
Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX



Konstantin Boyandin wrote:
13.01.2011 13:39, Howard Chu writes:
Konstantin Boyandin wrote:
Hello,

OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit.

In order to enable ppolicy overlay, I am trying to create the relevant
entries, as specified in

http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies

I import two LDIFs, first:

dn: ou=Policies,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Policies

and second

dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: top
objectClass: pwdPolicy
objectClass: person
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 2
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 7776000
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLength: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE
sn: dummy value

The first loads OK.
When I try to import the second, I receive this diagnostics:

Could not add object cn=default,ou=Policies,dc=itelsib,dc=com
Message: Invalid syntax
Error code: 0x15 (LDAP_INVALID_SYNTAX)
Error description: An invalid attribute value was specified.

Could someone suggest what's wrong with the attribute name?

OpenLDAP never produces the text you provided above. It seems you're
using some other LDAP tool to do this import, and it is not showing you
the actual error message sent from the server. OpenLDAP slapd will
always identify the actual attribute and value that causes an error. I
suggest you try importing this entry with OpenLDAP's ldapadd and examine
the error message from there.

I tried importing with slapadd. The output:

str2entry: invalid value for attributeType pwdAttribute #0 (syntax
1.3.6.1.4.1.1466.115.121.1.38)
slapadd: could not parse entry (line=22)

The error above refers to the allowed value of pwdAttribute, which can
only be userPassword now.

The problem is the value for this attribute in LDIF *is* userPassword,
as in the cited sample. I checked the LDIF - no 'invisible' characters
around the value.

Sounds like you don't actually have the ppolicy overlay configured on the database you're loading into. The pwdAttribute syntax handler is part of the ppolicy overlay and will only get installed if you configure the overlay on the target database.

JFYI, I checked the values for the attributes using the man page. This, and
the other references provided with the packages, are where I look first prior to
asking on the Net.



--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
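A pre-flight check for the situation diagnosed in this thread, added here as an example and not code from the thread, from OpenLDAP or from Symas: it reads a slapd.conf, finds the database whose suffix covers the policy entry's DN, reports when that database has no `overlay ppolicy` line (the condition under which slapd lacks the pwdAttribute syntax handler and answers LDAP_INVALID_SYNTAX), and checks the pwdPolicy values against their schema syntaxes (Boolean, Integer, and pwdAttribute accepting only userPassword, as stated above). The slapd.conf fragment and the trimmed LDIF are constructed for the example; the function names are the example's own. It covers slapd.conf only, not cn=config (olcOverlay entries).

```python
"""Pre-flight check for a ppolicy entry: is 'overlay ppolicy' declared on the target
database in slapd.conf, and do the pwdPolicy attribute values fit their syntaxes?"""
import re

# Constructed slapd.conf: the overlay sits on the second database only.
SLAPD_CONF = """\
database bdb
suffix "dc=example,dc=com"
database bdb
suffix "dc=other,dc=org"
overlay ppolicy
"""
# Constructed policy entry, trimmed from the LDIF posted in the thread.
POLICY_LDIF = """\
dn: cn=default,ou=Policies,dc=example,dc=com
cn: default
objectClass: pwdPolicy
objectClass: person
pwdAttribute: userPassword
pwdLockout: TRUE
pwdMinLength: 5
sn: dummy value
"""
BOOLEANS = {"pwdallowuserchange", "pwdlockout", "pwdmustchange", "pwdsafemodify"}  # ppolicy schema
INTEGERS = {"pwdcheckquality", "pwdexpirewarning", "pwdfailurecountinterval", "pwdgraceauthnlimit",
            "pwdinhistory", "pwdlockoutduration", "pwdmaxage", "pwdmaxfailure", "pwdminage", "pwdminlength"}

def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, {attr: [values]})]; folds lines, skips comments, rejects base64."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines, dn, attrs = [], None, {}
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]              # RFC 2849 line folding
            elif not raw.startswith("#"):
                lines.append(raw)
        for line in lines:
            m = re.match(r"^([A-Za-z][\w;-]*):(?!:)\s*(.*)$", line)
            if not m:
                raise ValueError(f"unsupported LDIF line: {line!r}")
            name, value = m.groups()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is None:
            raise ValueError("LDIF record without dn")
        entries.append((dn, attrs))
    return entries

def parse_slapd_conf(text):
    """Database sections of slapd.conf as {suffix, overlays} dicts."""
    dbs, cur = [], None
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, arg = parts[0].lower(), (parts[1].strip().strip('"') if len(parts) > 1 else "")
        if key == "database":
            dbs.append(cur := {"suffix": None, "overlays": []})
        elif cur and key == "suffix":
            cur["suffix"] = arg
        elif cur and key == "overlay":
            cur["overlays"].append(arg.lower())
    return dbs

def database_for(dbs, dn):
    """Database whose suffix is the longest tail of dn (slapd picks the most specific)."""
    norm = lambda d: re.sub(r"\s*([,=])\s*", r"\1", d.strip()).lower()
    ndn, best, best_len = norm(dn), None, -1
    for db in dbs:
        suf = norm(db["suffix"] or "")
        if suf and (ndn == suf or ndn.endswith("," + suf)) and len(suf) > best_len:
            best, best_len = db, len(suf)
    return best

def validate_policy(attrs):
    """Value checks slapd applies once the overlay is active; returns a list of problems."""
    problems = []
    for name, values in attrs.items():
        key = name.lower()
        for v in values:
            if key in BOOLEANS and v not in ("TRUE", "FALSE"):
                problems.append(f"{name}: {v!r} is not a Boolean")
            elif key in INTEGERS and not re.fullmatch(r"-?\d+", v):
                problems.append(f"{name}: {v!r} is not an Integer")
            elif key == "pwdattribute" and v.strip().lower() != "userpassword":
                problems.append(f"pwdAttribute: {v!r}; the overlay accepts only userPassword")
    return problems

def preflight(conf_text, ldif_text):
    """Everything that would make slapadd/ldapadd refuse the policy LDIF."""
    dbs, issues = parse_slapd_conf(conf_text), []
    for dn, attrs in parse_ldif(ldif_text):
        db = database_for(dbs, dn)
        if db is None:
            issues.append(f"{dn}: no database suffix covers this DN")
        elif "ppolicy" not in db["overlays"]:
            issues.append(f"{dn}: database {db['suffix']} lacks 'overlay ppolicy' (LDAP_INVALID_SYNTAX)")
        issues.extend(f"{dn}: {p}" for p in validate_policy(attrs))
    return issues

if __name__ == "__main__":
    print("\n".join(preflight(SLAPD_CONF, POLICY_LDIF) or ["no problems found"]))
```

Run as-is it reports that dc=example,dc=com has no `overlay ppolicy`; on a real host, read /etc/openldap/slapd.conf and the policy LDIF from disk and pass them to `preflight`. Adding `overlay ppolicy` to the first database clears the report, which is the fix Howard points at: the overlay must be declared on the database that holds the policy entries, not merely loaded as a module.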