
Re: ldapadd of LDIF files with attribute 'apple-generateduid' not allowed [Resolved]



Alexander Hartner wrote:
> On 21 Feb 2008, at 11:56, Alexander Hartner wrote:
> 
>> I am trying to import a simple LDIF file into OpenDirectory on OS X
>> 10.5.2 Leopard Server.
>>
>> However when I issue the following ldapadd command I get an error :
>>
>> ldapadd -D [rootdn] -x -w [secretPassword] -f Import.ldif
>>
>> Error : 65 Object class violation"
>> attribute 'apple-generateduid' not allowed
>
> As it turns out the problem was with the objectClasses. 

Yes.

> I should have used : 
> 
>     * objectClass: top
>     * objectClass: person
>     * objectClass: organizationalPerson
>     * objectClass: inetOrgPerson
>     * objectClass: extensibleObject 

No!

Adding extensibleObject almost disables schema checking for that entry.
This is only appropriate in very special cases but in general is bad
practice. E.g. a schema-aware client does not have any chance to display
an appropriate input form based on schema information. And likely Apple
LDAP clients will search for entries of a particular object class and
might ignore your entries.

You should rather search for the right schema file and import that. A
quick search turned up:

http://mattfleming.com/files/active/0/apple.schema

So the right solution is to add object class 'apple-user'.

Ciao, Michael.
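
The point made in the reply above, as an added example that is not part of the original message: a pre-import lint that flags `extensibleObject` and still reports the attributes no other object class on the entry permits. The `ALLOWED` table is a constructed, abbreviated stand-in for the server schema, the sample entries are constructed, and it is assumed that `apple-user` permits `apple-generateduid`.

```python
# Added example, not from the thread. ALLOWED is a constructed, abbreviated table;
# that 'apple-user' permits 'apple-generateduid' is an assumption.
ALLOWED = {
    "person": {"cn", "sn", "userpassword", "description"},
    "inetorgperson": {"uid", "mail", "givenname", "displayname"},
    "apple-user": {"apple-generateduid"},
}

def parse_ldif(text):
    """Return [(dn, {attr: [values]})], unfolding RFC 2849 continuation lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # folded line: append to the previous one
        elif not raw.startswith("#"):      # skip comment lines
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.lstrip(":< ").strip()
        if not line.strip():               # blank line ends an entry
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif name == "dn":
            dn = value
        elif name != "version":
            attrs.setdefault(name, []).append(value)
    return entries

def audit(text, allowed=ALLOWED):
    """Return (dn, code, detail) findings for each entry in the LDIF text."""
    findings = []
    for dn, attrs in parse_ldif(text):
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "extensibleobject" in classes:  # server would accept any attribute here
            findings.append((dn, "extensible-object", ""))
        permitted = {"objectclass"}.union(*(allowed.get(c, set()) for c in classes))
        findings += [(dn, "attr-not-allowed", a) for a in attrs if a not in permitted]
    return findings

# Constructed sample: alice lacks apple-user, bob masks that with extensibleObject,
# carol uses apple-user (her DN is folded to exercise the parser).
BASE = "objectClass: person\nobjectClass: inetOrgPerson\ncn: X\nsn: Y\n"
SAMPLE = ("dn: uid=alice,dc=example,dc=com\n" + BASE + "apple-generateduid: A-1\n\n"
          "dn: uid=bob,dc=example,dc=com\n" + BASE
          + "objectClass: extensibleObject\napple-generateduid: B-2\n\n"
          "dn: uid=carol,dc=exam\n ple,dc=com\n" + BASE
          + "objectClass: apple-user\napple-generateduid: C-3\n")
```

Calling `audit(SAMPLE)` returns one finding for alice, two for bob and none for carol; bob's entry is the one the directory would accept even though no object class on it declares `apple-generateduid`.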