[Scottish] LDAP migration help

Andrew Back andy at smokebelch.org
Wed Jun 13 14:47:45 BST 2007


On Wed, 13 Jun 2007, Phillip Bennett wrote:

> Hi everyone,
>
> I am trying to migrate our NIS services (users, autofs etc) to an LDAP 
> server. I have found the Migration Tools from PADL (www.padl.com) and I am 
> having a few weird problems.
>
> When running the "migrate_all_nis_online.sh" script, I receive the following 
> error:
>
> adding new entry "uid=clare,ou=People,dc=mve,dc=com"
> ldap_add: Invalid syntax (21)
>       additional info: objectClass: value #6 invalid per syntax
>
> The data in question from the created ldif file is as follows:
>
> dn: uid=clare,ou=People,dc=mve,dc=com
> uid: clare
> cn: Clare Bond
> givenName: Clare
> sn: Bond
> mail: clare at mve.com
> mailRoutingAddress: clare at islay.mve.com
> mailHost: islay.mve.com
> objectClass: inetLocalMailRecipient
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: kerberosSecurityObject
> userPassword: {crypt}<snip!>
> krbName: clare at MVE.COM
> loginShell: /bin/tcsh
> uidNumber: 2049
> gidNumber: 20
> homeDirectory: /homes/clare
> gecos: Clare Bond
>
> I'm not sure exactly which value is giving the error, but after removing all 
> the mail ones, it looks like it's one of the objectClass values.  There is no 
> white space, and the values all look right to me.
>
> All the howtos I have read so far indicate that the "USE_EXTENDED_SCHEMA" 
> value should be set to 1.  However, if I set it to 0, the LDIF file gives the 
> following data:
>
> dn: uid=clare,ou=People,dc=mve,dc=com
> uid: clare
> cn: Clare Bond
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> userPassword: {crypt}<snip!>
> loginShell: /bin/tcsh
> uidNumber: 2049
> gidNumber: 20
> homeDirectory: /homes/clare
> gecos: Clare Bond
>
> Then, the resulting LDIF file works properly (after a bout of deleting 
> duplicate service information) and I have an LDAP database.  So the question 
> becomes, "Do I need the extended schema?"

Depends if your applications need it, e.g. pam_ldap, Samba and so on. The 
2nd stripped-down LDIF looks possibly a bit thin to me, so I'm guessing 
they may.

Check that all the attributes and object classes required by the 1st LDIF 
are in the DSA core or included schema. If not all are, find some extra 
schema to include that gives you what you need.

And hope that you don't require to add an extra syntax type to the DSA as 
from what I remember it isn't fun - with most DSAs syntaxes are not 
generally configurable via text-based config and require 
modification/extension to the code. The DSA could be moaning about 
included schema if it doesn't understand a syntax type used for an 
attribute... But if this is the case it may be you can substitute for 
one it does know about.

Andrew
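
One way to run the check suggested in the reply above, as an added example that is not part of the original thread: list each objectClass value in the failing entry that has no definition in the schema text the server loads. The schema sample is constructed (placeholder OIDs, one class deliberately left out), and the zero-based index is an assumption about how the server numbers values in its "value #6" message.

```python
import re

# Constructed, abbreviated schema text in OpenLDAP .schema style.
# OIDs are placeholders and 'exampleAlias' is made up to show a NAME list.
SAMPLE_SCHEMA = """
objectclass ( 1.1.2.1 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 1.1.2.2 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )
objectclass ( 1.1.2.3 NAME 'organizationalPerson' SUP person STRUCTURAL )
objectclass ( 1.1.2.4 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL )
objectclass ( 1.1.2.5 NAME 'posixAccount' SUP top AUXILIARY
    MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) )
objectclass ( 1.1.2.6 NAME ( 'inetLocalMailRecipient' 'exampleAlias' ) SUP top AUXILIARY )
"""

# objectClass lines of the failing entry, in the order quoted in the thread.
SAMPLE_LDIF = """\
dn: uid=clare,ou=People,dc=mve,dc=com
uid: clare
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
"""

NAME_RE = re.compile(r"^objectclass\s*\(\s*\S+\s+NAME\s+(\([^)]*\)|'[^']+')", re.I | re.M)

def defined_classes(schema_text):
    """Return every object class name (and alias) the schema text defines, lower-cased."""
    names = set()
    for match in NAME_RE.finditer(schema_text):
        names.update(n.lower() for n in re.findall(r"'([^']+)'", match.group(1)))
    return names

def object_classes(ldif_entry):
    """Return the entry's objectClass values in file order."""
    pairs = (line.partition(":") for line in ldif_entry.splitlines())
    return [v.strip() for a, sep, v in pairs if sep and a.strip().lower() == "objectclass"]

def undefined_classes(ldif_entry, schema_text):
    """List (zero-based index, name) for each objectClass value with no definition."""
    known = defined_classes(schema_text)
    return [(i, v) for i, v in enumerate(object_classes(ldif_entry)) if v.lower() not in known]

if __name__ == "__main__":
    for index, name in undefined_classes(SAMPLE_LDIF, SAMPLE_SCHEMA):
        print(f"objectClass value #{index} ({name}) is not defined in the supplied schema")
```

For a real check, replace SAMPLE_SCHEMA with the concatenated contents of the schema files the server actually includes.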


