
On a Debian Buster installation I have just installed the OpenLDAP server slapd with:

```
~$ sudo apt install slapd ldap-utils
~$ sudo dpkg-reconfigure slapd
```

On its setup with default options I was prompted to give an organisation name. I used home, so I get

```
~$ ldapsearch -x -LLL -b dc=hoeft-online,dc=de
dn: dc=hoeft-online,dc=de
objectClass: top
objectClass: dcObject
objectClass: organization
o: home
dc: hoeft-online

dn: cn=admin,dc=hoeft-online,dc=de
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
```

Now I try to add an organisational unit (ou) to the organisation o: home as shown in the output but without success:

```
~$ cat add.ldif
dn: ou=posix,o=home,dc=hoeft-online,dc=de
objectClass: organizationalUnit
ou: posix
~$ ldapadd -xWD cn=admin,dc=hoeft-online,dc=de -f add.ldif
Enter LDAP Password:
adding new entry "ou=posix,o=home,dc=hoeft-online,dc=de"
ldap_add: No such object (32)
	matched DN: dc=hoeft-online,dc=de
```

Adding an ou to the domainComponent (dc) works:

```
~$ cat add.ldif
dn: ou=posix,dc=hoeft-online,dc=de
objectClass: organizationalUnit
ou: posix
~$ ldapadd -xWD cn=admin,dc=hoeft-online,dc=de -f add.ldif
Enter LDAP Password:
adding new entry "ou=posix,dc=hoeft-online,dc=de"
```

What am I missing here? Isn't it possible to add an organizationalUnit (ou) to an organisation (o)? If not, why? Where is it defined?

  • Long time since I last used slapd. Still, do you have an ou on the o in the schemas? Commented Aug 10, 2019 at 23:59
  • @vfbsilva No, there is nothing else on the LDAP server. It's a virgin installation from the default setup. I have updated the question. Commented Aug 11, 2019 at 8:30
  • I would have thought O was a terminal node (like DN). Looking at my configuration (AD/LDAP, admittedly), the OUs all hang off DC. Commented Aug 11, 2019 at 9:44
  • @roaima Thanks for the feedback about your setup. "o" is a legal attribute from the core.schema. Commented Aug 11, 2019 at 10:12
  • Yes, I know it's a legal attribute; that doesn't mean you can add OUs to it though. Looking at zytrax.com/books/ldap/ch3, the tail end of section 3.3 and the beginning of 3.6 show you can have O,DC,DC (i.e. a human-readable name for the DC,DC hierarchy) and OU,DC,DC (a container within the DC,DC hierarchy) but not OU,O,DC,DC. Commented Aug 11, 2019 at 10:32

1 Answer

Are you certain that your LDAP directory contains the DN o=home,dc=hoeft-online,dc=de? The error suggests that it does not, but as you have not pasted the output of an appropriate ldapsearch command it's hard to tell. I suspect that is the issue, because otherwise I am unable to reproduce your problem.

I'm starting with OpenLDAP 2.4.47 on Debian Stretch. I have a database for dc=example,dc=com; I start with:

```
$ ldapsearch ... -D cn=admin,dc=example,dc=com -x -w admin -b dc=example,dc=com -LLL
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example
```

I can then add a new o=home using this LDIF:

```
dn: o=home,dc=example,dc=com
objectClass: organization
o: home
```

Which looks like:

```
$ ldapadd -D cn=admin,dc=example,dc=com -x -W -f add-org.ldif
Enter LDAP Password:
adding new entry "o=home,dc=example,dc=com"
```

And then I can add an ou=posix like this:

```
dn: ou=posix,o=home,dc=example,dc=com
objectClass: organizationalUnit
ou: posix
```

Which looks like:

```
$ ldapadd -D cn=admin,dc=example,dc=com -x -W -f add-ou.ldif
Enter LDAP Password:
adding new entry "ou=posix,o=home,dc=example,dc=com"
```

And when I'm done:

```
$ ldapsearch ... -D cn=admin,dc=example,dc=com -x -w admin -b dc=example,dc=com -LLL
dn: dc=example,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example

dn: o=home,dc=example,dc=com
objectClass: organization
o: home

dn: ou=posix,o=home,dc=example,dc=com
objectClass: organizationalUnit
ou: posix
```
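The point of the answer is that `ldap_add: No such object (32)` is not a schema complaint: slapd refuses the add because the immediate parent of the new DN does not exist, and the `matched DN` it returns is the deepest ancestor that does exist. The following script, added here as an illustration and not part of the question or answer, models exactly that decision offline from the DNs visible in the question's `ldapsearch` output. It does not contact a server; the DN handling is deliberately simplified (no RDN escaping, no multi-valued RDNs), which is enough for the DNs on this page.

```python
# Added example: predict slapd's response to an ldapadd from the set of DNs
# that already exist, and list the ancestor entries that must be created first.
# Simplified DN handling (no escaping / multi-valued RDNs) -- an assumption
# that holds for the DNs discussed on this page.

def split_dn(dn):
    """Split a DN into RDN strings, most specific first, normalised for comparison."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def normalise(dn):
    return ",".join(split_dn(dn))

def parent_dn(dn):
    """Parent DN of dn ('' for a single-RDN DN)."""
    return ",".join(split_dn(dn)[1:])

def matched_dn(dn, existing):
    """Longest existing suffix of dn: what slapd reports as 'matched DN'."""
    rdns = split_dn(dn)
    existing_norm = {normalise(e) for e in existing}
    for i in range(len(rdns)):
        candidate = ",".join(rdns[i:])
        if candidate in existing_norm:
            return candidate
    return ""

def missing_ancestors(dn, existing):
    """Ancestors of dn that do not exist yet, top-most first (creation order)."""
    rdns = split_dn(dn)
    existing_norm = {normalise(e) for e in existing}
    missing = []
    for i in range(1, len(rdns)):
        candidate = ",".join(rdns[i:])
        if candidate in existing_norm:
            break          # everything above the first existing ancestor is present
        missing.append(candidate)
    return list(reversed(missing))

def check_add(dn, existing):
    """Return (LDAP result code, message) mimicking ldapadd's outcome."""
    existing_norm = {normalise(e) for e in existing}
    if normalise(dn) in existing_norm:
        return 68, "ldap_add: Already exists (68)"          # entryAlreadyExists
    parent = parent_dn(dn)
    if parent and parent not in existing_norm:
        return 32, "ldap_add: No such object (32)\n\tmatched DN: %s" % matched_dn(dn, existing)
    return 0, 'adding new entry "%s"' % dn

def simulate_adds(existing, dns):
    """Apply adds in order; successful ones extend the directory. Returns result codes."""
    directory = list(existing)
    codes = []
    for dn in dns:
        code, _ = check_add(dn, directory)
        if code == 0:
            directory.append(dn)
        codes.append(code)
    return codes

# Constructed from the question's ldapsearch output: the only two entries present.
EXISTING = ["dc=hoeft-online,dc=de", "cn=admin,dc=hoeft-online,dc=de"]

if __name__ == "__main__":
    target = "ou=posix,o=home,dc=hoeft-online,dc=de"
    code, msg = check_add(target, EXISTING)
    print(msg)                                   # reproduces the question's error
    print("create first:", missing_ancestors(target, EXISTING))
    # Creating the organization first, as the answer does, makes both adds succeed.
    print(simulate_adds(EXISTING, ["o=home,dc=hoeft-online,dc=de", target]))
```

Reading the `matched DN` this way is the quickest check: if it equals the parent of the DN you are adding, the parent exists and the problem lies elsewhere; if it is shorter, `missing_ancestors` tells you which container entries to create first, and in which order.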
