# ldif invalid per syntax



## bluethundr (Oct 7, 2010)

Hello again FreeBSD!!

I am having a bit of trouble importing an ldif into openldap, though the syntax looks a-ok to me. I am attempting to import my sudoers list into ldap on FreeBSD 8.1 and I used an application called sudoers2ldif to generate the ldif.

I used the following command in an attempt to import the file:


```
[root@bluethundr-desktop:~/txt/ldif ] $:ldapadd -h ldap -a -W -x -D "cn=Manager,dc=summitnjhome,dc=com" -f /home/bluethundr/txt/sudoers2.ldif
Enter LDAP Password:
adding new entry "cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com"
ldap_add: Invalid syntax (21)
       additional info: objectClass: value #1 invalid per syntax
```

And this is the file I am trying to import (sudoers2.ldif):


```
dn: cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here

dn: cn=root,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: root
sudoUser: root
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL

dn: cn=%wheel,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: %wheel
sudoUser: %wheel
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate

dn: cn=%summitnjops,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: %summitnjops
sudoUser: %summitnjops
sudoHost: ALL
sudoRunAsUser: ALL
sudoCommand: ALL
sudoOption: !authenticate
```

My LDAP schema looks like so:


```
# extended LDIF
#
# LDAPv3
# base <dc=summitnjhome,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# summitnjhome.com
dn: dc=summitnjhome,dc=com
dc: summitnjhome
objectClass: dcObject
objectClass: organization
o: Summit NJ Home

# staff, summitnjhome.com
dn: ou=staff,dc=summitnjhome,dc=com
ou: staff
objectClass: organizationalUnit

# summitnjops, staff, summitnjhome.com
dn: ou=summitnjops,ou=staff,dc=summitnjhome,dc=com
ou: summitnjops
objectClass: organizationalUnit

# people, summitnjhome.com
dn: ou=people,dc=summitnjhome,dc=com
ou: customers
ou: people
objectClass: organizationalUnit

# Services, summitnjhome.com
dn: ou=Services,dc=summitnjhome,dc=com
ou: services
objectClass: organizationalUnit

# pam_ldap, Services, summitnjhome.com
dn: cn=pam_ldap,ou=Services,dc=summitnjhome,dc=com
cn: pam_ldap
objectClass: top
objectClass: inetOrgPerson
sn: PAM
userPassword:: secretPass

# sudoers, Services, summitnjhome.com
dn: ou=sudoers,ou=Services,dc=summitnjhome,dc=com
ou: sudoers
objectClass: organizationalUnit

# search result
search: 2
result: 0 Success

# numResponses: 8
# numEntries: 7
```

Could someone please suggest how to get around this error?

thanks!

Tim


----------



## gordon@ (Oct 7, 2010)

Is sudoRole a valid objectclass in your LDAP installation? Is there some sort of schema you have imported to support it?


----------



## bluethundr (Oct 8, 2010)

*stuck on sudoRole*

Well, if I'm not mistaken, copying this file to my schema directory and referencing it in my slapd.conf file should have taken care of this objectClass:


```
cp /usr/local/share/doc/sudo/schema.OpenLDAP /usr/local/etc/openldap/schema/openldap.schema
```

And, as mentioned, I made sure to include this in my slapd.conf file:


```
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/openldap.schema
```

The _last_ thing I added to my LDAP database was this entry (using ldapvi):


```
# sudoers, Services, summitnjhome.com
dn: ou=sudoers,ou=Services,dc=summitnjhome,dc=com
ou: sudoers
objectClass: organizationalUnit
```

I then set the appropriate environment variable (I'm partial to C Shell these days):


```
setenv SUDOERS_BASE ou=sudoers,ou=Services,dc=summitnjhome,dc=com
```

And exported my sudoers list to an ldif file using this command:


```
/usr/local/share/doc/sudo/sudoers2ldif /usr/local/etc/sudoers > /home/bluethundr/txt/ldif/sudoers.ldif
```

And that is when I run into the error that I described earlier:


```
LBSD2# ldapadd -h ldap -a -W -x -D "cn=Manager,dc=summitnjhome,dc=com" -f /home/bluethundr/txt/ldif/sudoers.ldif
Enter LDAP Password: 
adding new entry "cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com"
ldap_add: Invalid syntax (21)
	additional info: objectClass: value #1 invalid per syntax
```


For refresher, this is the entry it's having trouble with:


```
dn: cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
description: Default sudoOption's go here
```

As far as I can gather, sudoRole (which is where the problem appears to lie) was supposed to have been included in the openldap.schema that I included in slapd.conf.

Thanks for the help so far...


----------



## bluethundr (Oct 9, 2010)

*grepping sudo in schema dir*

Nothing found with this grep:


```
[root@LBSD2:/usr/local/etc/openldap]#grep -ri sudoRole /usr/local/etc/openldap/schema/
[root@LBSD2:/usr/local/etc/openldap]#grep -ri sudo /usr/local/etc/openldap/schema/
[root@LBSD2:/usr/local/etc/openldap]#
```

I would appreciate any insight anyone may have into this lack of sudo info in my schemas or where to download an openldap schema that has a decent sudo class that would enable me to import my sudoers list into ldap.
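A scripted version of the check the grep above does by hand, added here as an example and not taken from the thread: it reads the `include` lines of a slapd.conf, collects the objectClass names defined in those schema files, and reports every objectClass in an LDIF that no included schema defines, which is exactly the condition behind "objectClass: value #1 invalid per syntax". The slapd.conf, schema fragments and LDIF below are constructed stand-ins for the thread's files.

```python
import re

# Constructed sample inputs (not the thread's real files): an include list,
# two schema fragments, and the LDIF entry that ldapadd rejected.
SLAPD_CONF = """\
include  /usr/local/etc/openldap/schema/core.schema
include  /usr/local/etc/openldap/schema/openldap.schema
"""
SCHEMA_FILES = {
    "/usr/local/etc/openldap/schema/core.schema":
        "objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )\n"
        "objectclass ( 2.5.6.5 NAME 'organizationalUnit' SUP top STRUCTURAL MUST ou )\n",
    # Assumed to be an unrelated file that defines no sudoRole, as the grep found.
    "/usr/local/etc/openldap/schema/openldap.schema":
        "objectclass ( 1.3.6.1.4.1.4203.1.4.1 NAME 'OpenLDAPorg' SUP organization )\n",
}
LDIF = """\
dn: cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com
objectClass: top
objectClass: sudoRole
cn: defaults
"""

# Matches the NAME of each "objectclass ( ... NAME 'xyz' ... )" definition.
OC_RE = re.compile(r"objectclass\s*\(.*?NAME\s+'([^']+)'", re.I | re.S)

def included_schema_files(conf_text):
    """Return the paths named by the 'include' lines of a slapd.conf."""
    return [m.group(1) for m in re.finditer(r"^\s*include\s+(\S+)", conf_text, re.M)]

def defined_objectclasses(conf_text, files):
    """Collect objectClass NAMEs (lower-cased) from every included schema file."""
    names = set()
    for path in included_schema_files(conf_text):
        names.update(n.lower() for n in OC_RE.findall(files.get(path, "")))
    return names

def ldif_objectclasses(ldif_text):
    """Map each dn in the LDIF to the objectClass values it asserts."""
    entries, dn = {}, None
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            entries[dn] = []
        elif dn and line.lower().startswith("objectclass:"):
            entries[dn].append(line.split(":", 1)[1].strip())
    return entries

def undefined_objectclasses(conf_text, files, ldif_text):
    """Return (dn, objectClass) pairs that slapd would reject as invalid per syntax."""
    known = defined_objectclasses(conf_text, files)
    return [(dn, oc) for dn, ocs in ldif_objectclasses(ldif_text).items()
            for oc in ocs if oc.lower() not in known]

if __name__ == "__main__":
    for dn, oc in undefined_objectclasses(SLAPD_CONF, SCHEMA_FILES, LDIF):
        print(f"{dn}: objectClass {oc} is not defined by any included schema")
```

Run against the real paths by reading each included file from disk into the `files` mapping; an empty result means every objectClass in the LDIF is backed by a loaded schema.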


----------



## aragon (Oct 9, 2010)

http://www.sudo.ws/sudo/sudoers.ldap.man.html


----------



## bluethundr (Oct 9, 2010)

*that was it!!*

That was a WIN!!!


```
[bluethundr@bluethundr-desktop:~/txt/ldif ] $:ldapadd -h ldap -a -W -x -D "cn=Manager,dc=summitnjhome,dc=com" -f /home/bluethundr/txt/sudoers2.ldif
Enter LDAP Password: 
adding new entry "cn=defaults,ou=sudoers,ou=Services,dc=summitnjhome,dc=com"

adding new entry "cn=root,ou=sudoers,ou=Services,dc=summitnjhome,dc=com"

adding new entry "cn=%wheel,ou=sudoers,ou=Services,dc=summitnjhome,dc=com"

adding new entry "cn=%summitnjops,ou=sudoers,ou=Services,dc=summitnjhome,dc=com"
```

Sorry for the trouble confusion!!!


----------



## shab (Nov 14, 2011)

Hi bluethundr,

I'm using the same configuration as yours and getting the same error. I have also checked the URL http://www.sudo.ws/sudo/sudoers.ldap.man.html but couldn't resolve the issue.

Can you please let me know where exactly you have changed the configuration or the steps you have modified?

Any help in this regard is highly appreciated.

Thanks and regards,
Shaibal


----------

