Topic: Schema-Compliant Issues -- OpenDJ

Author: eLDAP member
posts: 107
joined: 08/02/2006
from: Austin, TX

Schema-Compliant Issues -- OpenDJ
Even with "schema-check" set to "false", OpenDJ does not allow the following:
1) Modifying/adding NO-USER-MODIFICATION attributes: "Entry xxx cannot be added because it includes attribute xxx which is defined as NO-USER-MODIFICATION in the server schema"
2) Adding undefined or obsolete objectclasses: "Object class xxx cannot be added to entry xxx because that class is not defined in the Directory Server schema"
3) Modifying/adding encoded passwords: "Pre-encoded passwords are not allowed for the password attribute xxx"

eLDAP member:
For the encoded password issue, OpenDS cannot verify that a pre-encrypted password matches the password policy and therefore rejects them by default, with the following error: LDAP: error code 53 - Pre-encoded passwords are not allowed for the password attribute userPassword.
To allow pre-encrypted passwords, the default password policy settings must be changed, and the advanced property "allow-pre-encoded-passwords" set to "true". Use "dsconfig --advanced" to see the advanced properties, or open the policy cn=Default Password Policy,cn=Password Policies,cn=config to change it.
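The first post lists two rejections that no schema-checking switch turns off (NO-USER-MODIFICATION attributes and pre-encoded passwords), and the reply above explains the password one. Rather than discovering them one ldapmodify error at a time, a pre-flight scan of the LDIF finds both before anything reaches the server. The script below is an added example written for this page, not code from the thread or from OpenDJ. It parses LDIF with the standard library only (folded lines and base64 `::` values included), flags values of common NO-USER-MODIFICATION attributes, flags `replace:`/`add:` operations that target them, and flags `userPassword` values carrying a `{SCHEME}` tag. The attribute list is an assumption (a common subset; the server's own `cn=schema` is authoritative), and the sample LDIF is constructed.

```python
"""Pre-flight scanner for LDIF bound for ldapmodify (added example, not code from
the forum thread or from OpenDJ). It flags what the posts above show the server
rejecting even with schema checking off: NO-USER-MODIFICATION attribute values
and pre-encoded userPassword values. Standard library only."""
import base64
import re

# Operational attributes marked NO-USER-MODIFICATION in OpenDJ / DSEE. Assumption:
# a common subset; the authoritative list is the target server's cn=schema.
NO_USER_MODIFICATION = {
    "creatorsname", "createtimestamp", "modifiersname", "modifytimestamp",
    "entryuuid", "entrydn", "subschemasubentry", "hassubordinates",
    "numsubordinates", "pwdchangedtime",
}
PASSWORD_ATTRS = {"userpassword", "authpassword"}
# A pre-encoded value starts with a storage-scheme tag such as {SSHA} or {CLEAR}.
PRE_ENCODED = re.compile(r"^\{[A-Za-z0-9_-]+\}")
ATTR_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s?(.*)$")
MODIFY_OPS = {"add", "replace", "delete", "increment"}


def unfold(block):
    """Join LDIF continuation lines (leading space) and drop comment lines."""
    lines = []
    for raw in block.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return [(dn, [(attr, value), ...])]; '::' values are base64-decoded."""
    records = []
    for block in re.split(r"\n[ \t]*\n", text.strip()):
        dn, attrs = None, []
        for line in unfold(block):
            m = ATTR_LINE.match(line)
            if not m:  # e.g. the '-' separator inside a changetype: modify
                continue
            attr, sep, value = m.groups()
            if sep == "::":
                value = base64.b64decode(value).decode("utf-8", "replace")
            if attr.lower() == "dn":
                dn = value
            else:
                attrs.append((attr, value))
        if dn is not None:
            records.append((dn, attrs))
    return records


def scan_ldif(text):
    """Return (dn, attribute, reason) for each value the server would reject."""
    findings = []
    for dn, attrs in parse_ldif(text):
        seen = set()  # report each (attribute, reason) once per record
        for attr, value in attrs:
            name, hit = attr.lower(), None
            if name in NO_USER_MODIFICATION:
                hit = (dn, name, "no-user-modification")
            elif name in MODIFY_OPS and value.lower() in NO_USER_MODIFICATION:
                hit = (dn, value.lower(), "no-user-modification")  # replace: modifyTimestamp
            elif name in PASSWORD_ATTRS and PRE_ENCODED.match(value):
                hit = (dn, name, "pre-encoded-password")
            if hit and hit not in seen:
                seen.add(hit)
                findings.append(hit)
    return findings


# Constructed sample: an add with both problems, an add whose pre-encoded password
# is itself base64-encoded in the LDIF, and the DSEE modify from the thread.
SAMPLE_LDIF = """\
dn: uid=test,ou=people,dc=example,dc=com
objectClass: top
objectClass: person
uid: test
cn: Test User
sn: User
userPassword: {SSHA}dGhpcyBpcyBub3QgYSByZWFsIGhhc2g=
modifyTimestamp: 20120101180000Z

dn: uid=b64,ou=people,dc=example,dc=com
objectClass: person
uid: b64
sn: User
userPassword:: e1NTSEF9YWJj

dn: uid=test,ou=people,dc=example,dc=com
changetype: modify
replace: modifyTimestamp
modifyTimestamp: 20120101180000Z
"""

if __name__ == "__main__":
    for dn, attr, reason in scan_ldif(SAMPLE_LDIF):
        print(f"{reason:22} {attr:16} {dn}")
```

Running it against the sample reports the `{SSHA}` value and `modifyTimestamp` on the first entry, the base64-wrapped `{SSHA}` value on the second (wrapping a pre-encoded value in `::` base64 does not hide it from the server either), and the `replace: modifyTimestamp` in the modify record. The fix for the operational attributes is to drop those lines before import; the server will set them itself. For passwords, either import clear values and let the server hash them, or turn on the advanced property the reply describes (`dsconfig set-password-policy-prop --policy-name "Default Password Policy" --set allow-pre-encoded-passwords:true`). That setting disables the policy's password validators for those values, since the server cannot check a hash against them, so it belongs to a migration window, not to the steady-state configuration.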

eLDAP member:
Once 'Schema Checking' is disabled, SunOne DS7 does not allow modifying a NO-USER-MODIFICATION attribute like 'modifytimestamp' either:
dn: uid=test,ou=people,dc=example
changetype: modify
replace: modifytimestamp
modifytimestamp: 20120101180000Z
This returns a 'Constraint violation' error.
But SunOne DS7 allows adding an entry with a NO-USER-MODIFICATION attribute like:
dn: uid=test,ou=people,dc=example
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: test
cn: test test
modifytimestamp: 20120101180000Z
Note: the added entry has 'modifytimestamp' overridden with its system timestamp value.

eLDAP member:
The SYNTAX within AttributeTypes does not like the char (')
While extending OpenDJ's schema, for example adding a new attribute 'myAttr' to the schema with the following:
dn: cn=schema
attributeTypes: ( myAttr-oid NAME 'myAttr' DESC 'Standard Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
you are going to get an error similar to this:
javax.naming.directory.InvalidAttributeValueException: [LDAP: error code 21 - An error occurred while attempting to decode the attribute type "( myAttr-oid NAME 'myAttr' DESC 'Standard Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )": The provided value "( myAttr-oid NAME 'myAttr' DESC 'Standard Attribute' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )" could not be parsed as an attribute type description because the numeric OID contained an illegal character ' at position 66]; remaining name 'cn=schema'; Operations error
It claims that the numeric OID might be the cause, but the root cause is the SYNTAX value. If the following is used instead,
dn: cn=schema
attributeTypes: ( myAttr-oid NAME 'myAttr' DESC 'Standard Attribute' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
there is no error thrown.
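The error message is literally correct: in RFC 4512 the SYNTAX keyword is followed by a bare numeric OID (optionally with a `{len}` suffix), so the server hands the quoted string to its numeric-OID reader, which stops at the quote. The validator below is an added example written for this page, not code from the post or from OpenDJ. It tokenizes an AttributeTypeDescription, checks each keyword's operand against the RFC grammar (NAME and DESC take quoted strings, SUP/EQUALITY/ORDERING/SUBSTR take OIDs, SYNTAX takes an unquoted numeric OID), and reports the offset of the offending character, so a definition can be checked before it is sent to `cn=schema`. It goes a little beyond the post by handling parenthesised NAME lists, `{len}` suffixes and the boolean flags as well. USAGE and X- extensions are not handled; the offsets it reports are into the string as given, which need not match the position the server printed for the author's original value.

```python
"""Validator for RFC 4512 AttributeTypeDescription strings (added example, not
code from the forum post or from OpenDJ). It applies the rule the server enforced
above: SYNTAX takes a bare numeric OID, optionally with {len}, never a quoted string."""
import re

TOKEN = re.compile(r"\s*(\(|\)|'(?:[^']|\\27)*'|[^\s()']+)")
NUMERICOID = re.compile(r"^\d+(\.\d+)*$")
NOIDLEN = re.compile(r"^\d+(\.\d+)*(\{\d+\})?$")      # numericoid [ "{" len "}" ]
KEYSTRING = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")  # descr, e.g. myAttr-oid
OID_KEYWORDS = {"SUP", "EQUALITY", "ORDERING", "SUBSTR"}
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}


class SchemaError(ValueError):
    """Parse failure; the message ends with the character offset."""


def tokenize(desc):
    """Split into (token, offset) pairs: parens, 'quoted strings', bare words."""
    tokens, pos = [], 0
    while pos < len(desc):
        m = TOKEN.match(desc, pos)
        if not m:
            if desc[pos:].strip():
                raise SchemaError(f"unterminated quoted string at position {pos}")
            break
        tokens.append((m.group(1), m.start(1)))
        pos = m.end()
    return tokens


def parse_attribute_type(desc):
    """Return the parsed fields as a dict, or raise SchemaError."""
    toks = tokenize(desc)
    if len(toks) < 3 or toks[0][0] != "(" or toks[-1][0] != ")":
        raise SchemaError("description must have the form ( oid ... ) at position 0")
    body = toks[1:-1]
    oid, oid_pos = body[0]
    if not (NUMERICOID.match(oid) or KEYSTRING.match(oid)):
        raise SchemaError(f"invalid OID {oid!r} at position {oid_pos}")
    at = {"oid": oid, "names": [], "flags": set()}
    i = 1

    def take(kw, kw_pos):
        nonlocal i
        if i >= len(body):
            raise SchemaError(f"{kw} requires a value at position {kw_pos}")
        i += 1
        return body[i - 1]

    def qdstrings(kw, kw_pos):
        items = [take(kw, kw_pos)]
        if items[0][0] == "(":  # parenthesised list, e.g. NAME ( 'a' 'b' )
            items = []
            while (item := take(kw, kw_pos))[0] != ")":
                items.append(item)
        for tok, pos in items:
            if len(tok) < 2 or tok[0] != "'" or tok[-1] != "'":
                raise SchemaError(f"{kw} values must be quoted at position {pos}")
        return [tok[1:-1] for tok, _ in items]

    while i < len(body):
        kw, kw_pos = body[i]
        i += 1
        if kw == "NAME":
            at["names"] = qdstrings(kw, kw_pos)
        elif kw == "DESC":
            at["desc"] = qdstrings(kw, kw_pos)[0]
        elif kw == "SYNTAX":
            tok, pos = take(kw, kw_pos)
            if not NOIDLEN.match(tok):
                # Mirror the server: name the first character a numeric OID cannot hold.
                bad = next((c for c in tok if not (c.isdigit() or c in ".{}")), tok[0])
                raise SchemaError("SYNTAX numeric OID contains illegal character "
                                  f"{bad!r} at position {pos + tok.index(bad)}")
            at["syntax"] = tok
        elif kw in OID_KEYWORDS:
            tok, pos = take(kw, kw_pos)
            if not (NUMERICOID.match(tok) or KEYSTRING.match(tok)):
                raise SchemaError(f"{kw} must be an OID, got {tok!r} at position {pos}")
            at[kw.lower()] = tok
        elif kw in FLAGS:
            at["flags"].add(kw)
        else:
            raise SchemaError(f"unexpected token {kw!r} at position {kw_pos}")
    return at


def validate(desc):
    """Return None when the description parses, else the error message."""
    try:
        parse_attribute_type(desc)
        return None
    except SchemaError as e:
        return str(e)


# The two definitions from the post: quoted SYNTAX (rejected) and bare (accepted).
BAD = ("( myAttr-oid NAME 'myAttr' DESC 'Standard Attribute' "
       "SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )")
GOOD = ("( myAttr-oid NAME 'myAttr' DESC 'Standard Attribute' "
        "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )")
```

`validate(BAD)` returns the illegal-character message pointing at the opening quote after `SYNTAX`, while `validate(GOOD)` returns `None` and `parse_attribute_type(GOOD)["syntax"]` is the bare OID. The quoted form is the one JNDI-style schema code tends to produce when it quotes every operand uniformly; the OID-valued keywords never take quotes, so a check like this before `ldapmodify` or a JNDI `modifyAttributes` on `cn=schema` avoids a confusing round trip.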