13.01.2011 13:39, Howard Chu writes:
> Konstantin Boyandin wrote:
>> Hello,
>>
>> OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit.
>>
>> In order to enable ppolicy overlay, I am trying to create the relevant
>> entries, as specified in
>>
>> http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies
>>
>> I import two LDIFs, first:
>>
>> dn: ou=Policies,dc=example,dc=com
>> objectClass: organizationalUnit
>> objectClass: top
>> ou: Policies
>>
>> and second
>>
>> dn: cn=default,ou=Policies,dc=example,dc=com
>> cn: default
>> objectClass: top
>> objectClass: pwdPolicy
>> objectClass: person
>> pwdAllowUserChange: TRUE
>> pwdAttribute: userPassword
>> pwdCheckQuality: 2
>> pwdExpireWarning: 600
>> pwdFailureCountInterval: 30
>> pwdGraceAuthNLimit: 2
>> pwdInHistory: 5
>> pwdLockout: TRUE
>> pwdLockoutDuration: 0
>> pwdMaxAge: 7776000
>> pwdMaxFailure: 5
>> pwdMinAge: 0
>> pwdMinLength: 5
>> pwdMustChange: FALSE
>> pwdSafeModify: FALSE
>> sn: dummy value
>>
>> The first loads OK.
>> When I try to import the second, I receive this diagnostics:
>>
>> Could not add object cn=default,ou=Policies,dc=itelsib,dc=com
>> Message: Invalid syntax
>> Error code: 0x15 (LDAP_INVALID_SYNTAX)
>> Error description: An invalid attribute value was specified.
>>
>> Could someone suggest what's wrong with the attribute name?
>
> OpenLDAP never produces the text you provided above. It seems you're
> using some other LDAP tool to do this import, and it is not showing you
> the actual error message sent from the server. OpenLDAP slapd will
> always identify the actual attribute and value that causes an error. I
> suggest you try importing this entry with OpenLDAP's ldapadd and examine
> the error message from there.

I tried importing with slapadd. The output:

str2entry: invalid value for attributeType pwdAttribute #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=22)

The error above refers to the allowed value of pwdAttribute, which can only be userPassword now. The problem is the value for this attribute in LDIF *is* userPassword, as in the cited sample. I checked the LDIF - no 'invisible' characters around the value.

JFYI, I checked the values for the attributes using the man page. This, and other references provided with packages, is where I look first prior to asking on the Net.
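
The check for 'invisible' characters around an LDIF value, mentioned in the message above, can be done mechanically rather than by eye. The following is an added example, not part of the original thread: `audit_ldif` and `value_problems` are hypothetical helper names, and the sample LDIF is constructed from the policy entry with three values deliberately damaged.

```python
import base64
import unicodedata

# Constructed sample based on the policy entry in the message; three values are
# damaged on purpose: trailing space, CRLF ending, base64 hiding U+00A0.
SAMPLE_LDIF = (
    "dn: cn=default,ou=Policies,dc=example,dc=com\n"
    "cn: default\n"
    "pwdAttribute: userPassword \n"
    "pwdLockout: TRUE\r\n"
    "sn:: " + base64.b64encode("dummy\u00a0value".encode("utf-8")).decode("ascii") + "\n"
)

def value_problems(value):
    """Describe characters in one attribute value that an editor would not show."""
    problems = []
    if value.endswith("\r"):
        problems.append("CR line ending")
        value = value[:-1]
    if value != value.rstrip(" \t"):
        problems.append("trailing whitespace")
    for ch in value.rstrip(" \t"):
        if ord(ch) > 126 or unicodedata.category(ch).startswith("C"):
            problems.append("hidden or non-ASCII character U+%04X" % ord(ch))
    return problems

def audit_ldif(text):
    """Return (line_number, attribute, problem) for every suspicious value."""
    findings = []
    if text.startswith("\ufeff"):
        findings.append((1, "", "byte-order mark at start of file"))
        text = text[1:]
    for number, line in enumerate(text.split("\n"), start=1):
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith(("#", " ")):
            continue  # blank lines, comments, folded continuation lines
        if rest.startswith(":"):  # "attr:: <base64>" form
            try:
                value = base64.b64decode(rest[1:].strip(), validate=True).decode("utf-8")
            except ValueError:
                findings.append((number, attr, "undecodable base64 value"))
                continue
        else:
            value = rest.lstrip(" ")
        findings.extend((number, attr, p) for p in value_problems(value))
    return findings

if __name__ == "__main__":
    print("\n".join("line %d: %s: %s" % f for f in audit_ldif(SAMPLE_LDIF)))
```

An empty result means only that the file contains none of these characters. Folded continuation lines are skipped rather than rejoined.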