invalid structural object class chain (account/krbPrincipal)
- To: openldap-technical@openldap.org
- Subject: invalid structural object class chain (account/krbPrincipal)
- From: Prentice Bisbal <pbisbal@pppl.gov>
- Date: Thu, 11 May 2017 18:16:54 -0400

So with your help, I managed to fix my initial issues of adding some
additional schemas to my system. Now, when I try to add the directory
data from my old LDAP servers with slapcat, I'm getting the following
structural error:

    (line=168): (65) invalid structural object class chain (account/krbPrincipal)

The relevant portions for the offending dn look like this:

    objectClass: top
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: krbPrincipal
    structuralObjectClass: account

I should point out that I recently inherited this LDAP directory, and
now I'm upgrading the LDAP servers to new hardware and a new OS with a
much newer version of OpenLDAP. I've never seen the structuralObjectClass
attribute before. From my experience, when you get errors like this,
it's because either the schemas have changed, or someone used the -c
switch when adding new entries to the directory. Usually it's the latter.

I have googled my error and found many discussions for 'invalid
structural object chain' on this list, but none of them seem to apply to
this case. Most problems seemed to be caused by having multiple conflicting
STRUCTURAL object classes in one entry, but that doesn't seem to be the
case since krbPrincipal is not STRUCTURAL. It's also not AUXILIARY:

    objectclass ( 2.16.840.1.113719.1.301.6.9.1
        NAME 'krbPrincipal'
        SUP top
        MUST ( krbPrincipalName )
        MAY ( krbObjectReferences ) )

account is STRUCTURAL:

    objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account'
        SUP top STRUCTURAL
        MUST userid
        MAY ( description $ seeAlso $ localityName $
            organizationName $ organizationalUnitName $ host )
        )

but posixAccount and shadowAccount are AUXILIARY:

    objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
        DESC 'Abstraction of an account with POSIX attributes'
        SUP top AUXILIARY
        MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
        MAY ( userPassword $ loginShell $ gecos $ description ) )

    objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount'
        DESC 'Additional attributes for shadow passwords'
        SUP top AUXILIARY
        MUST uid
        MAY ( userPassword $ shadowLastChange $ shadowMin $
            shadowMax $ shadowWarning $ shadowInactive $
            shadowExpire $ shadowFlag $ description ) )

Any ideas for how to fix this? Could I just remove the account
objectClass? I'm not sure whether or not we're using any of its
attributes.

--
Prentice
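
Added example, not part of the original message: a Python check that parses the four object class definitions quoted above and reports structural classes in the entry that do not lie on one superclass chain. It assumes the RFC 4512 rule that a definition with no kind keyword is STRUCTURAL; the function names and the trimmed schema text are constructed for illustration, and only single-valued SUP is handled.

```python
import re

# Definitions quoted from the message above, with the MAY lists trimmed.
SCHEMA = """
objectclass ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top
  MUST ( krbPrincipalName ) MAY ( krbObjectReferences ) )
objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL
  MUST userid MAY ( description $ seeAlso $ host ) )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY
  MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) )
objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY MUST uid )
"""

# objectClass values of the offending entry, as listed in the message.
ENTRY = ["top", "account", "posixAccount", "shadowAccount", "krbPrincipal"]

def parse_schema(text):
    """Map class name -> {'sup', 'kind'}; kind defaults to STRUCTURAL (RFC 4512)."""
    classes = {"top": {"sup": None, "kind": "ABSTRACT"}}
    for body in re.split(r"objectclass\s*\(", text)[1:]:
        name = re.search(r"NAME\s+'([^']+)'", body).group(1)
        bare = re.sub(r"'[^']*'", "", body)  # drop quoted strings (NAME, DESC)
        sup = re.search(r"\bSUP\s+(\w+)", bare)
        kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", bare)
        classes[name] = {"sup": sup.group(1) if sup else None,
                         "kind": kind.group(1) if kind else "STRUCTURAL"}
    return classes

def superiors(classes, name):
    """Return the class itself followed by all of its superclasses."""
    chain = []
    while name:
        chain.append(name)
        name = classes[name]["sup"]
    return chain

def structural_conflict(classes, object_classes):
    """Return the first pair of structural classes not on one chain, or None."""
    structural = [c for c in object_classes if classes[c]["kind"] == "STRUCTURAL"]
    for i, a in enumerate(structural):
        for b in structural[i + 1:]:
            if a not in superiors(classes, b) and b not in superiors(classes, a):
                return (a, b)
    return None

if __name__ == "__main__":
    classes = parse_schema(SCHEMA)
    for name in ENTRY:
        print(f"{name:15} {classes[name]['kind']}")
    print("conflict:", structural_conflict(classes, ENTRY))
```

Run against the entry above, the reported pair is the same one named in the slapadd error text.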