Why does this ldapadd command quit with an "Invalid syntax" error?

Question

I'm very new to openldap but extremely well versed in the linux/unix environment. I'm trying to setup my very first test openldap environment using the guide here. I've also read most of the admin guide here and I have to admit, it is a lot to take in.

So following the ubuntu basic setup guide I created an ldif file that looks like this:

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: cn=engineers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: engineers
gidNumber: 5000

dn: uid=john,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: john
sn: Doe
givenName: John
cn: John Doe
displayName: John Doe
uidNumber: 10000
gidNumber: 5000
userPassword: johnldap
gecos: John Doe
loginShell: /bin/bash
homeDirectory: /home/john

Whenever I tried to add it using:

$ ldapadd -x -D cn=admin,dc=example,dc=com -W -f add_content.ldif

I get the following error:

adding new entry "cn=engineers,ou=Groups,dc=my-domain,dc=com"
ldap_add: Invalid syntax (21)
    additional info: objectClass: value #0 invalid per syntax

adding new entry "uid=john,ou=People,dc=my-domain,dc=com"
ldap_add: Invalid syntax (21)
    additional info: objectClass: value #0 invalid per syntax

The results in google for this error don't net any helpful suggestions. What could I be doing wrong here?

What happens if you don't have the dash in your domain? That could be causing it... — Nathan C, Aug 16 '13 at 14:13
@NathanC same thing... my guess is that it can't find `posixGroup`. How do I query for the available `objectClass`es? — hax0r_n_code, Aug 16 '13 at 14:27
@NathanC also I don't have this `/etc/ldap/slapd.d/` directory. I installed openldap from source. — hax0r_n_code, Aug 16 '13 at 14:28
I'm not familiar enough with openldap to answer ...someone else here might be though. — Nathan C, Aug 16 '13 at 14:30
Where is slapd getting it's configuration? You're either using `slapd.conf` somewhere, or dynamic configuration in `cn=config` via `slapd.d`. — larsks, Aug 16 '13 at 14:48
@larsks I wish I knew how to answer that question... but I'm too much a noob at this. I'm modifying the `slapd.conf` located under `/usr/local/etc/openldap/slapd.conf` but there is no `slapd.d` directory anywhere at all — hax0r_n_code, Aug 16 '13 at 14:50
You just answered the question; it sounds like you're using `slapd.conf`. — larsks, Aug 16 '13 at 14:53

score 12 · Accepted Answer · answered Aug 16 '13 at 14:57

12

Your problem is undoubtedly that you need to load the nis schema into your LDAP server. How to do this depends on whether your are using the legacy slapd.conf configuration file or the newer dynamic configuration hosted in cn=config and backed by a slapd.d directory.

Using `slapd.conf`

You will need to include the schema definition in your slapd.conf by adding a line along the lines of:

include /usr/local/etc/openldap/schema/nis.schema

This assumes that the nis.schema file is located at that path; if not, modify the path appropriately.

You will need to restart slapd to activate the new schema.

Using `slapd.d`

(I'm including this for completeness, although it's not directly relevant to your current configfuration).

To load a schema into slapd if you're using the dynamic cn=config configuration, you would use ldapadd. Depending on how your ACLs are configured, the command might look like this:

ldapadd -Y EXTERNAL -H ldapi:// -f /usr/local/etc/openldap/schema/nis.ldif

This assumes that your running slapd has an ACL permitting "peer credentials" authentication to root. If that doesn't work, you would need to provide an appropriate bind DN and password using -D and -W.

There is no restart required in this case.

answered Aug 16 '13 at 14:57

larsks

41,276
13
117
170

Thank you! If I downloaded and installed the latest version of `openldap` why wouldn't I be configured to use `slapd.d`? – hax0r_n_code Aug 16 '13 at 15:00
Maybe the installer defaults to using the legacy configuration file? In any case the documentation has instructions for converting from `slapd.conf` to `slapd.d`. – larsks Aug 16 '13 at 15:01
This answer was very helpful time. I had to add few required schema to make it work for me. Thanks for the answer! – Senthil Kumar May 12 '14 at 18:03
1

How did you know it was the nis.schema that was missing and not some other schema? How did you parse the error? – Mike Shultz Jun 06 '15 at 18:15
1

The error is complaining about the objectclass for cn=engineers, which is "posixGroup". From this it is relatively easy to figure it out in which schema that objectclass is defined. – larsks Jun 06 '15 at 18:58

score 1 · Answer 2 · answered Sep 18 '20 at 00:12

1

I had the same problem, but the final error was due to the blank or tab spaces I had left trailing rows within the ldif format file I created. As soon as I removed those, the Organization Units were added without problems.

answered Sep 18 '20 at 00:12

dcubaz

11
1

score 1 · Answer 3 · answered Jul 31 '17 at 14:44

1

I recently encountered this problem while following the Ubuntu OpenLDAP Server tutorial. Solved it by removing all the trailing whitespace from my rows.

answered Jul 31 '17 at 14:44

jamzsabb

111
2

1

Thanks a lot for this, I just struggled with this error! – TylerDurden Mar 06 '18 at 09:34

score 1 · Answer 4 · edited Jan 25 '19 at 10:15

I fix it deleting the file.ldif that i want to charge in openldap (for example: data.ldif) because the text editor vi sometimes insert invisible character by error or bug and this affect to your ldif file. So delete it and you create another one and try to upload each statement one by one and check with the command ldapsearch -x -h nameofyourserver -b “dc=whateveris,dc=com”, goodbye and i hope to help you with this.

Why does this ldapadd command quit with an "Invalid syntax" error?

4 Answers4

Using slapd.conf

Using slapd.d

Using `slapd.conf`

Using `slapd.d`