Daniel Maher | 1 Jul 12:35 2010

object class violation, attribute "uidNumber" not allowed when adding group

Hello all,

When I attempt to create a group via LAM I receive the following error 
in the web interface:

Was unable to create DN: cn=test,ou=group,dc=domain,dc=net.
Object class violation

Which corresponds with the following error message in the "errors" log :

Entry "cn=test,ou=group,dc=domain,dc=net" -- attribute "uidNumber" not 
allowed

The error is quite specific of course - clearly that attribute is not 
allowed.  What I'm not sure of is *why*, and how to fix it.  Tools -> 
Tests -> Schema test detects no errors (every item says "No problems 
found").

I would appreciate any advice or nods in the right direction.

Further details :

[root <at> test-dma-36 ~]# cat /etc/redhat-release
CentOS release 5.4 (Final)

[root <at> test-dma-36 ~]# rpm -qa | grep ldap-account-manager
ldap-account-manager-3.1.0-0.fedora.1
ldap-account-manager-lamdaemon-3.1.0-0.fedora.1

[root <at> test-dma-36 ~]# rpm -qa | grep 389-ds-1

Frank Van Damme | 1 Jul 13:39 2010

group membership

Hi,

I have a bunch of users in LDAP (posixAccount, shadowAccount, inetOrgPerson) 
and a group of two. There is one user that I cannot add to a certain group. 
It doesn't show up in the list of available users when I edit the members of 
that group. I have to say that the group has a Samba profile, and that I can 
add said user to a group that does not have a Samba profile. 

I tried to remove the sambaSamAccount and all Samba-related attributes from 
the user using an LDAP editor, to no avail. I have other users without a Samba 
account, and I can add them to the group without problems. 

How does ldap-account-manager decide which users are "available" for 
membership in a certain group X? I really cannot see it. 

-- 
Frank Van Damme

------------------------------------------------------------------------------
This SF.net email is sponsored by Sprint
What will you do first with EVO, the first 4G phone?
Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
Roland Gruber | 3 Jul 14:34 2010

Re: Need help getting past constraint errors


Hi Raymond,

Am 30.06.2010 21:49, schrieb Raymond Norton:
> I am getting the following error when attempting to create my first user 
> via LAM:
> 
> "LAM was unable to create account cn=myuser2,ou=People,dc=lctn,dc=org! 
> An LDAP error occurred.
> Object class violation"

do you have the Samba modules activated? If yes, did you also install
the Samba schema file on your LDAP server?
You can check this by running Tools -> Tests -> Schema test in LAM.
If the test shows no errors, please upgrade to LAM 3.1.0 if you run an
older release.

-- 

Best regards

Roland Gruber

LDAP Account Manager
http://www.ldap-account-manager.org/

Want more? Get LDAP Account Manager Pro!
http://www.ldap-account-manager.org/lamcms/lamPro
Roland Gruber | 3 Jul 14:35 2010

Re: object class violation, attribute "uidNumber" not allowed when adding group


Hi Daniel,

Am 01.07.2010 12:35, schrieb Daniel Maher:
> When I attempt to create a group via LAM I receive the following error 
> in the web interface:
> 
> Was unable to create DN: cn=test,ou=group,dc=domain,dc=net.
> Object class violation
> 
> Which corresponds with the following error message in the "errors" log :
> 
> Entry "cn=test,ou=group,dc=domain,dc=net" -- attribute "uidNumber" not 
> allowed

please send me your server profile (e.g. lam.conf). Remove the password
entry before sending.
The profiles are stored in /var/www/html/lam/config or
/srv/www/htdocs/lam/config.

-- 

Best regards

Roland Gruber

LDAP Account Manager
http://www.ldap-account-manager.org/

Want more? Get LDAP Account Manager Pro!

Roland Gruber | 3 Jul 14:41 2010

Re: group membership


Hi Frank,

Am 01.07.2010 13:39, schrieb Frank Van Damme:
> I have a bunch of users in LDAP (posixAccount, shadowAccount, inetOrgPerson) 
> and a group of two. There is one user that I cannot add to a certain group. 
> It doesn't show up in the list of available users when I edit the members of 
> that group. I have to say that the group has a Samba profile, and that I can 
> add said user to a group that does not have a Samba profile. 
> 
> I tried to remove the sambaSamAccount and all Samba-related attributes from 
> the user using an LDAP editor, to no avail. I have other users without a Samba 
> account, and I can add them to the group without problems. 
> 
> How does ldap-account-manager decide which users are "available" for 
> membership in a certain group X? I really cannot see it. 

the list contains all user accounts that have the object class posixAccount.

-- 

Best regards

Roland Gruber

LDAP Account Manager
http://www.ldap-account-manager.org/

Want more? Get LDAP Account Manager Pro!
http://www.ldap-account-manager.org/lamcms/lamPro

Daniel Maher | 5 Jul 10:28 2010

Re: object class violation, attribute "uidNumber" not allowed when adding group

On 07/03/2010 02:35 PM, Roland Gruber wrote:

> Am 01.07.2010 12:35, schrieb Daniel Maher:
>> When I attempt to create a group via LAM I receive the following error
>> in the web interface:
>>
>> Was unable to create DN: cn=test,ou=group,dc=domain,dc=net.
>> Object class violation
>>
>> Which corresponds with the following error message in the "errors" log :
>>
>> Entry "cn=test,ou=group,dc=domain,dc=net" -- attribute "uidNumber" not
>> allowed
>
> please send me your server profile (e.g. lam.conf). Remove the password
> entry before sending.
> The profiles are stored in /var/www/html/lam/config or
> /srv/www/htdocs/lam/config.

Upon further inspection, I've isolated the problem: it had nothing to 
do with LAM, and everything to do with a plug-in for 389 DS called 
"DNA", which is used to auto-increment numerical values (such as user IDs 
and the like).  It causes the error noted above when attempting to attach 
posixGroup as a value for a given LDAP group.  If the plug-in is not 
activated, the error does not occur.

The relevant thread on the 389-users list is here:
http://lists.fedoraproject.org/pipermail/389-users/2010-July/011693.html

-- 

delpheye | 7 Jul 18:31 2010

"insufficient access" when adding users

Whenever I try to save a new user in LAM, it returns "Insufficient access."  The server logs say:

ERROR: [uid=root,ou=Users,dc=domain,dc=com] Unable to create DN: uid=testuser,ou=Users,dc=domain,dc=com (Insufficient access).

However I can add users manually with smbldap-useradd.  I've looked at LDAP and LAM directory permissions and they're both correct (ldap and apache, respectively).

What should I be checking instead?

_______________________________________________
Lam-public mailing list
Lam-public@...
https://lists.sourceforge.net/lists/listinfo/lam-public
Roland Gruber | 7 Jul 19:54 2010

Re: "insufficient access" when adding users


Hi,

Am 07.07.2010 18:31, schrieb delpheye:
> Whenever I try to save a new user in LAM, it returns "Insufficient access."
> The server logs say:
> 
> ERROR: [uid=root,ou=Users,dc=domain,dc=com] Unable to create DN:
> uid=testuser,ou=Users,dc=domain,dc=com (Insufficient access).
> 
> However I can add users manually with smbldap-useradd.  I've looked at LDAP
> and LAM directory permissions and they're both correct (ldap and apache,
> respectively).

"Insufficient access" usually means that either the LDAP user that you use
for LAM is not the admin or that you try to create entries in
non-existing parts of the LDAP tree.
Does LAM report any missing suffixes after login? Is "dc=domain,dc=com"
the right LDAP suffix?

-- 

Best regards

Roland Gruber

LDAP Account Manager
http://www.ldap-account-manager.org/

Want more? Get LDAP Account Manager Pro!
http://www.ldap-account-manager.org/lamcms/lamPro
delpheye | 7 Jul 22:44 2010

Re: "insufficient access" when adding users

Just realized I didn't reply to the list...

LAM doesn't report any errors after login, and the root user is listed in the Domain Admins group.  So far it and nobody are the only two users in LDAP. 

Also, I'm running LAM 2.9.0 on CentOS 5.5.  I tried to install 3.0 and 3.1, but there were pcre compatibility issues that I couldn't resolve.

On Wed, Jul 7, 2010 at 12:54 PM, Roland Gruber <post-qF4ddCv+L6t7S1K2b6EZKQ@public.gmane.org> wrote:

Hi,

Am 07.07.2010 18:31, schrieb delpheye:
> Whenever I try to save a new user in LAM, it returns "Insufficient access."
> The server logs say:
>
> ERROR: [uid=root,ou=Users,dc=domain,dc=com] Unable to create DN:
> uid=testuser,ou=Users,dc=domain,dc=com (Insufficient access).
>
> However I can add users manually with smbldap-useradd.  I've looked at LDAP
> and LAM directory permissions and they're both correct (ldap and apache,
> respectively).

"Insufficient access" usually means that either the LDAP user that you use
for LAM is not the admin or that you try to create entries in
non-existing parts of the LDAP tree.
Does LAM report any missing suffixes after login? Is "dc=domain,dc=com"
the right LDAP suffix?


-- 

Best regards

Roland Gruber


LDAP Account Manager
http://www.ldap-account-manager.org/

Want more? Get LDAP Account Manager Pro!
http://www.ldap-account-manager.org/lamcms/lamPro


Tim Rice | 8 Jul 00:48 2010

Re: "insufficient access" when adding users

On Wed, 7 Jul 2010, delpheye wrote:

> Just realized I didn't reply to the list...
> 
> LAM doesn't report any errors after login, and the root user is listed in
> the Domain Admins group.  So far it and nobody are the only two users in
> LDAP.

The "Domain Admins group" really doesn't have anything to do with
OpenLDAP allowing writes to the LDAP database. You've got an LDAP
issue, not a LAM issue.

Perhaps send your slapd.conf to the list so we can see what's going on.
Be sure to sanitize the password.

> Also, I'm running LAM 2.9.0 on CentOS 5.5.  I tried to install 3.0 and 3.1,
> but there were pcre compatibility issues that I couldn't resolve.
> 
> On Wed, Jul 7, 2010 at 12:54 PM, Roland Gruber <post@...> wrote:
> 
> > Am 07.07.2010 18:31, schrieb delpheye:
> > > Whenever I try to save a new user in LAM, it returns "Insufficient
> > access."
> > > The server logs say:
> > >
> > > ERROR: [uid=root,ou=Users,dc=domain,dc=com] Unable to create DN:
> > > uid=testuser,ou=Users,dc=domain,dc=com (Insufficient access).
> > >
> > > However I can add users manually with smbldap-useradd.  I've looked at
> > ldap
> > > and LAM directory permissions and they're both correct (ldap and apache,
> > > respectively).
> >
> > insufficient access usually means that either the LDAP user that you use
> > for LAM is not the admin or that you try to create entries in
> > non-existing parts of the LDAP tree.
> > Does LAM report any missing suffixes after login? Is "dc=domain,dc=com"
> > your right LDAP suffix?
> >
> > - --
> >
> > Best regards
> >
> > Roland Gruber

-- 
Tim Rice				Multitalents	(707) 887-1469
tim@...
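Roland's two explanations ("the LDAP user you use for LAM is not the admin" and "you try to create entries in non-existing parts of the LDAP tree") and Tim's point that membership in "Domain Admins" has no bearing on what slapd lets a bind DN write both come down to the server's access control list. The script below is an added example, not code from LAM, OpenLDAP or anyone in the thread: it evaluates a simplified slapd.conf fragment the way slapd.access(5) describes (rootdn bypasses ACLs; "access to" clauses are tried in order and the first whose target matches decides; within it the first matching "by" clause sets the level; anything unmatched is "none"), treats an add as needing "write" on the new DN, and adds a constructed parent-must-exist pre-check that mirrors Roland's second case rather than OpenLDAP's own result code. The configuration, the directory contents and the admin DNs are constructed; the bind DN uid=root,ou=Users,dc=domain,dc=com is the one from the thread's log line. Only the target and subject forms used in the sample are supported (no attrs=, regex or group= selectors).

```python
"""Simplified evaluator for slapd.conf "access to" directives (added example).

Not OpenLDAP or LAM code. Models the subset of slapd.access(5) needed to
reason about "Insufficient access" on an LDAP add:
  * rootdn is never subject to ACLs,
  * first matching "access to" target decides; first matching "by" sets the
    level; unmatched means "none" (implicit "by * none" / "access to * by * none"),
  * targets: *, dn.exact|base|subtree|one="..."; subjects: *, anonymous, users,
    self, dn[.exact|.subtree]="...". A bare dn="..." is treated as dn.exact.
"""
from __future__ import annotations
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def norm(dn: str) -> str:
    """Lower-case and strip whitespace around RDNs (escaped commas not handled)."""
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""


def parent_dn(dn: str) -> str:
    return norm(dn).partition(",")[2]


def _dn_matches(style: str, pattern: str, dn: str) -> bool:
    dn = norm(dn)
    if style in ("exact", "base"):
        return dn == pattern
    if style == "subtree":
        return dn == pattern or dn.endswith("," + pattern)
    if style == "one":
        return parent_dn(dn) == pattern
    raise ValueError(f"unsupported dn style {style!r}")


def parse_config(conf: str) -> tuple[str, list]:
    """Return (rootdn, rules); a rule is (target_style, target_dn, [(who, style, dn, level)])."""
    rootdn, rules = "", []
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("rootdn"):
            rootdn = norm(line.split(None, 1)[1].strip().strip('"'))
            continue
        if not line.startswith("access to "):
            continue                      # suffix, database, etc. are ignored here
        parts = re.split(r"\s+by\s+", line)
        target = parts[0][len("access to "):].strip()
        if target == "*":
            tstyle, tdn = "all", ""
        else:
            m = re.fullmatch(r'dn\.(exact|base|subtree|one)="([^"]*)"', target)
            if not m:
                raise ValueError(f"unsupported target: {target}")
            tstyle, tdn = m.group(1), norm(m.group(2))
        clauses = []
        for by in parts[1:]:
            m = re.fullmatch(r'(\*|anonymous|users|self|dn(?:\.(exact|subtree))?="([^"]*)")\s+(\w+)',
                             by.strip())
            if not m or m.group(4) not in LEVELS:
                raise ValueError(f"unsupported by clause: {by}")
            who = "dn" if m.group(1).startswith("dn") else m.group(1)
            clauses.append((who, m.group(2) or "exact", norm(m.group(3) or ""), m.group(4)))
        rules.append((tstyle, tdn, clauses))
    return rootdn, rules


def access_level(conf: str, bind_dn: str, entry_dn: str) -> str:
    """Access level the bind DN gets on entry_dn under the given configuration."""
    rootdn, rules = parse_config(conf)
    bind, entry = norm(bind_dn), norm(entry_dn)
    if bind and bind == rootdn:
        return "manage"                   # rootdn bypasses the ACL entirely
    for tstyle, tdn, clauses in rules:
        if tstyle != "all" and not _dn_matches(tstyle, tdn, entry):
            continue
        for who, wstyle, wdn, level in clauses:
            if (who == "*" or (who == "anonymous" and not bind)
                    or (who == "users" and bind) or (who == "self" and bind == entry)
                    or (who == "dn" and _dn_matches(wstyle, wdn, bind))):
                return level
        return "none"                     # implicit "by * none"
    return "none"                         # implicit "access to * by * none"


def explain_add(conf: str, bind_dn: str, new_dn: str, existing: set[str]) -> str:
    """Classify why an add would fail, in the terms used in the thread."""
    if parent_dn(new_dn) not in {norm(d) for d in existing}:
        return "parent entry does not exist"     # a non-existing part of the tree
    level = access_level(conf, bind_dn, new_dn)
    if LEVELS.index(level) < LEVELS.index("write"):
        return f"insufficient access ({level})"
    return "ok"


# Constructed slapd.conf fragment and directory contents for the demonstration.
SLAPD_CONF = """
suffix   "dc=domain,dc=com"
rootdn   "cn=Manager,dc=domain,dc=com"
access to dn.subtree="ou=Users,dc=domain,dc=com" by dn.exact="cn=admin,dc=domain,dc=com" write by self write by * read
access to * by * read
"""
DIRECTORY = {"dc=domain,dc=com", "ou=Users,dc=domain,dc=com",
             "cn=admin,dc=domain,dc=com", "uid=root,ou=Users,dc=domain,dc=com"}

if __name__ == "__main__":
    new = "uid=testuser,ou=Users,dc=domain,dc=com"
    for bind in ("uid=root,ou=Users,dc=domain,dc=com", "cn=admin,dc=domain,dc=com",
                 "cn=Manager,dc=domain,dc=com"):
        print(bind, "->", explain_add(SLAPD_CONF, bind, new, DIRECTORY))
    print("missing ou ->", explain_add(SLAPD_CONF, "cn=Manager,dc=domain,dc=com",
                                       "uid=testuser,ou=People,dc=domain,dc=com", DIRECTORY))
```

With this configuration the bind DN from the log line, uid=root,ou=Users,dc=domain,dc=com, is an ordinary entry under ou=Users: the only "by" clause that matches it is "by * read", so it gets "read" and the add is refused, regardless of any Samba group it belongs to. The same add succeeds for the rootdn or for the DN named in a "write" clause, and an add under a missing ou=People fails before the ACL is consulted. To confirm the live server's view, LAM's login DN should be checked against the rootdn and "access to" lines in the actual slapd.conf (with the rootpw removed, as Tim asks).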
