Solved ldap_add: Naming violation (64) on

I am following this LDAP introductory tutorial https://www.zytrax.com/books/ldap/ch5/, and when trying to apply the 5.1.4 LDIF File
/tmp/ea
Code:
## DEFINE DIT ROOT/BASE/SUFFIX ####
## uses RFC 2377 format
## replace my and domain as necessary below
## or for experimentation leave as is

## dcObject is an AUXILLIARY objectclass and MUST
## have a STRUCTURAL objectclass (organization in this case)
# this is an ENTRY sequence and is preceded by a BLANK line

dn: dc=my,dc=domain
dc: exampleuiae
description: My wonderful domainpany as much text as you want to place
 in this line up to 32K continuation data for the line above must
 have <CR> or <CR><LF> i.e. ENTER works
 on both Windows and *nix system - new line MUST begin with ONE SPACE
objectClass: dcObject
objectClass: organization
o: Example, Inc.

## FIRST Level hierarchy - people
## uses mixed upper and lower case for objectclass
# this is an ENTRY sequence and is preceded by a BLANK line

dn: ou=people, dc=my,dc=domain
ou: people
description: All people in organisation
objectclass: organizationalunit

## SECOND Level hierarchy
## ADD a single entry under FIRST (people) level
# this is an ENTRY sequence and is preceded by a BLANK line
# the ou: Human Resources is the department name

dn: cn=Robert Smith,ou=people,dc=my,dc=domain
objectclass: inetOrgPerson
cn: Robert Smith
cn: Robert J Smith
cn: bob  smith
sn: smith
uid: rjsmith
userpassword: rJsmitH
carlicense: HISCAR 123
homephone: 555-111-2222
mail: r.smith@my.domain
mail: rsmith@my.domain
mail: bob.smith@my.domain
description: swell guy
ou: Human Resources
with the command ldapadd -D "cn=admin,dc=my,dc=domain" -x -w dirtysecret -f /tmp/ea I am getting the error:
Code:
# ldapadd -D "cn=admin,dc=my,dc=domain" -x -w dirtysecret -f /tmp/ea
adding new entry "dc=my,dc=domain"
ldap_add: Naming violation (64)
        additional info: value of single-valued naming attribute 'dc' conflicts with value present in entry

My setup is in a clean bsdinstall jail /jails/ldap, the following config files:
/usr/local/etc/openldap/ldap.conf
Code:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=my,dc=domain
URI     ldap://probe.my.domain ldap://probe.my.domain:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

/usr/local/etc/openldap/slapd.conf
Code:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_mdb
# moduleload    back_ldap

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# config database definitions
#######################################################################
database config
# Uncomment the rootpw line to allow binding as the cn=config
# rootdn so that temporary modifications to the configuration can be made
# while slapd is running. They will not persist across a restart.
# rootpw secret

#######################################################################
# MDB database definitions
#######################################################################

database        mdb
maxsize         1073741824
suffix          "dc=my,dc=domain"
rootdn          "cn=admin,dc=my,dc=domain"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          dirtysecret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/db/openldap-data
# Indices to maintain
index   objectClass     eq

#######################################################################
# monitor database definitions
#######################################################################
database monitor

/usr/local/etc/openldap/slapd.ldif
Code:
#
# See slapd-config(5) for details on configuration options.
# This file should NOT be world readable.
#
dn: cn=config
objectClass: olcGlobal
cn: config
#
#
# Define global ACLs to disable default read access.
#
olcArgsFile: /var/run/openldap/slapd.args
olcPidFile: /var/run/openldap/slapd.pid
#
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#olcReferral:   ldap://root.openldap.org
#
# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 64-bit encryption for simple bind
#olcSecurity: ssf=1 update_ssf=112 simple_bind=64


#
# Load dynamic backend modules:
#
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath:  /usr/local/libexec/openldap
olcModuleload:  back_mdb.la
#olcModuleload: back_ldap.la
#olcModuleload: back_passwd.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///usr/local/etc/openldap/schema/core.ldif
include: file:///usr/local/etc/openldap/schema/cosine.ldif
include: file:///usr/local/etc/openldap/schema/inetorgperson.ldif

# Frontend settings
#
dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend
#
# Sample global access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#
#olcAccess: to dn.base="" by * read
#olcAccess: to dn.base="cn=Subschema" by * read
#olcAccess: to *
#       by self write
#       by users read
#       by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#


#######################################################################
# LMDB database definitions
#######################################################################
#
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=my,dc=domain
olcRootDN: cn=admin,dc=my,dc=domain
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd-config(5) for details.
# Use of strong authentication encouraged.
olcRootPW: dirtysecret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
olcDbDirectory: /var/db/openldap-data
# Indices to maintain
olcDbIndex: objectClass eq

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcRootDN: cn=config
olcMonitoring: FALSE
And its DNS name is probe.my.domain
 
Nor does slapadd -n 0 -F /usr/local/etc/openldap/ -l /tmp/ea -u work; it fails with the error
Code:
# slapadd -n 0 -F /usr/local/etc/openldap/ -l /tmp/ea -u
PROXIED attributeDescription "DC" inserted.
<= str2entry: str2ad(dc): attribute type undefined
slapadd: could not parse entry (line=1)
Closing DB...
 
I am getting the error
Code:
# ldapadd -H ldap://ldap.my.domain -x -D "cn=Manager,dc=my,dc=domain" -w secret
ldap_bind: Invalid credentials (49)
Full replication instructions:
1. Install FreeBSD-14.1-RELEASE-amd64-dvd1 in a Virtual Machine, with ZFS, sshd, ntpd and crash dumps, all hardening enabled.
2. Optionally follow https://eengstrom.github.io/musings/serial-console-under-freebsd
3. run
sh:
zfs create zroot/jails
zfs create zroot/jails/template
zfs set mountpoint=/jails zroot/jails
bsdinstall jail /jails/template # Choose nothing in the first prompt (only base.txz). No root password (it is a VM), choose sshd, ntpd, and dumpdev in the services prompt. And don't add users
zfs snapshot zroot/jails/template@first
zfs clone zroot/jails/template@first zroot/jails/ldap
cat > /root/ldap.conf <<EOF
ldap {
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.consolelog = "/var/log/jail_console_${name}.log";

allow.raw_sockets;
exec.clean;
mount.devfs;
devfs_ruleset = 5;

path = "/jails/ldap";
host.hostname = "ldap.my.domain";

ip4.addr = "192.168.122.63"; // Change for some IP in your VM's network
interface = vtnet0;
}
EOF
jail -crm -f ldap.conf
pkg -j ldap install openldap26-server
echo 192.168.122.63          ldap.my.domain >> /jails/ldap/etc/hosts
sed -i bkp -e 's/dc=my-domain/dc=my/g' /jails/ldap/usr/local/etc/openldap/slapd.conf
sed -i bkp -e 's/dc=my-domain/dc=my/g' /jails/ldap/usr/local/etc/openldap/slapd.ldif
sed -i bkp -e 's/dc=my/dc=domain/g' /jails/ldap/usr/local/etc/openldap/slapd.conf
sed -i bkp -e 's/dc=my/dc=domain/g' /jails/ldap/usr/local/etc/openldap/slapd.ldif
awk 'NR==6{print "include         /usr/local/etc/openldap/schema/cosine.schema"}1' /jails/ldap/usr/local/etc/openldap/slapd.conf > /tmp/tmp && cat /tmp/tmp > /jails/ldap/usr/local/etc/openldap/slapd.conf
awk 'NR==7{print "include         /usr/local/etc/openldap/schema/inetorgperson.schema"}1' /jails/ldap/usr/local/etc/openldap/slapd.conf> /tmp/tmp && cat /tmp/tmp > /jails/ldap/usr/local/etc/openldap/slapd.conf
cat > /tmp/tmp <<EOF
# unique id so equality match only
index    uid    eq
# allows general searching on commonname, givenname and email
index    cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber
EOF
{ head -n 76 /jails/ldap/usr/local/etc/openldap/slapd.conf; cat /tmp/tmp; tail -n +77 /jails/ldap/usr/local/etc/openldap/slapd.conf; } > /tmp/tmp2
cat /tmp/tmp2 > /jails/ldap/usr/local/etc/openldap/slapd.conf
jexec ldap service slapd onestart
Now enter the jail with jexec ldap, then enter the ldapadd interactive prompt with ldapadd -H ldap://ldap.my.domain -x -D "cn=Manager,dc=my,dc=domain" -w secret
 
This doesn't add up.

I am not sure what it would be, but isn't it better to focus first on this fully replicable attempt?
Just checked again that is replicable.
 
The issue seems to be caused by conflicting values in the `dc` attribute. The `dc: exampleuiae` under `dn: dc=my,dc=domain` is causing the error. Double check that the `dc` values match between your LDIF file and `slapd.conf`. Align the `dc` value in the LDIF file with the `suffix` value in `slapd.conf`, and use proper credentials in `ldapadd -D "cn=admin,dc=my,dc=domain"` that match those in `slapd.conf`.
 
When I enter the ldapadd interactive prompt with
Code:
ldapadd -H ldap://ldap.my.domain -x -D "cn=Manager,dc=my,dc=domain" -w secret
and then enter
Code:
dn: dc=my,dc=domain
dc: example
description: some description
objectClass: dcObject
objectClass: organization
o: Example, Inc.
as in https://www.zytrax.com/books/ldap/ch5/index.html#step1 we get
Code:
ldap_add: Naming violation (64)
        additional info: value of single-valued naming attribute 'dc' conflicts with value present in entry


Full replication instructions:
1. Install FreeBSD-14.1-RELEASE-amd64-dvd1 in a Virtual Machine, with ZFS, sshd, ntpd and crash dumps, all hardening enabled.
2. Optionally follow https://eengstrom.github.io/musings/serial-console-under-freebsd
3. run
sh:
zfs create zroot/jails
zfs create zroot/jails/template
zfs set mountpoint=/jails zroot/jails
bsdinstall jail /jails/template # Choose nothing in the first prompt (only base.txz). No root password (it is a VM), choose sshd, ntpd, and dumpdev in the services prompt. And don't add users
zfs snapshot zroot/jails/template@first
zfs clone zroot/jails/template@first zroot/jails/ldap
cat > /root/ldap.conf <<EOF
ldap {
exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown";
exec.consolelog = "/var/log/jail_console_${name}.log";

allow.raw_sockets;
exec.clean;
mount.devfs;
devfs_ruleset = 5;

path = "/jails/ldap";
host.hostname = "ldap.my.domain";

ip4.addr = "192.168.122.63"; // Change for some IP in your VM's network
interface = vtnet0;
}
EOF
jail -crm -f ldap.conf
pkg -j ldap install openldap26-server
echo 192.168.122.63          ldap.my.domain >> /jails/ldap/etc/hosts
sed -i .bkp -e 's/dc=my-domain/dc=my/g' /jails/ldap/usr/local/etc/openldap/slapd.conf
sed -i .bkp -e 's/dc=my-domain/dc=my/g' /jails/ldap/usr/local/etc/openldap/slapd.ldif
sed -i .bkp -e 's/dc=my/dc=domain/g' /jails/ldap/usr/local/etc/openldap/slapd.conf
sed -i .bkp -e 's/dc=my/dc=domain/g' /jails/ldap/usr/local/etc/openldap/slapd.ldif
sed -i .bkp -e 's/dc=domain/dc=my/g' /jails/ldap/usr/local/etc/openldap/slapd.conf
sed -i .bkp -e 's/dc=domain/dc=my/g' /jails/ldap/usr/local/etc/openldap/slapd.ldif
sed -i .bkp -e 's/dc=com/dc=domain/g' /jails/ldap/usr/local/etc/openldap/slapd.conf
sed -i .bkp -e 's/dc=com/dc=domain/g' /jails/ldap/usr/local/etc/openldap/slapd.ldif
awk 'NR==6{print "include         /usr/local/etc/openldap/schema/cosine.schema"}1' /jails/ldap/usr/local/etc/openldap/slapd.conf > /tmp/tmp && cat /tmp/tmp > /jails/ldap/usr/local/etc/openldap/slapd.conf
awk 'NR==7{print "include         /usr/local/etc/openldap/schema/inetorgperson.schema"}1' /jails/ldap/usr/local/etc/openldap/slapd.conf> /tmp/tmp && cat /tmp/tmp > /jails/ldap/usr/local/etc/openldap/slapd.conf
cat > /tmp/tmp <<EOF
# unique id so equality match only
index    uid    eq
# allows general searching on commonname, givenname and email
index    cn,gn,mail eq,sub
# allows multiple variants on surname searching
index sn eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# indices missing - uses default eq,sub
index telephonenumber
EOF
{ head -n 76 /jails/ldap/usr/local/etc/openldap/slapd.conf; cat /tmp/tmp; tail -n +77 /jails/ldap/usr/local/etc/openldap/slapd.conf; } > /tmp/tmp2
cat /tmp/tmp2 > /jails/ldap/usr/local/etc/openldap/slapd.conf
jexec ldap service slapd onestart
Now enter the jail with
Code:
jexec ldap
, then enter the ldapadd interactive prompt with
Code:
ldapadd -H ldap://ldap.my.domain -x -D "cn=Manager,dc=my,dc=domain" -w secret
Now enter
Code:
dn: dc=my,dc=domain
dc: example
description: some description
objectClass: dcObject
objectClass: organization
o: Example, Inc.
as in https://www.zytrax.com/books/ldap/ch5/index.html#step1 we get
Code:
ldap_add: Naming violation (64)
        additional info: value of single-valued naming attribute 'dc' conflicts with value present in entry
 
Code:
dn: dc=my,dc=domain 
dc: example
Take a real close look at the example, because you're making the exact same mistake as with your first post.

The example has this:
Code:
dn: dc=example,dc=com
dc: example
Notice how the dc on the second line matches with the dc=example of the first? That's not accidental, that's intentional. That first bit defines what dc=example is.
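As an added example (not from the thread and not OpenLDAP code), a small Python checker that applies the rule from the reply above to an LDIF file before it is sent to ldapadd: it parses the file, takes the leftmost RDN of each DN and confirms the entry carries that attribute with that value, and also checks that the first entry's DN is the configured suffix. The sample LDIF is a constructed, shortened copy of the thread's /tmp/ea; the case-insensitive value comparison is an assumption that holds for dc and cn but not necessarily for attributes with other matching rules.

```python
import re

# Constructed sample mirroring the /tmp/ea file from the thread (shortened).
SAMPLE = """\
dn: dc=my,dc=domain
dc: exampleuiae
description: a long value folded in the mid
 dle of a word
objectClass: dcObject
objectClass: organization

dn: ou=people, dc=my,dc=domain
ou: people
objectclass: organizationalunit

dn: cn=Robert Smith,ou=people,dc=my,dc=domain
objectclass: inetOrgPerson
cn: Robert Smith
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]. Folds RFC 2849 continuation lines (leading
    space), skips '#' comments, splits on blank lines; base64 ('::') is not decoded."""
    folded = re.sub(r"\n ", "", text)
    result = []
    for block in re.split(r"\n\s*\n", folded):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn:
            result.append((dn, attrs))
    return result

def rdn_parts(dn):
    """(attr, value) pairs of the leftmost RDN; '+' joins multi-valued RDNs."""
    first = re.split(r"(?<!\\),", dn, maxsplit=1)[0]
    return [(a.strip().lower(), v.strip())
            for a, _, v in (av.partition("=") for av in first.split("+"))]

def naming_violations(text, suffix=None):
    """Report RDN attribute/value pairs missing from their entry (what slapd calls
    Naming violation (64)) and a root entry whose DN is not the configured suffix.
    Values compare case-insensitively (assumed; true for dc and cn)."""
    problems, entries = [], parse_ldif(text)
    norm = lambda s: s.replace(" ", "").lower()
    if suffix and entries and norm(entries[0][0]) != norm(suffix):
        problems.append(f"{entries[0][0]}: root entry DN is not the suffix {suffix}")
    for dn, attrs in entries:
        for attr, value in rdn_parts(dn):
            have = attrs.get(attr, [])
            if not any(v.lower() == value.lower() for v in have):
                problems.append(f"{dn}: RDN says {attr}={value} but entry has {attr}: {have}")
    return problems
```

Run against the sample it reports only the root entry, the same mistake the error message describes; changing that line to `dc: my` makes the file pass.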
 