[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Issues migrating from openLDAP 2.0.27-11 to 2.3.43-12.el5_5.2

Thanks a lot for replying, it seems like removing OC: account from all users, and then adding it to Computers allows the import to work.

Now my last problem before going live is the Primary Group SID. Within my LDIF file they are all correct, but as soon as I run slapadd on the ldiff file, the User SID stays correct, but the Primary Group SID changes to the value of "net getlocalsid" on the server, I don't believe this is correct as my other samba/ldap setup uses the same Primary Group SID as what is in the LDIF file and works great (and is not the source of the LDIF file). This installation gives:

User jonny with invalid SID S-1-5-21-3318375643-2463009161-752822122-3028 in passdb

in the logs. Is this looking like an LDAP problem, or Samba? I've tried everything I could to get the Primary Group SID set correctly, smbpasswd has some flags to change it, but it looks like the newer version does not support these flags.

On Fri, Nov 19, 2010 at 4:50 AM, Emmanuel Lecharny <elecharny@gmail.com> wrote:
The Account OC directly inherits from Top, the InetOrgPerson OC has an inheriting hierarchy which is :
InetOrgPerson -> OragnizationalPerson -> Person -> Top

When defining an entry, you can't have two Structural OCs (Account and InetOrgPerson are Structural) defined at the same time.

It's a bit like if in Java you tries to define a class extending 2 classes. It's not allowed (somehow not the perfect metaphor, but it may help).

You have to either select one or the other OC for you entry, or if you need some of the AT present in both OC then define your own OC inheriting from either Account or InetOrgPerson OC, and add the missing ATs.

Hope it helps

PS : OC = OjectClass, AT = AttriuteType (for clarity)

On 11/17/10 9:05 PM, Chris Beach wrote:
I've purchased a new server to replace my current domain controller, one
issue I'm having is migrating LDAP from my old server to the new one, I've
worked out a lot of the problems I've had, but I'm not having any luck with
this one. Please keep in mind, I am not very knowledgeable with LDAP in
general, so I may have missed things more experienced people may not have.

I had two objectClasses that were conflicting: account and inetOrgPerson,
apparently in my old LDAP version it allowed this, but the new one was
giving errors ( (65) invalid structural object class chain
(inetOrgPerson/account)), so I simply removed all of the account
objectClasses to see what it would do, this did get rid of half the errors,
and all of my users now show up in LDAP, but I find now that all of my
ou=Computers are erroring out with:

slapadd: dn="uid=STCQA01$,ou=Computers,dc=pin,dc=com" (line=10425): (65) no
structural object class provided

I can only assume this is because I've removed the account object class from
the file, but if I add it back in I get:

slapadd: dn="uid=STCQA01$,ou=Computers,dc=pin,dc=com" (line=10426): (65)
invalid structural object class chain (inetOrgPerson/account)

Any suggestions on what I'm doing wrong here?

Here is my includes in slapd.conf:

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /usr/share/doc/samba-3.0.33/LDAP/samba.schema
include         /etc/openldap/schema/RADIUS-LDAPv3.schema

I really would appreciate any feedback, thanks!

Emmanuel Lécharny

Chris Beach
IT Analyst