
I get an OBJECT_CLASS_VIOLATION when trying to add an attribute. Modifying an existing attribute works just fine (even this same attribute, if I add it from AD first, then mod it).

First I kinit as a domain admin, then:

import ldap, ldap.sasl
l = ldap.initialize('ldap://TEST.DOM.DE')
auth_tokens = ldap.sasl.gssapi('')            # GSSAPI bind using the ticket from kinit
l.sasl_interactive_bind_s('', auth_tokens)
# this is the call that fails:
l.add_s('CN=dmulder,CN=Users,DC=test,DC=dom,DC=de', [('gecos', ['something'])])

Which returns this error:

ldap.OBJECT_CLASS_VIOLATION: {'info': '0000207B: UpdErr: DSID-0305124B, problem 6002 (OBJ_CLASS_VIOLATION), data 0\n', 'desc': 'Object class violation'}

This command is successful though, if I create the attribute ahead of time within ADUC:

l.modify_s('CN=dmulder,CN=Users,DC=test,DC=dom,DC=de', [(1, 'gecos', None), (0, 'gecos', ['something'])])

And the add command does work with ldapmodify:

> ldapmodify -x -h TEST.DOM.DE -D Administrator@TEST.DOM.DE 
dn:CN=dmulder,CN=Users,DC=test,DC=dom,DC=de
changetype: modify
add: gecos
gecos: something
modifying entry "CN=dmulder,CN=Users,DC=test,DC=dom,DC=de"

Any idea what I'm doing wrong here?

David Mulder
  • The schema allows rfc2307 attributes. Obviously, since ldapmodify *is* able to perform an add, only the python module fails to do the same thing – David Mulder Aug 28 '17 at 20:19
  • My exception is `ldap.OBJECT_CLASS_VIOLATION: {'info': 'no objectClass attribute', 'desc': 'Object class violation'}`, and it can be fixed by adding objectClass. I am on Ubuntu 16; all the packages are installed by apt. – obgnaw Aug 29 '17 at 03:57
  • @obgnaw could you explain what you mean? Including the objectClass attribute in the add_s() operation does nothing for me. If you've found a solution, post the details in an answer. – David Mulder Aug 29 '17 at 14:41
  • The User class is different between Server 2008 and Server 2003, so please post your system version. – obgnaw Aug 30 '17 at 15:38
  • I'm using Server 2008 – David Mulder Aug 31 '17 at 12:08

2 Answers


l.add_s is used to add an object, not an attribute.

In this case you are attempting to create a new object, and you are missing multiple required attributes for object creation. You ought to be using

l.modify_s('CN=dmulder,CN=Users,DC=test,DC=dom,DC=de', [(0, 'gecos', 'something')])   # 0 is ldap.MOD_ADD

to just add a new attribute to the object.

To clarify: when the attribute isn't already set, this syntax is wrong:

l.modify_s('CN=dmulder,CN=Users,DC=test,DC=dom,DC=de', [(1, 'gidNumber', None), (0, 'gidNumber', ['1000'])])

The first form shown (a single add, without a previous value) is correct.

David Mulder
Vince
  • Ah, I had tried a modify, which failed with a ldap.NO_SUCH_ATTRIBUTE error. Now I see why. I was providing a previous value (albeit empty), which was not correct. – David Mulder Aug 31 '17 at 12:16
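The distinction in the accepted answer, as an added example that is not code from the question or from either answer: add_s() creates an entry (and must carry objectClass plus every attribute the object class requires), while modify_s() changes an existing one, and a MOD_DELETE of an attribute that is not set is refused with NO_SUCH_ATTRIBUTE, which is exactly what the delete-then-add pattern in the question runs into. The helper below reads the entry first and picks MOD_ADD or MOD_REPLACE accordingly, so one modify_s() call works whether or not gecos already exists. The InMemoryDirectory class, the NoSuchAttribute exception and the sample user entry are constructed stand-ins so the code runs offline; the constants fall back to the RFC 4511 values when python-ldap is not installed. Attribute values are sent as bytes, which python-ldap 3.x requires.

```python
"""Add or replace one attribute on an existing LDAP entry with python-ldap.

set_attribute_modlist() picks MOD_ADD when the attribute is absent and
MOD_REPLACE when it is present, so a single modify_s() succeeds either way.
The in-memory directory, the NoSuchAttribute class and the sample entry are
constructed for an offline demonstration; they are not part of the post.
"""
try:
    import ldap  # real python-ldap, if installed
    MOD_ADD, MOD_DELETE, MOD_REPLACE = ldap.MOD_ADD, ldap.MOD_DELETE, ldap.MOD_REPLACE
    SCOPE_BASE = ldap.SCOPE_BASE
except ImportError:  # same values as the RFC 4511 ModifyRequest operation codes
    MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2
    SCOPE_BASE = 0


class NoSuchAttribute(Exception):
    """Stand-in for ldap.NO_SUCH_ATTRIBUTE, raised by the fake directory below."""


def _as_bytes_list(values):
    """python-ldap 3.x wants attribute values as a list of bytes."""
    if isinstance(values, (str, bytes)):
        values = [values]
    return [v if isinstance(v, bytes) else str(v).encode("utf-8") for v in values]


def set_attribute_modlist(existing, attr, values):
    """Return the modify_s() modlist that makes `attr` equal `values`.

    `existing` is the attribute dict search_s() returns for the entry.
    Absent attribute  -> one MOD_ADD (no MOD_DELETE first: that raises NO_SUCH_ATTRIBUTE).
    Present attribute -> one MOD_REPLACE, which overwrites in a single operation.
    Already equal     -> empty modlist, nothing to send.
    """
    wanted = _as_bytes_list(values)
    by_lower = {name.lower(): name for name in existing}  # attribute names are case-insensitive
    current_name = by_lower.get(attr.lower())
    if current_name is None:
        return [(MOD_ADD, attr, wanted)]
    if sorted(existing[current_name]) == sorted(wanted):
        return []
    return [(MOD_REPLACE, attr, wanted)]


def set_attribute(conn, dn, attr, values):
    """Read the entry with a base-scope search, then apply the computed modlist.

    `conn` is a bound ldap.LDAPObject or the InMemoryDirectory below.
    Returns the modlist that was sent (empty when nothing changed).
    """
    hits = conn.search_s(dn, SCOPE_BASE, "(objectClass=*)", [attr])
    if not hits:
        raise LookupError(f"{dn} does not exist; entries are created with add_s, not modify_s")
    _dn, existing = hits[0]
    modlist = set_attribute_modlist(existing, attr, values)
    if modlist:
        conn.modify_s(dn, modlist)
    return modlist


class InMemoryDirectory:
    """Constructed stand-in for an LDAP server: only search_s/modify_s are modelled,
    including the refusal to delete an attribute that is not set."""

    def __init__(self, entries):
        self.entries = {dn.lower(): dict(attrs) for dn, attrs in entries.items()}

    def search_s(self, dn, scope, filterstr, attrlist=None):
        entry = self.entries.get(dn.lower())
        if entry is None:
            return []
        wanted = {a.lower() for a in attrlist} if attrlist else None
        attrs = {k: list(v) for k, v in entry.items() if wanted is None or k.lower() in wanted}
        return [(dn, attrs)]

    def modify_s(self, dn, modlist):
        entry = self.entries[dn.lower()]
        for op, attr, values in modlist:  # an error aborts the whole modify, as on a real server
            key = next((k for k in entry if k.lower() == attr.lower()), attr)
            if op == MOD_DELETE:
                if key not in entry:
                    raise NoSuchAttribute(attr)
                if values is None:
                    del entry[key]
                else:
                    entry[key] = [v for v in entry[key] if v not in _as_bytes_list(values)]
                    if not entry[key]:
                        del entry[key]
            elif op == MOD_ADD:
                entry.setdefault(key, []).extend(_as_bytes_list(values))
            elif op == MOD_REPLACE:
                entry[key] = _as_bytes_list(values)


# Constructed sample entry: the question's user, with no POSIX attributes set yet.
USER_DN = "CN=dmulder,CN=Users,DC=test,DC=dom,DC=de"
directory = InMemoryDirectory({USER_DN: {"objectClass": [b"top", b"person", b"user"],
                                         "cn": [b"dmulder"]}})

if __name__ == "__main__":
    try:  # the question's delete-then-add pattern on an attribute that is not set
        directory.modify_s(USER_DN, [(MOD_DELETE, "gecos", None), (MOD_ADD, "gecos", [b"something"])])
    except NoSuchAttribute as exc:
        print("delete+add refused:", exc)
    print(set_attribute(directory, USER_DN, "gecos", "something"))  # MOD_ADD
    print(set_attribute(directory, USER_DN, "gecos", "something"))  # [] (already set)
    print(set_attribute(directory, USER_DN, "gecos", "changed"))    # MOD_REPLACE
```

Against a real server, replace `directory` with the bound connection from the question (`l`) and keep the rest; the search before the write is what makes the choice between MOD_ADD and MOD_REPLACE safe, and it also surfaces a missing entry as a clear error instead of an OBJECT_CLASS_VIOLATION from a misdirected add_s().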

I followed the guide and installed the OpenLDAP server daemon on Ubuntu 16, and below is my attempt.

import ldap
l = ldap.initialize('ldap://localhost', trace_level=3)   # trace_level=3 logs every request/response
l.simple_bind_s('CN=admin,DC=example,DC=com', '381138')  # my setting
base_dn = 'DC=example,DC=com'
search_filter = '(objectclass=person)'
attrs = ['gecos']

# add_s creates a new entry, so it needs an objectClass
add_record = [
    ('objectclass', ['inetOrgPerson']),
    ('gecos', ['Bacon']),
]
#l.modify_s('CN=dmulder,ou=people,dc=example,dc=com', [(1, 'gecos', None), (0, 'gecos', ['something'])])
l.add_s('cn=dmulder,ou=people,dc=example,dc=com', add_record)
print(l.search_s(base_dn, ldap.SCOPE_SUBTREE, search_filter, attrs))

If you are not violating the schema, then it must be a bug in the LDAP client; python-ldap is just a wrapper.

For example, if no structural object class is specified in the attributes, an OTHER exception will be raised. If a record does not contain the attributes used in the UID, a NAMING_VIOLATION will be raised. If a record is missing an attribute required by a structural object class, an OBJECT_CLASS_VIOLATION will be raised, and so on.

Please use the dump_record.py provided with python-ldap to dump the new entry and find what is missing.

obgnaw