Re: invalid syntax on pwdPolicy object add
On 9/16/10 12:12 PM, Buchan Milne wrote:
> On Monday, 13 September 2010 09:30:14 Julien Vehent wrote:
>> I have created the OU 'policies' just fine, but when I try to add a pwdPolicy object, I get the following error:
>
> (the EOF isn't necessary, if you don't specify an input file, ldapadd etc. will use stdin by default, just use CTRL-D to terminate the input in place of the EOF)
>
>> # ldapadd -x -D cn=admin,dc=example,dc=net -W <<EOF
>> dn: cn=defaultpwpolicy,ou=policies,dc=example,dc=net
>> objectClass: pwdPolicy
>> objectClass: top
>> pwdAttribute: userPassword
>> pwdAllowUserChange: TRUE
>> pwdInHistory: 2
>> pwdMaxFailure: 10
>> pwdLockout: TRUE
>> pwdLockoutDuration: 1800
>> pwdMinLength: 6
>> EOF
>> Enter LDAP Password:
>> adding new entry cn=defaultpwpolicy,ou=policies,dc=example,dc=net
>> ldap_add: Invalid syntax (21)
>>         additional info: objectClass: value #0 invalid per syntax
>
> Are you sure that you don't have any invalid characters on the:
>
>> objectClass: pwdPolicy
>
> line? For example, trailing white space is often a cause of this problem. You may want to use an ldif file, and attach it to any reply (as trailing space is easily missed if copying/pasting text into the stdin of ldapadd and/or email client)
>
> (your ldif above does still need a suitable structural objectclass, but it is not the cause of the error message above).

FYI, Kiran Ayyagari was able to reproduce the same issue using Apache Directory Studio, i.e. the problem is not in the LDIF file...

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: invalid syntax on pwdPolicy object add
Hello,

I think that the pwdAttribute needs an OID value (specified by the syntax) so you must use the OID of the userPassword attribute which is 2.5.4.35
Re: invalid syntax on pwdPolicy object add
mailing lists wrote:
> Hello,
>
> I think that the pwdAttribute needs an OID value (specified by the syntax) so you must use the OID of the userPassword attribute which is 2.5.4.35

This is true if you don't have the ppolicy module loaded. When the module is loaded, it installs a custom syntax handler for the pwdAttribute attribute that will recognize textual attribute names as well as OIDs. If you don't have the module loaded, you have done something wrong.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
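As an added example (constructed for this page, not code from the thread or from OpenLDAP), a small Python linter that applies the three checks raised in the thread to an LDIF entry before it is handed to ldapadd: trailing whitespace on a value line, a pwdPolicy entry with no structural objectClass, and a pwdAttribute value that is neither a numeric OID nor an attribute name (the name form is only valid when the ppolicy module is loaded, as described above). The STRUCTURAL set is a hand-picked subset of core.schema classes, an assumption here and not the server's schema.

```python
import re

# Constructed, partial schema knowledge (not read from the server): pwdPolicy is
# AUXILIARY and top is ABSTRACT, so the entry also needs one STRUCTURAL class.
STRUCTURAL = {"person", "organizationalrole", "organizationalunit", "device"}
OID_RE = re.compile(r"^\d+(\.\d+)+$")              # numericoid, e.g. 2.5.4.35
DESCR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")  # descriptor, e.g. userPassword

def parse_ldif(text):
    findings, logical, entries, current = [], [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        if raw != raw.rstrip():  # the space is part of the value and fails the syntax check
            findings.append(f"line {n}: trailing whitespace in {raw.rstrip()!r}")
        if raw.startswith(" ") and logical:  # leading space = continuation of previous line
            logical[-1] = (logical[-1][0], logical[-1][1] + raw[1:])
        else:
            logical.append((n, raw))
    for n, line in logical:
        if not line.strip():  # a blank line ends the current entry
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            findings.append(f"line {n}: not an 'attr: value' line {line!r}")
            continue
        value = value.strip()  # '::' base64 values are left encoded; not needed here
        if attr.lower() == "dn":
            current = (value, [])
            entries.append(current)
        elif current is not None:
            current[1].append((attr, value))
    return entries, findings

def lint_ldif(text):
    entries, findings = parse_ldif(text)
    for dn, attrs in entries:
        classes = {v.lower() for a, v in attrs if a.lower() == "objectclass"}
        if "pwdpolicy" in classes and not classes & STRUCTURAL:
            findings.append(f"{dn}: pwdPolicy is AUXILIARY, add a structural objectClass (e.g. person)")
        for a, v in attrs:
            if a.lower() == "pwdattribute" and not (OID_RE.match(v) or DESCR_RE.match(v)):
                findings.append(f"{dn}: pwdAttribute {v!r} is neither an OID nor an attribute name")
    return findings

# Constructed samples: the thread's entry with a trailing space after pwdPolicy and no
# structural class, and a corrected version (person requires sn; cn comes from the RDN).
BROKEN = ("dn: cn=defaultpwpolicy,ou=policies,dc=example,dc=net\nobjectClass: pwdPolicy \n"
          "objectClass: top\npwdAttribute: userPassword\npwdMinLength: 6\n")
FIXED = ("dn: cn=defaultpwpolicy,ou=policies,dc=example,dc=net\nobjectClass: pwdPolicy\n"
         "objectClass: person\nsn: defaultpwpolicy\npwdAttribute: userPassword\npwdMinLength: 6\n")
```

`lint_ldif(BROKEN)` reports both the trailing space and the missing structural class, while `lint_ldif(FIXED)` returns an empty list; run it on a file's contents before piping that file to ldapadd.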
Re: invalid syntax on pwdPolicy object add
On 9/14/10 8:40 AM, mailing lists wrote:
> Hello,
>
> I think that the pwdAttribute needs an OID value (specified by the syntax) so you must use the OID of the userPassword attribute which is 2.5.4.35

I thought that would be a possibility for the failure Kiran and Julien are facing (please guys, can you give it a try?), but IMO there is no reason why we would not be allowed to use 'userPassword' in this context.

Using the OID instead of the alias name does not carry any extra information, as long as the alias is valid according to the schema (whatever it represents, be it an AT, OC, MR, or any of the other kinds of schema objects). The syntax should just check that the alias is syntactically correct. It's up to the ppolicy overlay to check that the value is a valid AT.

Plus the error message is really misleading if this is the cause for the error.

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: invalid syntax on pwdPolicy object add
On Tue, 14 Sep 2010 10:51:01 +0200, Emmanuel Lecharny <elecha...@gmail.com> wrote:
> On 9/14/10 8:40 AM, mailing lists wrote:
>> Hello,
>>
>> I think that the pwdAttribute needs an OID value (specified by the syntax) so you must use the OID of the userPassword attribute which is 2.5.4.35
>
> I thought that would be a possibility for the failure Kiran and Julien are facing (please guys, can you give it a try?), but IMO there is no reason why we would not be allowed to use 'userPassword' in this context.
>
> Using the OID instead of the alias name does not carry any extra information, as long as the alias is valid according to the schema (whatever it represents, be it an AT, OC, MR, or any of the other kinds of schema objects). The syntax should just check that the alias is syntactically correct. It's up to the ppolicy overlay to check that the value is a valid AT.
>
> Plus the error message is really misleading if this is the cause for the error.

I tried with the OID... same thing.

How can I check that the module is properly loaded and functional?

Julien
invalid syntax on pwdPolicy object add
Hello all,

I'm trying to add a default password policy to my directory. I have set the following parameters in slapd.conf:

include /etc/ldap/schema/ppolicy.schema
[...]
moduleload ppolicy
[...]
backend hdb
database hdb
suffix dc=example,dc=net
[...]
# Password policy
overlay ppolicy
ppolicy_default cn=defaultpwpolicy,ou=policies,dc=example,dc=net

I have created the OU 'policies' just fine, but when I try to add a pwdPolicy object, I get the following error:

# ldapadd -x -D cn=admin,dc=example,dc=net -W <<EOF
dn: cn=defaultpwpolicy,ou=policies,dc=example,dc=net
objectClass: pwdPolicy
objectClass: top
pwdAttribute: userPassword
pwdAllowUserChange: TRUE
pwdInHistory: 2
pwdMaxFailure: 10
pwdLockout: TRUE
pwdLockoutDuration: 1800
pwdMinLength: 6
EOF
Enter LDAP Password:
adding new entry cn=defaultpwpolicy,ou=policies,dc=example,dc=net
ldap_add: Invalid syntax (21)
        additional info: objectClass: value #0 invalid per syntax

The schema is properly loaded, the ppolicy.so module is in the path (i.e., /usr/lib/ldap on debian).

So, I'm out of ideas. Anything I've missed here?

Thanks for your help,
Julien
Re: invalid syntax on pwdPolicy object add
> On Mon, 13 Sep 2010 10:52:03 +0200, Christian Manal <moen...@informatik.uni-bremen.de> wrote:
>> Hi,
>>
>> pwdPolicy is an auxiliary objectClass. You have to use it in conjunction with a structural objectClass. Look at the example from the admin guide:
>>
>> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
>
> Hi
>
> I've tried to add the 'person' object (core.schema is loaded), but I still obtain the same error

Also include the schema :

|include /opt/symas/etc/openldap/schema/ppolicy.schema|

in slapd.conf.

--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: invalid syntax on pwdPolicy object add
On Mon, 13 Sep 2010 13:12:15 +0200, Emmanuel Lecharny <elecha...@gmail.com> wrote:
>> On Mon, 13 Sep 2010 11:34:56 +0200, Emmanuel Lecharny <elecha...@gmail.com> wrote:
>>>> On Mon, 13 Sep 2010 10:52:03 +0200, Christian Manal <moen...@informatik.uni-bremen.de> wrote:
>>>>> Hi,
>>>>>
>>>>> pwdPolicy is an auxiliary objectClass. You have to use it in conjunction with a structural objectClass. Look at the example from the admin guide:
>>>>>
>>>>> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
>>>>
>>>> Hi
>>>>
>>>> I've tried to add the 'person' object (core.schema is loaded), but I still obtain the same error
>>>
>>> Also include the schema :
>>>
>>> |include /opt/symas/etc/openldap/schema/ppolicy.schema|
>>>
>>> in slapd.conf.
>>
>> Hi,
>>
>> From my first email, ppolicy.schema is included:
>> ---
>> include /etc/ldap/schema/ppolicy.schema
>
> Uhhh.. My bad.
>
> Check that you don't have extra space/tabs at the end of the ObjectClass attributeType in your ldif file.
>
> Which version of OpenLDAP are you using?

# slapd -V
@(#) $OpenLDAP: slapd 2.4.23 (Aug 26 2010 18:33:04) $
        r...@monster:/tmp/buildd/openldap-2.4.23/debian/build/servers/slapd

It's not a space/tab problem, and I've tried to put the request in an ldif file and insert it, with the same result.

It's definitely a constraint that's not satisfied... but which one??

Julien
Re: invalid syntax on pwdPolicy object add
On Mon, 13 Sep 2010 19:29:12 +0530, Kiran Ayyagari <kayyag...@apache.org> wrote:
> On Mon, Sep 13, 2010 at 5:07 PM, Julien Vehent <jul...@linuxwall.info> wrote:
>> # slapd -V
>> @(#) $OpenLDAP: slapd 2.4.23 (Aug 26 2010 18:33:04) $
>>         r...@monster:/tmp/buildd/openldap-2.4.23/debian/build/servers/slapd
>>
>> It's not a space/tab problem, and I've tried to put the request in an ldif file and insert it, with the same result.
>>
>> It's definitely a constraint that's not satisfied... but which one??
>
> think it is reproducible cause I have got the same error when I followed the above steps
> 'error code 21 - pwdAttribute: value #0 invalid per syntax'
>
> I have built OpenLDAP version 2.4.23 on Ubuntu 9.04 with berkeley db version 4.7.25
>
> Kiran Ayyagari

Alright, so it's either my steps that are wrong, or a problem with slapd. I'll be humble and suppose that my configuration is wrong first.

Any hint on what I could have missed? Described here:
http://wiki.linuxwall.info/doku.php/en:ressources:dossiers:openldap:openldap_debian#password_policy

Julien
Re: invalid syntax on pwdPolicy object add
On Mon, Sep 13, 2010 at 5:07 PM, Julien Vehent <jul...@linuxwall.info> wrote:
> On Mon, 13 Sep 2010 13:12:15 +0200, Emmanuel Lecharny <elecha...@gmail.com> wrote:
>>> On Mon, 13 Sep 2010 11:34:56 +0200, Emmanuel Lecharny <elecha...@gmail.com> wrote:
>>>>> On Mon, 13 Sep 2010 10:52:03 +0200, Christian Manal <moen...@informatik.uni-bremen.de> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> pwdPolicy is an auxiliary objectClass. You have to use it in conjunction with a structural objectClass. Look at the example from the admin guide:
>>>>>>
>>>>>> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
>>>>>
>>>>> Hi
>>>>>
>>>>> I've tried to add the 'person' object (core.schema is loaded), but I still obtain the same error
>>>>
>>>> Also include the schema :
>>>>
>>>> |include /opt/symas/etc/openldap/schema/ppolicy.schema|
>>>>
>>>> in slapd.conf.
>>>
>>> Hi,
>>>
>>> From my first email, ppolicy.schema is included:
>>> ---
>>> include /etc/ldap/schema/ppolicy.schema
>>
>> Uhhh.. My bad.
>>
>> Check that you don't have extra space/tabs at the end of the ObjectClass attributeType in your ldif file.
>>
>> Which version of OpenLDAP are you using?
>
> # slapd -V
> @(#) $OpenLDAP: slapd 2.4.23 (Aug 26 2010 18:33:04) $
>         r...@monster:/tmp/buildd/openldap-2.4.23/debian/build/servers/slapd
>
> It's not a space/tab problem, and I've tried to put the request in an ldif file and insert it, with the same result.
>
> It's definitely a constraint that's not satisfied... but which one??

think it is reproducible cause I have got the same error when I followed the above steps
'error code 21 - pwdAttribute: value #0 invalid per syntax'

I have built OpenLDAP version 2.4.23 on Ubuntu 9.04 with berkeley db version 4.7.25

Kiran Ayyagari