Commit Diff


commit - 2ad9667a22bf613789122b5da4c93db1c302b08f
commit + 15a83e6cfe7efe4b9f1d19dd632ade9b873616f7
blob - /dev/null
blob + 6fd2303bbccc8a5577c5a8d4cd93e7deca2b4947 (mode 644)
--- /dev/null
+++ wiki.d/OpenBSD.LDAPd-Draft
@@ -0,0 +1,21 @@
+version=pmwiki-2.3.20 ordered=1 urlencoded=1
+agent=Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
+author=Maddie
+charset=UTF-8
+csum=
+ctime=1697737723
+host=2a0b:f4c1:2::253
+name=OpenBSD.LDAPd-Draft
+rev=3
+targets=
+text=-----------------------------------------------------------------------%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a!! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0aI'm really not proud of this, I want to improve it, its a dumpster fire.%0a-----------------------------------------------------------------------%0a%0a!! Introduction%0aI had a multi-conversation-conversation in #thunderirc and peoples wanted to know to LDAP.%0aSo, ehh, heres a basic guide on how to get LDAP setup on base OpenBSD and a little extra information that I found useful.%0a%0aLDAP stands for Lightweight Directory Access Protocol and is basically a write few, read meany, kind of database. \%0aIts useful for if you want to have a central place (directory) to store some information like account credentials for instance and have and have meany other peices of software hook into it for loging in (binds).%0a%0aIn this guide I'll only be focusing on how to get the LDAP daemon included with OpenBSD setup and running and how to test it manually.  
Future articales may include how to setup access control, how to make prosody use it for logins, and how to make SMTPd use it for logins.  No promises on delivery though (spam me (Maddie) if you want it sooner).%0a%0a!! Hows%0a!!! Namespace%0aFirst we'll start with picking a namespace, there are basically 2 main types and the one you pick doesn't matter at all, its all functionally the same.%0a%0aDC type (recommended because thats what I use; and aparently also by some RFC):%0a-> The domain name you want to use (probably your teams homepage) with dc= between each part of the domain.  Heres an example: example.com is my team's domain, so I'll use dc=example,dc=com as my namespace.%0a%0aO type (good if you're lazy):%0a-> This one is much simpler but aparently not best pratice.  Its just o=any regular string, so if my team is called Example team X, I would use `o=Example team X` as my namespace.%0a%0aThis guide will use "ircnow.org" as our pseudo team and the DC type, so our namespace will be `dc=ircnow,dc=org`%0a%0a!!! Abbreviations%0aIn LDAP, abbreviations are used often, so it helps alot to know what thay stand for.  Heres a table for reference:%0a%0a||dn||Distinquished Name||%0a||dc||Domain Component||%0a||o||Organization||%0a||ou||Organizational Unit||%0a||cn||Common Name||%0a%0a!! Hows%0a%0aWe'll start with editing `/etc/ldapd.conf`.%0a%0aBy default it contains 2x listen, in this guide I will be useing `listen on ::1 secure` whitch limits access to the local system over IPv6 and asumes all connections to be secure. \%0aThen you can just uncomment the example namespace and replace it with your own namespace as discussed earlier.%0a%0aI recommend changeing rootdn to `cn=admin,''your namespace here''`.\%0aThen chnage rootpw to a password that you will remember for the remainder of this guide.  
Merely entering a password will make LDAP asume its in plaintext but it could be hash aswell, writeing {CRYPT} in front of it will make LDAP treat it as any string returned by $ encrypt%0a%0a/etc/ldapd.conf should look a like this by now.%0a[@%0aschema "/etc/ldap/core.schema"%0aschema "/etc/ldap/inetorgperson.schema"%0aschema "/etc/ldap/nis.schema"%0aschema "/etc/ldap/bsd.schema"%0a%0alisten on ::1 secure%0a%0anamespace "dc=ircnow,dc=org" {%0a	rootdn		"cn=admin,dc=ircnow,dc=org"%0a	rootpw		"{CRYPT}$2b$09$zwo7EEy6Kov96eFzY7mj3OdwlD52qjOAMY.9F8KQV/.b3vqCOwkfa"%0a	index		sn%0a	index		givenName%0a	index		cn%0a	index		mail%0a}%0a@]%0aRun `$ ldapd -n` to check for any configuration errors (possible typos).\%0aThen start and enable LDAPd at boot by running `$ rcctl start ldapd` and `$ rcctl enable ldapd`.%0a%0a-----------------------------------------------------------------------%0a%0aNow the last thing required for LDAP to fully work is to add an entry to the root of the namespace.%0a%0aSimply run `$ ldapadd -x -H ldap://[::1] -D %3cyour ldap root dn> -w %3cyour ldap root password>` and write an%0aentry then press enter.%0a%0aMVP:%0a%0a[@%0adn: %3cyour namespace here>%0aobjectclass: dcObject%0aobjectclass: organization%0ao: %3cthe name of your team>%0a%3clast component set>%0a@]%0a%0aFilled in example:%0a[@%0adn: dc=ircnow,dc=org%0aobjectclass: dcObject%0aobjectclass: organization%0ao: ircnow%0adc: ircnow%0a@]%0a%0aTHIS IS A DRAFT, but now you should technically have a working LDAPd, add a user or something and search for records.%0a%0aTo add a random guy, run the ldapadd command from above and paste something like this:%0a[@%0adn: cn=dude,%3cyour namespace here>%0a%3clast component set>%0asn: %3ca surname>%0aobjectclass: person%0a@]%0a%0aTo search the LDAP manually  `$ ldapsearch -x -H ldap://[::1] -D %3cyour ldap root dn> -w %3cyour ldap root password> -b "%3cdistinquished 
name>"`%0a%0a%0a%0a-----------------------------------------------------------------------%0a-----------------------------------------------------------------------%0a-----------------------------------------------------------------------%0a-----------------------------------------------------------------------%0a-----------------------------------------------------------------------%0a#######################################################################%0a# Regular notes below                                                 #%0a#######################################################################%0a%0a# LDAP%0a## Resources%0ahttps://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format#LDIF_fields%0ahttps://ldap.com/ldap-oid-reference-guide/%0ahttps://openldap.org/doc/admin20/schema.html%0ahttps://www.rfc-editor.org/rfc/rfc2252%0a! https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.501-201910-I!!PDF-E&type=items%0a! https://www.openldap.org/doc/admin26/appendix-common-errors.html%0a!! https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names%0a%0aExplamation point (!) denotes that the resource is really good IMO.%0a%0a## Notes themself%0a%0aObjects:%0a```LDIF%0athis: is%0aan: entry%0a%0aheres: another%0aldap: entry%0a```%0aThease key-value pairs are called attributes.%0a%0aUseing ": " means set this key's value.  
Useing "=" is refering to a key%0awith that value.%0a%0aTODO: Find out if attributes are case sensitive (I think not).%0a%0aThere is some weird magic data thing called "objectclass", objectclasses%0ain LDIF specify whitch objectclasses you want to subscribe to, you must%0asubscribe to atleast one STRUCTURAL objectclass.%0a%0aSuplementing the above statement: The LDAP daemon / system itself is%0ainterpreting some of the attributes, so thay are special/magical, those%0aattributes include but is probably not limited to: dc and objectclass.%0a%0a### LDAP classes%0a%0a#### Abstract%0aNo entry can use only 1 abstract class.%0a%0aAbstract class is abstract?%0a%0aIgnore this type, really only the 'top' object uses it.%0a%0aSee also: ITU X.501 8.3.1 for additional information.%0a%0a#### Structural%0aEach entry must have exactly 1 structural class.%0a%0aTells you what you may and must use in the entry.%0a%0aSee also: ITU X.501 8.3.2 for additional information.%0a%0a#### Auxiliary%0a0 or more per entry.%0a%0aBascially structural but is not the main structure.%0a%0aSee also: ITU X.501 8.3.3 for additional information.%0a%0a### Copy paste%0a%0a```%0amaddie# cat /root/teacup%0adn: dc=maddie,dc=host,dc=bsdforall,dc=org%0aobjectclass: dcObject%0aobjectclass: organization%0adc: maddie%0ao: maddie.host.bsdforall.org LDAP Server%0adescription: Root entry for maddie.host.bsdforall.org%0a%0adn: cn=Very annoyied tea cup,dc=maddie,dc=host,dc=bsdforall,dc=org%0acn: Very annoyied tea cup%0aobjectclass: thuser%0aaccountName: teacup8biscuit%0auserPassword: teaCupsAlwaysUseInsecurePasswordsAparently%0a%0adn: cn=Very annoyied tea cup 2,dc=maddie,dc=host,dc=bsdforall,dc=org%0acn: Very annoyied tea cup 2%0aobjectclass: thuser%0aaccountName: teacup8biscuit2%0auserPassword: teaCupsAlwaysUseInsecurePasswordsAparently%0a%0amaddie# cat /etc/ldap/test%0adn: dc=maddie,dc=host,dc=bsdforall,dc=org%0aobjectclass: dcObject%0aobjectclass: organization%0ao: maddie.host.bsdforall.org%0adc: maddie%0a%0adn: 
cn=Very annoyied tea cup,dc=maddie,dc=host,dc=bsdforall,dc=org%0acn: Very annoyied tea cup%0aobjectclass: thuser%0aaccountName: teacup8biscuit%0auserPassword: teaCupsAlwaysUseInsecurePasswordsAparently%0a%0adn: cn=Very annoyied tea cup 2,dc=maddie,dc=host,dc=bsdforall,dc=org%0acn: Very annoyied tea cup 2%0aobjectclass: thuser%0aaccountName: teacup8biscuit2%0auserPassword: teaCupsAlwaysUseInsecurePasswordsAparently%0a%0a```%0a%0a### Trouble shooting%0a%0a#### Object class violation (65)%0a%0aProblem: Incorrect class usage.%0a%0aPossible solution: Make sure you're subscribed to the correct classes as%0adefined above.%0a%0aPossible solution: Make sure you're complying with the objectclass's%0arules%0a%0a#### Naming violation (64)%0a%0a%3c!--%0aThis error has annoyied me for a long ass time%0a%0aFrom what I gather the entry isn't unique enough and can be remedied by%0aadding a unique dc (for root), ou (for groups / orginaizational units)%0aor cn (for leafs, I.E. user/peoples/things being identified).%0a%0aNone PG answer I got from a high professional: when 2 *redacted* have%0athe same cn.%0a-->%0a%0aProblem: Either 2 DNs are identical or you forgot to add the left most%0acomponent to the entry.%0a%0aPossible solution: Make sure you have the left most component of the DN%0ain the entry and that it is identical.%0a%0aPossible solution: You have 2 identical DNs.%0a%0a
+time=1697739207
+author:1697739207=Maddie
+diff:1697739207:1697737841:=83c83%0a%3c Simply run `$ ldapadd -x -H ldap://[::1] -D %3cyour ldap root dn> -w %3cyour ldap root password>` and write an%0a---%0a> Simply run `$ ldap aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` and write an%0a88,92c88,91%0a%3c [@%0a%3c dn: %3cyour namespace here>%0a%3c objectclass: dcObject%0a%3c objectclass: organization%0a%3c o: %3cthe name of your team>%0a---%0a> ```ldif%0a> dc: %3cyour namespace here>%0a> objectClass: organization%0a> objectClass: dcObject%0a94,123c93,99%0a%3c @]%0a%3c %0a%3c Filled in example:%0a%3c [@%0a%3c dn: dc=ircnow,dc=org%0a%3c objectclass: dcObject%0a%3c objectclass: organization%0a%3c o: ircnow%0a%3c dc: ircnow%0a%3c @]%0a%3c %0a%3c THIS IS A DRAFT, but now you should technically have a working LDAPd, add a user or something and search for records.%0a%3c %0a%3c To add a random guy, run the ldapadd command from above and paste something like this:%0a%3c [@%0a%3c dn: cn=dude,%3cyour namespace here>%0a%3c %3clast component set>%0a%3c sn: %3ca surname>%0a%3c objectclass: person%0a%3c @]%0a%3c %0a%3c To search the LDAP manually  `$ ldapsearch -x -H ldap://[::1] -D %3cyour ldap root dn> -w %3cyour ldap root password> -b "%3cdistinquished name>"`%0a%3c %0a%3c %0a%3c %0a%3c -----------------------------------------------------------------------%0a%3c -----------------------------------------------------------------------%0a%3c -----------------------------------------------------------------------%0a%3c -----------------------------------------------------------------------%0a%3c -----------------------------------------------------------------------%0a---%0a> ```%0a> Filled in:%0a> ```ldif%0a> dc: %3cyour namespace here>%0a> ```%0a> %0a> %0a
+host:1697739207=2a0b:f4c1:2::253
+author:1697737841=Maddie
+diff:1697737841:1697737723:=59c59%0a%3c [@%0a---%0a> ```config%0a75c75%0a%3c @]%0a---%0a> ```%0a
+host:1697737841=2a03:e600:100::6
+author:1697737723=Maddie
+diff:1697737723:1697737723:=1,242d0%0a%3c -----------------------------------------------------------------------%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c !! SORRY I DIDNT HAVE THAT MUCH TIME TO WRITE THIS: THIS IS A DRAFT!%0a%3c I'm really not proud of this, I want to improve it, its a dumpster fire.%0a%3c -----------------------------------------------------------------------%0a%3c %0a%3c !! Introduction%0a%3c I had a multi-conversation-conversation in #thunderirc and peoples wanted to know to LDAP.%0a%3c So, ehh, heres a basic guide on how to get LDAP setup on base OpenBSD and a little extra information that I found useful.%0a%3c %0a%3c LDAP stands for Lightweight Directory Access Protocol and is basically a write few, read meany, kind of database. \%0a%3c Its useful for if you want to have a central place (directory) to store some information like account credentials for instance and have and have meany other peices of software hook into it for loging in (binds).%0a%3c %0a%3c In this guide I'll only be focusing on how to get the LDAP daemon included with OpenBSD setup and running and how to test it manually.  
Future articales may include how to setup access control, how to make prosody use it for logins, and how to make SMTPd use it for logins.  No promises on delivery though (spam me (Maddie) if you want it sooner).%0a%3c %0a%3c !! Hows%0a%3c !!! Namespace%0a%3c First we'll start with picking a namespace, there are basically 2 main types and the one you pick doesn't matter at all, its all functionally the same.%0a%3c %0a%3c DC type (recommended because thats what I use; and aparently also by some RFC):%0a%3c -> The domain name you want to use (probably your teams homepage) with dc= between each part of the domain.  Heres an example: example.com is my team's domain, so I'll use dc=example,dc=com as my namespace.%0a%3c %0a%3c O type (good if you're lazy):%0a%3c -> This one is much simpler but aparently not best pratice.  Its just o=any regular string, so if my team is called Example team X, I would use `o=Example team X` as my namespace.%0a%3c %0a%3c This guide will use "ircnow.org" as our pseudo team and the DC type, so our namespace will be `dc=ircnow,dc=org`%0a%3c %0a%3c !!! Abbreviations%0a%3c In LDAP, abbreviations are used often, so it helps alot to know what thay stand for.  Heres a table for reference:%0a%3c %0a%3c ||dn||Distinquished Name||%0a%3c ||dc||Domain Component||%0a%3c ||o||Organization||%0a%3c ||ou||Organizational Unit||%0a%3c ||cn||Common Name||%0a%3c %0a%3c !! Hows%0a%3c %0a%3c We'll start with editing `/etc/ldapd.conf`.%0a%3c %0a%3c By default it contains 2x listen, in this guide I will be useing `listen on ::1 secure` whitch limits access to the local system over IPv6 and asumes all connections to be secure. \%0a%3c Then you can just uncomment the example namespace and replace it with your own namespace as discussed earlier.%0a%3c %0a%3c I recommend changeing rootdn to `cn=admin,''your namespace here''`.\%0a%3c Then chnage rootpw to a password that you will remember for the remainder of this guide.  
Merely entering a password will make LDAP asume its in plaintext but it could be hash aswell, writeing {CRYPT} in front of it will make LDAP treat it as any string returned by $ encrypt%0a%3c %0a%3c /etc/ldapd.conf should look a like this by now.%0a%3c ```config%0a%3c schema "/etc/ldap/core.schema"%0a%3c schema "/etc/ldap/inetorgperson.schema"%0a%3c schema "/etc/ldap/nis.schema"%0a%3c schema "/etc/ldap/bsd.schema"%0a%3c %0a%3c listen on ::1 secure%0a%3c %0a%3c namespace "dc=ircnow,dc=org" {%0a%3c 	rootdn		"cn=admin,dc=ircnow,dc=org"%0a%3c 	rootpw		"{CRYPT}$2b$09$zwo7EEy6Kov96eFzY7mj3OdwlD52qjOAMY.9F8KQV/.b3vqCOwkfa"%0a%3c 	index		sn%0a%3c 	index		givenName%0a%3c 	index		cn%0a%3c 	index		mail%0a%3c }%0a%3c ```%0a%3c Run `$ ldapd -n` to check for any configuration errors (possible typos).\%0a%3c Then start and enable LDAPd at boot by running `$ rcctl start ldapd` and `$ rcctl enable ldapd`.%0a%3c %0a%3c -----------------------------------------------------------------------%0a%3c %0a%3c Now the last thing required for LDAP to fully work is to add an entry to the root of the namespace.%0a%3c %0a%3c Simply run `$ ldap aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa` and write an%0a%3c entry then press enter.%0a%3c %0a%3c MVP:%0a%3c %0a%3c ```ldif%0a%3c dc: %3cyour namespace here>%0a%3c objectClass: organization%0a%3c objectClass: dcObject%0a%3c %3clast component set>%0a%3c ```%0a%3c Filled in:%0a%3c ```ldif%0a%3c dc: %3cyour namespace here>%0a%3c ```%0a%3c %0a%3c %0a%3c #######################################################################%0a%3c # Regular notes below                                                 #%0a%3c #######################################################################%0a%3c %0a%3c # LDAP%0a%3c ## Resources%0a%3c https://en.wikipedia.org/wiki/LDAP_Data_Interchange_Format#LDIF_fields%0a%3c https://ldap.com/ldap-oid-reference-guide/%0a%3c https://openldap.org/doc/admin20/schema.html%0a%3c https://www.rfc-editor.org/rfc/rfc2252%0a%3c ! 
https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.501-201910-I!!PDF-E&type=items%0a%3c ! https://www.openldap.org/doc/admin26/appendix-common-errors.html%0a%3c !! https://learn.microsoft.com/en-us/previous-versions/windows/desktop/ldap/distinguished-names%0a%3c %0a%3c Explamation point (!) denotes that the resource is really good IMO.%0a%3c %0a%3c ## Notes themself%0a%3c %0a%3c Objects:%0a%3c ```LDIF%0a%3c this: is%0a%3c an: entry%0a%3c %0a%3c heres: another%0a%3c ldap: entry%0a%3c ```%0a%3c Thease key-value pairs are called attributes.%0a%3c %0a%3c Useing ": " means set this key's value.  Useing "=" is refering to a key%0a%3c with that value.%0a%3c %0a%3c TODO: Find out if attributes are case sensitive (I think not).%0a%3c %0a%3c There is some weird magic data thing called "objectclass", objectclasses%0a%3c in LDIF specify whitch objectclasses you want to subscribe to, you must%0a%3c subscribe to atleast one STRUCTURAL objectclass.%0a%3c %0a%3c Suplementing the above statement: The LDAP daemon / system itself is%0a%3c interpreting some of the attributes, so thay are special/magical, those%0a%3c attributes include but is probably not limited to: dc and objectclass.%0a%3c %0a%3c ### LDAP classes%0a%3c %0a%3c #### Abstract%0a%3c No entry can use only 1 abstract class.%0a%3c %0a%3c Abstract class is abstract?%0a%3c %0a%3c Ignore this type, really only the 'top' object uses it.%0a%3c %0a%3c See also: ITU X.501 8.3.1 for additional information.%0a%3c %0a%3c #### Structural%0a%3c Each entry must have exactly 1 structural class.%0a%3c %0a%3c Tells you what you may and must use in the entry.%0a%3c %0a%3c See also: ITU X.501 8.3.2 for additional information.%0a%3c %0a%3c #### Auxiliary%0a%3c 0 or more per entry.%0a%3c %0a%3c Bascially structural but is not the main structure.%0a%3c %0a%3c See also: ITU X.501 8.3.3 for additional information.%0a%3c %0a%3c ### Copy paste%0a%3c %0a%3c ```%0a%3c maddie# cat /root/teacup%0a%3c dn: 
dc=maddie,dc=host,dc=bsdforall,dc=org%0a%3c objectclass: dcObject%0a%3c objectclass: organization%0a%3c dc: maddie%0a%3c o: maddie.host.bsdforall.org LDAP Server%0a%3c description: Root entry for maddie.host.bsdforall.org%0a%3c %0a%3c dn: cn=Very annoyied tea cup,dc=maddie,dc=host,dc=bsdforall,dc=org%0a%3c cn: Very annoyied tea cup%0a%3c objectclass: thuser%0a%3c accountName: teacup8biscuit%0a%3c userPassword: teaCupsAlwaysUseInsecurePasswordsAparently%0a%3c %0a%3c dn: cn=Very annoyied tea cup 2,dc=maddie,dc=host,dc=bsdforall,dc=org%0a%3c cn: Very annoyied tea cup 2%0a%3c objectclass: thuser%0a%3c accountName: teacup8biscuit2%0a%3c userPassword: teaCupsAlwaysUseInsecurePasswordsAparently%0a%3c %0a%3c maddie# cat /etc/ldap/test%0a%3c dn: dc=maddie,dc=host,dc=bsdforall,dc=org%0a%3c objectclass: dcObject%0a%3c objectclass: organization%0a%3c o: maddie.host.bsdforall.org%0a%3c dc: maddie%0a%3c %0a%3c dn: cn=Very annoyied tea cup,dc=maddie,dc=host,dc=bsdforall,dc=org%0a%3c cn: Very annoyied tea cup%0a%3c objectclass: thuser%0a%3c accountName: teacup8biscuit%0a%3c userPassword: teaCupsAlwaysUseInsecurePasswordsAparently%0a%3c %0a%3c dn: cn=Very annoyied tea cup 2,dc=maddie,dc=host,dc=bsdforall,dc=org%0a%3c cn: Very annoyied tea cup 2%0a%3c objectclass: thuser%0a%3c accountName: teacup8biscuit2%0a%3c userPassword: teaCupsAlwaysUseInsecurePasswordsAparently%0a%3c %0a%3c ```%0a%3c %0a%3c ### Trouble shooting%0a%3c %0a%3c #### Object class violation (65)%0a%3c %0a%3c Problem: Incorrect class usage.%0a%3c %0a%3c Possible solution: Make sure you're subscribed to the correct classes as%0a%3c defined above.%0a%3c %0a%3c Possible solution: Make sure you're complying with the objectclass's%0a%3c rules%0a%3c %0a%3c #### Naming violation (64)%0a%3c %0a%3c %3c!--%0a%3c This error has annoyied me for a long ass time%0a%3c %0a%3c From what I gather the entry isn't unique enough and can be remedied by%0a%3c adding a unique dc (for root), ou (for groups / orginaizational units)%0a%3c or 
cn (for leafs, I.E. user/peoples/things being identified).%0a%3c %0a%3c None PG answer I got from a high professional: when 2 *redacted* have%0a%3c the same cn.%0a%3c -->%0a%3c %0a%3c Problem: Either 2 DNs are identical or you forgot to add the left most%0a%3c component to the entry.%0a%3c %0a%3c Possible solution: Make sure you have the left most component of the DN%0a%3c in the entry and that it is identical.%0a%3c %0a%3c Possible solution: You have 2 identical DNs.%0a%3c %0a
+host:1697737723=2a03:e600:100::6
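Review bot: the `ldapadd` and `ldapsearch` one-liners in the `text=` body pass the directory root password on the command line (`-x ... -D <your ldap root dn> -w <your ldap root password>`), which leaves it visible in `ps` output and in the shell history of whoever follows the guide; suggest replacing `-w <password>` with `-W` so the client prompts for it, or at least saying why `-w` is only acceptable on a throwaway test box. Related, the guide says `listen on ::1 secure` "asumes all connections to be secure" without saying what follows from that: `-x` is a simple bind, so the rootpw crosses the socket in clear, and the combination is reasonable only because the listener is restricted to loopback; one sentence making that link explicit would stop readers from copying `secure` onto a non-loopback `listen`. The "Copy paste" section stores `userPassword: teaCupsAlwaysUseInsecurePasswordsAparently` as a cleartext value in two entries, while the config example above it already shows the `{CRYPT}` prefix with an `encrypt(1)` hash for `rootpw`; using the same hashed form for `userPassword` in the sample LDIF would keep the two halves of the page consistent. Outside the article body, this commit also records the editor's IP and browser string in the page file (`host=2a0b:f4c1:2::253`, `agent=Mozilla/5.0 ...`, plus the `host:<timestamp>=` history lines), which is PmWiki's normal page-file format but is now published in the repository; if that is not intended, these fields should be stripped before committing. Minor style points: the "!! Hows" heading appears twice (once before "!!! Namespace" and again before the `/etc/ldapd.conf` section), the thirteen repeated "THIS IS A DRAFT" banner lines could be a single line, and the "Naming violation (64)" section leaves an HTML comment (`<!-- ... -->`) in the page source.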