'LDAP error 19 LDAP_CONSTRAINT_VIOLATION - <entryDN: no user modification allowed> <>')

Sassy Natan sassyn at gmail.com
Mon Dec 22 12:16:49 GMT 2008

Hi All

Has anyone had the problem of running openchange_provision and
getting the following error:
./openchange_provision --password=admin --username=samba-admin

NOTE: This operation can take several minutes
[+] Step 1: Register Exchange OIDs
[+] Step 2: Add new Exchange classes and attributes to Samba schema
Traceback (most recent call last):
  File "./openchange_provision", line 53, in <module>
    openchange.provision(setup_path, lp, creds, firstorg=opts.firstorg,
  File "/usr/lib/python2.5/site-packages/openchange/provision.py", line 309, in provision
    install_schemas(setup_path, names, lp, creds)
  File "/usr/lib/python2.5/site-packages/openchange/provision.py", line 144, in install_schemas
    "SCHEMADN": names.schemadn
  File "/usr/lib/python2.5/site-packages/samba/provision.py", line 163, in setup_add_ldif
    ldb.add_ldif(data)
  File "/usr/lib/python2.5/site-packages/samba/__init__.py", line 188, in add_ldif
    self.add(msg)
_ldb.LdbError: (19, 'LDAP error 19 LDAP_CONSTRAINT_VIOLATION -  <entryDN: no user modification allowed> <>')

In OpenLDAP (running at the -d-1 debug level) I am getting the following:

<<< dnNormalize:
>>> dnPretty:

<<< dnPretty:

>>> dnNormalize:

<<< dnNormalize:



<= hdb_dn2id: get failed: DB_NOTFOUND: No matching key/data pair found
hdb_referrals: tag=104


I'm quite sure it's not a security issue, since my samba-admin user has full
permission on the entire LDAP DB. But maybe samba-admin can't write to
this DN?

Or maybe I should run this command with no OpenLDAP backend? Because if I
change the username to Administrator like this:
--simple-bind-dn=cn=Administrator,cn=users,dc=edu,dc=local then I get:

Failed to bind - LDAP error 49 LDAP_INVALID_CREDENTIALS -  <> <>
Failed to connect to 'ldapi://%2Fvar%2Flib%2Fsamba-4.0%2Fldap%2Fldapi'
module partition initialization failed

Which is true, because a user like Administrator can only log in to LDAP://server
name and not to 'ldapi://%2Fvar%2Flib%2Fsamba-4.0%2Fldap%2Fldapi'.

Maybe I should check where the Python script gets the value
'ldapi://%2Fvar%2Flib%2Fsamba-4.0%2Fldap%2Fldapi' and change it to ldap://

Can someone help?

