
Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX



Could not add object cn=default,ou=Policies,dc=itelsib,dc=com
Message: Invalid syntax
Error code: 0x15 (LDAP_INVALID_SYNTAX)
Error description: An invalid attribute value was specified.

You can not use 
cn=default,ou=Policies,dc=itelsib,dc=com 

please try 
cn=ppolicy,ou=Policies,dc=itelsib,dc=com



-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of
openldap-technical-request@OpenLDAP.org
Sent: Thursday, January 13, 2011 6:00 PM
To: openldap-technical@openldap.org
Subject: openldap-technical Digest, Vol 38, Issue 12

Send openldap-technical mailing list submissions to
	openldap-technical@openldap.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://www.openldap.org/lists/mm/listinfo/openldap-technical
or, via email, send a message with subject or body 'help' to
	openldap-technical-request@openldap.org

You can reach the person managing the list at
	openldap-technical-owner@openldap.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of openldap-technical digest..."



Today's Topics:

   1. One root and two domain? (gael therond)
   2. Re: One root and two domain? (Pierangelo Masarati)
   3. Re: Evolution Contacts Schema (Peter L. Berghold)
   4. Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Konstantin Boyandin)
   5. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Quanah Gibson-Mount)
   6. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Konstantin Boyandin)
   7. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Chris Jacobs)
   8. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Konstantin Boyandin)
   9. LDAP and PAM: account is expired, but pam_ldap allows
      authentification (Konstantin Boyandin)
  10. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Chris Jacobs)
  11. Re: LDAP and PAM: account is expired,	but pam_ldap allows
      authentification (Indexer)
  12. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Howard Chu)
  13. Re: LDAP and PAM: account is expired,	but pam_ldap allows
      authentification (Howard Chu)
  14. Re: LDAP and PAM: account is expired,	but pam_ldap allows
      authentification (Chris Jacobs)
  15. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Howard Chu)
  16. Re: LDAP and PAM: account is expired,	but pam_ldap allows
      authentification (Howard Chu)
  17. Re: LDAP and PAM: account is expired,	but pam_ldap allows
      authentification (Indexer)
  18. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Dieter Kluenter)
  19. Re: LDAP and PAM: account is expired,	but pam_ldap allows
      authentification (Howard Chu)
  20. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Konstantin Boyandin)
  21. Re: LDAP and PAM: account is expired,	but pam_ldap allows
      authentification (Indexer)
  22. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Pierangelo Masarati)
  23. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Konstantin Boyandin)
  24. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Howard Chu)
  25. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Howard Chu)
  26. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Pierangelo Masarati)
  27. Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
      (Howard Chu)
  28. Re: Evolution Contacts Schema (Bjørn Ruberg)
  29. Re: Evolution Contacts Schema (Stefan Palme)
  30. Hello, how  (Alexey Shalin)


----------------------------------------------------------------------

Message: 1
Date: Wed, 12 Jan 2011 15:58:28 +0100
From: gael therond <gael.therond@gmail.com>
To: openldap-technical <openldap-technical@openldap.org>
Subject: One root and two domain?
Message-ID:
	<AANLkTinxG_W4QQA5-vA587CN1FtYLf7TTUUchNP1DfTh@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Is it possible to add a domain on an already existing root?

I got the following root for now:

dc=lab,dc=corp

and I want to create a second Top entry on my root which will be named
like this:

dc=prod,dc=corp

Is that possible?

I've tried the following syntax without success.

Racine.ldif:

#Racine
dn: dc=prod, dc=corp
ObjectClass: Top
ObjectClass: dcObject
ObjectClass: organization
o: prod.corp
dc: prod

#OU Groups
dn: ou=groups, dc=prod, dc=geka
ObjectClass: organizationalUnit
ObjectClass: top
ou: groups

#OU Users
dn: ou=users, dc=prod, dc=geka
ObjectClass: organizationalUnit
ObjectClass: top
ou: users

And then I've done the usual LdapADD command, but with the following
error returned:

ldap_add: Server is unwilling to perform (53)
Additional info: No global Superior Knowledge.

Well, my guess is that I didn't configure slapd correctly, because my
default root is lab.corp instead of the TLD .corp.
Is that theory right?

Many thanks

------------------------------

Message: 2
Date: Wed, 12 Jan 2011 16:15:33 +0100
From: Pierangelo Masarati <masarati@aero.polimi.it>
To: gael therond <gael.therond@gmail.com>
Cc: openldap-technical <openldap-technical@openldap.org>
Subject: Re: One root and two domain?
Message-ID: <4D2DC595.4030906@aero.polimi.it>
Content-Type: text/plain; charset=UTF-8; format=flowed

gael therond wrote:
> Is it possible to add a domain on an already existing root?
> 
> I got the following root for now:
> 
> dc=lab,dc=corp
> 
> and I want to create a second Top entry on my root which will be named
> like this:
> 
> dc=prod,dc=corp
> 
> Is that possible?

It is possible, but it might not be desirable.  In principle, you need 
to define "dc=prod, dc=corp" as an additional suffix for the database, 
something like

<existing>
database <type>
#...
suffix "dc=lab,dc=corp"
</existing>

<new1>
database <type>
#...
suffix "dc=lab,dc=corp"
suffix "dc=prod,dc=corp"
</new1>

However, as far as I remember, back-bdb and back-hdb only support this 
when compiled with a special #define, and at some performance cost.  A 
more straightforward solution would be to define

<new1>
database <type>
#...
suffix "dc=corp"
</new1>

and then add "dc=corp" as the root entry, and "dc=lab,dc=corp" and 
"dc=prod,dc=corp" as regular children entries of it.

> 
> I've tried the following syntax without success.
> 
> Racine.ldif:
> 
> #Racine
> dn: dc=prod, dc=corp
> ObjectClass: Top
> ObjectClass: dcObject
> ObjectClass: organization
> o: prod.corp
> dc: prod
> 
> #OU Groups
> dn: ou=groups, dc=prod, dc=geka
> ObjectClass: organizationalUnit
> ObjectClass: top
> ou: groups
> 
> #OU Users
> dn: ou=users, dc=prod, dc=geka
> ObjectClass: organizationalUnit
> ObjectClass: top
> ou: users
> 
> And then I've done the usual LdapADD command, but with the following
> error returned:
> 
> ldap_add: Server is unwilling to perform (53)
> Additional info: No global Superior Knowledge.
> 
> Well, my guess is that I didn't configure slapd correctly, because my
> default root is lab.corp instead of the TLD .corp.
> Is that theory right?

It is not clear from the message what entry failed.  I assume it was 
"dc=prod,dc=corp" because it is not within the database's naming 
context.  However the subsequent entries would be incorrect as well, 
because "dc=geka" is not within the "dc=corp" naming context.

p.
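
Pierangelo's diagnosis above (an entry can only be added below a suffix the database serves) can be checked against an LDIF before it is sent to slapd. The following Python script is an added example, not code from the thread or from the OpenLDAP project: it normalises each `dn:` in the LDIF (whitespace after commas, case) and reports the entries that lie outside every configured suffix, first for the poster's existing `dc=lab,dc=corp` and then for the proposed `dc=corp`. The suffix lists and the LDIF text are constructed from the thread; the function names are the example's own.

```python
import re

# Constructed sample input: the suffix the poster already has, the suffix
# Pierangelo proposes, and the DNs from Racine.ldif as posted.
EXISTING_SUFFIXES = ["dc=lab,dc=corp"]
PROPOSED_SUFFIXES = ["dc=corp"]
RACINE_LDIF = """#Racine
dn: dc=prod, dc=corp
objectClass: top
objectClass: dcObject
objectClass: organization
o: prod.corp
dc: prod

#OU Groups
dn: ou=groups, dc=prod, dc=geka
objectClass: organizationalUnit
objectClass: top
ou: groups

#OU Users
dn: ou=users, dc=prod, dc=geka
objectClass: organizationalUnit
objectClass: top
ou: users
"""


def normalize_dn(dn):
    """Canonical form for comparison: split on unescaped commas, strip the
    whitespace around each RDN and lower-case. Lower-casing the values is
    acceptable here because dc, ou and cn all use case-insensitive matching
    rules; it would not be for a case-exact attribute."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdn.strip().lower() for rdn in rdns)


def within_suffix(dn, suffix):
    """True when dn equals the suffix or sits somewhere below it."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return d == s or d.endswith("," + s)


def entries_outside(ldif_text, suffixes):
    """DNs in the LDIF that no configured suffix is a superior of. slapd has
    no database to route such an add to, which is the 'unwilling to perform'
    / 'No global Superior Knowledge' result quoted in the thread."""
    dns = re.findall(r"^dn:[ \t]*(.+?)[ \t]*$", ldif_text, re.MULTILINE)
    return [dn for dn in dns if not any(within_suffix(dn, s) for s in suffixes)]


if __name__ == "__main__":
    for label, suffixes in (("existing", EXISTING_SUFFIXES),
                            ("proposed", PROPOSED_SUFFIXES)):
        outside = entries_outside(RACINE_LDIF, suffixes)
        print(f"{label} suffix {suffixes}: entries outside -> {outside}")
```

With the existing suffix all three entries are outside; with `dc=corp` only the two `dc=geka` entries remain outside, which is exactly the second problem Pierangelo points out.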


------------------------------

Message: 3
Date: Wed, 12 Jan 2011 17:14:27 -0500
From: "Peter L. Berghold" <peter@berghold.net>
To: Stefan Palme <kleiner@hora-obscura.de>
Cc: openldap-technical@openldap.org
Subject: Re: Evolution Contacts Schema
Message-ID: <1294870467.30360.51.camel@kennel>
Content-Type: text/plain; charset="UTF-8"

On
> There you will find the schema definition file for LDAP in
> addressbook/backends/ldap/evolutionperson.schema
> 
> -

Thank you Stefan. 

Now the trouble I'm having (now that the schema is set) is when I
attempt to add an entry from Evolution I get "error: other" which
doesn't tell much. 

From the phpLDAPAdmin tool I get the error

Could not perform ldap_modify operation.
LDAP said:
Cannot modify object class
Error number:
0x45 (LDAP_NO_OBJECT_CLASS_MODS)
Description:
ObjectClass modifications are not
allowed.

This is not an error I've run across before. Is there an ACL I need to
tweak?  

I can't imagine I'm blazing uncharted territory...  somebody has had to
have gotten this to work before...

-- 
Peter L. Berghold <peter@berghold.net>



------------------------------

Message: 4
Date: Thu, 13 Jan 2011 11:42:29 +0600
From: Konstantin Boyandin <temmokan@gmail.com>
To: openldap-technical@openldap.org
Subject: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <4D2E90C5.9080707@gmail.com>
Content-Type: text/plain; charset=UTF-8

Hello,

OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit.

In order to enable ppolicy overlay, I am trying to create the relevant
entries, as specified in

http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies

I import two LDIFs, first:

dn: ou=Policies,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Policies

and second

dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: top
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 2
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value

The first loads OK.
When I try to import the second, I receive these diagnostics:

Could not add object cn=default,ou=Policies,dc=itelsib,dc=com
Message: Invalid syntax
Error code: 0x15 (LDAP_INVALID_SYNTAX)
Error description: An invalid attribute value was specified.

Could someone suggest what's wrong with the attribute name?

The ppolicy.schema is specified in /etc/slapd.conf.

Thanks.
Sincerely,
Konstantin


------------------------------

Message: 5
Date: Wed, 12 Jan 2011 21:55:15 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Konstantin Boyandin <temmokan@gmail.com>,
	openldap-technical@openldap.org
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <581FB9A12F3D947263DFFEA7@quanah-mac.local>
Content-Type: text/plain; charset=us-ascii; format=flowed



--On January 13, 2011 11:42:29 AM +0600 Konstantin Boyandin 
<temmokan@gmail.com> wrote:

> Hello,
>
> OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit.
>
> In order to enable ppolicy overlay, I am trying to create the relevant
> entries, as specified in
>
> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies

I would suggest you compare the version you are running (2.3) with the
version that the document you are reading uses (2.4).  There is an
obvious difference there, and it is a major one.  I suggest you run a
current supported release of OpenLDAP that matches the documentation you
are using.

--Quanah


-- 
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration



------------------------------

Message: 6
Date: Thu, 13 Jan 2011 12:38:54 +0600
From: Konstantin Boyandin <temmokan@gmail.com>
To: Quanah Gibson-Mount <quanah@zimbra.com>
Cc: openldap-technical@openldap.org
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <4D2E9DFE.4000301@gmail.com>
Content-Type: text/plain; charset=UTF-8

13.01.2011 11:55, Quanah Gibson-Mount wrote:
> 
> 
> --On January 13, 2011 11:42:29 AM +0600 Konstantin Boyandin
> <temmokan@gmail.com> wrote:
> 
>> Hello,
>>
>> OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit.
>>
>> In order to enable ppolicy overlay, I am trying to create the relevant
>> entries, as specified in
>>
>> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
> 
> I would suggest you compare the version you are running (2.3) with the
> version that the document you are reading uses (2.4).  There is an
> obvious difference there, and it is a major one.  I suggest you run a
> current supported release of OpenLDAP that matches the documentation
> you are using.

Thanks. I opened the 2.3 admin link instead:
http://www.openldap.org/doc/admin23/
and it has no overlays section at all. That's weird, since I am using
the replication feature and there's a directive

overlay syncprov

in /etc/openldap/slapd.conf

How can I find the reasons for the 'Invalid syntax' error in such a
situation?
Thanks.


------------------------------

Message: 7
Date: Wed, 12 Jan 2011 23:59:17 -0700
From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
To: "'temmokan@gmail.com'" <temmokan@gmail.com>, "'quanah@zimbra.com'"
	<quanah@zimbra.com>
Cc: "'openldap-technical@openldap.org'"
	<openldap-technical@openldap.org>
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID:
	
<6C447584419BFE4E83D46E88F81314864850E59590@EXCH07-05.apollogrp.edu>
Content-Type: text/plain; charset="utf-8"

That appears to be the point.

See:
http://www.openldap.org/software/man.cgi?query=ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.3-Release&format=html
... No results.

Also look for the ppolicy in:
http://www.openldap.org/doc/admin23/schema.html#Distributed%20Schema%20Files
... It's not there.

Where did you get the schema and the libraries necessary?

FWIW: the password policy and MUCH more reliable syncing between servers
is why we upgraded in my shop (turned off the old 2.3 master last week
after finally overcoming last hurdles: solaris and use by other custom
systems.)

- chris

Chris Jacobs, Systems Administrator
Apollo Group  |  Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email:  chris.jacobs@apollogrp.edu



This message is private and confidential. If you have received it in
error, please notify the sender and remove it from your system.



------------------------------

Message: 8
Date: Thu, 13 Jan 2011 13:11:17 +0600
From: Konstantin Boyandin <temmokan@gmail.com>
To: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
Cc: "'openldap-technical@openldap.org'"
	<openldap-technical@openldap.org>
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <4D2EA595.30408@gmail.com>
Content-Type: text/plain; charset=UTF-8

13.01.2011 12:59, Chris Jacobs wrote:
> That appears to be the point.
> 
> See:
> http://www.openldap.org/software/man.cgi?query=ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.3-Release&format=html
> ... No results.
> 
> Also look for the ppolicy in:
> http://www.openldap.org/doc/admin23/schema.html#Distributed%20Schema%20Files
> ... It's not there.
> 
> Where did you get the schema and the libraries necessary?

The ppolicy schema is provided by
openldap-servers-2.3.43-12.el5_5.3.x86_64 RPM.

The overlays are provided by
openldap-servers-overlays-2.3.43-12.el5_5.3 RPM.

The directives

modulepath /usr/lib64/openldap
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"

do not cause slaptest's protests.

> FWIW: the password policy and MUCH more reliable syncing between
> servers is why we upgraded in my shop (turned off the old 2.3 master
> last week after finally overcoming last hurdles: solaris and use by
> other custom systems.)

The 2.3.* is the current version available from CentOS standard
repositories.

Switching to 2.4.* (welcome, endless sequences of configure/make/make
install) will only be the last resort if anything else fails. So far,
the mentioned OpenLDAP works fine on both master and slave servers.

So, returning to the original question, is it possible to find why
adding a dn fails? What's wrong with the syntax?

Sincerely,
Konstantin




------------------------------

Message: 9
Date: Thu, 13 Jan 2011 13:15:34 +0600
From: Konstantin Boyandin <temmokan@gmail.com>
To: openldap-technical@openldap.org
Subject: LDAP and PAM: account is expired, but pam_ldap allows
	authentification
Message-ID: <4D2EA696.4020705@gmail.com>
Content-Type: text/plain; charset=UTF-8

Hello,

Could someone direct me to the source of wisdom to solve this: I have
set correctly the fields (attributes)

shadowExpire
shadowLastChange
shadowMin
shadowMax

to make the account expired (OpenLDAP used to run NT domain), but when I
ssh to a server using pam_ldap authentication, it is still allowed to
log in.

How should pam_ldap be instructed to take the expiration attributes into
account?

Thanks.
Sincerely,
Konstantin


------------------------------

Message: 10
Date: Thu, 13 Jan 2011 00:19:56 -0700
From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
To: "'temmokan@gmail.com'" <temmokan@gmail.com>
Cc: "'openldap-technical@openldap.org'"
	<openldap-technical@openldap.org>
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID:
	
<6C447584419BFE4E83D46E88F81314864850E59591@EXCH07-05.apollogrp.edu>
Content-Type: text/plain; charset="utf-8"

Perhaps try man slapo_ppolicy - it should hopefully provide the limits
and acceptable values and compare with your ldif to find the cause of
"Error description: An invalid attribute value was specified."

Alternative: reduce the number of attributes (divide and conquer) to
find the culprit.

Perhaps also check the schema file for the limits or acceptable values.

- chris

Chris Jacobs, Systems Administrator
Apollo Group  |  Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email:  chris.jacobs@apollogrp.edu

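
Chris's two suggestions above (read the limits off the schema, then divide and conquer) can be prepared offline before touching the server. The following Python script is an added example, not code from the thread or from the OpenLDAP project. It parses the pwdPolicy entry from the original post, checks every pwd* value against the syntax that ppolicy.schema declares for the attribute (Boolean, Integer or OID, with the value grammars of RFC 4517), and then emits the divide-and-conquer sequence: one add carrying only the mandatory attributes, followed by one modify per optional attribute, so that whichever operation slapd rejects names the attribute at fault. The attribute-to-syntax table is transcribed from ppolicy.schema; the second sample entry, with `pwdLockout: yes` and `pwdMaxAge: 090`, is constructed to show what a detected violation looks like. A local check of this kind cannot settle everything the server checks (for instance whether a given build accepts a descriptor such as `userPassword` where the schema declares the OID syntax), which is why the per-attribute sequence is still worth running.

```python
import re

# Attribute -> syntax, as declared for each attributeType in OpenLDAP's
# ppolicy.schema (shipped with the openldap-servers package).
PPOLICY_SYNTAX = {
    "pwdAttribute": "oid",
    "pwdMinAge": "integer",
    "pwdMaxAge": "integer",
    "pwdInHistory": "integer",
    "pwdCheckQuality": "integer",
    "pwdMinLength": "integer",
    "pwdExpireWarning": "integer",
    "pwdGraceAuthNLimit": "integer",
    "pwdLockoutDuration": "integer",
    "pwdMaxFailure": "integer",
    "pwdFailureCountInterval": "integer",
    "pwdLockout": "boolean",
    "pwdMustChange": "boolean",
    "pwdAllowUserChange": "boolean",
    "pwdSafeModify": "boolean",
}

# Value grammars from RFC 4517: Boolean is exactly TRUE or FALSE (upper
# case), Integer allows no leading zeros, OID is a numericoid or a descr.
SYNTAX_RE = {
    "boolean": re.compile(r"^(TRUE|FALSE)$"),
    "integer": re.compile(r"^(0|-?[1-9][0-9]*)$"),
    "oid": re.compile(r"^([0-9]+(\.[0-9]+)+|[A-Za-z][A-Za-z0-9-]*)$"),
}

# Constructed sample: the entry from the original post, dc=example form.
GOOD_LDIF = """dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: top
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 2
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
"""

# Constructed variant with two values that violate the declared syntaxes.
BAD_LDIF = (GOOD_LDIF.replace("pwdLockout: TRUE", "pwdLockout: yes")
                     .replace("pwdMaxAge: 7776000", "pwdMaxAge: 090"))


def parse_ldif_entry(text):
    """Parse a single LDIF entry into (dn, [(attr, value), ...]). Handles
    '#' comments and folded lines (continuation starts with a space);
    base64 ('::') values are not decoded, they are not needed here."""
    lines = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    dn, attrs = None, []
    for line in lines:
        name, _, value = line.partition(":")
        if name == "dn":
            dn = value.strip()
        else:
            attrs.append((name.strip(), value.strip()))
    return dn, attrs


def check_values(attrs):
    """Return [(attr, value, reason)] for every value that does not match
    the syntax ppolicy.schema declares for its attribute."""
    problems = []
    for name, value in attrs:
        syntax = PPOLICY_SYNTAX.get(name)
        if syntax and not SYNTAX_RE[syntax].match(value):
            problems.append((name, value, f"not a valid {syntax}"))
    return problems


def split_for_bisect(dn, attrs, core=("objectClass", "cn", "sn", "pwdAttribute")):
    """Divide and conquer: first an add with only the mandatory attributes
    (RDN, object classes, sn for person, pwdAttribute for pwdPolicy), then
    one modify per remaining attribute, so a rejection isolates one value."""
    core_attrs = [(n, v) for n, v in attrs if n in core]
    steps = ["\n".join([f"dn: {dn}", "changetype: add"]
                       + [f"{n}: {v}" for n, v in core_attrs]) + "\n"]
    for n, v in attrs:
        if n not in core:
            steps.append(f"dn: {dn}\nchangetype: modify\nadd: {n}\n{n}: {v}\n")
    return steps


if __name__ == "__main__":
    for label, text in (("posted entry", GOOD_LDIF), ("constructed bad entry", BAD_LDIF)):
        dn, attrs = parse_ldif_entry(text)
        print(f"{label}: {check_values(attrs) or 'no local syntax violations'}")
    dn, attrs = parse_ldif_entry(GOOD_LDIF)
    print("\n\n".join(split_for_bisect(dn, attrs)))
```

The posted entry passes the local check, so the per-attribute modify sequence is the next step: feed each step to ldapmodify in turn and the first "Invalid syntax" answer identifies the attribute.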



------------------------------

Message: 11
Date: Thu, 13 Jan 2011 17:52:50 +1030
From: Indexer <indexer@internode.on.net>
To: Konstantin Boyandin <temmokan@gmail.com>
Cc: openldap-technical@openldap.org
Subject: Re: LDAP and PAM: account is expired,	but pam_ldap allows
	authentification
Message-ID: <B2349AC3-160C-4962-9534-4E7BEB5B179D@internode.on.net>
Content-Type: text/plain; charset=us-ascii



On 13/01/2011, at 17:45, Konstantin Boyandin wrote:

> Hello,
> 
> Could someone direct me to the source of wisdom to solve this: I have
> set correctly the fields (attributes)
> 
> shadowExpire
> shadowLastChange
> shadowMin
> shadowMax
> 
> to make the account expired (OpenLDAP used to run NT domain), but when I
> ssh to a server using pam_ldap authentication, it is still allowed to
> log in.
> 
> How should pam_ldap be instructed to take the expiration attributes into
> account?

Isn't this handled via nsswitch? Can you show us your /etc/nsswitch.conf,
and your /etc/ldap.conf (not your /etc/openldap/ldap.conf)?

> 
> Thanks.
> Sincerely,
> Konstantin

William Brown

pgp.mit.edu





------------------------------

Message: 12
Date: Wed, 12 Jan 2011 23:29:30 -0800
From: Howard Chu <hyc@symas.com>
To: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
Cc: "'temmokan@gmail.com'" <temmokan@gmail.com>,
"'quanah@zimbra.com'"
	<quanah@zimbra.com>,	"'openldap-technical@openldap.org'"
	<openldap-technical@openldap.org>
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <4D2EA9DA.3070800@symas.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Chris Jacobs wrote:
> That appears to be the point.
>
> See:
> http://www.openldap.org/software/man.cgi?query=ppolicy&apropos=0&sektion=0&manpath=OpenLDAP+2.3-Release&format=html
> ... No results.

Sounds like the search index is out of date. Still, all you have to do
is go here

http://www.openldap.org/software/man.cgi?query=(5)&sektion=&apropos=1&manpath=OpenLDAP+2.3-Release&title=Section


and the manpage is there:

http://www.openldap.org/software/man.cgi?query=slapo-ppolicy&sektion=5&apropos=0&manpath=OpenLDAP+2.3-Release

But better yet, just type "man 5 slapo-ppolicy" on your machine. Why
people waste time searching the web when everything is on their local
machine still boggles my mind.

> Also look for the ppolicy in:
> http://www.openldap.org/doc/admin23/schema.html#Distributed%20Schema%20Files
> ... It's not there.

The Admin Guide was never intended to be an exhaustive reference - it is
after all only a "guide". Every software component is documented in
manpages. The manpages should always be the first place you look, not the
Guide, and not the web.

> Where did you get the schema and the libraries necessary?
>
> FWIW: the password policy and MUCH more reliable syncing between
> servers is why we upgraded in my shop (turned off the old 2.3 master
> last week after finally overcoming last hurdles: solaris and use by
> other custom systems.)


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


------------------------------

Message: 13
Date: Wed, 12 Jan 2011 23:30:56 -0800
From: Howard Chu <hyc@symas.com>
To: Konstantin Boyandin <temmokan@gmail.com>
Cc: openldap-technical@openldap.org
Subject: Re: LDAP and PAM: account is expired,	but pam_ldap allows
	authentification
Message-ID: <4D2EAA30.7010107@symas.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Konstantin Boyandin wrote:
> Hello,
>
> Could someone direct me to the source of wisdom to solve this: I have
> set correctly the fields (attributes)
>
> shadowExpire
> shadowLastChange
> shadowMin
> shadowMax
>
> to make the account expired (OpenLDAP used to run NT domain), but when I
> ssh to a server using pam_ldap authentication, it is still allowed to
> log in.
>
> How should pam_ldap be instructed to take the expiration attributes into
> account?

Ask on a pam_ldap mailing list. pam_ldap is not a piece of OpenLDAP
software; your question is off topic here.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


------------------------------

Message: 14
Date: Thu, 13 Jan 2011 00:38:43 -0700
From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
To: "'indexer@internode.on.net'" <indexer@internode.on.net>,
	"'temmokan@gmail.com'" <temmokan@gmail.com>
Cc: "'openldap-technical@openldap.org'"
	<openldap-technical@openldap.org>
Subject: Re: LDAP and PAM: account is expired,	but pam_ldap allows
	authentification
Message-ID:
	
<6C447584419BFE4E83D46E88F81314864850E59592@EXCH07-05.apollogrp.edu>
Content-Type: text/plain; charset="iso-8859-1"

I was thinking along the same lines:
* is pam_password exop in your /etc/ldap.conf?
* And passwd entry for nsswitch contains ldap?
* Ditto for /etc/pam.d/system-auth-ac?

- chris

Chris Jacobs, Systems Administrator
Apollo Group  |  Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email:  chris.jacobs@apollogrp.edu

----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org
<openldap-technical-bounces@OpenLDAP.org>
To: Konstantin Boyandin <temmokan@gmail.com>
Cc: openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Thu Jan 13 00:22:50 2011
Subject: Re: LDAP and PAM: account is expired, but pam_ldap allows authentication

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


On 13/01/2011, at 17:45, Konstantin Boyandin wrote:

> Hello,
>
> Could someone direct me to the source of wisdom to solve this: I have
> set correctly the fields (attributes)
>
> shadowExpire
> shadowLastChange
> shadowMin
> shadowMax
>
> to make the account expired (OpenLDAP used to run NT domain), but when I
> ssh to a server using pam_ldap authentication, it is still allowed to log in.
>
> How should pam_ldap be instructed to take the expiration attributes into
> account?

Isn't this handled via nsswitch? Can you show us your /etc/nsswitch.conf,
and your /etc/ldap.conf (not your /etc/openldap/ldap.conf)?

>
> Thanks.
> Sincerely,
> Konstantin

William Brown

pgp.mit.edu







------------------------------

Message: 15
Date: Wed, 12 Jan 2011 23:39:36 -0800
From: Howard Chu <hyc@symas.com>
To: Konstantin Boyandin <temmokan@gmail.com>
Cc: openldap-technical@openldap.org
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <4D2EAC38.9040303@symas.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Konstantin Boyandin wrote:
> Hello,
>
> OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit.
>
> In order to enable ppolicy overlay, I am trying to create the relevant
> entries, as specified in
>
> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
>
> I import two LDIFs, first:
>
> dn: ou=Policies,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: Policies
>
> and second
>
> dn: cn=default,ou=Policies,dc=example,dc=com
> cn: default
> objectClass: top
> objectClass: pwdPolicy
> objectClass: person
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword
> pwdCheckQuality: 2
> pwdExpireWarning: 600
> pwdFailureCountInterval: 30
> pwdGraceAuthNLimit: 2
> pwdInHistory: 5
> pwdLockout: TRUE
> pwdLockoutDuration: 0
> pwdMaxAge: 7776000
> pwdMaxFailure: 5
> pwdMinAge: 0
> pwdMinLength: 5
> pwdMustChange: FALSE
> pwdSafeModify: FALSE
> sn: dummy value
>
> The first loads OK.
> When I try to import the second, I receive this diagnostics:
>
> Could not add object cn=default,ou=Policies,dc=itelsib,dc=com
> Message: Invalid syntax
> Error code: 0x15 (LDAP_INVALID_SYNTAX)
> Error description: An invalid attribute value was specified.
>
> Could someone suggest what's wrong with the attribute name?

OpenLDAP never produces the text you provided above. It seems you're using
some other LDAP tool to do this import, and it is not showing you the actual
error message sent from the server. OpenLDAP slapd will always identify the
actual attribute and value that causes an error. I suggest you try importing
this entry with OpenLDAP's ldapadd and examine the error message from there.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


------------------------------

Message: 16
Date: Wed, 12 Jan 2011 23:43:15 -0800
From: Howard Chu <hyc@symas.com>
To: Indexer <indexer@internode.on.net>
Cc: Konstantin Boyandin <temmokan@gmail.com>,
	openldap-technical@openldap.org
Subject: Re: LDAP and PAM: account is expired, but pam_ldap allows authentication
Message-ID: <4D2EAD13.8070309@symas.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Indexer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> On 13/01/2011, at 17:45, Konstantin Boyandin wrote:
>
>> Hello,
>>
>> Could someone direct me to the source of wisdom to solve this: I have
>> set correctly the fields (attributes)
>>
>> shadowExpire
>> shadowLastChange
>> shadowMin
>> shadowMax
>>
>> to make the account expired (OpenLDAP used to run NT domain), but when I
>> ssh to a server using pam_ldap authentication, it is still allowed to log in.
>>
>> How should pam_ldap be instructed to take the expiration attributes into
>> account?
>
> Isn't this handled via nsswitch? Can you show us your
> /etc/nsswitch.conf, and your /etc/ldap.conf (not your
> /etc/openldap/ldap.conf)?

As a reminder - the OpenLDAP-technical list is for the discussion of actual
OpenLDAP software, as well as how to make other software interoperate with it.
Questions that are purely about how to make 3rd party software "foo" work at
all do not belong on this list.

There is no evidence that the original poster is having any trouble using
OpenLDAP. His question is entirely about making 3rd party software work, and
those questions belong on the support forums for those 3rd party software
packages.
-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


------------------------------

Message: 17
Date: Thu, 13 Jan 2011 18:20:38 +1030
From: Indexer <indexer@internode.on.net>
To: Howard Chu <hyc@symas.com>
Cc: Konstantin Boyandin <temmokan@gmail.com>,
	openldap-technical@openldap.org
Subject: Re: LDAP and PAM: account is expired, but pam_ldap allows authentication
Message-ID: <9B2F47BA-3714-4255-B803-88FDE6137A87@internode.on.net>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


>>>
>>> shadowExpire
>>> shadowLastChange
>>> shadowMin
>>> shadowMax
>>>
>>> to make the account expired (OpenLDAP used to run NT domain), but when I
>>> ssh to a server using pam_ldap authentication, it is still allowed to log in.

This looks to be a question where the user does not know what is
responsible for the issue he is seeing, but it does relate to his attempt
to use OpenLDAP. He is correct in asking here, and helpfully pointing
him in the correct direction is the right course of action, rather than
saying "you are wrong to ask this here". This problem may, to him, have
been related to missing elements from his user objects (which would have
been OpenLDAP) or to anything else.

Also you said

> 
> As a reminder - the OpenLDAP-technical list is for the discussion of
> actual OpenLDAP software, as well as how to make other software
> interoperate with it. Questions that are purely about how to use 3rd
> party software "foo" work at all do not belong on this list.
> 

This counts as "other software interoperate with it" from where I am
sitting. I have seen many questions like this, and I think it should be
something we answer, pointing people in the correct direction, rather
than saying "you'll get no help here".

So instead of going to a doctor to be referred to a specialist, you will
go straight to a specialist without knowing what your problem is? Makes
complete sense.

> -- 
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/

William Brown

pgp.mit.edu





------------------------------

Message: 18
Date: Thu, 13 Jan 2011 08:56:03 +0100
From: Dieter Kluenter <dieter@dkluenter.de>
To: openldap-technical@openldap.org
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <20110113085603.52ef8805@rubin.avci.de>
Content-Type: text/plain; charset=UTF-8

Am Thu, 13 Jan 2011 11:42:29 +0600
schrieb Konstantin Boyandin <temmokan@gmail.com>:

> Hello,
> 
> OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit.
> 
> In order to enable ppolicy overlay, I am trying to create the relevant
> entries, as specified in
> 
> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
> 
> I import two LDIFs, first:
> 
> dn: ou=Policies,dc=example,dc=com
> objectClass: organizationalUnit
> objectClass: top
> ou: Policies
> 
> and second
> 
> dn: cn=default,ou=Policies,dc=example,dc=com
> cn: default
> objectClass: top
> objectClass: pwdPolicy
> objectClass: person
> pwdAllowUserChange: TRUE
> pwdAttribute: userPassword

the OID of userPassword is required
pwdAttribute: 2.5.4.35

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E


------------------------------

Message: 19
Date: Wed, 12 Jan 2011 23:59:56 -0800
From: Howard Chu <hyc@symas.com>
To: Indexer <indexer@internode.on.net>
Cc: Konstantin Boyandin <temmokan@gmail.com>,
	openldap-technical@openldap.org
Subject: Re: LDAP and PAM: account is expired, but pam_ldap allows authentication
Message-ID: <4D2EB0FC.90807@symas.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

Indexer wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
>>>>
>>>> shadowExpire
>>>> shadowLastChange
>>>> shadowMin
>>>> shadowMax
>>>>
>>>> to make the account expired (OpenLDAP used to run NT domain), but when I
>>>> ssh to a server using pam_ldap authentication, it is still allowed to log in.
>
> This looks to be a question where the user does not know what is
> responsible for the issue he is seeing, but it does relate to his attempt
> to use OpenLDAP. He is correct in asking here, and helpfully pointing
> him in the correct direction is the right course of action, rather than
> saying "you are wrong to ask this here". This problem may, to him, have
> been related to missing elements from his user objects (which would have
> been OpenLDAP) or to anything else.

Pointing him to pam_ldap was the correct action.

> Also you said

>> As a reminder - the OpenLDAP-technical list is for the discussion of
>> actual OpenLDAP software, as well as how to make other software
>> interoperate with it. Questions that are purely about how to use 3rd
>> party software "foo" work at all do not belong on this list.

> This counts as "other software interoperate with it." from where I am
> sitting. I have seen many questions like this, and I think it should be
> something we answer and point people in the correct direction of rather
> than saying "you'll get no help here"
>
> So instead of going to a doctor to be referred to a specialist, you
> will go straight to a specialist without knowing what your problem is?
> makes complete sense.

It was obvious that he was not asking "why doesn't my pam_ldap talk to my
OpenLDAP server."

Missing elements from the user objects is a *data* problem, not an
interoperability problem. He would have the same issue whether the server was
OpenLDAP, Oracle, or M$AD. It has nothing to do with OpenLDAP, and a careful
reader would have known all of this. If you're not reading carefully, you
should not be responding to the posts.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


------------------------------

Message: 20
Date: Thu, 13 Jan 2011 14:11:58 +0600
From: Konstantin Boyandin <temmokan@gmail.com>
To: Howard Chu <hyc@symas.com>
Cc: openldap-technical@openldap.org
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <4D2EB3CE.9020808@gmail.com>
Content-Type: text/plain; charset=UTF-8

13.01.2011 13:39, Howard Chu writes:
> Konstantin Boyandin wrote:
>> Hello,
>>
>> OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit.
>>
>> In order to enable ppolicy overlay, I am trying to create the relevant
>> entries, as specified in
>>
>> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
>>
>> I import two LDIFs, first:
>>
>> dn: ou=Policies,dc=example,dc=com
>> objectClass: organizationalUnit
>> objectClass: top
>> ou: Policies
>>
>> and second
>>
>> dn: cn=default,ou=Policies,dc=example,dc=com
>> cn: default
>> objectClass: top
>> objectClass: pwdPolicy
>> objectClass: person
>> pwdAllowUserChange: TRUE
>> pwdAttribute: userPassword
>> pwdCheckQuality: 2
>> pwdExpireWarning: 600
>> pwdFailureCountInterval: 30
>> pwdGraceAuthNLimit: 2
>> pwdInHistory: 5
>> pwdLockout: TRUE
>> pwdLockoutDuration: 0
>> pwdMaxAge: 7776000
>> pwdMaxFailure: 5
>> pwdMinAge: 0
>> pwdMinLength: 5
>> pwdMustChange: FALSE
>> pwdSafeModify: FALSE
>> sn: dummy value
>>
>> The first loads OK.
>> When I try to import the second, I receive this diagnostics:
>>
>> Could not add object cn=default,ou=Policies,dc=itelsib,dc=com
>> Message: Invalid syntax
>> Error code: 0x15 (LDAP_INVALID_SYNTAX)
>> Error description: An invalid attribute value was specified.
>>
>> Could someone suggest what's wrong with the attribute name?
> 
> OpenLDAP never produces the text you provided above. It seems you're
> using some other LDAP tool to do this import, and it is not showing you
> the actual error message sent from the server. OpenLDAP slapd will
> always identify the actual attribute and value that causes an error. I
> suggest you try importing this entry with OpenLDAP's ldapadd and examine
> the error message from there.

I tried importing with slapadd. The output:

str2entry: invalid value for attributeType pwdAttribute #0 (syntax
1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=22)

The error above refers to the allowed value of pwdAttribute, which can
only be userPassword now.

The problem is the value for this attribute in LDIF *is* userPassword,
as in the cited sample. I checked the LDIF - no 'invisible' characters
around the value.

JFYI, I checked the values for the attributes using man page. This, and
other references provided with packages is where I look first prior to
asking on the Net.


------------------------------

Message: 21
Date: Thu, 13 Jan 2011 18:43:11 +1030
From: Indexer <indexer@internode.on.net>
To: Howard Chu <hyc@symas.com>
Cc: Konstantin Boyandin <temmokan@gmail.com>,
	openldap-technical@openldap.org
Subject: Re: LDAP and PAM: account is expired, but pam_ldap allows authentication
Message-ID: <AD7A5ADF-C7C7-4594-BFD3-734A249D2FB9@internode.on.net>
Content-Type: text/plain; charset=us-ascii

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>
> It was obvious that he was not asking "why doesn't my pam_ldap talk to
> my OpenLDAP server."
>
> Missing elements from the user objects is a *data* problem, it is not
> an interoperability problem. He would have the same issue whether the
> server was OpenLDAP, Oracle, or M$AD. It has nothing to do with
> OpenLDAP, and a careful reader would have known all of this. If you're
> not reading carefully, you should not be responding to the posts.

In fact, it wouldn't matter if the backend was M$AD or not. You can still
use the OpenLDAP client libraries to talk to AD. It is thus still an
OpenLDAP-related question, where the user does not know where to look
from here; he personally did not know that it was NOT the fault of
OpenLDAP or pam_ldap but rather of nsswitch.

The fact of the matter is that not everyone knows everything, or they
may have missed something in research etc. It is hard to find a man
page if you don't know what you are looking for. Google also is not
perfect. This person did not know about nsswitch and its requirement,
merely believing that the key parts of this issue were either OpenLDAP
or pam_ldap. We have more experience, and know this is not the case. He
did not. He asked where he thought the most experience would be, here,
and rightly so as well, since we were able to tell him "look at
nsswitch, rather than OpenLDAP or pam_ldap".

This comes down far more to what he was asking about (and his limited
experience), and your perception of it, rather than "what is allowed and
what is not".

> 
> -- 
>  -- Howard Chu
>  CTO, Symas Corp.           http://www.symas.com
>  Director, Highland Sun     http://highlandsun.com/hyc/
>  Chief Architect, OpenLDAP  http://www.openldap.org/project/

William Brown

pgp.mit.edu





------------------------------

Message: 22
Date: Thu, 13 Jan 2011 09:16:56 +0100
From: Pierangelo Masarati <masarati@aero.polimi.it>
To: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
Cc: "'temmokan@gmail.com'" <temmokan@gmail.com>,
	"'openldap-technical@openldap.org'"
<openldap-technical@openldap.org>
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <4D2EB4F8.6060001@aero.polimi.it>
Content-Type: text/plain; charset=UTF-8; format=flowed

Chris Jacobs wrote:
> Perhaps try man slapo_ppolicy

The man page name is slapo-ppolicy(5).

> - it should hopefully provide the limits and acceptable values to
> compare with your ldif to find the cause of "Error description: An
> invalid attribute value was specified."
>
> Alternative: reduce the number of attributes (divide and conquer) to
> find the culprit.
>
> Perhaps also checking the schema file for the limits or acceptable
> values.

Or check the archives, e.g.
<http://www.openldap.org/lists/openldap-software/200802/msg00337.html>:
for some time, in OpenLDAP 2.3, the pwdAttribute could only contain
OIDs.

p.


------------------------------

Message: 23
Date: Thu, 13 Jan 2011 14:22:12 +0600
From: Konstantin Boyandin <temmokan@gmail.com>
To: Pierangelo Masarati <masarati@aero.polimi.it>
Cc: "'openldap-technical@openldap.org'"
	<openldap-technical@openldap.org>
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <4D2EB634.3070209@gmail.com>
Content-Type: text/plain; charset=UTF-8

13.01.2011 14:16, Pierangelo Masarati writes:
> Chris Jacobs wrote:
>> Perhaps try man slapo_ppolicy
> 
> The man page name is slapo-ppolicy(5).
> 
>> - it should hopefully provide the limits and acceptable values and
>> compare with your ldif to find the cause of "Error description: An
>> invalid attribute value was specified."
>>
>> Alternative: reduce the number of attributes (divide and conquer) to
>> find the culprit.
>>
>> Perhaps also checking the schema file for the limits or acceptable
>> values.
> 
> Or check the archives, e.g.
> <http://www.openldap.org/lists/openldap-software/200802/msg00337.html>:
> for some time, in OpenLDAP 2.3, the pwdAttribute could only contain
> OIDs.

Thank you very much!
After I changed the string to

pwdAttribute: 2.5.4.35

the import was a success. This problem's solved. So reading Web *can* be
of more use than reading man pages only.

Sincerely,
Konstantin
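Because the GUI tool's bare LDAP_INVALID_SYNTAX hid which attribute slapd
rejected, a pre-flight check of the pwdPolicy LDIF against the value types
documented in slapo-ppolicy(5) saves a round trip. The block below is an added
example for this thread, not code from the list or from OpenLDAP: the minimal
LDIF parser and the table of integer/boolean pwd* attributes are the editor's,
it accepts pwdAttribute either by name or by the OID 2.5.4.35 that worked here,
and it flags the "invisible characters" Konstantin checked for by hand (trailing
blanks, NBSP, control characters). The sample entry is the one from the thread
on the dc=example,dc=com suffix; the structural-class check rests on pwdPolicy
being an AUXILIARY class.

```python
"""Pre-flight checks for a pwdPolicy LDIF entry (added example, not OpenLDAP code)."""
import re

# Value types per slapo-ppolicy(5); names lowercased because LDAP attribute names
# are case-insensitive.
INTEGER_ATTRS = {a.lower() for a in (
    "pwdMinAge", "pwdMaxAge", "pwdInHistory", "pwdMinLength", "pwdExpireWarning",
    "pwdGraceAuthNLimit", "pwdLockoutDuration", "pwdMaxFailure",
    "pwdFailureCountInterval")}
BOOLEAN_ATTRS = {a.lower() for a in (
    "pwdLockout", "pwdMustChange", "pwdAllowUserChange", "pwdSafeModify")}
# userPassword by name, or by its OID 2.5.4.35 (the form the thread ended up using).
PWD_ATTRIBUTE_OK = {"userpassword", "2.5.4.35"}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercase attribute: [values]}.

    Comments and folded continuation lines are handled. The single space LDIF
    allows after the colon is dropped; anything else (trailing blanks, NBSP,
    control characters) is kept so check_pwd_policy can flag it.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value[:1] in (":", "<"):   # base64 / URL values: not needed for a policy entry
            raise ValueError("base64/URL value not supported for %s" % name)
        entry.setdefault(name.strip().lower(), []).append(value.lstrip(" "))
    return entry


def check_pwd_policy(entry):
    """Return the problems found; an empty list means the entry looks loadable."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "pwdpolicy" not in classes:
        problems.append("objectClass pwdPolicy is missing")
    if not classes - {"top", "pwdpolicy"}:
        problems.append("pwdPolicy is AUXILIARY; a structural class such as person is needed")
    if "pwdattribute" not in entry:
        problems.append("pwdAttribute is a MUST attribute of pwdPolicy")
    for name, values in entry.items():
        for value in values:
            if value != value.strip() or not value.isprintable():
                problems.append("%s: hidden whitespace or control character in %r" % (name, value))
            elif name == "pwdattribute" and value.lower() not in PWD_ATTRIBUTE_OK:
                problems.append("pwdAttribute must be userPassword or 2.5.4.35, got %r" % value)
            elif name in INTEGER_ATTRS and not re.fullmatch(r"\d+", value):
                problems.append("%s must be a non-negative integer, got %r" % (name, value))
            elif name in BOOLEAN_ATTRS and value not in ("TRUE", "FALSE"):
                problems.append("%s must be TRUE or FALSE, got %r" % (name, value))
            elif name == "pwdcheckquality" and value not in ("0", "1", "2"):
                problems.append("pwdCheckQuality must be 0, 1 or 2, got %r" % value)
    return problems


# Constructed sample: the entry from the thread, on the example.com suffix.
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: top
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 2
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value
"""

if __name__ == "__main__":
    for line in check_pwd_policy(parse_ldif_entry(POLICY_LDIF)) or ["OK"]:
        print(line)
```

Run it on the LDIF you are about to slapadd; an empty report means the values
are the right kind, which narrows the remaining suspects to what the server
itself has loaded (schema and overlay).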


------------------------------

Message: 24
Date: Thu, 13 Jan 2011 00:24:45 -0800
From: Howard Chu <hyc@symas.com>
To: Konstantin Boyandin <temmokan@gmail.com>
Cc: openldap-technical@openldap.org
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <4D2EB6CD.8000501@symas.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Konstantin Boyandin wrote:
> 13.01.2011 13:39, Howard Chu writes:
>> Konstantin Boyandin wrote:
>>> Hello,
>>>
>>> OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit.
>>>
>>> In order to enable ppolicy overlay, I am trying to create the relevant
>>> entries, as specified in
>>>
>>> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
>>>
>>> I import two LDIFs, first:
>>>
>>> dn: ou=Policies,dc=example,dc=com
>>> objectClass: organizationalUnit
>>> objectClass: top
>>> ou: Policies
>>>
>>> and second
>>>
>>> dn: cn=default,ou=Policies,dc=example,dc=com
>>> cn: default
>>> objectClass: top
>>> objectClass: pwdPolicy
>>> objectClass: person
>>> pwdAllowUserChange: TRUE
>>> pwdAttribute: userPassword
>>> pwdCheckQuality: 2
>>> pwdExpireWarning: 600
>>> pwdFailureCountInterval: 30
>>> pwdGraceAuthNLimit: 2
>>> pwdInHistory: 5
>>> pwdLockout: TRUE
>>> pwdLockoutDuration: 0
>>> pwdMaxAge: 7776000
>>> pwdMaxFailure: 5
>>> pwdMinAge: 0
>>> pwdMinLength: 5
>>> pwdMustChange: FALSE
>>> pwdSafeModify: FALSE
>>> sn: dummy value
>>>
>>> The first loads OK.
>>> When I try to import the second, I receive this diagnostics:
>>>
>>> Could not add object cn=default,ou=Policies,dc=itelsib,dc=com
>>> Message: Invalid syntax
>>> Error code: 0x15 (LDAP_INVALID_SYNTAX)
>>> Error description: An invalid attribute value was specified.
>>>
>>> Could someone suggest what's wrong with the attribute name?
>>
>> OpenLDAP never produces the text you provided above. It seems you're
>> using some other LDAP tool to do this import, and it is not showing you
>> the actual error message sent from the server. OpenLDAP slapd will
>> always identify the actual attribute and value that causes an error. I
>> suggest you try importing this entry with OpenLDAP's ldapadd and examine
>> the error message from there.
>
> I tried importing with slapadd. The output:
>
> str2entry: invalid value for attributeType pwdAttribute #0 (syntax
> 1.3.6.1.4.1.1466.115.121.1.38)
> slapadd: could not parse entry (line=22)
>
> The error above refers to the allowed value of pwdAttribute, which can
> only be userPassword now.
>
> The problem is the value for this attribute in LDIF *is* userPassword,
> as in the cited sample. I checked the LDIF - no 'invisible' characters
> around the value.

Sounds like you don't actually have the ppolicy overlay configured on the
database you're loading into. The pwdAttribute syntax handler is part of the
ppolicy overlay and will only get installed if you configure the overlay on
the target database.

> JFYI, I checked the values for the attributes using man page. This, and
> other references provided with packages is where I look first prior to
> asking on the Net.


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
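Howard's diagnosis points at a check worth scripting before the next slapadd:
find the database whose suffix contains the entry's DN and confirm that
"overlay ppolicy" sits on that database, with ppolicy.schema included. The
block below is an added example, not part of the thread or of OpenLDAP. It
parses a slapd.conf-style file (the sample configuration inside it is
constructed), it only understands per-database overlay directives in slapd.conf
and knows nothing about cn=config, and the moduleload test is the editor's
heuristic for builds that load overlays as modules.

```python
"""Is slapo-ppolicy configured on the database that will hold the entry?

Added example, not OpenLDAP code; understands slapd.conf, not cn=config.
"""


def logical_lines(text):
    """slapd.conf lines with comments and blanks dropped and continuation lines joined."""
    out = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and out:       # leading whitespace continues the previous line
            out[-1] += " " + raw.strip()
        elif raw.strip() and not raw.lstrip().startswith("#"):
            out.append(raw.strip())
    return out


def parse_slapd_conf(text):
    """Return (global_directives, databases).

    Directives before the first 'database' line are global; each database records
    its suffix and the overlays stacked on it, which is how per-database overlay
    configuration looks in slapd.conf.
    """
    global_directives, dbs = [], []
    for line in logical_lines(text):
        kw, _, rest = line.partition(" ")
        kw, rest = kw.lower(), rest.strip().strip('"')
        if kw == "database":
            dbs.append({"type": rest, "suffix": None, "overlays": []})
        elif not dbs:
            global_directives.append((kw, rest))
        elif kw == "suffix":
            dbs[-1]["suffix"] = rest
        elif kw == "overlay":
            dbs[-1]["overlays"].append(rest)
    return global_directives, dbs


def normalize_dn(dn):
    """Enough for suffix matching: case-fold and drop spaces around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def ppolicy_readiness(conf_text, dn):
    """List what is missing for the ppolicy overlay to see `dn`; an empty list means ready."""
    problems = []
    global_directives, dbs = parse_slapd_conf(conf_text)
    if not any(kw == "include" and rest.endswith("ppolicy.schema")
               for kw, rest in global_directives):
        problems.append("ppolicy.schema is not included, so pwdPolicy and pwd* are unknown")
    loads = [rest for kw, rest in global_directives if kw == "moduleload"]
    if loads and not any("ppolicy" in m for m in loads):   # heuristic for module builds
        problems.append("modules are loaded but ppolicy.la is not")
    target = normalize_dn(dn)
    holder = None
    for db in dbs:                 # the longest matching suffix is the database slapd routes to
        sfx = normalize_dn(db["suffix"] or "")
        if sfx and (target == sfx or target.endswith("," + sfx)):
            if holder is None or len(sfx) > len(normalize_dn(holder["suffix"])):
                holder = db
    if holder is None:
        problems.append("no database suffix contains %s" % dn)
    elif "ppolicy" not in holder["overlays"]:
        problems.append("database %s has no 'overlay ppolicy', so the pwdAttribute "
                        "syntax handler is not installed there" % holder["suffix"])
    return problems


# Constructed sample slapd.conf: ppolicy on dc=example,dc=com only.
SLAPD_CONF = """\
include    /etc/openldap/schema/core.schema
include    /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la

database   bdb
suffix     "dc=example,dc=com"
rootdn     "cn=Manager,dc=example,dc=com"
directory  /var/lib/ldap
overlay    ppolicy
ppolicy_default "cn=default,ou=Policies,dc=example,dc=com"

database   bdb
suffix     "dc=other,dc=org"
directory  /var/lib/ldap-other
"""

if __name__ == "__main__":
    for dn in ("cn=default,ou=Policies,dc=example,dc=com", "cn=x,dc=other,dc=org"):
        print(dn, ppolicy_readiness(SLAPD_CONF, dn) or ["ready"])
```

The suffix matching mirrors how slapd routes an operation to a database (the
longest matching suffix wins), so an entry under a suffix that has no overlay
line is reported even when another database on the same server does have
ppolicy.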


------------------------------

Message: 25
Date: Thu, 13 Jan 2011 00:31:53 -0800
From: Howard Chu <hyc@symas.com>
To: Pierangelo Masarati <masarati@aero.polimi.it>
Cc: "'temmokan@gmail.com'" <temmokan@gmail.com>,
	"'openldap-technical@openldap.org'"
<openldap-technical@openldap.org>,
	Chris Jacobs <Chris.Jacobs@apollogrp.edu>
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <4D2EB879.9050203@symas.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Pierangelo Masarati wrote:
> Chris Jacobs wrote:
>> Perhaps try man slapo_ppolicy
>
> The man page name is slapo-ppolicy(5).
>
>> - it should hopefully provide the limits and acceptable values to
>> compare with your ldif to find the cause of "Error description: An
>> invalid attribute value was specified."
>>
>> Alternative: reduce the number of attributes (divide and conquer) to
>> find the culprit.
>>
>> Perhaps also checking the schema file for the limits or acceptable
>> values.
>
> Or check the archives, e.g.
> <http://www.openldap.org/lists/openldap-software/200802/msg00337.html>:
> for some time, in OpenLDAP 2.3, the pwdAttribute could only contain
> OIDs.

That issue was fixed long before 2.3.43, which he says he is running.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


------------------------------

Message: 26
Date: Thu, 13 Jan 2011 09:32:14 +0100
From: Pierangelo Masarati <masarati@aero.polimi.it>
To: Konstantin Boyandin <temmokan@gmail.com>
Cc: "'openldap-technical@openldap.org'"
	<openldap-technical@openldap.org>
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <4D2EB88E.9080308@aero.polimi.it>
Content-Type: text/plain; charset=UTF-8; format=flowed

Konstantin Boyandin wrote:

>> Or check the archives, e.g.
>> <http://www.openldap.org/lists/openldap-software/200802/msg00337.html>:
>> for some time, in OpenLDAP 2.3, the pwdAttribute could only contain
>> OIDs.
> 
> Thank you very much!
> After I changed the string to
> 
> pwdAttribute: 2.5.4.35
> 
> the import was a success. This problem's solved. So reading Web *can* be
> of more use than reading man pages only.

The archives of the OpenLDAP project are indeed part of the web.  In
order to get valuable information you need to be able to dig it out from
tons of s**t, though.

p.


------------------------------

Message: 27
Date: Thu, 13 Jan 2011 00:45:33 -0800
From: Howard Chu <hyc@symas.com>
To: Pierangelo Masarati <masarati@aero.polimi.it>
Cc: Konstantin Boyandin <temmokan@gmail.com>,
	"'openldap-technical@openldap.org'"
<openldap-technical@openldap.org>
Subject: Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX
Message-ID: <4D2EBBAD.6000808@symas.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

Pierangelo Masarati wrote:
> Konstantin Boyandin wrote:
>
>>> Or check the archives, e.g.
>>> <http://www.openldap.org/lists/openldap-software/200802/msg00337.html>:
>>> for some time, in OpenLDAP 2.3, the pwdAttribute could only contain
>>> OIDs.
>>
>> Thank you very much!
>> After I changed the string to
>>
>> pwdAttribute: 2.5.4.35
>>
>> the import was a success. This problem's solved. So reading Web *can* be
>> of more use than reading man pages only.
>
> The archives of the OpenLDAP project are indeed part of the web.  In
> order to get valuable information you need to be able to dig it out from
> tons of s**t, though.

Indeed. In fact Dieter's answer was already 3 years out of date when he
posted it. The issue in question is ITS#4025 which was fixed in September
2005 and released in OpenLDAP 2.3.8.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/


------------------------------

Message: 28
Date: Thu, 13 Jan 2011 10:04:09 +0100
From: Bjørn Ruberg <bjorn@ruberg.no>
To: openldap-technical@openldap.org
Subject: Re: Evolution Contacts Schema
Message-ID: <4D2EC009.7070306@ruberg.no>
Content-Type: text/plain; charset=UTF-8; format=flowed

On 01/12/2011 11:14 PM, Peter L. Berghold wrote:
> Now the trouble I'm having (now that the schema is set) is when I
> attempt to add an entry from Evolution I get "error: other" which
> doesn't tell much.
>
> From the phpLDAPAdmin tool I get the error
>
> Could not perform ldap_modify operation.
> LDAP said:
> Cannot modify object class
> Error number:
> 0x45 (LDAP_NO_OBJECT_CLASS_MODS)
> Description:
> ObjectClass modifications are not
> allowed.
>
> This is not an error I've run across before. Is there an ACL I need to
> tweak?
What you seem to be doing to your LDAP object is similar to replacing
the foundation of your house. You're normally not allowed to change the
structural object class of an object. This is a limitation in LDAP (not
in OpenLDAP but every implementation), it's not an ACL issue. Some LDAP
clients may offer ways to work around this but it looks like
phpLDAPadmin does not.

You claim to be adding an object, but the error message indicates
modification of an existing object rather than adding a new one. For
further assistance I suggest giving more details.


> I can't imagine I'm blazing uncharted territory...  somebody has had to
> have gotten this to work before...

See for instance
http://www.openldap.org/lists/openldap-software/200504/msg00511.html -
also see http://www.openldap.org/faq/data/cache/883.html for some
background.

-- 
Bjørn





------------------------------

Message: 29
Date: Thu, 13 Jan 2011 10:14:57 +0100
From: Stefan Palme <kleiner@hora-obscura.de>
To: openldap-technical@openldap.org
Subject: Re: Evolution Contacts Schema
Message-ID: <1294910097.12106.7.camel@drops.kapott.org>
Content-Type: text/plain; charset="UTF-8"


On Thu, 2011-01-13 at 10:04 +0100, Bjørn Ruberg wrote:
> On 01/12/2011 11:14 PM, Peter L. Berghold wrote:
> > Now the trouble I'm having (now that the schema is set) is when I
> > attempt to add an entry from Evolution I get "error: other" which
> > doesn't tell much.
> >
> > From the phpLDAPAdmin tool I get the error
> >
> > ...
> >
> > This is not an error I've run across before. Is there an ACL I need
> > to tweak?
> What you seem to be doing to your LDAP object is similar to replacing
> the foundation of your house. You're normally not allowed to change the
> structural object class of an object. This is a limitation in LDAP (not
> in OpenLDAP but every implementation), it's not an ACL issue. Some LDAP
> clients may offer ways to work around this but it looks like
> phpLDAPadmin does not.
>
> You claim to be adding an object, but the error message indicates
> modification of an existing object rather than adding a new one. For
> further assistance I suggest giving more details.

I guess, you (the OP) try to automatically "convert" LDAP addressbook
entries created by Thunderbird to addressbook entries as used by
Evolution. This will not work.

Maybe you can use Thunderbird to export all your existing addressbook
entries to VCARD or similar standard format, then remove all addressbook
entries from your LDAP server, and use Evolution to import the VCARDs
and store them as "new" entries in LDAP...

Regards
-stefan-




------------------------------

Message: 30
Date: Thu, 13 Jan 2011 17:36:23 +0600
From: "Alexey Shalin" <a.shalin@ipc.kg>
To: <openldap-technical@openldap.org>
Subject: Hello, how 
Message-ID: <05EA8BD9F149744AA29116A75DE08A740B2B2D@mail.domenipc.kg>
Content-Type: text/plain; charset="koi8-r"

 

Good afternoon,
Tell me how to exclude the user "search" from the security policies.

The user is located in ou=users.

ou=policy is also located in ou=users.

The reason that I need to exclude the user is that when I set
pwdMaxAge and pwdGraceAuthNLimit, I cannot log into the application at
any login. In the OpenLDAP logs there is this message:

bdb_dn2entry("uid=search,ou=users,ou=db")
bdb_entry_get: rc=0
ppolicy_bind: Entry uid=search,ou=users,ou=db has an expired password: -39 grace logins
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 52 bytes to sd 13
tls_write: want=73, written=73
  0000:  17 03 01 00 44 c3 ec 7b  f6 fb 12 85 2d 87 57 6c   ....D..{....-.Wl
  0010:  6c 8c 36 ec 6f d3 39 1d  91 4b 1a db 53 d6 99 0e   l.6.o.9..K..S...
  0020:  e8 94 85 93 b0 9a 3e 38  18 ab 00 fc 0f 3f d6 b4   ......>8.....?..
  0030:  39 a8 2d 8f 84 7f 46 09  90 cf 1d d2 28 a3 6e eb   9.-...F.....(.n.
  0040:  e8 ac f0 ad 66 44 7b 4f  47                        ....fD{OG
ldap_write: want=52, written=52
  0000:  30 32 02 01 01 61 07 0a  01 31 04 00 04 00 a0 24   02...a...1.....$
  0010:  30 22 04 19 31 2e 33 2e  36 2e 31 2e 34 2e 31 2e   0"..1.3.6.1.4.1.
  0020:  34 32 2e 32 2e 32 37 2e  38 2e 35 2e 31 04 05 30   42.2.27.8.5.1..0
  0030:  03 81 01 00                                        ....
conn=1 op=0 RESULT tag=97 err=49 text=

If I set pwdGraceAuthNLimit to 100, I'm able to log in to the
application. I cannot change the password for user "search" :-(

 

Thank you

-------------------------------------------------------------------------------
e-mail: a.shalin@ipc.kg
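A service account such as uid=search is the usual casualty of a blanket
pwdMaxAge: once its password ages past the limit, every bind consumes one of
the pwdGraceAuthNLimit grace logins, and when none remain the overlay answers
err=49 (invalidCredentials), which is what the log above shows. The block below
is an added example, not OpenLDAP code: it reproduces the expiry arithmetic as
slapo-ppolicy(5) documents it (pwdChangedTime plus pwdMaxAge, grace uses
recorded in pwdGraceUseTime) and shows the usual way out, pinning the account
to a separate policy whose pwdMaxAge is 0 through the pwdPolicySubentry
attribute. The DNs, policy values, timestamps and grace-use entries are
constructed, and the ldapmodify in attach_policy_ldif assumes you bind as the
rootdn, since pwdPolicySubentry is an operational attribute.

```python
"""slapo-ppolicy expiry arithmetic and a per-user exception (added example, not OpenLDAP code)."""
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value):
    """GeneralizedTime as slapd stores it in pwdChangedTime, e.g. 20100901000000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def effective_policy(entry, policies, default_policy_dn):
    """A pwdPolicySubentry on the entry overrides the overlay's ppolicy_default."""
    return policies[entry.get("pwdPolicySubentry", [default_policy_dn])[0]]


def password_state(entry, policy, now):
    """Return (expired, grace_remaining).

    Per slapo-ppolicy(5): the password expires pwdMaxAge seconds after
    pwdChangedTime (pwdMaxAge 0, or no pwdChangedTime at all, means it never
    expires). Once expired, each bind consumes one of pwdGraceAuthNLimit grace
    logins, each recorded as a pwdGraceUseTime value; the bind fails when the
    remaining count drops below one.
    """
    max_age = int(policy.get("pwdMaxAge", ["0"])[0])
    grace_limit = int(policy.get("pwdGraceAuthNLimit", ["0"])[0])
    changed = entry.get("pwdChangedTime")
    if max_age == 0 or not changed:
        return False, grace_limit
    if now < parse_generalized_time(changed[0]) + timedelta(seconds=max_age):
        return False, grace_limit
    return True, grace_limit - len(entry.get("pwdGraceUseTime", []))


def bind_allowed(entry, policies, default_policy_dn, now):
    """Would the overlay let this simple bind through (ignoring lockout)?"""
    policy = effective_policy(entry, policies, default_policy_dn)
    expired, grace = password_state(entry, policy, now)
    return (not expired) or grace > 0


def attach_policy_ldif(user_dn, policy_dn):
    """LDIF for ldapmodify (bound as the rootdn) that pins a user to a specific policy."""
    return ("dn: %s\nchangetype: modify\nreplace: pwdPolicySubentry\n"
            "pwdPolicySubentry: %s\n" % (user_dn, policy_dn))


# Constructed sample data on the DIT layout from the post (ou=policy under ou=users).
DEFAULT_POLICY = "cn=default,ou=policy,ou=users,ou=db"
SERVICE_POLICY = "cn=service,ou=policy,ou=users,ou=db"
POLICIES = {
    DEFAULT_POLICY: {"pwdMaxAge": ["7776000"], "pwdGraceAuthNLimit": ["2"]},  # 90 days, 2 grace logins
    SERVICE_POLICY: {"pwdMaxAge": ["0"]},                                      # never expires
}
SEARCH_ENTRY = {
    "uid": ["search"],
    "pwdChangedTime": ["20100901000000Z"],
    "pwdGraceUseTime": ["20110110090000Z", "20110111090000Z", "20110112090000Z"],
}
NOW = datetime(2011, 1, 13, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(password_state(SEARCH_ENTRY, POLICIES[DEFAULT_POLICY], NOW))   # (True, -1)
    pinned = dict(SEARCH_ENTRY, pwdPolicySubentry=[SERVICE_POLICY])
    print(bind_allowed(pinned, POLICIES, DEFAULT_POLICY, NOW))             # True
    print(attach_policy_ldif("uid=search,ou=users,ou=db", SERVICE_POLICY))
```

Raising pwdGraceAuthNLimit to 100, as the post describes, only raises the
grace count the arithmetic returns; the password is still expired, and the
application keeps eating grace logins until the limit is reached again. The
exception policy (or a fresh password set by the admin, which updates
pwdChangedTime) is the durable fix.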

 


------------------------------

_______________________________________________
openldap-technical mailing list
openldap-technical@openldap.org
http://www.openldap.org/lists/mm/listinfo/openldap-technical


End of openldap-technical Digest, Vol 38, Issue 12
**************************************************

 

__________ Information from ESET NOD32 Antivirus, version of virus
signature database 5783 (20110113) __________

The message was checked by ESET NOD32 Antivirus.

http://www.esetnod32.ru/.ml
 
 
