Konstantin Boyandin wrote:
13.01.2011 13:39, Howard Chu writes:

Konstantin Boyandin wrote:

Hello,

OpenLDAP version: 2.3.43-12 (CentOS 5.5), 64-bit.

In order to enable ppolicy overlay, I am trying to create the relevant entries, as specified in

http://www.openldap.org/doc/admin24/overlays.html#Password%20Policies

I import two LDIFs, first:

    dn: ou=Policies,dc=example,dc=com
    objectClass: organizationalUnit
    objectClass: top
    ou: Policies

and second

    dn: cn=default,ou=Policies,dc=example,dc=com
    cn: default
    objectClass: top
    objectClass: pwdPolicy
    objectClass: person
    pwdAllowUserChange: TRUE
    pwdAttribute: userPassword
    pwdCheckQuality: 2
    pwdExpireWarning: 600
    pwdFailureCountInterval: 30
    pwdGraceAuthNLimit: 2
    pwdInHistory: 5
    pwdLockout: TRUE
    pwdLockoutDuration: 0
    pwdMaxAge: 7776000
    pwdMaxFailure: 5
    pwdMinAge: 0
    pwdMinLength: 5
    pwdMustChange: FALSE
    pwdSafeModify: FALSE
    sn: dummy value

The first loads OK. When I try to import the second, I receive these diagnostics:

    Could not add object cn=default,ou=Policies,dc=itelsib,dc=com
    Message: Invalid syntax
    Error code: 0x15 (LDAP_INVALID_SYNTAX)
    Error description: An invalid attribute value was specified.

Could someone suggest what's wrong with the attribute name?

OpenLDAP never produces the text you provided above. It seems you're using some other LDAP tool to do this import, and it is not showing you the actual error message sent from the server. OpenLDAP slapd will always identify the actual attribute and value that causes an error. I suggest you try importing this entry with OpenLDAP's ldapadd and examine the error message from there.

I tried importing with slapadd. The output:

    str2entry: invalid value for attributeType pwdAttribute #0 (syntax 1.3.6.1.4.1.1466.115.121.1.38)
    slapadd: could not parse entry (line=22)

The error above refers to the allowed value of pwdAttribute, which can only be userPassword now. The problem is the value for this attribute in LDIF *is* userPassword, as in the cited sample.
I checked the LDIF - no 'invisible' characters around the value.
Sounds like you don't actually have the ppolicy overlay configured on the database you're loading into. The pwdAttribute syntax handler is part of the ppolicy overlay and will only get installed if you configure the overlay on the target database.
JFYI, I checked the values for the attributes using the man page. This, and other references provided with packages, is where I look first prior to asking on the Net.
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
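
Added example (not part of the thread and not OpenLDAP project code): a preflight check for the diagnosis in the reply above, confirming that the slapd.conf database section whose suffix holds the entry's DN has `overlay ppolicy` configured before the policy entry is loaded. The sample configuration, its paths and the function names are constructed for illustration; continuation lines and overlays declared before the first `database` line are not handled.

```python
import shlex

# Constructed sample slapd.conf (not from the thread): ppolicy is enabled on
# the first database only; the dc=example,dc=com database lacks the overlay.
SAMPLE_CONF = """\
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la

database bdb
suffix "dc=other,dc=org"
overlay ppolicy
ppolicy_default "cn=default,ou=Policies,dc=other,dc=org"

database bdb
suffix "dc=example,dc=com"
# overlay ppolicy
"""

def norm_dn(dn):
    """Lower-case a DN and strip spaces around commas (simple comparison only)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def parse_databases(conf):
    """Collect suffixes and overlays for each 'database' section, in order."""
    dbs, cur = [], None
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank line or comment
        tok = shlex.split(raw)
        key = tok[0].lower()
        if key == "database":
            cur = {"suffixes": [], "overlays": []}
            dbs.append(cur)
        elif cur is not None and key == "suffix" and len(tok) > 1:
            cur["suffixes"].append(norm_dn(tok[1]))
        elif cur is not None and key == "overlay" and len(tok) > 1:
            cur["overlays"].append(tok[1].lower())
    return dbs

def ppolicy_ready(conf, dn):
    """True if the database with the longest suffix match for dn has ppolicy."""
    dn, best, best_len = norm_dn(dn), None, -1
    for db in parse_databases(conf):
        for s in db["suffixes"]:
            if (dn == s or dn.endswith("," + s)) and len(s) > best_len:
                best, best_len = db, len(s)
    return best is not None and "ppolicy" in best["overlays"]
```

Calling `ppolicy_ready(conf_text, "cn=default,ou=Policies,dc=example,dc=com")` on the real configuration text before running slapadd shows whether the target database is the one missing the overlay.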