[mmc.shema] slapadd: bad configuration file!

[raphael.jadot@…]

i did as it was written in documentation for mdv 2008, and i also add openldap-server, openldap-client and openldap-extra-schemas. However, while i try to do

#slapadd -l /tmp/ldap-ini.ldif

Here is the output :

/usr/share/openldap/schema/mmc.shema: line 45: AttributeType not found: "member"
slapadd: bad configuration file!

Here is the file mmc.schema from the line 41 to 45:

41  #Objectclass
42  objectclass ( 1.3.6.1.4.1.40098.1.2.1.19.3 NAME 'GroupPolicy'
43          SUP top
44          MUST ( cn )
45          MAY ( ACL $ member ) )

What is the problem please ?

[cdelfosse@…]

Hello,

please use the mds-users mailing list for this kind of setup problems.

Looks like your /etc/openldap/slapd.conf is badly configured. Please post the content of this file.

Regards,

[anonymous]

thanks. I used the openldap file given with mandriva in openldap-server package, i just modified suffix rootdn and rootpw

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $ # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # # Modified by Christian Zoffoli <czoffoli@…> # Version 0.2 #

include /usr/share/openldap/schema/mmc.schema include /usr/share/openldap/schema/core.schema include /usr/share/openldap/schema/cosine.schema include /usr/share/openldap/schema/corba.schema include /usr/share/openldap/schema/inetorgperson.schema include /usr/share/openldap/schema/java.schema include /usr/share/openldap/schema/krb5-kdc.schema include /usr/share/openldap/schema/kerberosobject.schema include /usr/share/openldap/schema/misc.schema include /usr/share/openldap/schema/nis.schema include /usr/share/openldap/schema/openldap.schema include /usr/share/openldap/schema/autofs.schema include /usr/share/openldap/schema/samba.schema include /usr/share/openldap/schema/kolab.schema include /usr/share/openldap/schema/evolutionperson.schema include /usr/share/openldap/schema/calendar.schema include /usr/share/openldap/schema/sudo.schema include /usr/share/openldap/schema/dnszone.schema include /usr/share/openldap/schema/dhcp.schema

#include /usr/share/openldap/schema/rfc822-MailMember?.schema #include /usr/share/openldap/schema/pilot.schema #include /usr/share/openldap/schema/qmail.schema #include /usr/share/openldap/schema/mull.schema #include /usr/share/openldap/schema/netscape-profile.schema #include /usr/share/openldap/schema/trust.schema

include /etc/openldap/schema/local.schema

# Define global ACLs to disable default read access and provide default # behaviour for samba/pam use include /etc/openldap/slapd.access.conf

# Provide write access to replicators, and cover access to any other # attributes (default anonymous read access may be undesirable) access to dn.subtree="dc=example,dc=com"

by group="cn=Replicator,ou=Group,dc=example,dc=com" by users read by anonymous read

# Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org

pidfile /var/run/ldap/slapd.pid argsfile /var/run/ldap/slapd.args

modulepath /usr/lib/openldap

# database backend modules available: #moduleload back_dnssrv.la #moduleload back_ldap.la #moduleload back_meta.la #moduleload back_monitor.la #moduleload back_passwd.la #moduleload back_sql.la

# overlay modules available: #moduleload accesslog.la #moduleload denyop.la #moduleload dyngroup.la #moduleload dynlist.la #moduleload glue.la #moduleload lastmod.la #moduleload pcache.la #moduleload ppolicy.la #moduleload refint.la #moduleload retcode.la #moduleload rwm.la #moduleload syncprov.la #moduleload translucent.la #moduleload unique.la

#contrib overlays #moduleload smbk5pwd.so

# SASL config #sasl-host ldap.example.com

# To allow TLS-enabled connections, create /etc/ssl/openldap/ldap.pem # and uncomment the following lines. #TLSRandFile /dev/random #TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCertificateFile /etc/ssl/openldap/ldap.pem TLSCertificateKeyFile /etc/ssl/openldap/ldap.pem #TLSCACertificatePath /etc/ssl/openldap/ #TLSCACertificateFile /etc/ssl/cacert.pem TLSCACertificateFile /etc/ssl/openldap/ldap.pem #TLSVerifyClient never # ([never]|allow|try|demand)

# logging #loglevel 256

####################################################################### # database definitions #######################################################################

database bdb suffix "dc=mandtiva,dc=com" #suffix "o=My Organization Name,c=US" rootdn "cn=admin,dc=mandriva,dc=com" #rootdn "cn=Manager,o=My Organization Name,c=US"

# Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret rootpw {SSHA}gqNR92aL44vUg8aoQ9wcZYzvUxMqU6/8 # rootpw {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND # should only be accessable by the slapd/tools. Mode 700 recommended. directory /var/lib/ldap

# Tuning settings, please see the man page for slapd-bdb for more information # as well as the DB_CONFIG file in the database directory # commented entries are at their defaults # In-memory cache size in entries #cachesize 1000 # Checkpoint the bdb database after 256kb of writes or 5 minutes have passed # since the last checkpoint checkpoint 256 5

# Indices to maintain index objectClass eq

# persion-type searches index cn,mail,surname,givenname eq,subinitial

# nss_ldap exact searches: index uidNumber,gidNumber,memberuid,member,uniqueMember eq # username completion via nss_ldap needs uid indexed sub: index uid eq,subinitial

# samba: index sambaSID,sambaDomainName,displayName eq

# autofs: #index nisMapName eq

# bind sdb_ldap: #index zoneName,relativeDomainName eq

# sudo #index sudoUser eq

# syncprov #index entryCSN,entryUUID eq

# Replicas running syncrepl as non-rootdn need unrestricted size/time limits: limits group="cn=Replicator,ou=Group,dc=example,dc=com"

size=unlimited time=unlimited

# Basic ACL (deprecated in favour of ACLs in /etc/openldap/slapd.access.conf) #access to attr=userPassword # by self write # by anonymous auth # by dn="uid=root,ou=People,dc=example,dc=com" write # by * none #access to * # by dn="uid=root,ou=People,dc=example,dc=com" write # by * read

# ACL ensuring replicator has write access #access to * # by group="cn=Replicator,ou=Group,dc=example,dc=com" write # by * read

# Replica configuration (if this server is a slave) #updatedn "cn=ldap-master.example.com,ou=Hosts,dc=example,dc=com" #updateref "ldap://ldap-master.example.com"

# Replication configuration (if this server is a master) #replica host=ldap-slave1.example.com:389 # binddn="cn=ldap-master.example.com,ou=Hosts,dc=example,dc=com" # bindmethod=simple credentials="mypassword"

# Uncomment to enable statistics gathering at basedn cn=monitor (load monitor # module above too) #database monitor OK, the next time i will use de mailing list.

Sorry that i did not understand well the rules :)

[raphael.jadot@…]

oh no, I post too quickly, I should have formatted the text before ! :(

as i said, this is the slapd.conf file in the openldap-server package in mdv 2008. i just changed suffix, rootdn and rootpw

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.6 2001/04/20 23:32:43 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Modified by Christian Zoffoli <czoffoli@linux-mandrake.com>
# Version 0.2
#

include /usr/share/openldap/schema/mmc.schema
include	/usr/share/openldap/schema/core.schema
include	/usr/share/openldap/schema/cosine.schema
include	/usr/share/openldap/schema/corba.schema 
include	/usr/share/openldap/schema/inetorgperson.schema
include	/usr/share/openldap/schema/java.schema 
include	/usr/share/openldap/schema/krb5-kdc.schema
include /usr/share/openldap/schema/kerberosobject.schema
include	/usr/share/openldap/schema/misc.schema
include	/usr/share/openldap/schema/nis.schema
include	/usr/share/openldap/schema/openldap.schema 
include /usr/share/openldap/schema/autofs.schema
include /usr/share/openldap/schema/samba.schema
include /usr/share/openldap/schema/kolab.schema
include /usr/share/openldap/schema/evolutionperson.schema
include /usr/share/openldap/schema/calendar.schema
include /usr/share/openldap/schema/sudo.schema
include /usr/share/openldap/schema/dnszone.schema
include /usr/share/openldap/schema/dhcp.schema

#include /usr/share/openldap/schema/rfc822-MailMember.schema
#include /usr/share/openldap/schema/pilot.schema
#include /usr/share/openldap/schema/qmail.schema
#include /usr/share/openldap/schema/mull.schema
#include /usr/share/openldap/schema/netscape-profile.schema
#include /usr/share/openldap/schema/trust.schema

include	/etc/openldap/schema/local.schema


# Define global ACLs to disable default read access and provide default
# behaviour for samba/pam use
include 	/etc/openldap/slapd.access.conf

# Provide write access to replicators, and cover access to any other
# attributes (default anonymous read access may be undesirable)
access to dn.subtree="dc=example,dc=com"
        by group="cn=Replicator,ou=Group,dc=example,dc=com"
        by users read
        by anonymous read

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral	ldap://root.openldap.org

pidfile		/var/run/ldap/slapd.pid
argsfile	/var/run/ldap/slapd.args

modulepath	/usr/lib/openldap

# database backend modules available:
#moduleload      back_dnssrv.la
#moduleload      back_ldap.la
#moduleload      back_meta.la
#moduleload      back_monitor.la
#moduleload      back_passwd.la
#moduleload      back_sql.la

# overlay modules available:
#moduleload     accesslog.la
#moduleload     denyop.la
#moduleload     dyngroup.la
#moduleload     dynlist.la
#moduleload     glue.la
#moduleload     lastmod.la
#moduleload     pcache.la
#moduleload     ppolicy.la
#moduleload     refint.la
#moduleload     retcode.la
#moduleload     rwm.la
#moduleload     syncprov.la
#moduleload     translucent.la
#moduleload     unique.la

#contrib overlays
#moduleload      smbk5pwd.so

# SASL config
#sasl-host ldap.example.com

# To allow TLS-enabled connections, create /etc/ssl/openldap/ldap.pem
# and uncomment the following lines.
#TLSRandFile            /dev/random
#TLSCipherSuite         HIGH:MEDIUM:+SSLv2
TLSCertificateFile      /etc/ssl/openldap/ldap.pem
TLSCertificateKeyFile   /etc/ssl/openldap/ldap.pem
#TLSCACertificatePath   /etc/ssl/openldap/
#TLSCACertificateFile    /etc/ssl/cacert.pem
TLSCACertificateFile    /etc/ssl/openldap/ldap.pem
#TLSVerifyClient never # ([never]|allow|try|demand)

# logging
#loglevel 256

#######################################################################
# database definitions
#######################################################################

database	bdb
suffix		"dc=mandtiva,dc=com"
#suffix		"o=My Organization Name,c=US"
rootdn		"cn=admin,dc=mandriva,dc=com"
#rootdn		"cn=Manager,o=My Organization Name,c=US"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw		secret
rootpw			{SSHA}gqNR92aL44vUg8aoQ9wcZYzvUxMqU6/8
# rootpw		{crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND 
# should only be accessable by the slapd/tools. Mode 700 recommended.
directory	/var/lib/ldap

# Tuning settings, please see the man page for slapd-bdb for more information
# as well as the DB_CONFIG file in the database directory
# commented entries are at their defaults
# In-memory cache size in entries
#cachesize 1000
# Checkpoint the bdb database after 256kb of writes or 5 minutes have passed
# since the last checkpoint
checkpoint 256 5

# Indices to maintain
index	objectClass						eq

# persion-type searches
index	cn,mail,surname,givenname				eq,subinitial

# nss_ldap exact searches:
index	uidNumber,gidNumber,memberuid,member,uniqueMember	eq
# username completion via nss_ldap needs uid indexed sub:
index   uid                                     		eq,subinitial

# samba:
index   sambaSID,sambaDomainName,displayName    		eq

# autofs:
#index   nisMapName                              		eq

# bind sdb_ldap:
#index   zoneName,relativeDomainName             		eq

# sudo
#index   sudoUser                                		eq

# syncprov
#index  entryCSN,entryUUID                                      eq


# Replicas running syncrepl as non-rootdn need unrestricted size/time limits:
limits group="cn=Replicator,ou=Group,dc=example,dc=com"
 size=unlimited
 time=unlimited

# Basic ACL (deprecated in favour of ACLs in /etc/openldap/slapd.access.conf)
#access to attr=userPassword
#        by self write
#        by anonymous auth
#        by dn="uid=root,ou=People,dc=example,dc=com" write
#        by * none
 
#access to *
#        by dn="uid=root,ou=People,dc=example,dc=com" write
#        by * read

# ACL ensuring replicator has write access
#access to *
#	by group="cn=Replicator,ou=Group,dc=example,dc=com" write
#	by * read

# Replica configuration (if this server is a slave)
#updatedn        "cn=ldap-master.example.com,ou=Hosts,dc=example,dc=com"
#updateref       "ldap://ldap-master.example.com"

# Replication configuration (if this server is a master)
#replica host=ldap-slave1.example.com:389
#        binddn="cn=ldap-master.example.com,ou=Hosts,dc=example,dc=com"
#        bindmethod=simple credentials="mypassword"

# Uncomment to enable statistics gathering at basedn cn=monitor (load monitor
# module above too)
#database monitor

[cdelfosse@…]

Please put this line:

include /usr/share/openldap/schema/mmc.schema

at the end of all the "include" lines.

[Raphael.jadot]

ok, when i did that, the message changed : line 39: Inconsistent duplicate atrribute Type "ACL" But i suddenly remember that somewhere i read that "kolab.schema" and "mmc.schema" were in conflict, so i comment the line with kolab.schema and now it works !

In conclusion : 1. put mmc.schema at the end 2. comment kolab.shema

thank you for your help !

Raphaël

[cdelfosse@…]

Ok thanks for the tip. I commited that to the MDS install doc.

Regards,