Ping a Specific Port

Question

Matthias Ronge

Asked: 2012-12-01 02:05:20 +0800 CST2012-12-01 02:05:20 +0800 CST 2012-12-01 02:05:20 +0800 CST

LDAP object class violation: attribute ou not allowed in suffix?

772

I am about to set up a LDAP directory. It is used as a tool to communicate user permissions from a web application to WebDav file system access, e.g. adding a user to the web platform shall allow login to the file system with the same credentials. There are no other usages intended. Following this German tutorial which encourages the use of the attributes c, o, ou etc. over dc, I configured the following suffix and root:

suffix                "ou=webtool,o=myOrg,c=de"
rootdn                "cn=ldapadmin,ou=webtool,o=myOrg,c=de"

Server starts and I can connect to it by LDAP Admin, which reports “LDAP error: Object lacks”. Well, there aren’t any objects yet.

I now want to create the root and admin elements from shell. I created an init.ldif file:

dn: ou=webtool,o=myOrg,c=de
objectclass: dcObject
objectclass: organization
dc: webtool
o: webtool

dn: cn=ldapadmin,ou=webtool,o=myOrg,c=de
objectclass: organizationalRole
cn: ldapadmin

Trying to load the file runs into an error, telling me that ou is not allowed:

server:~ # ldapadd -x -D "cn=ldapadmin,ou=webtool,o=myOrg,c=de" -W -f init.ldif
Enter LDAP Password:
adding new entry "ou=webtool,o=myOrg,c=de"
ldap_add: Object class violation (65)
        additional info: attribute 'ou' not allowed

I am not using ou anywhere except in the suffix, so the question: Isn’t it allowed here? What is allowed here?

1 Answers

Voted

Matthias Ronge · Answer 1 · 2012-12-04T23:28:02+08:00

There are numberous dependencies for the creation of elements, and error messages are rather confusing if you don’t know of the concept. The objectclass isn’t necessarily dcObject for the databases’ root node, as it is likely to guess when you read several tutoriales. Instead, it must correspond to the object’s type: Here, for a name starting with ou=, it must be organizationalUnit. I found this piece of information in these tables. Further on, the object class dictates which properties must and can be added in the record. Here, organizationalUnit must have an ou: entry and must not have neither dc: nor o: entries. Thus, the healthy init.ldif file looks like that:

dn: ou=webtool,o=myOrg,c=de
objectclass: organizationalUnit
ou: LDAP server for my webtool

dn: cn=ldapadmin,ou=webtool,o=myOrg,c=de
objectclass: organizationalRole
cn: ldapadmin

Note: The page also states: “While many objectClasses show no MUST attributes you must (ouch) follow any hierarchy […] to determine if this is the really case.” I thought that would mean my root record would have to provide the must fields for c= and o= (c: and o:, respectively) but this is not the case.

LDAP object class violation: attribute ou not allowed in suffix?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?