
I am using ldapadd and I want to add an attribute type to the repository so it can be used by other entries.

I'm having a few issues. Here is my ldif file.

dn: dc=myorg,dc=co,dc=uk
changetype: add
add: attributetypes
attributetype: ( 2.2.980.1.1 NAME ( 'ecdvisibility' 'ecdvis' ) DESC 'The visibility of the object' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE USAGE userApplications )

After checking the lines for spaces at the end, I see that everything is OK:

dn: dc=myorg,dc=co,dc=uk$
changetype: add$
add: attributetypes$
attributetype: ( 2.2.980.1.1 NAME ( 'ecdvisibility' 'ecdvis' )$
  DESC 'The visibility of the object'$
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15$
  SINGLE-VALUE$
  USAGE userApplications )$

what I see is a mysterious error like the following:

ldap_add: Undefined attribute type (17) additional info: add: attribute type undefined

I don't understand this error; the attribute type is not defined because I'm trying to add it! Also, just before that line it says:

adding new entry "dc=myorg,dc=co,dc=uk"

Why is it adding this? It already exists. I'm also not sure whether I should be using ldapadd or ldapmodify.

My typical command is:

sudo ldapadd -D cn=admin,dc=myorg,dc=co,dc=uk -w password -v -f attributeType.ldif

I also made sure there is a trailing blank line at the end of the file, although that seems to make no difference at all.

What is the best way to add such an attribute that can be used by any user?

Update

I've also tried the following:

dn: cn=schema
changetype: modify
add: attributeTypes
##
## The new attribute type
##
attributeTypes: ( ecdvisibility.oid NAME ( 'ecdvisibility' 'ecdvis' ) DESC 'The visibility of the object' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE USAGE userApplications )

But this time I get this error:

ldap_modify: Invalid syntax (21) additional info: attributeTypes: value #0 invalid per syntax

Update 2:

Before I could make any changes, I had to update the system password that openldap seems to set in the background:

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: password

This worked fine, so then I set about trying to update the attributes.

1st attempt:

dn: cn=schema,cn=config
changetype: add
olcAttributeTypes: ( ecdvisibility.oid
  NAME ( 'ecdvisibility' 'ecdvis' )
  DESC 'The visibility of the object'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  USAGE userApplications )
olcRootDN: cn=config
olcRootPW: password
#objectClass: top

ldap_add: Object class violation (65) additional info: no objectClass attribute

Commenting in the object class gave me the following error:

ldap_add: Object class violation (65) additional info: no structural object class provided

Ok, so I will try inetOrgPerson

ldap_add: Object class violation (65) additional info: object class 'inetOrgPerson' requires attribute 'sn'

Stop, I don't really want to do that, I want to just add an attribute type that is available to ldap, and can be added to an object when and if necessary. I don't want to specify the single object or an entry at this point. Is this possible? If so how? Any further advice really appreciated.

Thanks to @grawity, the final solution is as follows:

dn: cn=test,cn=schema,cn=config
changetype: add
olcAttributeTypes: ( 2.25.247072656268950430024439664556757516066
  NAME ( 'ecdvisibility' 'ecdvis' )
  DESC 'The visibility of the object'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  USAGE userApplications )
objectClass: olcSchemaConfig

I changed the OID number to one of the open unique numbers, as I was using an invalid public one. The attribute type was added successfully and can be used elsewhere.

  • The original OID wasn't invalid, but it's good practice to avoid using someone else's range when getting your own from IANA (the 1.3.6.1.4.1 arc) takes just a day.
    – grawity
    Commented Sep 13, 2016 at 10:46

1 Answer


The basics

what I see is a mysterious error like the following:

ldap_add: Undefined attribute type (17) additional info: add: attribute type undefined

I don't understand this error; the attribute type is not defined because I'm trying to add it!

It's not talking about your attribute. It's talking about the line add: attributetypes – it doesn't know an attribute named add.

In LDIF, the add:, replace:, delete: attributes are only needed when modifying an entry (i.e. with changetype: modify). But if you want to add a new entry, you only need to provide raw data, nothing else.

See the 'ldif' manpage for examples and differences between "add" LDIFs and "modify" LDIFs.

Also just before that line it says:

adding new entry "dc=myorg,dc=co,dc=uk"

Why is it adding this? It already exists.

Because you used changetype: add – in other words, you asked ldapmodify to create a new entry.

To clarify, "add new entry" is completely separate from "modify entry, adding new attributes". The possible actions are:

  • changetype: add – creates a new entry, exactly as specified.
  • changetype: modify – edits attributes of an existing entry, accepts a combination of:
    • add: ... – add new attribute (or add more values)
    • replace: ... – add or fully overwrite an attribute
    • delete: ... – delete attribute (or specific values)
  • changetype: modrdn – changes the DN (renames or moves entry)
  • changetype: delete – deletes the whole entry.

See this documentation.

I'm also not sure whether I should be using ldapadd or ldapmodify.

The only difference between them is which changetype they use if you don't specify any. That is, ldapadd will default to changetype: add and ldapmodify will default to changetype: modify.

If you manually specify a changetype: in your LDIF, both commands become identical.

Now, schema

Schema configuration varies greatly between LDAP servers, and your LDIF is entirely wrong for OpenLDAP. The actual attribute description is fine, but it needs to be stored at a different DN, in a different attribute.

To start with, you don't add schema directly to your regular database, but to a special config tree – OpenLDAP uses sub-entries below cn=schema,cn=config, with one olcSchemaConfig entry per schema.

The attributes also start with olc – that is, olcAttributeTypes and olcObjectClasses.

So to add a new schema with 1 attribute and zero objectClasses, use:

dn: cn=ecd,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
olcAttributeTypes: ( 2.2.980.1.1
  NAME ( 'ecdvisibility' 'ecdvis' )
  DESC 'The visibility of the object'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE
  USAGE userApplications )

Note that OpenLDAP will automatically add a number to the RDN, e.g. cn={5}ecd. Afterwards, you can add more attributes or classes to the same schema:

dn: cn={5}ecd,cn=schema,cn=config
changetype: modify
add: olcAttributeTypes
olcAttributeTypes: ( 4.5.6.7 NAME 'foo' ... )
olcAttributeTypes: ( 4.5.6.8 NAME 'bar' ... )
-
add: olcObjectClasses
olcObjectClasses: ( 4.5.6.9
  NAME 'ecdwhatever'
  AUXILIARY
  MAY ( ecdvisibility $ foo $ bar ) )
-

(Does the 2.2.980.* OID really belong to you? If it doesn't, then better get your own from IANA.)

  • Thanks for the large reply, lots to check there and yes I was doing a lot wrong. Will check through and see if I can get this working.
    – PeterS
    Commented Sep 8, 2016 at 15:47
  • Many thanks for your input, it has meant I progressed quite well. However, please see my update 2; as you can see, I don't want to add types to specific objects. I also couldn't get the cn=ecd thing working either; I can provide that error in due course.
    – PeterS
    Commented Sep 12, 2016 at 7:51
  • @PeterS: You need to use the olcSchemaConfig objectClass. See docs. (Also, the cn=schema,cn=config DN is reserved to system schema – you'll need to use a child entry, either way.)
    – grawity
    Commented Sep 12, 2016 at 7:58
  • Yep that has worked, many thanks. I'll update my answer with the final solution.
    – PeterS
    Commented Sep 13, 2016 at 9:57
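As an added worked example (this is not code from the question, the answer, or the OpenLDAP project): a small Python LDIF linter that parses change records the way the answer describes them and reports, without a running slapd, the exact mistakes made in the question: a modify directive (`add:`) inside a `changetype: add` record, an add record with no objectClass, a schema definition whose OID is not dotted-numeric (`ecdvisibility.oid`), the legacy `attributeTypes` name instead of `olcAttributeTypes`, and schema placed outside a child entry of `cn=schema,cn=config`. It also mints OIDs under the UUID arc `2.25`, the scheme the final solution used; an IANA private enterprise number under `1.3.6.1.4.1`, as grawity suggests, is the other option. The sample LDIF embedded below is adapted from the question's own records; the finding messages and check names are my own.

```python
"""LDIF lint for the OpenLDAP cn=config mistakes discussed above.

Added example, not the page's code. Parses RFC 2849 change records (folded
continuation lines, '-' separators, '#' comments); '::' base64 values are not
handled. Findings mirror the slapd errors quoted on the page.
"""
import re
import uuid

MODIFY_ONLY = {"add", "replace", "delete", "increment"}          # only valid with changetype: modify
OLC_SCHEMA_ATTRS = {"olcattributetypes", "olcobjectclasses"}    # what OpenLDAP cn=config uses
LEGACY_SCHEMA_ATTRS = {"attributetypes", "attributetype", "objectclasses"}
NUMERIC_OID = re.compile(r"^\d+(\.\d+)+$")
LEADING_OID = re.compile(r"^\(\s*(\S+)")                         # first token after '(' in a schema definition


def parse_ldif(text):
    """Return records as lists of (attr_lowercased, value); a '-' separator is kept as ('-', '')."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # continuation line: drop exactly one leading space
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, current = [], []
    for line in unfolded + [""]:                  # sentinel blank line flushes the last record
        if line == "":
            if current:
                records.append(current)
                current = []
        elif line.startswith("#"):
            continue
        elif line == "-":
            current.append(("-", ""))
        else:
            attr, _, value = line.partition(":")
            current.append((attr.strip().lower(), value.strip()))
    return records


def lint(text):
    """Return a list of findings; an empty list means nothing on the page's list of mistakes was seen."""
    findings = []
    for rec in parse_ldif(text):
        attrs = {a: v for a, v in rec if a != "-"}
        dn = attrs.get("dn", "?")
        changetype = attrs.get("changetype", "add")   # ldapadd's default when the line is omitted
        if changetype == "add":
            for a, _ in rec:
                if a in MODIFY_ONLY:                  # slapd reads 'add:' here as an attribute named add
                    findings.append(f"{dn}: '{a}:' is a modify directive but the record is "
                                    f"changetype add; slapd sees an undefined attribute '{a}'")
            if "objectclass" not in attrs:
                findings.append(f"{dn}: add record has no objectClass (object class violation)")
        for a, v in rec:
            if a in LEGACY_SCHEMA_ATTRS:
                findings.append(f"{dn}: '{a}' is not an OpenLDAP cn=config attribute; "
                                "use olcAttributeTypes / olcObjectClasses")
            if a in LEGACY_SCHEMA_ATTRS or a in OLC_SCHEMA_ATTRS:
                m = LEADING_OID.match(v)
                oid = m.group(1) if m else ""
                if not NUMERIC_OID.match(oid):        # e.g. 'ecdvisibility.oid' -> Invalid syntax (21)
                    findings.append(f"{dn}: schema OID {oid!r} is not dotted-numeric (invalid syntax)")
            if a in OLC_SCHEMA_ATTRS:
                d = dn.lower().replace(" ", "")
                if d == "cn=schema,cn=config":
                    findings.append(f"{dn}: reserved for system schema; add a child olcSchemaConfig entry")
                elif not d.endswith(",cn=schema,cn=config"):
                    findings.append(f"{dn}: {a} belongs in an entry below cn=schema,cn=config")
    return findings


def uuid_oid(u=None):
    """Mint an OID under the UUID arc 2.25 (ITU-T X.667): '2.25.' + the UUID as a decimal integer."""
    if u is None:
        u = uuid.uuid4()
    return f"2.25.{u.int}"


def is_uuid_arc_oid(oid):
    """True if oid is '2.25.<n>' with n a 128-bit value, i.e. a UUID-derived OID."""
    parts = oid.split(".")
    return (len(parts) == 3 and parts[:2] == ["2", "25"]
            and parts[2].isdigit() and int(parts[2]) < 2 ** 128)


# Constructed sample input, adapted from the question's first attempt and its first Update.
BROKEN_LDIF = """\
dn: dc=myorg,dc=co,dc=uk
changetype: add
add: attributetypes
attributetype: ( 2.2.980.1.1 NAME ( 'ecdvisibility' 'ecdvis' )
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE USAGE userApplications )

dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( ecdvisibility.oid NAME 'ecdvisibility' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
"""

# Constructed sample input, adapted from the question's final working solution.
GOOD_LDIF = """\
dn: cn=test,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
olcAttributeTypes: ( 2.25.247072656268950430024439664556757516066
  NAME ( 'ecdvisibility' 'ecdvis' )
  DESC 'The visibility of the object'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE USAGE userApplications )
"""

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_LDIF), ("good", GOOD_LDIF)):
        print(f"== {name}")
        for finding in lint(text) or ["no findings"]:
            print("  ", finding)
    print("fresh UUID-arc OID:", uuid_oid())
```

Run it with `python3 ldif_lint.py` (any file name) and it prints five findings for the broken records and none for the final one. The linter only knows about the record shapes shown on this page; it is a pre-flight check for LDIF you are about to hand to `ldapmodify -Y EXTERNAL -H ldapi:///`, not a replacement for slapd's own schema validation.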
