6

I am trying to create a user in LDAP that uses the object classes inetOrgPerson together with groupOfNames (so I could use the attribute 'member'), but it won't let me, no matter which combination I try. What is the correct way to use the 'member' attribute?

This is the error message I get when trying to add it through Apache Directory Studio.

Error while creating entry
 - [LDAP: error code 65 - OBJECT_CLASS_VIOLATION: failed for MessageType : ADD_REQUES
  java.lang.Exception: [LDAP: error code 65 - OBJECT_CLASS_VIOLATION: failed for MessageType : ADD_REQUEST
Message ID : 113
    Add Request :
Entry
    dn[n]: uid=sadsadsadadad@test.com,o=test,ou=tenant,dc=test,dc=com
    objectClass: groupOfNames
    objectClass: organizationalPerson
    objectClass: person
    objectClass: top
    objectClass: inetOrgPerson
    uid: sadsadsadadad@test.com
    member: cn=user,ou=role,dc=test,dc=com
    sn: sadsadsad
    cn: sdsadsad
: ERR_61 Entry uid=sadsadsadadad@test.com,o=test,ou=tenant,dc=test,dc=com contains more than one STRUCTURAL ObjectClass: [OBJECT_CLASS ( 2.5.6.9
 NAME 'groupOfNames'
 DESC RFC2256: a group of names (DNs)
 SUP 'top'
 STRUCTURAL
 MUST ( 'cn' $ 'member' )
 MAY ( 'businessCategory' $ 'seeAlso' $ 'owner' $ 'ou' $ 'o' $ 'description' )
 )
, OBJECT_CLASS ( 2.16.840.1.113730.3.2.2
 NAME 'inetOrgPerson'
 DESC RFC2798: Internet Organizational Person
 SUP 'organizationalPerson'
 STRUCTURAL
 MAY ( 'audio' $ 'businessCategory' $ 'carLicense' $ 'departmentNumber' $ 'displayName' $ 'employeeNumber' $ 'employeeType' $ 'givenName' $ 'homePhone' $ 'homePostalAddress' $ 'initials' $ 'jpegPhoto' $ 'labeledURI' $ 'mail' $ 'manager' $ 'mobile' $ 'o' $ 'pager' $ 'photo' $ 'roomNumber' $ 'secretary' $ 'uid' $ 'userCertificate' $ 'x500UniqueIdentifier' $ 'preferredLanguage' $ 'userSMIMECertificate' $ 'userPKCS12' )
 )
]]
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkResponse(DirectoryApiConnectionWrapper.java:1280)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.access$600(DirectoryApiConnectionWrapper.java:109)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper$6.run(DirectoryApiConnectionWrapper.java:928)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.runAndMonitor(DirectoryApiConnectionWrapper.java:1175)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.checkConnectionAndRunAndMonitor(DirectoryApiConnectionWrapper.java:1109)
    at org.apache.directory.studio.connection.core.io.api.DirectoryApiConnectionWrapper.createEntry(DirectoryApiConnectionWrapper.java:950)
    at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.createEntry(CreateEntryRunnable.java:224)
    at org.apache.directory.studio.ldapbrowser.core.jobs.CreateEntryRunnable.run(CreateEntryRunnable.java:124)
    at org.apache.directory.studio.connection.ui.RunnableContextRunner$1.run(RunnableContextRunner.java:112)
    at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:121)

codenamezero

1 Answer

7

The technical reason is that the groupOfNames and the person object classes are mutually exclusive. They are both structural classes, but without a subordinate relationship, which makes them different objectClass chains, and according to RFC 4512:

An object or alias entry is characterised by precisely one structural object class superclass chain which has a single structural object class as the most subordinate object class.

A group has members, but a person is not a group and can't have members like a group.

As far as I know, you normally make a person a member of a group, and the LDAP server provides an internal function to maintain the reverse lookup mapping to easily retrieve the groups an object belongs to, a virtual attribute if you will, typically the memberOf attribute. ApacheDS may not support this (yet).

In other words, the groups an LDAP object belongs to are not a property of the object itself, and you should probably not even desire to try to maintain that manually.

HBruijn
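The structural-class rule from RFC 4512 that the answer quotes, together with the MUST lists ApacheDS printed in the ERR_61 message, written out as a small Python schema checker. This is an added example, not code from the original post or from ApacheDS: the schema table is a transcription of the standard definitions (RFC 4519 / RFC 2798, MAY lists abridged to the attributes used here), `QUESTION_ENTRY` is the entry from the question as echoed in the error, and `USER_ENTRY` / `GROUP_ENTRY` are constructed variants that show the two valid ways to split it.

```python
"""Toy RFC 4512 schema check: one structural object class chain per entry,
plus MUST/MAY attribute validation. Added example, not ApacheDS code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                       # "ABSTRACT", "STRUCTURAL" or "AUXILIARY"
    sup: tuple = ()                 # superior object classes (SUP)
    must: frozenset = frozenset()
    may: frozenset = frozenset()


# Subset of the standard schema (RFC 4519 / RFC 2798), matching the two
# definitions ApacheDS printed in the error. MAY lists are abridged.
SCHEMA = {oc.name: oc for oc in (
    ObjectClass("top", "ABSTRACT", (), frozenset({"objectClass"})),
    ObjectClass("person", "STRUCTURAL", ("top",), frozenset({"sn", "cn"}),
                frozenset({"userPassword", "telephoneNumber", "seeAlso", "description"})),
    ObjectClass("organizationalPerson", "STRUCTURAL", ("person",), frozenset(),
                frozenset({"title", "ou", "l", "street", "postalCode"})),
    ObjectClass("inetOrgPerson", "STRUCTURAL", ("organizationalPerson",), frozenset(),
                frozenset({"uid", "mail", "displayName", "givenName", "manager"})),
    ObjectClass("groupOfNames", "STRUCTURAL", ("top",), frozenset({"cn", "member"}),
                frozenset({"businessCategory", "seeAlso", "owner", "ou", "o", "description"})),
)}


def superclass_chain(name):
    """Every class from `name` up to top, inclusive."""
    seen, stack = set(), [name]
    while stack:
        current = stack.pop()
        if current not in seen:
            seen.add(current)
            stack.extend(SCHEMA[current].sup)
    return seen


def structural_leaves(object_classes):
    """The most-subordinate STRUCTURAL classes in the entry. RFC 4512 allows
    exactly one; a class is a leaf if no other structural class derives from it."""
    structural = {oc for oc in object_classes if SCHEMA[oc].kind == "STRUCTURAL"}
    return {oc for oc in structural
            if not any(other != oc and oc in superclass_chain(other) for other in structural)}


def check_entry(entry):
    """Return a list of violations (empty when the entry passes). Attribute
    names are compared in canonical spelling; real servers match them
    case-insensitively (simplification of this example)."""
    ocs = entry["objectClass"]
    unknown = [oc for oc in ocs if oc not in SCHEMA]
    if unknown:
        return [f"unknown objectClass: {unknown}"]
    problems = []
    leaves = structural_leaves(ocs)
    if len(leaves) > 1:
        problems.append(f"ERR_61 more than one STRUCTURAL ObjectClass: {sorted(leaves)}")
    elif not leaves:
        problems.append("no STRUCTURAL objectClass")
    required, allowed = set(), set()
    for oc in ocs:
        for name in superclass_chain(oc):
            required |= SCHEMA[name].must
            allowed |= SCHEMA[name].must | SCHEMA[name].may
    present = set(entry)
    if required - present:
        problems.append(f"missing MUST attribute(s): {sorted(required - present)}")
    if present - allowed:
        problems.append(f"attribute(s) not allowed by any objectClass: {sorted(present - allowed)}")
    return problems


# The entry from the question, as ApacheDS echoed it back.
QUESTION_ENTRY = {
    "objectClass": ["groupOfNames", "organizationalPerson", "person", "top", "inetOrgPerson"],
    "uid": ["sadsadsadadad@test.com"],
    "member": ["cn=user,ou=role,dc=test,dc=com"],
    "sn": ["sadsadsad"],
    "cn": ["sdsadsad"],
}

# Constructed: the same user without the group class, a single structural chain.
USER_ENTRY = {k: v for k, v in QUESTION_ENTRY.items() if k != "member"}
USER_ENTRY["objectClass"] = [oc for oc in QUESTION_ENTRY["objectClass"] if oc != "groupOfNames"]

# Constructed: the membership expressed the other way round, a group pointing at the user.
GROUP_ENTRY = {
    "objectClass": ["top", "groupOfNames"],
    "cn": ["role-admins"],
    "member": ["uid=sadsadsadadad@test.com,o=test,ou=tenant,dc=test,dc=com"],
}

if __name__ == "__main__":
    for label, entry in (("question", QUESTION_ENTRY), ("user", USER_ENTRY), ("group", GROUP_ENTRY)):
        print(label, check_entry(entry) or "OK")
```

Running it reproduces the server's complaint for the question's entry (groupOfNames and inetOrgPerson are both leaves) and passes the user and the group once they are separate entries. The same checker also flags the other gotcha in the `MUST ( 'cn' $ 'member' )` line: a groupOfNames with no member at all is just as invalid as the combined entry.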
  • So the proper way to maintain the users/groups would be, for example: create an org unit **ou=test**. Then under it, I create **ou=group1** and **ou=group2**, then add the users under those groups? – codenamezero Apr 08 '15 at 14:58
  • 2
    Typically I would expect a `cn=group1` rather than an organisational unit (`ou=` is typically used to create branches in an LDAP directory tree) and have the actual user objects in something like `ou=people,dc=example,dc=com`, group objects in `ou=groups,dc=example,dc=ORG`, where a group object `cn=group1,ou=groups,dc=example,dc=com` has one or more `member` attributes that point to a user object in the People OU, e.g. `member: cn=Alice,ou=people,dc=example,dc=com`. http://www.zytrax.com/images/ldap-groups.gif – HBruijn Apr 09 '15 at 08:58
  • 1
    Is there any harm in creating a subtree to host a group of people? Let's say a big company has 3 sister companies under different branding. Wouldn't it be better to split the `people` into 3 separate subtrees under each `ou` (this is the reason why I was trying to use `ou` for group1 etc.)? – codenamezero Apr 09 '15 at 16:13
  • 2
    There is no harm in organising the LDAP directory as you see fit for your purposes; on the contrary, you should model the LDAP to match your purposes (think also of delegating control), so `ou=org1,dc=example,dc=com` and `ou=org2,dc=example,dc=com` etc., each with their own `ou=people` and `ou=groups`, makes a lot of sense. – HBruijn Apr 09 '15 at 16:20
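The layout the comments arrive at (a per-organisation `ou=people` and `ou=groups`, group entries pointing at user entries through `member`), together with the reverse lookup the answer says a server normally provides as `memberOf`, as an added Python example. It is not code from the original post or from any LDAP server: `dc=example,dc=com`, the organisation names, the users and the never-created `dave` member are constructed sample data, and `normalise_dn` is a deliberately simplified DN comparison (no escaped-comma handling).

```python
"""Model the ou=people / ou=groups layout from the thread and compute the
reverse mapping a memberOf attribute would give. Added example with
constructed data; not code from the post or from any directory server."""

BASE = "dc=example,dc=com"  # assumed suffix, taken from the DNs in the comments


def user_dn(org, uid):
    return f"uid={uid},ou=people,ou={org},{BASE}"


def group_dn(org, cn):
    return f"cn={cn},ou=groups,ou={org},{BASE}"


def build_directory():
    """Constructed sample tree: two organisations, each with its own people and
    groups branch. Users say nothing about groups; groups list their members.
    `dave` is referenced by org1's staff group but never created (dangling)."""
    entries = {}

    def add(dn, **attrs):
        entries[dn] = {k: list(v) if isinstance(v, (list, tuple)) else [v]
                       for k, v in attrs.items()}

    add(BASE, objectClass=["top", "dcObject", "organization"], dc="example", o="Example")
    for org in ("org1", "org2"):
        add(f"ou={org},{BASE}", objectClass=["top", "organizationalUnit"], ou=org)
        add(f"ou=people,ou={org},{BASE}", objectClass=["top", "organizationalUnit"], ou="people")
        add(f"ou=groups,ou={org},{BASE}", objectClass=["top", "organizationalUnit"], ou="groups")
    person = ["top", "person", "organizationalPerson", "inetOrgPerson"]
    add(user_dn("org1", "alice"), objectClass=person, uid="alice", cn="Alice", sn="Example")
    add(user_dn("org1", "bob"), objectClass=person, uid="bob", cn="Bob", sn="Example")
    add(user_dn("org2", "carol"), objectClass=person, uid="carol", cn="Carol", sn="Example")
    group = ["top", "groupOfNames"]
    add(group_dn("org1", "admins"), objectClass=group, cn="admins",
        member=[user_dn("org1", "alice")])
    add(group_dn("org1", "staff"), objectClass=group, cn="staff",
        member=[user_dn("org1", "alice"), user_dn("org1", "bob"), user_dn("org1", "dave")])
    add(group_dn("org2", "staff"), objectClass=group, cn="staff",
        member=[user_dn("org2", "carol")])
    return entries


def to_ldif(entries):
    """Render the tree as LDIF text, one blank line between entries."""
    lines = []
    for dn, attrs in entries.items():
        lines.append(f"dn: {dn}")
        for attr, values in attrs.items():
            lines.extend(f"{attr}: {value}" for value in values)
        lines.append("")
    return "\n".join(lines)


def normalise_dn(dn):
    """Simplified comparison form (assumption of this example): trims spaces
    around RDN separators and lowercases. Real distinguishedNameMatch also
    handles escaping and attribute-specific matching rules."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def groups_of(entries, dn):
    """The reverse lookup the answer describes: every groupOfNames whose
    member list contains `dn`. This is what a server-side memberOf computes."""
    target = normalise_dn(dn)
    return sorted(g for g, attrs in entries.items()
                  if "groupOfNames" in attrs.get("objectClass", [])
                  and any(normalise_dn(m) == target for m in attrs.get("member", [])))


def dangling_members(entries):
    """(group, member) pairs whose member DN resolves to no entry. Anything
    that grants access from group membership should treat these as a finding."""
    known = {normalise_dn(dn) for dn in entries}
    return sorted((g, m) for g, attrs in entries.items()
                  for m in attrs.get("member", []) if normalise_dn(m) not in known)


if __name__ == "__main__":
    tree = build_directory()
    print(to_ldif(tree))
    print("alice is in:", groups_of(tree, user_dn("org1", "alice")))
    print("dangling:", dangling_members(tree))
```

Against a live server the same reverse lookup is a single search over the groups branch, e.g. `ldapsearch -x -b "ou=groups,ou=org1,dc=example,dc=com" "(&(objectClass=groupOfNames)(member=uid=alice,ou=people,ou=org1,dc=example,dc=com))" dn`, which works whether or not the server offers a memberOf attribute. Two practical consequences of the `MUST ( 'cn' $ 'member' )` shown in the error are worth keeping in mind: a groupOfNames cannot be emptied, so removing the last member is itself a schema violation, and nothing in the schema checks that a `member` DN still exists, so stale references like `dave` above are only caught by a check such as `dangling_members`.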