# Problems while following LDAP howto

## meyer37

I am following the Gentoo Guide to OpenLDAP Authentication and I have run into a problem when attempting to migrate the existing data.  I have successfully done the following:

```
# export ETC_SHADOW=/etc/shadow
# cd /usr/share/migrationtools
# ./migrate_base.pl > /tmp/base.ldif
# ./migrate_group.pl /etc/group /tmp/group.ldif
# ./migrate_hosts.pl /etc/hosts /tmp/hosts.ldif
# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/base.ldif
# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/group.ldif
```

but when I

```
# ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif
```

I get the following error

```
adding new entry "uid=jeffm,ou=People,dc=genfic,dc=com"
ldapadd: update failed: uid=jeffm,ou=People,dc=genfic,dc=com
ldap_add: Object class violation (65)
        additional info: invalid structural object class chain (inetOrgPerson/account)
```

I first received this error referring to the root account, so I edited the passwd.ldif to only contain my individual user account and I still received the error.  I saw some posts referring to the cosine.schema but I really didn't find any answers listed, or I just didn't understand what needed to be done.  How can I complete this part of the tutorial?

----------

## rwallace

Sounds like one of two possibilities to me.

1) You don't have all the right schemas listed in your slapd.conf file.  Here's what you should have:

```
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/samba.schema
```

You don't really need the last one unless you plan to use the ldap server to also authenticate samba.

2) In your base.ldif you didn't have an entry for dn: "ou=People,dc=genfic,dc=com".  To check this, do an ldapsearch and see if "ou=People,dc=genfic,dc=com" is listed in the output.

----------

## meyer37

thanks for the reply. Here is my slapd.conf:

```
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/inetorgperson.schema

# Use crypt to hash the passwords
password-hash {crypt}

# Define SSL and TLS properties (optional)
TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy is:
#       Allow read by all
#
# rootdn can always write!

#######################################################################
# ldbm database definitions
#######################################################################

database        ldbm
suffix          "dc=genfic,dc=com"
rootdn          "cn=Manager,dc=genfic,dc=com"
rootpw          {MD5}3xKywSvKqdykJnTEctI5qw==
directory       /var/lib/openldap-ldbm
index           objectClass     eq
```

and when I run

```
ldapsearch -D "cn=Manager,dc=genfic,dc=com" -W
```

I do find the following in the output

```
# People, genfic.com
dn: ou=People,dc=genfic,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
```

Yet I still get

```
adding new entry "uid=jeffm,ou=People,dc=genfic,dc=com"
ldapadd: update failed: uid=jeffm,ou=People,dc=genfic,dc=com
ldap_add: Object class violation (65)
        additional info: invalid structural object class chain (inetOrgPerson/account)
```

when I run

```
ldapadd -D "cn=Manager,dc=genfic,dc=com" -W -f /tmp/passwd.ldif
```

----------

## Microft

Today I updated to the LDAP 2.1.x series and for that I wanted to rebuild the whole tree.

And I have now the same problem; whether I want to insert the user by ldapadd or by directory_administrator.

Are there modifications in the schema files since 2.0.x which must be considered?

Tim

----------

## Microft

I figured it out.

http://www.openldap.org/lists/openldap-software/200209/msg00665.html

The problem is the "objectClass: account" line. Just delete it.

But it's very curious that the tools use this combination, but the new LDAP version doesn't allow this.

Tim

----------

## meyer37

Thanks, after removing the objectClass: Account line everything ran great.  Thanks for the help.

----------

## waverider202

In LDAPv3, every entry must have 1 structural objectClass.  OpenLDAP 2.0.x didn't follow this rule.  OpenLDAP >= 2.1.x does.  Many programs still try to make an entry with 2 structural objectClasses.  This is a bug in the program that's making the ldif files.

----------

## zaiyon

Hi, I have the same problem using slapd. Adding the samba schema to my includes will stop slapd from starting, and removing the line:

```
index           objectClass     eq
```

from slapd.conf does not help me, I still get the following:

```
# ldapadd -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=zaiyon.ath,dc=cx"
ldapadd: update failed: uid=root,ou=People,dc=zaiyon.ath,dc=cx
ldap_add: Object class violation (65)
        additional info: invalid structural object class chain (inetOrgPerson/account)
```

The object stuff lines from ldap.conf are all still commented out; I'm not that far with the howto right now.

```
# grep object /etc/ldap.conf # attribute/objectclass mapping
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass
#nss_map_objectclass posixAccount User
#nss_map_objectclass posixGroup Group
#pam_filter objectclass=User
#nss_map_objectclass posixAccount aixAccount
#nss_map_objectclass posixGroup aixAccessGroup
#pam_filter objectclass=aixAccount
```

I tried to run the migrate_passwd.pl tool again and tried to ldapadd again, with no new result.

It worked to migrate and ldapadd the other stuff; I just have problems with the passwd file.

I'm a real ldap n00b, am I doing any obviously wrong thing?

edit:

Forgot to post my full slapd.conf, here it is:

```
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

password-hash {crypt}

TLSCertificateFile /etc/ssl/ldap.pem
TLSCertificateKeyFile /etc/openldap/ssl/ldap.pem
TLSCACertificateFile /etc/ssl/ldap.pem

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        ldbm
suffix          "dc=zaiyon.ath,dc=cx"
rootdn          "cn=Manager,dc=zaiyon.ath,dc=cx"
rootpw          {MD5}keUKVO3YBG/eI2tviWAalw==
directory       /var/lib/openldap-ldbm
index           objectClass     eq
```

----------

## weyhan

*Quote:*

> Hi, I have the same problem using sladp, adding the samba schema to my includes will stop sladp from starting, removing the line:
> 
> ```
> index           objectClass     eq
> ```
> ...

Don't remove that line. What they were talking about in the previous post is the "objectClass: account" line in the passwd.ldif file.

You might find this thread interesting:

https://forums.gentoo.org/viewtopic.php?t=72607

Although the author of the Howto did not agree with migrating the whole password + group to ldap. You might or might not agree with his viewpoint, but I believe there is information in this thread that might be useful.

And also what I did to make my ldap+pam setup work:

https://forums.gentoo.org/viewtopic.php?p=1346899#1346899

However, I believe some of the kerberos stuff might not be necessary. (I might have got my ldap+pam working but I still don't have full understanding of it...)

----------

## zaiyon

thx for help & links, this helped me a bit, it seems to work now, but if I try to add the entry now, I get:

```
# ldapadd -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=zaiyon.ath,dc=cx"
ldapadd: update failed: uid=root,ou=People,dc=zaiyon.ath,dc=cx
ldap_add: Already exists (68)
```

So I read through the valid stuff in the manpages of ldapadd and ldapdelete to delete this, but as you can see I'm the same ldap n00b as yesterday:

```
# ldapdelete -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
Enter LDAP Password:
Delete Result: Invalid DN syntax (34)
Additional info: invalid DN
```

I don't have the guts to fool around any further, because I really don't know what I'm doing.

I already knew the first link but it was a bit complicated for me to read through it because it seems to be different from the official howto in some ways, like I said I have to learn much about stuff like ldap and kerberos.

PS:

Do you know what I can do about the samba.schema stuff? The init script does not post any error messages, it just doesn't work if I include the samba.schema, but it would be kinda useful to be capable of that one...

----------

## weyhan

*Quote:*

> So I read trough the valid stuff of the manpages of ldapadd and ldapdelete to delete this, but as you can see I'm the same ldap n00b like yesterday:
> 
> ```
> # ldapdelete -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
> 
> ...

I think you have partially added entries from the passwd.ldif that is why you can't add again. Also I think your delete command might not be correct.

Fortunately you can always start over. All you need to do is to stop slapd, delete the db files and start slapd again. According to the slapd.conf you have posted, the db files should be in /var/lib/openldap-ldbm. So, you would do:

```
# /etc/init.d/slapd stop
# rm -f /var/lib/openldap-ldbm/*
# /etc/init.d/slapd start
```

Then go back to the howto and start to populate the db by using ldapadd.

*Quote:*

> I already knew the first link but it was a bit complicated for me to read through it because it seems to be different from the official howto in some ways, like I said I have to learn much about stuff like ldap and kerberos.

The first link will not work very well because it is based on an earlier version of openldap, and that version is not very strict on the schema checking. However, if you combine that with the second link (which details what I did to get my setup working), you should be able to at least get the ldap+pam setup working.

*Quote:*

> PS:
> 
> Do you know what I can do about the samba.scheme stuff? The init script does not post any error messages, it just doesn't work if I include the samba.schema, but it would be kinda usefull to be capable of that one...

Making openldap work with pam as well as samba is a whole different beast. I am at the moment trying to convert my setup to include samba authentication and also for samba to act as PDC. But I am facing some issues with samba at the moment. Once I get it up, I will sure post, maybe to the Docs & tips forum or write it up in the wiki site. In any case I will also include a notice here in this forum.

However, don't hold your breath. Though I have most of the setup working, including generating your own certs (the right way), I am not sure when I will be able to resolve all the issues.

----------

## zaiyon

Hi, thx for help again, but I still have problems with that. I read through the second link but that seems not to solve my problem atm, see for yourself:

I migrated all that stuff again, working fine until I got to passwd.ldif again. This time I removed the objectClass: account line before trying to ldapadd, and now I get this:

```
# ldapadd -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=zaiyon.ath,dc=cx"
adding new entry "uid=bin,ou=People,dc=zaiyon.ath,dc=cx"
ldapadd: update failed: uid=bin,ou=People,dc=zaiyon.ath,dc=cx
ldap_add: Object class violation (65)
        additional info: invalid structural object class chain (inetOrgPerson/account)
```

As you can see it now hangs on the next user....

Trying it again brings me to this again:

```
# ldapadd -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
Enter LDAP Password:
adding new entry "uid=root,ou=People,dc=zaiyon.ath,dc=cx"
ldapadd: update failed: uid=root,ou=People,dc=zaiyon.ath,dc=cx
ldap_add: Already exists (68)
```

I searched the web and the gentoo forums again for some time without finding my problem, so I just tried again to delete all those dbs, migrate the data again and this time delete two lines from passwd, account and inetOrgPerson, then tried ldapadd passwd.ldif with the same result....

----------

## weyhan

*Quote:*

> I migratet all that stuff again, working fine until I got to passwd.ldif again, this time I removed the objectClass: account line before trying to ldapadd, now I get this:
> 
> ```
> # ldapadd -D "cn=Manager,dc=zaiyon.ath,dc=cx" -W -f /tmp/passwd.ldif
> 
> ...

Err... I think you only removed one line of "objectClass: account", right? You actually need to remove that line for every user.

If you still can't get it to work, post your passwd.ldif file, but not the whole file. Pick the user that fails and maybe a few more. That file is kind of long.
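The same fix, as an added example that is not code from this thread or from the migrationtools package: a small Python script that parses the generated LDIF, reports entries whose objectClass list mixes two structural classes from different superclass chains (the "inetOrgPerson/account" violation the thread keeps hitting), and removes "objectClass: account" from every entry rather than just the first one. It assumes the structural/auxiliary classification of the classes listed in CHAINS, which is how the core, cosine, inetorgperson and nis schemas define them; the sample LDIF is constructed.

```python
# Added example: flag LDIF entries whose objectClass list names two structural
# classes from different chains (inetOrgPerson/account) and drop one from every entry.
# Superclass chain per structural class; auxiliary (posixAccount, shadowAccount) and
# abstract (top) classes are deliberately absent because they never start a chain.
CHAINS = {"inetOrgPerson": ("inetOrgPerson", "organizationalPerson", "person", "top"),
          "organizationalPerson": ("organizationalPerson", "person", "top"),
          "person": ("person", "top"), "account": ("account", "top"),
          "organizationalUnit": ("organizationalUnit", "top")}

# Constructed sample in the shape migrate_passwd.pl emits (not real user data).
SAMPLE_LDIF = """dn: uid=jeffm,ou=People,dc=genfic,dc=com
uid: jeffm
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson

dn: uid=bin,ou=People,dc=genfic,dc=com
uid: bin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
"""

def parse_ldif(text):
    """Split LDIF into entries of (attr, sep, value); sep is ':' or '::' for base64."""
    entries, cur = [], []
    for raw in text.splitlines() + [""]:
        if not raw.strip():
            if cur:
                entries.append(cur)
            cur = []
        elif not raw.startswith("#"):
            attr, _, rest = raw.partition(":")
            sep = "::" if rest.startswith(":") else ":"
            cur.append((attr.strip(), sep, rest.lstrip(":").strip()))
    return entries

def structural_chain_ok(entry):
    """True when every pair of structural classes lies on one superclass chain."""
    st = [v for a, _, v in entry if a.lower() == "objectclass" and v in CHAINS]
    return all(x in CHAINS[y] or y in CHAINS[x] for x in st for y in st)

def drop_objectclass(text, drop="account"):
    """Remove 'objectClass: <drop>' from every entry; return (fixed_text, n_changed)."""
    out, changed = [], 0
    for entry in parse_ldif(text):
        kept = [t for t in entry if not (t[0].lower() == "objectclass" and t[2] == drop)]
        changed += len(kept) != len(entry)
        out.append("\n".join(f"{a}{s} {v}" for a, s, v in kept))
    return "\n\n".join(out) + "\n", changed
```

Running `drop_objectclass(open("/tmp/passwd.ldif").read())` and writing the first element back out gives a file every entry of which passes `structural_chain_ok`, which is what slapd 2.1 checks on ldapadd.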

----------

## zaiyon

argh, am I stupid, I overlooked that "971 lines" stuff....

now it works, thx, you've been of great help!

Now I'm stuck with the client configuration, but that'll work somehow ^^

I'll post it if I can get the things you're wondering about to work, but I don't think this'll be soon.

----------

## weyhan

*zaiyon wrote:*

> argh am I stupid, I overread that "971 lines" stuff....
> 
> now it works, thx, you've been of great help!

No worries. We all do that some times.

*zaiyon wrote:*

> Now I'm stuck with the client configuration, but that'll work somehow ^^
> 
> I'll post it if I can get the things to work your wondering about, but I don't think this'll be soon

Client configuration is the easy part. So don't worry.

----------

## dennis_demarco

The LDAP HOW-TO is out of date with 2.1.

In 2.1 you can't use a self-signed certificate. You need a CA certificate. That can be a private CA or commercial.

http://www.openldap.org/faq/data/cache/185.html

There is a difference between /etc/ldap.conf and /etc/openldap/ldap.conf.

/etc/openldap/ldap.conf is the library conf file (/etc/ldap.conf is the padl.com / pam_ldap file).

You need to place tls_cacert in both of these files.

Very aggravating, and not well documented.

----------

