6

I have the ldif

dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=local
olcPPolicyHashCleartext: TRUE

dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {1}memberof
olcMemberOfMemberAD: uniqueMember
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfRefInt: TRUE

which I'm trying to use to configure the LDAP server with the following command:

ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/overlays.ldif

The error I'm getting is:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #3 invalid per syntax

I suspect that it's due to an incorrect password, but I can't tell for sure. The hits I've had searching on the web have been for "value #2" or "value #1"; as a non-LDAP expert, I don't know if this makes any difference.

Thanks, Bruce

Bruce Becker
  • 277
  • 1
  • 4
  • 18

1 Answer

9

It's not a bad password, i.e. Invalid credentials (49).

It is Invalid syntax (21). Specifically, in the case of objectClass, you're trying to use an objectClass that doesn't exist (olcPPolicyConfig).

OpenLDAP counts multi-attribute values, of which objectClass is one, starting at 0. Which means your ldapadd looks like:

value#0: top  
value#1: olcConfig  
value#2: olcOverlayConfig  
value#3: olcPPolicyConfig

The olcPPolicyConfig objectClass is provided by the libtool library ppolicy.la, which generally needs to be loaded as a module. The same goes for memberOf and most other overlays.

$ sudo ldapadd -Y EXTERNAL -H ldapi:/// <<EOF
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: ppolicy.la

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof.la
EOF

Your module path may differ; the above is the correct path for CentOS 7.

84104
  • 12,698
  • 6
  • 43
  • 75
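As an added example (not code from the question or the answer above), the script below does two things the thread explains by hand: it maps an ldapadd message of the form "objectClass: value #N invalid per syntax" back to the offending value in the LDIF, counting from 0 as OpenLDAP does, and it checks which objectClasses in the LDIF depend on an overlay module that is not yet listed in cn=config. The LDIF and error text are the ones from the question, embedded inline so the script runs offline; the objectClass-to-module table takes ppolicy.la and memberof.la from the answer, while the syncprov and refint rows are my own additions, and the list of loaded modules is whatever an administrator pastes in from the olcModuleLoad values of the cn=module entries.

```python
import re

# Constructed sample input: the LDIF posted in the question.
SAMPLE_LDIF = """\
dn: olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcPPolicyConfig
olcOverlay: ppolicy
olcPPolicyDefault: cn=default,ou=policies,dc=local
olcPPolicyHashCleartext: TRUE

dn: olcOverlay=memberof,olcDatabase={1}hdb,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {1}memberof
olcMemberOfMemberAD: uniqueMember
olcMemberOfGroupOC: groupOfUniqueNames
olcMemberOfRefInt: TRUE
"""

# Constructed sample input: the diagnostic lines ldapadd printed in the question.
SAMPLE_ERROR = """\
adding new entry "olcOverlay=ppolicy,olcDatabase={1}hdb,cn=config"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #3 invalid per syntax
"""

# objectClass (lower-cased) -> overlay module that defines it.
# ppolicy and memberof come from the answer; syncprov and refint are added
# from my own knowledge of OpenLDAP, not from the page.
OVERLAY_MODULES = {
    "olcppolicyconfig": "ppolicy.la",
    "olcmemberof": "memberof.la",
    "olcsyncprovconfig": "syncprov.la",
    "olcrefintconfig": "refint.la",
}

DN_RE = re.compile(r'adding new entry "([^"]+)"')
ERR_RE = re.compile(r'additional info: (\S+): value #(\d+) invalid per syntax')


def parse_ldif(text):
    """Parse simple LDIF into a list of (dn, attrs); attrs maps a lower-cased
    attribute name to its values in file order. Handles blank-line separated
    records, '#' comment lines and folded continuation lines (leading space).
    Base64 ('::') values are not needed for cn=config overlay entries and are
    rejected rather than silently mis-parsed."""
    entries = []
    current = []  # logical lines of the record being read

    def flush():
        if not current:
            return
        dn, attrs = None, {}
        for line in current:
            name, _sep, value = line.partition(':')
            if value.startswith(':'):
                raise ValueError("base64 values not supported: %s" % line)
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        entries.append((dn, attrs))
        current.clear()

    for raw in text.splitlines():
        if raw.startswith('#'):
            continue
        if raw == "":
            flush()
        elif raw.startswith(' ') and current:
            current[-1] += raw[1:]  # LDIF line folding
        else:
            current.append(raw)
    flush()
    return entries


def explain_syntax_error(ldif_text, error_text):
    """Return which value 'ATTR: value #N invalid per syntax' points at.
    OpenLDAP numbers the values of a multi-valued attribute from 0, so
    value #3 is the fourth objectClass listed for the entry being added."""
    dn_m, err_m = DN_RE.search(error_text), ERR_RE.search(error_text)
    if not (dn_m and err_m):
        return None
    dn, attr, index = dn_m.group(1), err_m.group(1), int(err_m.group(2))
    for entry_dn, attrs in parse_ldif(ldif_text):
        if entry_dn == dn:
            values = attrs.get(attr.lower(), [])
            if index < len(values):
                return {"dn": dn, "attribute": attr, "index": index, "value": values[index]}
    return None


def _module_stem(name):
    """Normalise an olcModuleLoad value: cn=config stores ordered values as
    '{0}ppolicy.la', and the '.la' suffix is optional when loading."""
    name = re.sub(r'^\{\d+\}', '', name.strip()).lower()
    return name[:-3] if name.endswith('.la') else name


def missing_overlay_modules(ldif_text, loaded_modules):
    """Map each objectClass in the LDIF that needs an overlay module to that
    module, for modules absent from loaded_modules (the olcModuleLoad values
    of the cn=module entries under cn=config). An empty result means the
    overlay entries can be added without first loading anything."""
    loaded = {_module_stem(m) for m in loaded_modules}
    needed = {}
    for _dn, attrs in parse_ldif(ldif_text):
        for oc in attrs.get("objectclass", []):
            module = OVERLAY_MODULES.get(oc.lower())
            if module and _module_stem(module) not in loaded:
                needed[oc] = module
    return needed


if __name__ == "__main__":
    print(explain_syntax_error(SAMPLE_LDIF, SAMPLE_ERROR))
    print(missing_overlay_modules(SAMPLE_LDIF, []))
```

On a live server the loaded-module list is the set of olcModuleLoad values returned by a search of cn=config for entries with objectClass olcModuleList; pasting those into missing_overlay_modules before running ldapadd tells you up front whether the overlay entries will fail with Invalid syntax (21) for want of a module.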