Jono

Reputation: 1750

ldap_add error too vague

I am using php-ldap to manage posix accounts on a linux machine. I am able to search the database in php. And I am able to add users via the command line "ldapadd". However, when I try to add a user via PHP ldap_add, I get an "Object class violation" error (errno 65).

I have tried everything I can think of, but the error has not changed. I have even looked to see if there is an alternative to php-ldap, but have not found one.

The problem is when I look up that error in the general LDAP guide, it says "This error is returned with the entry to be added or the entry as modified violates the object class schema rules. Normally additional information is returned with the error detailing the violation." And then it lists 8 possible causes.

I need this more in-depth error, but cannot find it. ldap_error was also no help. Any ideas how to dig deeper here?

Upvotes: 1

Views: 980

Answers (5)

Josef Kufner

Reputation: 2989

A comment under ldap_error documentation says that to obtain additional info you can call this:

ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $err);
// $err now contains the additional info

Upvotes: 0

JLo

Reputation: 5

We had the same problems, so we used the following bash command:

sudo tail -f syslog |grep slapd

So you will have a real-time window showing you the detailed reactions to your LDAP manipulations.

Upvotes: -1

superdupersheep

Reputation: 501

Object class violation always means the object you created violated the expectations of the schema.

slapd provides a metric ton of logging if you simply set the debug level to some arbitrarily high number.

Upvotes: 1

Jono

Reputation: 1750

I figured out how to dig deeper. I am using Ubuntu which was dumping logs to /var/log/{debug,syslog}

In order to get more info I had to increase the log level to 424 in /etc/ldap/slapd.d/cn=config.ldif

Then I was able to see the error in the logs which told me what I was doing wrong... using a dc attribute with an inetOrgPerson objectClass.

Thanks.

Upvotes: 2

geoffc

Reputation: 4100

PosixAccount (the class that is needed for Linux users) has some mandatory attributes. You must provide all of the following in the same operation:

  • uid
  • uidNumber
  • gidNumber
  • homeDirectory

Perhaps in one approach you are, and in the other you are not?

Upvotes: 0
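Putting the two threads of this discussion together (surfacing the server's diagnostic message as in Josef Kufner's answer, and checking the posixAccount mandatory attributes geoffc lists before sending), here is an added example that is not code from the question or any of the answers. The host, bind DN, password, base DN and the sample entry are placeholders constructed for the example; the attribute list follows RFC 2307, which also makes cn mandatory for posixAccount.

```php
<?php
// Added example: wrap ldap_add() so a schema failure reports the server's
// diagnostic message, and check locally for posixAccount MUST attributes first.

// MUST attributes of posixAccount per RFC 2307 (cn in addition to the four
// named in the answer above).
const POSIX_ACCOUNT_MUST = ['cn', 'uid', 'uidNumber', 'gidNumber', 'homeDirectory'];

// Attribute names in LDAP are case-insensitive, so compare in lower case.
function missingPosixAttributes(array $entry): array {
    $present = array_map('strtolower', array_keys($entry));
    return array_values(array_filter(POSIX_ACCOUNT_MUST, function ($a) use ($present) {
        return !in_array(strtolower($a), $present, true);
    }));
}

// Returns null on success, otherwise a message with errno, error text and the
// server's diagnostic message (LDAP_OPT_DIAGNOSTIC_MESSAGE) when one was sent.
function addEntryWithDiagnostics($conn, string $dn, array $entry): ?string {
    $classes = array_map('strtolower', (array)($entry['objectClass'] ?? []));
    if (in_array('posixaccount', $classes, true)) {
        $missing = missingPosixAttributes($entry);
        if ($missing) {
            return 'posixAccount entry is missing: ' . implode(', ', $missing);
        }
    }
    if (@ldap_add($conn, $dn, $entry)) {
        return null;
    }
    $diag = '';
    ldap_get_option($conn, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag);
    return sprintf('ldap_add failed (%d): %s%s', ldap_errno($conn), ldap_error($conn),
        $diag !== '' ? ' [' . $diag . ']' : '');
}

$conn = ldap_connect('ldap://ldap.example.com');            // placeholder host
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($conn, 'cn=admin,dc=example,dc=com', 'secret');   // placeholder credentials

// Constructed entry: inetOrgPerson + posixAccount with no stray dc attribute.
$entry = [
    'objectClass'   => ['inetOrgPerson', 'posixAccount'],
    'cn'            => 'Jane Doe',
    'sn'            => 'Doe',
    'uid'           => 'jdoe',
    'uidNumber'     => '10001',
    'gidNumber'     => '10001',
    'homeDirectory' => '/home/jdoe',
];
$err = addEntryWithDiagnostics($conn, 'uid=jdoe,ou=people,dc=example,dc=com', $entry);
echo $err ?? 'added', PHP_EOL;
```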
