

LDAP ldapmodify: additional info: attribute “ipaBaseID” not allowed

When modifying LDAP entries, you may get the following error:

[root@idmipa03 ~]# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-MWS-MDS-XYZ.socket << EOF
> dn: cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz
> changetype: modify
> replace: ipaBaseID
> ipaBaseID: 155600000
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz"
ldap_modify: Object class violation (65)
        additional info: attribute "ipaBaseID" not allowed

What this means is that you cannot modify this entry without modifying its dependent entries as well. How do we find the dependent entries? By looking at the schema using tools like JXplorer:

jXplorer Directory Listing

From the above, navigating to the ipaIDrange schema object tells us the dependencies:

LDAP Directory Schema

We can see that the attributes are listed with a tag of MUST:

MUST
  • cn
  • ipaBaseID
  • ipaIDRangeSize
  • ipaRangeType

We check the other tag listed as well:

MUST
  • ipaBaseRID
  • ipaNTTrustedDomainSID

This tells us the attributes we need to include alongside the one value we want to modify. (NOTE: Since we don't want to modify any of the other values, we are simply copying and pasting the existing values into the same key / value pairs of the DIT.):

[root@idmipa03 ~]# ldapmodify -H ldapi://%2fvar%2frun%2fslapd-MWS-MDS-XYZ.socket << EOF
> dn: cn=MDS.XYZ_id_range,cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz
> changetype: modify
> replace: ipaBaseRID
> ipaBaseRID: 155600000
> -
> replace: ipaBaseID
> ipaBaseID: 155600000
> -
> replace: ipaIDRangeSize
> ipaIDRangeSize: 200000
> -
> replace: ipaNTTrustedDomainSID
> ipaNTTrustedDomainSID: S-1-5-21-1803828911-4163023034-2461700517
> -
> replace: ipaRangeType
> ipaRangeType: ipa-ad-trust-posix
> -
> EOF
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn=MDS.XYZ_id_range,cn=ranges,cn=etc,dc=mws,dc=mds,dc=xyz"

[root@idmipa03 ~]#
 

And we finally have a successful modification.
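The schema lookup done in JXplorer above can also be scripted. The following is an added example, not part of the original post: it parses objectClasses definitions, collects the MUST attributes a class inherits through SUP, and checks whether an entry's object classes allow an attribute. The sample schema is constructed from the MUST lists above; the OIDs, the ipaTrustedADDomainRange and nsContainer class definitions, and the two objectClass lists are assumptions.

```python
import re
# Constructed sample in RFC 4512 objectClass syntax. The MUST lists are the ones
# shown on this page; OIDs are placeholders and the class layout is assumed.
SCHEMA = """\
objectClasses: ( 1.1.1 NAME 'nsContainer' SUP top STRUCTURAL MUST cn )
objectClasses: ( 1.1.2 NAME 'ipaIDrange' ABSTRACT MUST ( cn $ ipaBaseID $ ipaIDRangeSize $ ipaRangeType ) )
objectClasses: ( 1.1.3 NAME 'ipaTrustedADDomainRange' SUP ipaIDrange AUXILIARY MUST ( ipaBaseRID $ ipaNTTrustedDomainSID ) )
"""

def _attr_list(keyword, text):
    """Names following SUP/MUST/MAY: either one name or '( a $ b $ c )'."""
    m = re.search(r"\b%s\s+(?:\(([^)]*)\)|([\w;-]+))" % keyword, text)
    if not m:
        return set()
    return {a.strip().lower() for a in (m.group(1) or m.group(2)).split("$")}

def parse_schema(ldif):
    """Map lower-cased class name -> {'sup': set, 'must': set, 'may': set}."""
    classes = {}
    for line in ldif.splitlines():
        m = re.match(r"objectClasses:\s*\(\s*\S+\s+NAME\s+'([^']+)'(.*)\)\s*$", line, re.I)
        if m:
            classes[m.group(1).lower()] = {
                k.lower(): _attr_list(k, m.group(2)) for k in ("SUP", "MUST", "MAY")}
    return classes

def collect(classes, names, key):
    """Union of 'must' or 'may' over the named classes and their SUP chain."""
    out, todo, seen = set(), [n.lower() for n in names], set()
    while todo:
        name = todo.pop()
        if name in seen or name not in classes:
            continue  # already visited, or a class (e.g. top) not in the sample
        seen.add(name)
        out |= classes[name][key]
        todo.extend(classes[name]["sup"])
    return out

def allowed(classes, entry_classes, attr):
    """True if some objectClass on the entry lists attr under MUST or MAY."""
    found = collect(classes, entry_classes, "must") | collect(classes, entry_classes, "may")
    return attr.lower() in found

SCHEMA_MAP = parse_schema(SCHEMA)
RANGE_CLASSES = ["ipaTrustedADDomainRange"]  # constructed objectClass list (range entry)
CONTAINER_CLASSES = ["nsContainer"]          # assumed objectClass list (plain container)

if __name__ == "__main__":
    print(sorted(collect(SCHEMA_MAP, RANGE_CLASSES, "must")),
          allowed(SCHEMA_MAP, CONTAINER_CLASSES, "ipaBaseID"))
```

Against a live server, the same input can be produced with `ldapsearch -o ldif-wrap=no -H ldapi://%2fvar%2frun%2fslapd-MWS-MDS-XYZ.socket -b cn=schema -s base objectClasses`; attribute names are compared case-insensitively, so the results are lower-cased.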

Cheers,
TK



     
  Copyright © 2003 - 2013 Tom Kacperski (microdevsys.com). All rights reserved.

Creative Commons License
This work is licensed under a Creative Commons Attribution 3.0 Unported License