I can't remove a user. I get this error message:  ldap: Operation not
allowed on nonleaf. What does the slapd server mean by this?

Can you help me?

Sorry for my bad english.

Greetings, Christian



slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# NOTE(review): this file carries rootpw and the whole ACL policy, so its
# permissions should restrict it to the slapd user (cf. "mode 0600" below).
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/suse-email-server.schema
include /etc/openldap/schema/dnszone.schema
# samba.schema adds the Samba account attributes. No ACL below names them,
# so (if such attributes are stored) they fall under the global
# "by * read" rule that follows -- confirm against the loaded schema.
include /etc/openldap/schema/samba.schema
# Global ACL. Despite the original comment here ("disable default read
# access"), this directive GRANTS read access to everyone, anonymous binds
# included. Global ACLs serve as the fallback for anything the
# database-specific ACLs further down do not match (database ACLs are
# evaluated first -- confirm in slapd.access(5) for this release), so every
# attribute not listed in a database ACL below is world-readable.
access to * by * read
#
# Check that entries conform to the loaded schema.
#
schemacheck on
# loglevel 0 turns off slapd's syslog output: failed binds and ACL denials
# leave no trace to investigate. 256 (stats) logs connections, operations
# and results.
loglevel 0
sizelimit 1000
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
# Hash scheme applied when userPassword is set through the Password Modify
# extended operation. {crypt} relies on the system crypt(3); {SSHA} is the
# stronger choice where this build supports it.
password-hash {crypt}
# TLS is not configured (all TLS directives are commented out), so simple
# binds -- including the userpassword "auth" access granted below -- cross
# the network in cleartext unless clients use ldaps:// or a local socket.
#allow tls_2_anon
#TLSCertificateFile /usr/ssl/certs/cert.pem
#TLSCertificateKeyFile /usr/ssl/certs/skey.pem

#######################################################################
# ldbm database definitions
#######################################################################
# ******************************* System Backend **********************
database ldbm
directory /var/lib/ldap
lastmod on
# Permissions for the database files slapd creates under the directory above.
mode 0600
#
# Try to improve performance
#
cachesize 50000
dbcachesize 100000
suffix dc=firestorm,dc=ch
# The rootdn is exempt from every ACL in this database; the rootpw
# (redacted below) is therefore the one secret that grants unrestricted
# write access. The rootdn is a DN inside the suffix here, so an ordinary
# entry of the same name may also exist -- keep its password distinct.
rootdn uid=cyrus,dc=firestorm,dc=ch
rootpw {crypt}********

# ******************************* System Backend **********************
#
# Cleartext passwords, especially for the rootdn,
# should be avoided. See slapd.conf(5) for details.
# Don't put all your energy into a senseless search.
#
index uid,fn,cn,userpassword,memberuid,gidnumber eq
index alias,relayClientcert,objectclass,uidnumber eq
index mailenabled,relativeDomainName,zoneName eq,pres
index vaddress,mail eq,sub,pres
# Access control
#
# ACLs are evaluated in order: the first "access to" clause matching the
# entry/attribute decides, and every clause ends with an implicit
# "by * none" (slapd.access(5)).
#
# Private AddressBook: entries under ou=addr,uid=<user>,... are writable
# only by that user ($1 is the (.*) group captured by the regex). The
# pattern is a regex and is not anchored with ^ and $ -- check in
# slapd.access(5) whether it should be. NOTE(review): this design places
# child entries beneath each user's own entry, so a user entry that has a
# private address book is no longer a leaf; that is presumably why deleting
# such a user fails with "Operation not allowed on nonleaf" -- LDAP delete
# does not recurse, the children must be removed first.
access to dn="ou=addr,uid=(.*),dc=firestorm,dc=ch"
by dn="uid=$1,dc=firestorm,dc=ch" write by * none
# Hide skyrixGreenConfig: the owner may write, only connections from the
# loopback address (peername is matched as a regex) may read, everyone
# else is denied by the implicit "by * none".
access to attr=skyrixGreenConfig
by self write
by peername="127\.0\.0\.1" read
by peername=::1 read
# To let PAM authenticate: "auth" lets anonymous clients bind against
# userpassword without reading the stored hash, and the trailing
# "by * none" keeps other authenticated users from reading it. Without TLS
# the bind password itself still travels in cleartext (see above).
access to attr=userpassword
by self write
by anonymous auth
by * none
# shadowLastChange is readable by everyone, including anonymous binds.
access to attr=shadowLastChange
by self write
by * read
# only the Admin is allowed to change the members of the AddressAdmins
# group -- this clause grants users read only, so with these ACLs the
# rootdn is the sole identity able to modify the group.
# NOTE(review): dn.base/dn.subtree selectors and the "+rsc" form below are
# newer ACL syntax than a 2.0.x release is usually expected to know;
# verify that this slapd actually parses the file as written.
access to dn.base="cn=AddressAdmins,o=AddressBook,dc=firestorm,dc=ch"
by users read
by * none
# only the members of the AddressAdmins group are allowed to write to the
# Public Address Book; other authenticated users read, anonymous gets nothing
access to dn.subtree="o=AddressBook,dc=firestorm,dc=ch"
by group="cn=AddressAdmins,o=AddressBook,dc=firestorm,dc=ch" write
by users read
by * none
# handle write access to the personal data (system address book)
# - first look at the OpenLDAPaci attribute ("by aci"); "break" means that
#   once the aci clause has matched, evaluation continues with the next
#   access directive (the one adding +rsc below) instead of stopping
#   (slapd.access(5) -- confirm for this release)
# - if that doesn't exist or the user-dn is not in the subject clause,
#   give write access to the owner of the entry and read access to anyone else
# NOTE(review): the attribute list below looks re-wrapped by the mail client
# ("labeled" / "URI" split across lines); in the real file it must be one
# line, or continuation lines that begin with whitespace.
access to
attr=c,cn,telephoneNumber,facsimileTelephoneNumber,pager,title,givenname,sn,
l,description,mail,street,postalCode,st,homePhone,ou,initials,mobile,labeled
URI,preferredLanguage,entry
by aci write break
by self write
by * read
# if the above break statement is reached add read access for everyone:
# "+rsc" adds read, search and compare to whatever the previous directive
# already granted, for anonymous clients as well.
access to
attr=c,cn,telephoneNumber,facsimileTelephoneNumber,pager,title,givenname,sn,
l,description,mail,street,postalCode,st,homePhone,ou,initials,mobile,labeled
URI,preferredLanguage,entry
by * +rsc