> I'm currently experimenting with (MIT) Kerberos and got to the point where
> I need to add the Kerberos definitions to
> LDAP (krb5-kdc.ldif). (This is on Rocky Linux 9 with symas-openldap-
> servers-2.6.6-1.el9.x86_64.)
>
> First question: is this the correct schema file or should I use the one
> provided by MIT Kerberos 1.20.1
> (/usr/share/doc/krb5-server-ldap/kerberos.ldif) ?
>
>
> If I use krb5-kdc.ldif I get the following:
>
> [root@gateway ~]# cd /opt/symas/etc/openldap/schema/
> [root@gateway schema]# ldapadd -Y EXTERNAL -H ldapi:/// -f krb5-kdc.ldif
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> adding new entry "cn=krb5-kdc,cn=schema,cn=config"
> ldap_add: Constraint violation (19)
> additional info: structuralObjectClass: no user modification
> allowed
>
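This is what works for me (recently tested) when I create containers; see if
the same approach works for you. The command below is all on one line. In the
LDIF that follows, the wrapped lines appear to be mail line-wrapping: in the
actual file each olcAttributeTypes/olcObjectClasses value must either be on one
line or have every continuation line start with a single space. Note that the
entry contains only dn, objectClass, cn and the olc* definitions. It has no
operational attributes such as structuralObjectClass, which is the attribute
your error message says a client may not set. Also, with -Y EXTERNAL over
ldapi:/// the bind identity is the local peer credential (the uid/gid in the
"SASL username" line), and -D is expected to be ignored for SASL binds.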
ldapadd -Q -D "cn=admin,cn=config" -Y EXTERNAL -H ldapi:/// -f sendmail.ldif
dn: cn=sendmail,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: sendmail
olcAttributeTypes: {0}( 1.3.6.1.4.1.6152.10.3.1.10 NAME 'sendmailMTACluster'
DESC 'cluster name associated with a set of MTAs' EQUALITY caseIgnoreIA5Match
SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: {1}( 1.3.6.1.4.1.6152.10.3.1.11 NAME 'sendmailMTAHost' DESC
'host name associated with a MTA cluster' EQUALITY caseIgnoreIA5Match SUBSTR
caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: {2}( 1.3.6.1.4.1.6152.10.3.1.13 NAME 'sendmailMTAKey' DESC
'key (left hand side) of an aliases or map entry' EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
olcAttributeTypes: {3}( 1.3.6.1.4.1.6152.10.3.1.14 NAME 'sendmailMTAMapName'
DESC 'identifier for the particular map' EQUALITY caseIgnoreMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {4}( 1.3.6.1.4.1.6152.10.3.1.16 NAME 'sendmailMTAMapValue'
DESC 'value (right hand side) of a map entry' EQUALITY caseIgnoreMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {5}( 1.3.6.1.4.1.6152.10.3.1.24 NAME 'sendmailMTAMapSearch'
DESC 'recursive search for values of a map entry' EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {6}( 1.3.6.1.4.1.6152.10.3.1.25 NAME 'sendmailMTAMapURL'
DESC 'recursive search URL for values of a map entry' EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {7}( 1.3.6.1.4.1.6152.10.3.1.18 NAME
'sendmailMTAAliasGrouping' DESC 'name that identifies a particular aliases
grouping' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: {8}( 1.3.6.1.4.1.6152.10.3.1.20 NAME 'sendmailMTAAliasValue'
DESC 'value (right hand side) of an alias' EQUALITY caseIgnoreMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {9}( 1.3.6.1.4.1.6152.10.3.1.26 NAME
'sendmailMTAAliasSearch' DESC 'recursive search for values of an alias'
EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {10}( 1.3.6.1.4.1.6152.10.3.1.27 NAME 'sendmailMTAAliasURL'
DESC 'recursive search URL for values of an alias' EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {11}( 1.3.6.1.4.1.6152.10.3.1.22 NAME 'sendmailMTAClassName'
DESC 'identifier for the class' EQUALITY caseIgnoreMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
olcAttributeTypes: {12}( 1.3.6.1.4.1.6152.10.3.1.23 NAME
'sendmailMTAClassValue' DESC 'member of a class' EQUALITY caseIgnoreMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {13}( 1.3.6.1.4.1.6152.10.3.1.28 NAME
'sendmailMTAClassSearch' DESC 'recursive search for members of a class'
EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcAttributeTypes: {14}( 1.3.6.1.4.1.6152.10.3.1.29 NAME 'sendmailMTAClassURL'
DESC 'recursive search URL for members of a class' EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.6152.10.3.2.10 NAME 'sendmailMTA' DESC
'Sendmail MTA definition' SUP top STRUCTURAL MAY ( sendmailMTACluster $
sendmailMTAHost $ Description ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.6152.10.3.2.11 NAME 'sendmailMTAMap' DESC
'Sendmail MTA map definition' SUP sendmailMTA STRUCTURAL MUST
sendmailMTAMapName MAY ( sendmailMTACluster $ sendmailMTAHost $ Description ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.6152.10.3.2.12 NAME 'sendmailMTAMapObject'
DESC 'Sendmail MTA map object' SUP sendmailMTAMap STRUCTURAL MUST (
sendmailMTAMapName $ sendmailMTAKey ) MAY ( sendmailMTACluster $
sendmailMTAHost $ sendmailMTAMapValue $ sendmailMTAMapSearch $
sendmailMTAMapURL $ Description ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.6152.10.3.2.13 NAME 'sendmailMTAAlias' DESC
'Sendmail MTA alias definition' SUP sendmailMTA STRUCTURAL MAY (
sendmailMTAAliasGrouping $ sendmailMTACluster $ sendmailMTAHost $ Description )
)
olcObjectClasses: {4}( 1.3.6.1.4.1.6152.10.3.2.14 NAME 'sendmailMTAAliasObject'
DESC 'Sendmail MTA alias object' SUP sendmailMTAAlias STRUCTURAL MUST
sendmailMTAKey MAY ( sendmailMTAAliasGrouping $ sendmailMTACluster $
sendmailMTAHost $ sendmailMTAAliasValue $ sendmailMTAAliasSearch $
sendmailMTAAliasURL $ Description ) )
olcObjectClasses: {5}( 1.3.6.1.4.1.6152.10.3.2.15 NAME 'sendmailMTAClass' DESC
'Sendmail MTA class definition' SUP sendmailMTA STRUCTURAL MUST
sendmailMTAClassName MAY ( sendmailMTACluster $ sendmailMTAHost $
sendmailMTAClassValue $ sendmailMTAClassSearch $ sendmailMTAClassURL $
Description ) )
~