OpenLDAP's slapd checks naming attributes and distinguished values for consistency, according to RFC 4512.
Naming attributes are those attributeTypes that appear in an entry's RDN; distinguished values are the values of the naming attributes that appear in an entry's RDN. For example, in
    cn=Someone+mail=someone@example.com,dc=example,dc=com
the naming attributes are cn and mail, and the distinguished values are Someone and someone@example.com.
OpenLDAP's slapd checks for consistency when:
- adding an entry
- modifying an entry, if the values of the naming attributes are changed
- renaming an entry, if the RDN of the entry changes
Possible causes of error are:
- the naming attributes are not present in the entry; for example:
    dn: dc=example,dc=com
    objectClass: organization
    o: Example
    # note: "dc: example" is missing
- the naming attributes are present in the entry, but in the attributeType definition they are marked as:
  - collective
  - operational
  - obsolete
- the naming attributes are present in the entry, but the distinguished values are not; for example:
    dn: dc=example,dc=com
    objectClass: domain
    dc: foobar
    # note: "dc" is present, but the value is not "example"
- the naming attributes are present in the entry, with the distinguished values, but:
  - the naming attributes do not have an equality field, so equality cannot be asserted
  - the matching rule is not supported (yet)
  - the matching rule is not appropriate
  - the given distinguished values do not comply with their syntax
- other errors occurred during the validation/normalization/match process; this is a catchall: if none of the above applies to your case, look at the previous log entries for details.
In any case, make sure that the attributeType definition of each naming attribute contains an appropriate EQUALITY field, or, if the attribute is defined based on a superior attributeType (look at the SUP field), that the superior's definition does.
See RFC 4512 for details.
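The first and third causes above can be caught before an LDIF file is loaded. The following pre-flight check is an added example, not slapd's code: the function names and message texts are hypothetical, and it assumes unfolded, non-base64 LDIF and case-insensitive value comparison, whereas slapd applies each attribute's own EQUALITY rule.

```python
import re

def split_unescaped(s, sep):
    """Split s on sep, keeping backslash-escaped characters together."""
    return re.findall(r"(?:\\.|[^\\%s])+" % re.escape(sep), s)

def rdn_avas(dn):
    """Return (naming attribute, distinguished value) pairs from the entry's RDN."""
    pairs = []
    for ava in split_unescaped(split_unescaped(dn, ",")[0], "+"):
        attr, _, value = ava.partition("=")
        # Simplification: only \<char> escapes are decoded, not \XX hex pairs.
        pairs.append((attr.strip().lower(), re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs

def parse_entry(ldif):
    """Parse one LDIF entry (no line folding, no base64) into (dn, {attr: [values]})."""
    dn, attrs = None, {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if name.strip().lower() == "dn":
            dn = value.strip()
        else:
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return dn, attrs

def check_naming(ldif):
    """Return a list of naming problems; empty means RDN and entry agree."""
    dn, attrs = parse_entry(ldif)
    if not dn:
        return ["entry has no dn"]
    problems = []
    for attr, value in rdn_avas(dn):
        # Assumption: case-insensitive comparison; slapd applies the attribute's EQUALITY rule.
        if attr not in attrs:
            problems.append(f"naming attribute '{attr}' not present in entry")
        elif value.lower() not in [v.lower() for v in attrs[attr]]:
            problems.append(f"distinguished value '{value}' of '{attr}' not present in entry")
    return problems

# The page's two failing entries plus a constructed consistent one.
MISSING_ATTR = "dn: dc=example,dc=com\nobjectClass: organization\no: Example\n"
WRONG_VALUE = "dn: dc=example,dc=com\nobjectClass: domain\ndc: foobar\n"
CONSISTENT = ("dn: cn=Someone+mail=someone@example.com,dc=example,dc=com\n"
              "objectClass: inetOrgPerson\ncn: Someone\nsn: Someone\nmail: someone@example.com\n")
if __name__ == "__main__":
    print([check_naming(e) for e in (MISSING_ATTR, WRONG_VALUE, CONSISTENT)])
```

The schema-related causes (collective, operational or obsolete attributes, missing or unsupported EQUALITY rules, syntax violations) depend on the server's loaded schema and are not covered by this check.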
ando@sys-net.it, Kurt@OpenLDAP.org