ldbdel error

Matthieu Patou mat at samba.org
Thu Aug 18 17:18:15 MDT 2011

On 17/08/2011 04:44, Bob Miller wrote:
> Hi Matthieu
> Thanks for the reply.  I think you have put me on the right track.
>>> delete of
>>> 'CN=qmailUser,CN=Schema,CN=Configuration,DC=computerisms,DC=ca' failed -
>>> (Unwilling to perform) LDAP error 53 LDAP_UNWILLING_TO_PERFORM -
>>> <00002035: Unwilling to perform - No Deleted Objects container for DN
>>> CN=qmailUser,CN=Schema,CN=Configuration,DC=computerisms,DC=ca>   <>
>> There is no deleted object container in the Schema partition, I'm not
>> sure that in Microsoft's implementation you can delete wrong schema
>> objects. You can just mark them as deprecated.
> According to this you are correct, Microsoft does not allow you to
> delete schema objects:
> http://technet.microsoft.com/en-us/library/cc961741.aspx
>> Well mark them deprecated with isDefunct, although I'm not sure how well
>> we handle this ...
> So it would seem there is no deleting your mistakes and re-adding
> correct entries as one might do in openldap, instead use ldbmodify to
> correct mistakes.  Thank you for providing information that led me to stop
> imposing my presumptions on the software ;)
The thing is that the schema is replicated between different DCs. Once
it has been replicated, you can create an object on DC B with the
attribute foo and at the same time remove the object definition for
attribute foo (on DC A); then, when DC B tries to replicate the change,
object A won't understand on which attribute.

That's mostly why it's not authorized to remove an attribute.
> Matthieu, if I may ask a follow up question.  Based on a couple of posts
> by you saying such things should be possible, I randomly picked the
> qmail-ldap schema to learn how I might use ldb as a SSO authentication
> ldap directory.  So far, things have been going *almost* exactly as you
> predicted - good.
> When I first ran the qmail.schema file through oLschema2ldif, it would
> not convert the mailHost attribute.  I ignored it and moved on till I
> got stuck again.  Then, when I went over things again, I found that
> oLschema2ldif now gives an ldif of the mailHost attributetype and I can
> import it into ldb.  But when I try to add the attributetype to its parent
> qmailUser objectClass, I get an error:
> ERR: (Invalid attribute syntax) "LDAP error 21
> LDAP_INVALID_ATTRIBUTE_SYNTAX -<0000200B: Invalid attribute syntax -
> objectclass_attrs: attribute 'mayContain' on entry
> 'CN=qmailUser,CN=Schema,CN=Configuration,dc=computerisms,dc=ca' contains
> at least one invalid value!>  <>" on DN
> CN=qmailUser,CN=Schema,CN=Configuration,dc=computerisms,dc=ca
Maybe you can post the transformed LDIF?

> running with debug level 10 did not add anything useful to this message.
> Maybe it is clearer to show you what I mean this way:
> http://computerisms.ca/ldif.txt
> I fail to understand where/what the invalid value might be, or how or
> why ldbmodify arrives at the conclusion that there is one.  If this
> means there is a syntax problem in the ldif file, I do not see how,
> since I use the same syntax successfully to add other attributes.
> On the thought that maybe an invalid value is a conflicting entry
> somewhere, for every attribute in the
> CN=mailHost,CN=Schema,CN=Configuration,DC=computerisms,DC=ca container,
> I searched the cn=Schema,CN=Configuration,DC=computerisms,DC=ca
> container for any entry that had a conflicting attribute.  Each
> attribute is either common to all or unique to mailHost, the only
> exception being "attributeSyntax:", which is common to 71 other
> entries.  71 entries seems a lot to have only one conflict, so I am
> ruling that out for now.
> Do you have a suggestion as to how I might figure why this one attribute
> is being so stubborn?

>> Matthieu.

Matthieu Patou
Samba Team        http://samba.org
Private repo      http://git.samba.org/?p=mat/samba.git;a=summary
