Re: Invalid structural object class chain

["Tibbetts, Ric" <ric.tibbetts@ngc.com>]

This one works "too".
I actually took "account" out, leaving me with:

{printf "dn: uid="$1",ou=People,dc=ldap-test,dc=com\n"} \
{printf "givenName:"}  \
{split  ($5, arr, ","); printf arr[2]"\n"; } \
{split  ($5, arr, ","); print "sn: "arr[1]; } \
{printf "objectClass: top\n"} \
{printf "objectClass: posixAccount\n"} \
{printf "objectClass: inetOrgPerson\n"} \
{printf "uid: "$1"\n"} \
{printf "cn: "$5"\n"} \
{printf "mail: "$1"@mail.example.com\n"}
{printf "userPassword: \n"}  \
{printf "uidNumber: "$3"\n"} \
{printf "gidNumber: "14"\n"} \
{printf "homeDirectory: "$6"\n"} \
{printf "loginShell: "$7"\n"} \
{printf "gecos: "$5"\n"} \
{printf "\n"}' | egrep -v ":/bin/.sh" >> /ldap/add.ldap.short.passwd.ldif


So, with this problem solved, I'm left with another:
Now I can create users again, but they can't log in. I'm getting 
authentication errors in /var/log/messages.

I've tried everything I can think of.
ldappasswd doesn't work. It won't let me change the passwords.
I've been using ldapmodify to change passwords from the server. But the 
user still cannot log in, nor change his own password (I "can) log into 
a client as root, then "su - <user>". Once in as the user that way, I 
still cannot change the users password.

Any thoughts?

Ric


Brent Kearney wrote:
> Another option, perhaps less desirable than the one suggested by
> Hallvard, is to alter the 'account' object in cosine.schema from:
>
> objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account'
>         SUP top STRUCTURAL
>         MUST userid
>         MAY ( description $ seeAlso $ localityName $
>                 organizationName $ organizationalUnitName $ host )
>         )
>
> to:
>
> objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account'
>         SUP top AUXILIARY
>         MUST userid
>         MAY ( description $ seeAlso $ localityName $
>                 organizationName $ organizationalUnitName $ host )
>         )
>
> Cheers,
>
> Brent
>
>
> On Wed, 2003-07-09 at 10:45, Hallvard B Furuseth wrote:
>
> > Tibbetts, Ric writes:
> >
> > > The situation, if I'm adding new users, and use the following combination:
> > >
> > > {printf "objectClass: top\n"} \
> > > {printf "objectClass: person\n"} \
> > > {printf "objectClass: account\n"} \
> > > {printf "objectClass: organizationalPerson\n"} \
> > > {printf "objectClass: inetOrgPerson\n"} \
> > > {printf "objectClass: posixAccount\n"} \
> > > .
> > > ldap_add: Object class violation (65)
> > >         additional info: invalid structural object class chain 
> > > (person/account)
> >
> > Yes.  You have a structural object class _tree_ which ends in both
> > account and in inetOrgPerson.  It may only end in one object class.
> >
> >
> > > Of course, if I move "account" around, the invalid chain changes
> > > accordingly. If I remove "account", the problem goes away. But I'd
> > > like to keep it in.
> >
> > In that case you must add a structural object class which is a subclass
> > of both inetOrgPerson and account.  E.g.
> >
> > objectclass ( <oid> NAME 'personalAccount'
> > 	SUP ( inetOrgPerson $ account ) STRUCTURAL )
> >
> > The other alternative is to remove account after all, and instead add
> > another object class which contains the attributes you want from
> > account.
> >
> > BTW, I don't think you need to list subclasses of classes you add.
> > I believe they are added automatically.  That is, you only need
> > {printf "objectClass: personalAccount\n"} \
> > {printf "objectClass: posixAccount\n"} \