
Re: invalid structural object class chain (inetOrgPerson/fw1person)




Brian Gaber wrote:
|>Attempting to convert OpenLDAP v2.0.27-11 to OpenLDAP v2.2.26
|>I am running the 2.2.26 slapadd on the file created by the 2.0.27 slapcat
|>
|>Here is what I get:
|>
|>
|
| Did you add the fw1person schema to slapd.conf ?
|

| Yes, I did, its not too long (95 lines) so I have included it below.
| It is called fw1ng.schema,  It comes from CheckPoint corporation for
| their firewall to determine access by their firewall.

Well, either they haven't been maintaining it, or you have an old copy ...


| If anyone is interested here is their document that I used for my setup
| http://www.opsec.com/solutions/partners/downloads/OpenLDAP_VPN-1.pdf

It's outdated:

"Abstract
Check Point™ VPN-1® NG has the ability to access LDAP directory servers
for managing users, groups and
templates. OpenLDAP is a free, stable and widely used LDAP Server on
UNIX platforms. This guide describes how to
configure OpenLDAP on Red Hat Linux 8.0 for the integration with VPN-1NG
SmartDirectory."


| objectclass ( 1.3.114.7.3.2.0.1 NAME 'fw1template'
|   SUP 'top'
|   MUST ( cn )
|   MAY (
|     member $ description $ fw1auth-method $ fw1auth-server $ fw1pwdlastmod $
|     fw1skey-number $ fw1skey-seed $ fw1skey-passwd $ fw1skey-mdm $
|     fw1expiration-date $ fw1hour-range-from $ fw1hour-range-to $ fw1day $
|     fw1allowed-src $ fw1allowed-dst $ fw1allowed-vlan $ fw1SR-keym $
|     fw1SR-datam $ fw1SR-mdm $ fw1enc-fwz-expiration $ fw1sr-auth-track $
|     fw1grouptemplate $ fw1ISAKMP-EncMethod $ fw1ISAKMP-AuthMethods $
|     fw1ISAKMP-HashMethods $ fw1ISAKMP-Transform $ fw1ISAKMP-DataIntegrityMethod $
|     fw1ISAKMP-SharedSecret $ fw1ISAKMP-DataEncMethod $ fw1enc-methods $
|     fw1userPwdPolicy $ memberOf )
|   )
|
| objectclass ( 1.3.114.7.3.2.0.2
|   NAME 'fw1person'
|   SUP 'top'
|   MUST ( cn $ sn )
|   MAY (
|     description $ userpassword $ mail $ uid $ fw1auth-method $ fw1auth-server $
|     fw1pwdlastmod $ fw1skey-number $ fw1skey-seed $ fw1skey-passwd $ fw1skey-mdm $
|     fw1expiration-date $ fw1hour-range-from $ fw1hour-range-to $ fw1day $
|     fw1allowed-src $ fw1allowed-dst $ fw1allowed-vlan $ fw1SR-keym $ fw1SR-datam $
|     fw1SR-mdm $ fw1enc-fwz-expiration $ fw1sr-auth-track $ fw1grouptemplate $
|     fw1ISAKMP-EncMethod $ fw1ISAKMP-AuthMethods $ fw1ISAKMP-HashMethods $
|     fw1ISAKMP-Transform $ fw1ISAKMP-DataIntegrityMethod $ fw1ISAKMP-SharedSecret $
|     fw1ISAKMP-DataEncMethod $ fw1enc-methods $ fw1userPwdPolicy $ fw1badPwdCount $
|     fw1lastLoginFailure $ memberoftemplate $ memberOf )
|   )

Well, from my understanding of RFC 2252, the objectclass definition
should specify one of "ABSTRACT", "STRUCTURAL", or "AUXILIARY"; using
AUXILIARY will solve your problem, e.g. (watch out for line breaks
though ...):

objectclass ( 1.3.114.7.3.2.0.2
  NAME 'fw1person'
  SUP 'top' AUXILIARY
  MUST ( cn $ sn )
  MAY (
    description $ userpassword $ mail $ uid $ fw1auth-method $ fw1auth-server $
    fw1pwdlastmod $ fw1skey-number $ fw1skey-seed $ fw1skey-passwd $ fw1skey-mdm $
    fw1expiration-date $ fw1hour-range-from $ fw1hour-range-to $ fw1day $
    fw1allowed-src $ fw1allowed-dst $ fw1allowed-vlan $ fw1SR-keym $ fw1SR-datam $
    fw1SR-mdm $ fw1enc-fwz-expiration $ fw1sr-auth-track $ fw1grouptemplate $
    fw1ISAKMP-EncMethod $ fw1ISAKMP-AuthMethods $ fw1ISAKMP-HashMethods $
    fw1ISAKMP-Transform $ fw1ISAKMP-DataIntegrityMethod $ fw1ISAKMP-SharedSecret $
    fw1ISAKMP-DataEncMethod $ fw1enc-methods $ fw1userPwdPolicy $ fw1badPwdCount $
    fw1lastLoginFailure $ memberoftemplate $ memberOf )
  )

Of course, you should *really* consult the vendor who supplied you with
the schema.

Regards,
Buchan

--
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng          RHCE (803004789010797),LPIC-1 (LPI000074592)
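The point of the reply above is that RFC 2252 treats an objectclass definition with no ABSTRACT/STRUCTURAL/AUXILIARY keyword as STRUCTURAL, so an unmarked fw1person becomes a second structural class beside inetOrgPerson on the same entry, which is exactly what slapadd rejects. The following Python checker is an added example, not code from this thread, from OpenLDAP or from Check Point: it parses objectclass definitions the way RFC 2252 reads them, lists the ones that silently default to STRUCTURAL, and applies the single-structural-chain rule to an entry's objectClass values. The schema fragment, the hard-coded core class table (kinds taken from RFC 2256 and RFC 2798) and the entry's objectClass list are all constructed here; the function names are mine.

```python
import re

# Constructed sample, modelled on the fw1ng.schema fragment quoted in the
# thread (MAY list trimmed).  It has no ABSTRACT/STRUCTURAL/AUXILIARY keyword,
# which RFC 2252 defines as meaning STRUCTURAL.
VENDOR_SCHEMA = """
objectclass ( 1.3.114.7.3.2.0.2
  NAME 'fw1person'
  SUP 'top'
  MUST ( cn $ sn )
  MAY ( description $ userpassword $ mail $ uid ) )
"""

# The same definition with the kind stated explicitly, as the reply suggests.
FIXED_SCHEMA = VENDOR_SCHEMA.replace("SUP 'top'", "SUP 'top' AUXILIARY")

# Kinds and superiors of the classes an inetOrgPerson entry already carries,
# hard-coded from RFC 2256 / RFC 2798 so the example runs without slapd.
CORE = {
    "top": {"kind": "ABSTRACT", "sup": []},
    "person": {"kind": "STRUCTURAL", "sup": ["top"]},
    "organizationalPerson": {"kind": "STRUCTURAL", "sup": ["person"]},
    "inetOrgPerson": {"kind": "STRUCTURAL", "sup": ["organizationalPerson"]},
}

# objectClass values of a typical user entry in the 2.0 slapcat output
# (constructed for this example).
ENTRY_CLASSES = ["top", "person", "organizationalPerson",
                 "inetOrgPerson", "fw1person"]

KIND_RE = re.compile(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b")
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(\s*'([^']+)')")
SUP_RE = re.compile(r"\bSUP\s+(?:'([^']+)'|\(([^)]*)\)|(\w[\w-]*))")


def parse_objectclasses(text):
    """Return {name: {"kind", "sup", "explicit"}} for each objectclass in a
    slapd.conf-style schema file.  "explicit" records whether the kind was
    written down or silently defaulted to STRUCTURAL."""
    classes = {}
    for m in re.finditer(r"objectclass\s*\(", text, re.IGNORECASE):
        depth, i = 1, m.end()
        while depth and i < len(text):          # scan to the matching ')'
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        name = next(g for g in NAME_RE.search(body).groups() if g)
        kind = KIND_RE.search(body)
        sup = SUP_RE.search(body)
        sups = []
        if sup:
            raw = next(g for g in sup.groups() if g)
            sups = [s.strip().strip("'") for s in raw.split("$")]
        classes[name] = {"kind": kind.group(1) if kind else "STRUCTURAL",
                         "sup": sups, "explicit": kind is not None}
    return classes


def unmarked_classes(classes):
    """Classes that omitted the kind keyword: the ones to ask the vendor about."""
    return sorted(n for n, c in classes.items() if not c.get("explicit", True))


def ancestors(name, schema):
    """Transitive superiors of `name` (multiple SUPs are followed too)."""
    seen, stack = set(), list(schema.get(name, {}).get("sup", []))
    while stack:
        s = stack.pop()
        if s not in seen:
            seen.add(s)
            stack.extend(schema.get(s, {}).get("sup", []))
    return seen


def structural_chain(object_classes, schema):
    """Apply the rule slapd enforces: every STRUCTURAL class on an entry must
    lie on a single inheritance chain.  Unknown classes count as STRUCTURAL so
    a missing schema include shows up as well.  Returns (ok, message)."""
    structural = [oc for oc in object_classes
                  if schema.get(oc, {}).get("kind", "STRUCTURAL") == "STRUCTURAL"]
    for leaf in structural:
        anc = ancestors(leaf, schema)
        if all(o == leaf or o in anc for o in structural):
            return True, "structural class: " + leaf
    # No single leaf: report the classes nothing else derives from, in the
    # same "(a/b)" shape as the slapadd error in the subject line.
    tips = [oc for oc in structural
            if not any(oc in ancestors(o, schema) for o in structural if o != oc)]
    return False, "invalid structural object class chain (%s)" % "/".join(tips)


def check(schema_text, entry_classes=ENTRY_CLASSES):
    """Parse a vendor schema on top of the core classes and validate one entry."""
    classes = parse_objectclasses(schema_text)
    return structural_chain(entry_classes, {**CORE, **classes})


if __name__ == "__main__":
    for label, text in (("vendor", VENDOR_SCHEMA), ("fixed", FIXED_SCHEMA)):
        print(label, "unmarked:", unmarked_classes(parse_objectclasses(text)),
              "->", check(text))
```

Run `check()` on the real fw1ng.schema (with the full MAY lists) before re-running slapadd: the unmarked list tells you which vendor classes will be taken as STRUCTURAL, and the chain check shows whether the AUXILIARY edit is enough for the entries you are loading. Marking a class AUXILIARY changes what it can be attached to, which is why the reply still sends you back to the vendor; slapd itself (or slaptest, where your release ships it) remains the authoritative check.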