[Date Prev][Date Next] [Chronological] [Thread] [Top]

invalid structural object class chain (account/krbPrincipal)

To: openldap-technical@openldap.org
Subject: invalid structural object class chain (account/krbPrincipal)
From: Prentice Bisbal <pbisbal@pppl.gov>
Date: Thu, 11 May 2017 18:16:54 -0400
Content-language: en-US
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pppl-gov.20150623.gappssmtp.com; s=20150623; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding:content-language; bh=M8Fqa8oQaaQl5lVYRvM9vD0piEIQehLBsnzfnxgAruY=; b=jIM+mFYtdppkY2Mm+vMaCYAy9eO3P8ug+5TLpCE86qIeOwLD7X4qI1SVaOuQSqhxaN SN+U1y+417PXr5J5GlFgAepzc3p6eK73g8RSiG7bQXXkGHQTNudWAB8kKCCyTA9uf17+ goSVBU10IkbI53U+roEI/YKtCV21MtTDjy3klmZk3gefNbyoQThkH6J+/a/a0V4MG0DY usSmTj9+Cg86mZEM4Ke7cRfhA2hcoP/xrGP6HqMiwavql1irIcDcPLIBgmUOJZDni6AB 2lnOPp9JpOeec/xbFDlN0HMiX3yOsH7lXAZmZ1nYXMbKYkgYH4AjlCOAWaFtSG12imw4 a9OA==
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0

So with you help, I managed to fix my initial issues of adding someadditional schemas to my system. Now, when I try to add the directorydata from my old LDAP servers with slapcat, I'm getting the followingstructural error:

(line=168): (65) invalid structural object class chain(account/krbPrincipal)


The relevant portions for the offending dn look like this:

objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipal
structuralObjectClass: account

I should point out that I recently inherited this LDAP directory, andnow I'm upgrading the LDAP servers to new hardware and a new OS with amuch new version of OpenLDAP. I've never seen the stucturalObjectClassattribute before. From my experience, when you get errors like this,it's because either the schemas have changed, or someone used the -cswitch when adding new entries to the directory. Usually it's the latter.

I have googled my error and found many discussions for 'invalidstructural object chain' on this list, but none of them seem to apply tothis case. Most problem seemed be caused by having multiple conflictingSTRUCTURAL object classes in one entry, but that doesn't seem to be thecase since krbPrincipal is not STRUCTURAL. It's also not AUXILIARY:


objectclass ( 2.16.840.1.113719.1.301.6.9.1
                NAME 'krbPrincipal'
                SUP top
                MUST ( krbPrincipalName )
                MAY ( krbObjectReferences ) )

account is STRUCTURAL:

objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account'
        SUP top STRUCTURAL
        MUST userid
        MAY ( description $ seeAlso $ localityName $
                organizationName $ organizationalUnitName $ host )
        )

but posixAccount and shadowAccount are AUXILIARY :

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
        DESC 'Abstraction of an account with POSIX attributes'
        SUP top AUXILIARY
        MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
        MAY ( userPassword $ loginShell $ gecos $ description ) )

objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount'
        DESC 'Additional attributes for shadow passwords'
        SUP top AUXILIARY
        MUST uid
        MAY ( userPassword $ shadowLastChange $ shadowMin $
              shadowMax $ shadowWarning $ shadowInactive $
              shadowExpire $ shadowFlag $ description ) )

Any ideas for how to fix this? Could I just remove the accountobjectClass? I'm not sure whether or not we're using any of it'sattributes.



--
Prentice

Follow-Ups:
- Re: invalid structural object class chain (account/krbPrincipal)
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Error adding schema: empty AttributeDescription
Next by Date: Re: Client binding to a specific local address
Index(es):
- Chronological
- Thread