Can't import ldap schema provided in ldap howto
Dusty Doris
freeradius at mail.doris.cc
Thu Jan 26 18:14:53 CET 2006
> I've been following the instructions in ldap_howto.txt, and I created
> the schema.ldif file exactly as outlined in the doc. But when I run the
> ldapadd command it gives the following error:
>
> [root at myserver]# ldapadd -f schema.ldif -x -D
> "cn=root,dc=mydomain,dc=com" -w secret
> adding new entry "dc=mydomain,dc=com"
>
> adding new entry "ou=radius,dc=mydomain,dc=com"
>
> adding new entry "ou=profiles,ou=radius,dc=mydomain,dc=com"
>
> adding new entry "ou=users,ou=radius,dc=mydomain,dc=com"
>
> adding new entry "ou=admins,ou=radius,dc=mydomain,dc=com"
>
> adding new entry "uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com"
> ldap_add: Object class violation (65)
> additional info: no structural object class provided
>
> I do have the include statement for "RADIUS-LDAPv3.schema" configured in
> my slapd.conf, and I already verified that it is readable by the user
> ldap (and that the path is correct). Here is the entry ldapadd is
> erroring on:
>
> dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
> objectclass: radiusprofile
> uid: dial
> radiusServiceType: Framed-User
> radiusFramedProtocol: PPP
> radiusFramedIPNetmask: 255.255.255.0
> radiusFramedRouting: None
>
I apologize, I wrote that document and it hasn't been updated in some
time. The ldap_howto uses the uid attribute instead of the cn. This was
changed a few years ago in the default ldap schema that came with
freeradius, but I haven't updated that doc. Here are some choices for
you.

1. Use cn instead of uid. If you haven't yet built your ldap schema, then
this will be the easiest route. It will also be compatible with upgrades
w/out having to mess with the ldap schema. Just change your ldap section
in radiusd.conf to use cn instead of uid and then add your users to the
directory using cn instead of uid.

2. Modify RADIUS-LDAPv3.schema to use the uid attribute. In the
objectclass of radiusprofile change the MUST (cn) to MUST (uid). If you
already have your directory built and you aren't using cn, but are using
uid, then this will work for you.

However, remember if you ever upgrade and copy the new
RADIUS-LDAPv3.schema to your openldap instance, you will need to modify
the file again.
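A pre-flight check for the two options above, added here as an example and not part of the original thread or of FreeRADIUS: it validates an LDIF entry against object class definitions before ldapadd runs, reporting a missing MUST attribute (the uid/cn mismatch) and the missing structural class that the error message names. The schema definitions and the OID 1.1.1 are constructed stand-ins, not the contents of RADIUS-LDAPv3.schema, and only MUST lists and class kind are checked, not MAY lists.

```python
import re

def parse_objectclass(definition):
    """NAME, kind and MUST list of an RFC 4512 objectclass definition."""
    name = re.search(r"NAME\s+'([^']+)'", definition).group(1).lower()
    kind = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", definition)
    must = re.search(r"\bMUST\s+(\([^)]*\)|\S+)", definition)
    attrs = must.group(1).strip("()").split("$") if must else []
    return {"name": name, "kind": kind.group(1) if kind else "STRUCTURAL",
            "must": [a.strip().lower() for a in attrs if a.strip()]}

def parse_ldif(text):
    """One LDIF entry -> {attribute (lowercased): [values]}."""
    entry = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def check_entry(ldif_text, schema_defs):
    """Violations slapd reports as error 65: missing MUST attrs, no structural class."""
    schema = {oc["name"]: oc for oc in map(parse_objectclass, schema_defs)}
    entry, problems, structural = parse_ldif(ldif_text), [], False
    for oc_name in entry.get("objectclass", []):
        oc = schema[oc_name.lower()]  # KeyError here: class not in the loaded schema
        structural = structural or oc["kind"] == "STRUCTURAL"
        problems += [f"'{oc['name']}' requires attribute '{a}'"
                     for a in oc["must"] if a not in entry]
    if not structural:
        problems.append("no structural object class provided")
    return problems

# The entry from the question above (uid as RDN and attribute).
ENTRY_UID = """dn: uid=dial,ou=profiles,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: dial
radiusServiceType: Framed-User
radiusFramedProtocol: PPP
radiusFramedIPNetmask: 255.255.255.0
radiusFramedRouting: None
"""
# Option 1 from the reply: the same entry keyed by cn.
ENTRY_CN = ENTRY_UID.replace("uid=dial", "cn=dial").replace("uid: dial", "cn: dial")
# Constructed, simplified definitions (OID 1.1.1 is a placeholder); NOT from RADIUS-LDAPv3.schema.
SCHEMA_MUST_CN = ["( 1.1.1 NAME 'radiusprofile' SUP top STRUCTURAL MUST cn )"]
# Option 2 from the reply: change MUST cn to MUST uid in the schema instead.
SCHEMA_MUST_UID = [d.replace("MUST cn", "MUST uid") for d in SCHEMA_MUST_CN]
# Auxiliary-only variant, to reproduce the exact message in the question.
SCHEMA_AUX_ONLY = ["( 1.1.1 NAME 'radiusprofile' SUP top AUXILIARY MUST cn )"]
```

Run check_entry on each entry/schema pair before ldapadd; an empty list means the entry passes the MUST and structural checks.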