[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: invalid structural object class chain (inetOrgPerson/fw1person)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Brian Gaber wrote:
|>Attempting to convert OpenLDAP v2.0.27-11 to OpenLDAP v2.2.26
|>I am running the 2.2.26 slapadd on the file created by the 2.0.27 slapcat
|>
|>Here is what I get:
|>
|>
|
| Did you add the fw1person schema to slapd.conf ?
|
| Yes, I did, its not too long (95 lines) so I have included it below.
| It is called fw1ng.schema, It comes from CheckPoint corporation for
| their firewall to determine access by their firewall.
Well, either they haven't been maintaining it, or you have an old copy ...
| If anyone is
| interested here is their document that I used for my setup
| http://www.opsec.com/solutions/partners/downloads/OpenLDAP_VPN-1.pdf
|
It's outdated:
"Abstract
Check Point? VPN-1® NG has the ability to access LDAP directory servers
for managing users, groups and
templates. OpenLDAP is a free, stable and widely used LDAP Server on
UNIX platforms. This guide describes how to
configure OpenLDAP on Red Hat Linux 8.0 for the integration with VPN-1NG
SmartDirectory."
| objectclass ( 1.3.114.7.3.2.0.1 NAME 'fw1template'
| SUP 'top'
| MUST ( cn )
| MAY (
| member $ description $ fw1auth-method $ fw1auth-server $
fw1pwdlastmod $
| fw1skey-number $ fw1skey-seed $ fw1skey-passwd $ fw1skey-mdm $
| fw1expiration-date $ fw1hour-range-from $ fw1hour-range-to $ fw1day $
| fw1allowed-src $ fw1allowed-dst $ fw1allowed-vlan $ fw1SR-keym $
| fw1SR-datam $ fw1SR-mdm $ fw1enc-fwz-expiration $ fw1sr-auth-track $
| fw1grouptemplate $ fw1ISAKMP-EncMethod $ fw1ISAKMP-AuthMethods $
| fw1ISAKMP-HashMethods $ fw1ISAKMP-Transform $
fw1ISAKMP-DataIntegrityMethod $
| fw1ISAKMP-SharedSecret $ fw1ISAKMP-DataEncMethod $ fw1enc-methods $
| fw1userPwdPolicy $ memberOf )
| )
| objectclass ( 1.3.114.7.3.2.0.2
| NAME 'fw1person'
| SUP 'top'
| MUST ( cn $ sn )
| MAY (
| description $ userpassword $ mail $ uid $ fw1auth-method $
fw1auth-server $
| fw1pwdlastmod $ fw1skey-number $ fw1skey-seed $ fw1skey-passwd $
fw1skey-mdm $
| fw1expiration-date $ fw1hour-range-from $ fw1hour-range-to $ fw1day $
| fw1allowed-src $ fw1allowed-dst $ fw1allowed-vlan $ fw1SR-keym $
fw1SR-datam $
| fw1SR-mdm $ fw1enc-fwz-expiration $ fw1sr-auth-track $
fw1grouptemplate $
| fw1ISAKMP-EncMethod $ fw1ISAKMP-AuthMethods $ fw1ISAKMP-HashMethods $
| fw1ISAKMP-Transform $ fw1ISAKMP-DataIntegrityMethod $
fw1ISAKMP-SharedSecret $
| fw1ISAKMP-DataEncMethod $ fw1enc-methods $ fw1userPwdPolicy $
fw1badPwdCount $
| fw1lastLoginFailure $ memberoftemplate $ memberOf )
| )
Well, from my understanding of rfc2252, the objectclass definition
should specify one of "ABSTRACT", "STRUCTURAL", or "AUXILIARY", using
AUXILIARY will solve your problem ... eg (watch out for line breaks
though ...):
objectclass ( 1.3.114.7.3.2.0.2
~ NAME 'fw1person'
~ SUP 'top' AUXILIARY
~ MUST ( cn $ sn )
~ MAY (
~ description $ userpassword $ mail $ uid $ fw1auth-method $
fw1auth-server $
~ fw1pwdlastmod $ fw1skey-number $ fw1skey-seed $ fw1skey-passwd $
fw1skey-mdm $
~ fw1expiration-date $ fw1hour-range-from $ fw1hour-range-to $ fw1day $
~ fw1allowed-src $ fw1allowed-dst $ fw1allowed-vlan $ fw1SR-keym $
fw1SR-datam $
~ fw1SR-mdm $ fw1enc-fwz-expiration $ fw1sr-auth-track $
fw1grouptemplate $
~ fw1ISAKMP-EncMethod $ fw1ISAKMP-AuthMethods $ fw1ISAKMP-HashMethods $
~ fw1ISAKMP-Transform $ fw1ISAKMP-DataIntegrityMethod $
fw1ISAKMP-SharedSecret $
~ fw1ISAKMP-DataEncMethod $ fw1enc-methods $ fw1userPwdPolicy $
fw1badPwdCount $
~ fw1lastLoginFailure $ memberoftemplate $ memberOf )
~ )
Of course, you should *really* consult the vendor who supplied you with
the schema.
Regards,
Buchan
- --
Buchan Milne Senior Support Technician
Obsidian Systems http://www.obsidian.co.za
B.Eng RHCE (803004789010797),LPIC-1 (LPI000074592)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFC4KXarJK6UGDSBKcRAocdAKC0Ii5lTG1jezl/gSsmfq+iiZNljgCfaIz0
OuWbdlLdNYjL6YXaEJ7WJZE=
=0hcn
-----END PGP SIGNATURE-----