"error code 21 - objectClass: value #0 invalid per syntax" error running PWM with OpenLDAP


Silvio Arcangeli

Jul 15, 2014, 7:23:07 AM7/15/14
to pwm-g...@googlegroups.com
Hello,
I'm a PWM newbie; last weekend I set up PWM on Debian 7.5 / OpenLDAP 2.4.31 / OpenJDK JRE 1.7.0_55 / Tomcat 7.0.28 / PWM 1.7.0 for a non-profit association.
I followed the admin guide, and I added the PWM specific objects to the schema (I just had to convert the schema file to ldif but I finally managed to get it working), and the access control lists in the static configuration file (/etc/ldap/ldap.conf).

New user creation works fine: I was able to register a new user for myself, and then after adding that user to the admins group in the LDAP I was recognized by PWM as an administrator and I was able to close the configuration.

Now, when I try to set challenge responses I get an error ("LDAP: error code 65 - attribute 'pwmResponseSet' not allowed").

I've noticed that there were actually logs also concerning the other pwm-specific attributes right after authentication:
2014-07-15 12:44:56, INFO , operations.UserAuthenticator, {6o} successful ssl authentication for cn=utentetest2,ou=People,dc=mydomain,dc=org (7ms)
2014-07-15 12:44:56, ERROR, util.Helper, {6o} error adding objectclass 'pwmUser' to user cn=utentetest2,ou=People,dc=mydomain,dc=org: com.novell.ldapchai.exception.ChaiOperationException: [LDAP: error code 21 - objectClass: value #0 invalid per syntax]
2014-07-15 12:44:56, INFO , event.AuditManager, audit event: {"eventCode":"AUTHENTICATE","perpetratorID":"utentetest2","perpetratorDN":"cn\u003dutentetest2,ou\u003dPeople,dc\u003dmydomain,dc\u003dorg","timestamp":"Jul 15, 2014 12:44:56 PM","message":"AUTHENTICATED","targetID":"utentetest2","targetDN":"cn\u003dutentetest2,ou\u003dPeople,dc\u003dmydomain,dc\u003dorg","sourceAddress":"xx.xx.xx.xx","sourceHost":"myhost"}
2014-07-15 12:44:56, ERROR, event.UserLdapHistory, ldap error writing user event log: [LDAP: error code 65 - attribute 'pwmEventLog' not allowed]

I guess that the root cause of the issue with writing the challenge response is actually that PWM doesn't succeed in attaching the pwmUser auxiliary class... but in the access list in ldap.conf I just wrote everything that was mentioned in the doc. How can I troubleshoot this problem?

thanks!
Silvio

Silvio Arcangeli

Jul 15, 2014, 10:16:00 AM7/15/14
to pwm-g...@googlegroups.com
Ok, I found the issue.
The OpenLDAP schema provided in the current Administration guide is missing a closing parenthesis at the end, which means the pwmUser class is not created.
Fixing that mistake resolves the issue.

For future reference, in order to be able to import the schema provided in the doc (which I saved to /etc/ldap/schema/pwm.schema as specified) in our system we had to convert it to an LDIF file, with the following commands:
echo include /etc/ldap/schema/pwm.schema > /var/tmp/schema_convert.conf

mkdir /var/tmp/ldif_output
slaptest -f /var/tmp/schema_convert.conf -F /var/tmp/ldif_output

We then edited the generated file (/var/tmp/ldif_output/cn\=config/cn\=schema/cn\=\{0\}pwm.ldif), editing the dn and cn lines and removing the dynamic attributes at the end.
The LDIF we eventually obtained is the following:
dn: cn=pwm,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: pwm
olcAttributeTypes: {0}( 1.3.6.1.4.1.591242.2.2010.04.16.1 NAME 'pwmEventLog' S
 YNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.591242.2.2010.04.16.2 NAME 'pwmResponseSet
 ' SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.591242.2.2010.04.16.3 NAME 'pwmLastPwdUpda
 te' SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.591242.2.2010.04.16.4 NAME 'pwmGUID' SYNTA
 X 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: {0}( 1.3.6.1.4.1.591242.1.2010.04.16.1 NAME 'pwmUser' AUXILI
 ARY MAY ( pwmLastPwdUpdate $ pwmEventLog $ pwmResponseSet $ pwmGUID ) )

which we moved to /etc/ldap/schema/pwm.ldif, and then imported with the command:

ldapadd -c -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/pwm.ldif

It seems to work now, I hope this is a "legitimate" way to create the schema, and I hope the doc gets fixed too. ;)

ciao,

Silvio



Silvio Arcangeli

Jul 15, 2014, 10:47:03 AM7/15/14
to pwm-g...@googlegroups.com
p.s. I was still having another error:
[LDAP: error code 18 - modify/delete: pwmEventLog: no equality matching rule]

This is also caused by something missing in the pwm.schema file provided in the Administration guide, as documented here: https://code.google.com/p/pwm/issues/detail?id=89
The pwmEventLog attribute should actually be:
attributetype ( 
          1.3.6.1.4.1.591242.2.2010.04.16.1 
          NAME 'pwmEventLog'
          EQUALITY octetStringMatch 
          SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

So the corresponding LDIF file will be:
dn: cn=pwm,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: pwm
olcAttributeTypes: {0}( 1.3.6.1.4.1.591242.2.2010.04.16.1 NAME 'pwmEventLog' E
 QUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
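Both defects Silvio hit (the missing closing parenthesis that made slaptest silently drop the pwmUser class, and the missing EQUALITY rule that produced "error code 18 - no equality matching rule" on modify/delete) are catchable before the schema ever reaches slapd. The script below is an added example, not code from Silvio's posts or from the PWM project: it lints a .schema file for those two problems and performs the post-processing step from the second post (fix dn and cn, drop the operational attributes) on the cn={0}pwm.ldif that slaptest generates. The BROKEN_SCHEMA and GENERATED_LDIF samples are constructed from what the thread shows, the operational attribute values are made up, and the generalizedTimeMatch / caseIgnoreMatch rules used in the repaired sample are my choices; only octetStringMatch comes from the thread.

```python
import re

# Operational attributes that slaptest writes into the generated cn={N}name.ldif;
# they belong to the config database, not to the schema, and ldapadd rejects them.
OPERATIONAL_ATTRS = {"structuralobjectclass", "entryuuid", "creatorsname",
                     "createtimestamp", "entrycsn", "modifiersname", "modifytimestamp"}

# Constructed sample of pwm.schema as the thread describes the guide's copy:
# no EQUALITY rule on any attribute, and the final ')' of pwmUser missing.
BROKEN_SCHEMA = """\
attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.1 NAME 'pwmEventLog'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.2 NAME 'pwmResponseSet'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.3 NAME 'pwmLastPwdUpdate'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 1.3.6.1.4.1.591242.2.2010.04.16.4 NAME 'pwmGUID'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
objectclass ( 1.3.6.1.4.1.591242.1.2010.04.16.1 NAME 'pwmUser' AUXILIARY
    MAY ( pwmLastPwdUpdate $ pwmEventLog $ pwmResponseSet $ pwmGUID )
"""

# The same schema repaired: closing ')' restored and an EQUALITY rule for each
# syntax. octetStringMatch is from the thread; the other two rules are my choice.
FIXED_SCHEMA = BROKEN_SCHEMA.rstrip() + " )\n"
for _syn, _rule in (("40", "octetStringMatch"), ("24", "generalizedTimeMatch"),
                    ("15", "caseIgnoreMatch")):
    _oid = "1.3.6.1.4.1.1466.115.121.1." + _syn
    FIXED_SCHEMA = FIXED_SCHEMA.replace("SYNTAX " + _oid, f"EQUALITY {_rule} SYNTAX " + _oid)

# Constructed (abridged) sample of cn\=config/cn\=schema/cn\=\{0\}pwm.ldif as
# written by 'slaptest -F'; the operational attribute values are made up.
GENERATED_LDIF = """\
dn: cn={0}pwm
objectClass: olcSchemaConfig
cn: {0}pwm
olcAttributeTypes: {0}( 1.3.6.1.4.1.591242.2.2010.04.16.1 NAME 'pwmEventLog' E
 QUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
entryCSN: 20140715100000.000000Z#000000#000#000000
modifyTimestamp: 20140715100000Z
"""

def _paren_depth(body):
    """Net '(' minus ')' in one definition, ignoring quoted strings (DESC 'a (b)')."""
    depth, in_quote = 0, False
    for ch in body:
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote and ch in "()":
            depth += 1 if ch == "(" else -1
    return depth

def lint_schema(schema_text):
    """Return (name, problem) tuples for the two defects from the thread: unbalanced
    parentheses (slaptest then emits nothing for that definition, so the class is
    never created) and an attributetype with neither EQUALITY nor SUP (modify/delete
    of a value then fails with LDAP error 18 'no equality matching rule')."""
    text = "\n".join(l for l in schema_text.splitlines() if not l.lstrip().startswith("#"))
    starts = list(re.finditer(r"^\s*(attributetype|objectclass)\b", text, re.I | re.M))
    problems = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        kind, body = m.group(1).lower(), text[m.end():end]
        name_m = re.search(r"NAME\s+'([^']+)'", body)
        name = name_m.group(1) if name_m else "<unnamed>"
        depth = _paren_depth(body)
        if depth != 0:
            problems.append((name, f"unbalanced parentheses (net depth {depth:+d})"))
        if kind == "attributetype" and not re.search(r"\b(EQUALITY|SUP)\b", body):
            problems.append((name, "no EQUALITY matching rule (and no SUP to inherit one)"))
    return problems

def clean_slaptest_ldif(ldif_text, schema_name):
    """Turn the cn={N}name.ldif produced by 'slaptest -F' into an entry that
    'ldapadd -Y EXTERNAL -H ldapi:///' accepts under cn=schema,cn=config: fix dn
    and cn, drop the operational attributes, unfold LDIF continuation lines."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:   # folded continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    out = []
    for line in unfolded:
        key = line.partition(":")[0].strip().lower()
        if not line.strip() or key in OPERATIONAL_ATTRS:
            continue
        if key == "dn":
            out.append(f"dn: cn={schema_name},cn=schema,cn=config")
        elif key == "cn":
            out.append(f"cn: {schema_name}")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(*(f"{n}: {p}" for n, p in lint_schema(BROKEN_SCHEMA)), sep="\n")
    print(clean_slaptest_ldif(GENERATED_LDIF, "pwm"))
```

Run the linter on the real /etc/ldap/schema/pwm.schema before the slaptest step; an empty result means every definition is balanced and every attribute can be matched, so a later modify/delete on pwmEventLog will not be refused. The cleaned LDIF is what the second post arrives at by hand, so it can go straight to ldapadd -c -Y EXTERNAL -H ldapi:///.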