OpenLDAP - much confusion when adding entries

Hello all,

I've successfully installed OpenLDAP, got it running, written my own schema, and had slapd start fine with the schema I created.

I'm now trying to add things using ldapadd and ldif files..

I've already added an organization, and now I'm trying to add an ou (using organizationalUnit), as I gather I need to add new people entries branched from this.

It isn't working: using this in the LDIF file:

dn: ou=People, o=myOrganisation, dc=myDomain, dc=com
objectclass: organizationalUnit
ou=People

I get the following error:

No such object matched DN: dc=myDomain, dc=com
ldif_record()=32

Even though my slapd.conf file shows dc=myDomain, dc=com.

I've successfully added the following (using the OpenLDAP quick start guide):

dn: dc=myDomain,dc=com
objectclass: dcObject
objectclass: organization
o: myOrganization
dc: myDomain

dn: cn=Manager,dc=myDomain,dc=com
objectclass: organizationalRole
cn: Manager

I'm a bit lost now. I don't really understand whereabouts my actual people (who subclass from inetorgperson) go, and although I've heard they should go under o=People, I've yet to get that to work

In short, I'm confused. Would anyone be able to give me any pointers?

TIA,
Gemma

You are all set - but you need to add the o=myOrganisation prior to adding the ou=People. Your previously added entry - though containing an o=myOrganisation doesn't do it. In fact - you should remove the o=myOrganisation attribute from your domainComponent so that:

dn: dc=myDomain,dc=com
objectclass: dcObject
dc: myDomain

dn: ou=myOrganisation,dc=myDomain,dc=com
objectclass: organization
o: myOrganization

Then add:

dn: ou=People, o=myOrganisation, dc=myDomain, dc=com
objectclass: organizationalUnit
ou=People

That should do it for you ...

HTH

Thanks so much!

That makes a lot more sense than the example I was trying in the QuickStart Guide...

Thanks for your help
Gemma

Hello, sorry, got a further question

How do you go about removing the o=myOrganization from the dcObject?

I've tried ldapmodify using

dn: dc=myDomain, dc=com
changetype: modify
delete : o

and it didn't work. I tried to delete the whole dc=myDomain, dc=com but it refused.

Could you provide any hints please?

Thanks

Does the command give you any errors at runtime?

Your ldif looks basically correct - though there is a space between delete and :

Ideally it would look like:

dn: dc=myDomain, dc=com
changetype: modify
delete: o

Then:

ldapmodify -h host -p port -D "binddn" -w bindpw -v -f xxx.ldif

you should see:

ldap_init( yourhost, yourport)
delete o:
modifying entry dc=myDomain,dc=com
modify complete

If it fails -the -v option on the ldapmodify will tell you why (or it should) - or you can check the error log on the directory server for more information ....

HTH - let me know if it doesn't

Yeah, I'm getting an objectclass error: missing required attribute. Is this cos I specified to use objectclass: oganization in the dcObject bit? If so... how does one remove that?

In the worst case.... would I need to delete all the data and start again? How would I do this?!

Thanks so much for your help, it seems OpenLDAP and its associations are a bit difficult to find good info on...

Thanks!
Gemma

Hmm - that is a strange error to get during deletion - you didn't specify that (o=myOrganization) in the slapd.conf file did you?

My next suggestion - to avoid having to delete and re-create the root suffix - is to use a tool like ldapbrowser to attempt deleting the o entry.

To do this - specifically - you would need to connect to your server as the manager and left click on your root suffix. The attributes associated with this suffix will appear on the right hand side - simply right click the o attribute (not the value) and select edit - then delete value - and click ok.

You may not have the ldapbrowser tool yet - but you will eventually need it anyway ... You can get it from:

http://www.iit.edu/~gawojar/ldap/

Nope, nothing odd like such in the slapd.conf. I tried deleting the attribute through ldapbrowser, but got the same message, so I rebuilt the tree. Since I hadn't managed to add anything meaningful anyway, it didn't take long

One other thing: I've now got the o and ou set properly, by cannot add new people under ou=People. When I try to add a new record, I get a "incorrect syntax" kind of error against the following line:

dn: cn=Sample Name, ou=People, o=myOrganization, dc=myDomain, dc=com

I find this odd, since I've extended inetorgperson, and nothing else is required.... I also can't see anything wrong with this line, but then, I am a bit new to LDIF formatting...

Have you any advice?

Thanks so much for your wisdom and patience

I hate to be a pain - but could you just past that LDIF record (and the next one if you have more than one) on this site - just to be sure it looks ok?

Thanks ...

Here it is, I should have posted it earlier really...

(bear in mind it contains bits from my custom schema, which contains the objects emailPerson and NameViewPerson)

dn: cn=Gemma Turtle, ou=People, o=myOrganization, dc=myDomain, dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgPerson
objectclass: emailPerson
objectclass: NameViewPerson
cn=Gemma Turtle
sn=Turtle
telephoneNumber=000000000
departmentNumber=0001
employeeNumber=138016
employeeType=Temp
givenName=Gemma Turtle
labeledURI=www.aWebSite.com
mobile=00000000000
roomNumber=43f
uid=T138016
reportsTo=138019
countryCode=UK

Even if I # out bits of it it still objects to the first line

Do you by chance have logging enabled? If so you may be able to discern the problem by attempting the addition then checking the error log - which is usually pretty descriptive as to why things fail - as opposed to the invalid syntax error. Moving forward it is always a good idea to enable the error log for this type of activity.

The LDIF looks fine - but I am not familar with your schema hierarchy - so it's a little hard to say for sure. Enabling the error log should let us know if there are schema issues.

I'm now a little confused as to how syslogd handles log information, and where it writes it to...

Once I've figured this out and generated some logs, I shall post them

Thanks for your help!

Hello there again... I've configured openldap to log at levels -1 and 256, and configured syslogd to receive the messages and store them, but I'm not getting any from that request I'm totally clueless now... Any ideas?

Howdy - two things to try:

1. Could you post the objectclass definitions for emailPerson and NameViewPerson

2. Have you tried adding (only as a test) the entry with a RDN tied to uid - like adding:

dn: uid=T138016, ou=People, o=myOrganization, dc=myDomain, dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgPerson
objectclass: emailPerson
objectclass: NameViewPerson
cn=Gemma Turtle
sn=Turtle
telephoneNumber=000000000
departmentNumber=0001
employeeNumber=138016
employeeType=Temp
givenName=Gemma Turtle
labeledURI=www.aWebSite.com
mobile=00000000000
roomNumber=43f
uid=T138016
reportsTo=138019
countryCode=UK

I can't imagine this would work - but it will help narrow down the issue if it succeeds.

Hello there,

From trying to add the record with uid instead of cn in the top line, I've got the same incorrect format error message. My extended schema is as follows....

attributetype (1.1.2.1.1 NAME 'mailHost'
DESC 'User mail host'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype (1.1.2.1.2 NAME 'reportsTo'
DESC 'Manager of this user'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype (1.1.2.2.1 NAME 'calendar'
DESC 'User calendar server'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype (1.1.2.2.2 NAME 'desktopHost'
DESC 'User desktop'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype (1.1.2.2.3 NAME 'extendedAddress'
DESC 'Internal mailstop'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype (1.1.2.2.4 NAME 'extensionPhone'
DESC 'Internal extension number'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype (1.1.2.2.5 NAME 'globalLocation'
DESC 'Building'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype (1.1.2.2.6 NAME 'nickname'
DESC 'User nickname or preferred name'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype (1.1.2.2.7 NAME 'pagerEmail'
DESC 'Email to pager address'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype (1.1.2.2.8 NAME 'altContact'
DESC 'Alternative contact'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype (1.1.2.2.9 NAME 'rfc822Recipient'
DESC 'All valid mail addresses'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)

attributetype (1.1.2.2.10 NAME 'countryCode'
DESC 'Country code'
EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15)


objectclass (1.1.2.1 NAME 'emailPerson' SUP inetOrgPerson
STRUCTURAL
MAY ( mailHost $
reportsTo ) )

objectclass (1.1.2.2 NAME 'NameViewPerson' SUP emailPerson
STRUCTURAL
MUST ( cn $
sn )
MAY ( calendar $
desktopHost $
extendedAddress $
extensionPhone $
globalLocation $
nickname $
pagerEmail $
altContact $
rfc822Recipient $
countryCode ) )

Apologies for the awful formatting... hopefully this makes sense / is correct

Thanks for your continued help!
Gemma