LDAP

October 25, 2006

"user-defined ObjectClass has inappropriate SUPerior"

This is mainly written for Google.

I've been engaged in building a custom LDAP directory with OpenLDAP on a Linux system, and it's been pretty slow slogging. The net is full of resources for how to use LDAP for authentication, or to hook a mailserver into an existing directory, but very little for building entirely new systems from scratch. Schema design is going to be mostly self taught.

Though I could do what I want with MySQL, I really believe that a hierarchical, non-relational system is a better fit to my application, (particularly because of better distributed, partitionable replication) but I still have a long learning curve ahead of me.

I had one particular error when defining a schema, and Google did not help me, so I'll plant the resolution here for the next one down this road.

After creating a schema to define the object of interest, trying to start the server produced an error message: 

user-defined ObjectClass has inappropriate SUPerior

I'm defining a network device to be monitored, and that includes a whole raft of attributes. Hostname, IP address, description, parameters to various types of monitoring, and so on. This also includes SNMP credentials to make these queries. 

objectclass ( myObjectClass:1
    NAME 'mySnmpCredentials'
    DESC 'All the stuff needed to access SNMP'
    AUXILIARY
    MAY ( mySnmpVersion
        $ mySnmpCommunity
        $ mySnmpUseTCP
        $ mySnmpAuthKey
        $ mySnmpEncrKey ) )

objectclass ( myObjectClass:2
    NAME 'myDevice'
    DESC 'A monitored device'
    SUP ( top $ mySnmpCredentials ) STRUCTURAL
    MUST ( cn $ myHostname )
    MAY ( myEnabled
        $ myDescription
        $ myComments
        $ myDnsIPAddress
        $ myDnsAliases
        $ myDnsTxtRecord
        $ myBGPRouteCountType
        $ myBGPRouteCountEnabled ) )

Though a myDevice object works fine when all the attributes are provided in a long list, attempting to abstract out the SNMP credentials (which are likely to be used elsewhere in this same form) produced the above error.

It turns out that using AUXILIARY for the mixin object is responsible for this: changing it to ABSTRACT fixed it right up.

It's not entirely clear to me what the difference is between STRUCTURAL and AUXILIARY object types, and it appears that some servers don't enforce a distinction.

Posted at 08:23 AM in LDAP | | Comments (1)

ABOUT STEVE

  • Steve Friedl is a software and network security consultant in Southern California. He has been a C and UNIX developer since 1981 and has an exceptionally broad background in this area. Some areas of expertise include:

    • C and C++ systems software development on the UNIX and Win32 platforms
    • Communications, including serial and TCP/IP based controllers
    • Enterprise internet security administration and configuration
    • Penetration tests, audits, and network reviews
    • Security forensics, reverse engineering, and tools development
    • General UNIX and Windows system/network administration
    • The Windows Printing System
    • Database software development
    • Technology problem solving and research
    • Technical writing and standup training

Recent Posts

Categories

Archives

Unix Wiz

Stephen J. FriedlSoftware ConsultantOrange County, CA USA[email protected]