
invalid structural object class chain (account/krbPrincipal)



So with your help, I managed to fix my initial issues of adding some additional schemas to my system. Now, when I try to add the directory data from my old LDAP servers with slapcat, I'm getting the following structural error:

(line=168): (65) invalid structural object class chain (account/krbPrincipal)

The relevant portions for the offending dn look like this:

objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipal
structuralObjectClass: account

I should point out that I recently inherited this LDAP directory, and now I'm upgrading the LDAP servers to new hardware and a new OS with a much newer version of OpenLDAP. I've never seen the structuralObjectClass attribute before. From my experience, when you get errors like this, it's because either the schemas have changed, or someone used the -c switch when adding new entries to the directory. Usually it's the latter.

I have googled my error and found many discussions for 'invalid structural object chain' on this list, but none of them seem to apply to this case. Most problems seemed to be caused by having multiple conflicting STRUCTURAL object classes in one entry, but that doesn't seem to be the case since krbPrincipal is not STRUCTURAL. It's also not AUXILIARY:

objectclass ( 2.16.840.1.113719.1.301.6.9.1
                NAME 'krbPrincipal'
                SUP top
                MUST ( krbPrincipalName )
                MAY ( krbObjectReferences ) )

account is STRUCTURAL:

objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account'
        SUP top STRUCTURAL
        MUST userid
        MAY ( description $ seeAlso $ localityName $
                organizationName $ organizationalUnitName $ host )
        )

but posixAccount and shadowAccount are AUXILIARY:

objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount'
        DESC 'Abstraction of an account with POSIX attributes'
        SUP top AUXILIARY
        MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory )
        MAY ( userPassword $ loginShell $ gecos $ description ) )

objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount'
        DESC 'Additional attributes for shadow passwords'
        SUP top AUXILIARY
        MUST uid
        MAY ( userPassword $ shadowLastChange $ shadowMin $
              shadowMax $ shadowWarning $ shadowInactive $
              shadowExpire $ shadowFlag $ description ) )

Any ideas for how to fix this? Could I just remove the account objectClass? I'm not sure whether or not we're using any of its attributes.


--
Prentice
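
A check of the entry's objectClass values against the definitions quoted in the message, as an added example that is not part of the original post. It assumes the RFC 4512 rule that an object class definition naming no kind defaults to STRUCTURAL, and that all structural classes of an entry must lie on one superclass chain; the schema text is abridged from the post and the function names are illustrative.

```python
import re

# Definitions abridged from the post (MUST/MAY/DESC clauses dropped).
SCHEMA = """
objectclass ( 2.16.840.1.113719.1.301.6.9.1 NAME 'krbPrincipal' SUP top )
objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account' SUP top STRUCTURAL )
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY )
objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY )
"""
# objectClass values of the offending entry, as listed in the post.
ENTRY = ["top", "account", "posixAccount", "shadowAccount", "krbPrincipal"]

def parse_schema(text):
    """Map lower-cased class name -> (kind, superior)."""
    classes = {"top": ("ABSTRACT", None)}
    for line in text.strip().splitlines():
        name = re.search(r"NAME\s+'([^']+)'", line).group(1)
        sup = re.search(r"\bSUP\s+(\S+)", line)
        kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", line)
        # Assumption (RFC 4512, 4.1.1): no kind keyword means STRUCTURAL.
        classes[name.lower()] = (kind.group(1) if kind else "STRUCTURAL",
                                 sup.group(1).lower() if sup else None)
    return classes

def ancestors(classes, name):
    """Superclass chain of name, starting with name itself."""
    chain = []
    while name is not None:
        chain.append(name)
        name = classes[name][1]
    return chain

def structural_conflicts(classes, object_classes):
    """Pairs of structural classes where neither derives from the other."""
    structural = [c.lower() for c in object_classes
                  if classes[c.lower()][0] == "STRUCTURAL"]
    conflicts = []
    for i, a in enumerate(structural):
        for b in structural[i + 1:]:
            if a not in ancestors(classes, b) and b not in ancestors(classes, a):
                conflicts.append((a, b))
    return conflicts

if __name__ == "__main__":
    classes = parse_schema(SCHEMA)
    for a, b in structural_conflicts(classes, ENTRY):
        print(f"invalid structural object class chain ({a}/{b})")
```

Run on the entry above, the check reports account and krbPrincipal as the conflicting pair; the same entry without krbPrincipal passes.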