
Re: invalid syntax (21) error while importing password password policy



Thanks.  I've checked and rechecked the /tmp/ppolicy.ldif for
stray/illegal characters, spaces, etc.  I can't find anything.  I deleted
and recreated the file, the line, everything I could think of.

Agree with you on upgrading, that's in the plan as well.

On 9/16/13 5:09 PM, "Christian Kratzer" <ck-lists@cksoft.de> wrote:

>Hi,
>
>On Mon, 16 Sep 2013, Philip Bubel wrote:
>
>> Running OpenLDAP 2.4.23 on CentOS 6.4 and we are having trouble
>>enabling password policies.  I've read a number of FAQs online, plus
>>spent hours searching for a solution to this problem; although a lot of
>>folks seem to have the same issue, I haven't been able to find a solution
>>that works for us.  I run into trouble running ldapadd to import the new
>>policy.  I end up with the invalid syntax error I've included below,
>>along with a copy of the .ldif file and my slapd.conf file.  I was able
>>to create the policies OU without issue; I also tried using the OID for
>>pwdAttribute instead of userPassword.
>>
>> [root@asu10d schema]# ldapadd -D "cn=Manager,dc=XXXX,dc=test" -W -x -f
>>/tmp/ppolicy.ldif
>> Enter LDAP Password:
>> adding new entry "cn=policy,ou=policies,dc=XXXX,dc=test"
>> ldap_add: Invalid syntax (21)
>> additional info: pwdAttribute: value #0 invalid per syntax
>
>Please check your /tmp/ppolicy.ldif to make sure there are no illegal
>characters in the line with pwdAttribute:
>
>It looks like this is perhaps broken.
>
>Please also consider updating to the latest OpenLDAP 2.4.36 via one of
>the openly available RPMs.
>
>Greetings
>Christian
>
>>
>> Contents of policy.ldif
>> dn: cn=policy,ou=policies,dc=XXXX,dc=test
>> cn: default
>> objectClass: pwdPolicy
>> objectClass: person
>> objectClass: top
>> pwdAllowUserChange: TRUE
>> pwdAttribute: userPassword
>> pwdCheckQuality: 2
>> pwdExpireWarning: 600
>> pwdFailureCountInterval: 30
>> pwdGraceAuthNLimit: 5
>> pwdInHistory: 5
>> pwdLockout: TRUE
>> pwdLockoutDuration: 0
>> pwdMaxAge: 0
>> pwdMaxFailure: 5
>> pwdMinAge: 0
>> pwdMinLength: 5
>> pwdMustChange: FALSE
>> pwdSafeModify: FALSE
>> sn: dummy value
>>
>> Contents of my slapd.conf
>>
>> include         /etc/openldap/schema/corba.schema
>> include         /etc/openldap/schema/core.schema
>> include         /etc/openldap/schema/cosine.schema
>> include         /etc/openldap/schema/duaconf.schema
>> include         /etc/openldap/schema/dyngroup.schema
>> include         /etc/openldap/schema/inetorgperson.schema
>> include         /etc/openldap/schema/java.schema
>> include         /etc/openldap/schema/misc.schema
>> include         /etc/openldap/schema/nis.schema
>> include         /etc/openldap/schema/openldap.schema
>> include         /etc/openldap/schema/ppolicy.schema
>> include         /etc/openldap/schema/collective.schema
>> include         /etc/openldap/schema/samba.schema
>> include         /etc/openldap/schema/pmi.schema
>>
>> allow bind_v2
>>
>> pidfile         /var/run/openldap/slapd.pid
>> argsfile        /var/run/openldap/slapd.args
>>
>> modulepath /usr/lib64/openldap
>>
>> moduleload ppolicy.la
>>
>> TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
>> TLSCertificateFile /etc/pki/tls/certs/slapd.pem
>> TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
>>
>> database config
>> access to *
>>        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
>>        by dn.exact="cn=Manager,dc=XXXX,dc=test" read
>>        by * none
>>
>> database        bdb
>> suffix          "dc=XXXXX,dc=test"
>> checkpoint      1024 15
>> rootdn          "cn=Manager,dc=XXXX,dc=test"
>> # Cleartext passwords, especially for the rootdn, should
>> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
>> # Use of strong authentication encouraged.
>> # Temp password used for testing
>> rootpw          hello
>>
>> overlay ppolicy
>> policy_default "cn=default,ou=policies,dc=XXXX,dc=test"
>> policy_use_lockout
>>
>> directory       /var/lib/ldap
>>
>> # Indices to maintain for this database
>> index objectClass                       eq,pres
>> index ou,cn,mail,surname,givenname      eq,pres,sub
>> index uidNumber,gidNumber,loginShell    eq,pres
>> index uid,memberUid                     eq,pres,sub
>> index nisMapName,nisMapEntry            eq,pres,sub
>>
>>
>
>-- 
>Christian Kratzer                      CK Software GmbH
>Email:   ck@cksoft.de                  Wildberger Weg 24/2
>Phone:   +49 7032 893 997 - 0          D-71126 Gaeufelden
>Fax:     +49 7032 893 997 - 9          HRB 245288, Amtsgericht Stuttgart
>Web:     http://www.cksoft.de/         Geschaeftsfuehrer: Christian Kratzer
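The advice in the thread is to look for stray characters on the pwdAttribute line. Doing that by eye is unreliable (a non-breaking space or a trailing blank is invisible in most editors), so here is a small LDIF linter, added as an example and not part of the original thread or of OpenLDAP, that flags the things which produce "Invalid syntax (21)" or a naming violation on a ppolicy entry: bytes outside printable ASCII on a raw LDIF line (RFC 2849 requires non-ASCII values to be base64-encoded with "::"), trailing whitespace that becomes part of the value, a pwdAttribute value that is neither a descriptor nor a numeric OID (RFC 4512 syntax), and an RDN whose value does not appear among the entry's attributes. The sample LDIF is constructed for the example (it injects a U+00A0 after "pwdAttribute:" and reuses the cn=policy / cn: default mismatch visible in the posted file); the RDN check is deliberately simple and assumes a single-valued RDN with no escaped commas.

```python
"""Lint an LDIF file for the hidden problems behind "Invalid syntax (21)".

Example code; not from the thread or from OpenLDAP.  Reads the file as
latin-1 so every byte maps to one character and nothing is silently
normalised before it is inspected.
"""
import base64
import re
import sys

# RFC 4512: oid = descr / numericoid
DESCR_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*$')
NUMERICOID_RE = re.compile(r'^(?:0|[1-9][0-9]*)(?:\.(?:0|[1-9][0-9]*))+$')

# Constructed sample: hidden NBSP after "pwdAttribute:" and an RDN (cn=policy)
# whose value is not among the entry's cn values (cn: default).
SAMPLE_LDIF = (
    "dn: cn=policy,ou=policies,dc=example,dc=test\n"
    "cn: default\n"
    "objectClass: pwdPolicy\n"
    "objectClass: person\n"
    "objectClass: top\n"
    "pwdAttribute:\u00a0userPassword\n"
    "pwdMaxFailure: 5\n"
    "sn: dummy value\n"
)

# The same entry with the problems removed (constructed).
CLEAN_LDIF = (
    "dn: cn=default,ou=policies,dc=example,dc=test\n"
    "cn: default\n"
    "objectClass: pwdPolicy\n"
    "objectClass: person\n"
    "objectClass: top\n"
    "pwdAttribute: userPassword\n"
    "pwdMaxFailure: 5\n"
    "sn: dummy value\n"
)


def is_valid_oid(value):
    """True if value is an attribute descriptor or a numeric OID (RFC 4512)."""
    return bool(DESCR_RE.match(value) or NUMERICOID_RE.match(value))


def byte_problems(line_no, line):
    """Non-printable or non-ASCII characters, and trailing whitespace, on one raw line."""
    problems = []
    for col, ch in enumerate(line, 1):
        code = ord(ch)
        if code > 0x7E or (code < 0x20 and ch != '\t'):
            problems.append(f'line {line_no} col {col}: illegal byte U+{code:04X}')
    if line != line.rstrip():
        problems.append(f'line {line_no}: trailing whitespace (it becomes part of the value)')
    return problems


def parse_ldif(text):
    """Minimal LDIF reader: [(dn_or_None, [(attr, value), ...]), ...].

    Folds continuation lines (leading space), decodes '::' base64 values and
    strips only the SPACE characters LDIF allows after the colon.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(' ') and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    records, attrs, dn = [], [], None
    for line in logical + ['']:          # sentinel flushes the last record
        if line == '':
            if dn is not None or attrs:
                records.append((dn, attrs))
            dn, attrs = None, []
            continue
        if line.startswith('#') or ':' not in line:
            continue
        name, _, value = line.partition(':')
        if value.startswith(':'):
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.lstrip(' ')
        if name.lower() == 'dn':
            dn = value
        else:
            attrs.append((name, value))
    return records


def check_ldif(text):
    """Return a list of human-readable problems; empty list means the file looks clean."""
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        problems.extend(byte_problems(no, line))
        if line and not line.startswith((' ', '#')) and ':' not in line:
            problems.append(f'line {no}: no attribute/value separator')
    for dn, attrs in parse_ldif(text):
        if dn is None:
            problems.append(f'record starting with {attrs[0][0]!r} has no dn: line')
            continue
        rdn_attr, _, rdn_val = dn.split(',', 1)[0].partition('=')
        values = [v for a, v in attrs if a.lower() == rdn_attr.strip().lower()]
        if rdn_val.strip() not in values:
            problems.append(f'{dn}: RDN value {rdn_val!r} not among {rdn_attr} values {values}')
        for attr, value in attrs:
            if attr.lower() == 'pwdattribute' and not is_valid_oid(value):
                problems.append(f'{dn}: pwdAttribute value {value!r} is not a valid OID/descriptor')
    return problems


if __name__ == '__main__':
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, 'rb').read().decode('latin-1') if path else SAMPLE_LDIF
    for p in check_ldif(text) or ['no problems found']:
        print(p)
```

Run it as `python ldif_lint.py /tmp/ppolicy.ldif`; with no argument it lints the constructed sample. It reports where the offending byte sits (line and column), which is what you need when an editor shows nothing wrong, and the RDN check catches the second problem in the posted file: the entry is named cn=policy but carries cn: default, and policy_default in slapd.conf points at cn=default, so even once the syntax error is gone the policy would not be the one the overlay looks up.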