Chinaunix
[ldap] OpenLDAP error message, asking for help

Post #1, posted 2010-01-07 12:04 (30 credit points offered)
I have recently been setting up OpenLDAP and Heimdal, and when initializing Heimdal I always get the error below. Could everyone please take a look and tell me how to fix it?


[root@kerberos ~]# kadmin  -l
kadmin> init EXAMPLE.COM
Realm max ticket life [unlimited]:
Realm max renewable ticket life [unlimited]:
kadmin: create_random_entry(krbtgt/EXAMPLE.COM@EXAMPLE.COM): randkey failed: ldap_add_ext_s: krbtgt/EXAMPLE.COM@EXAMPLE.COM (DN=krb5PrincipalName=krbtgt/EXAMPLE.COM@EXAMPLE.COM,ou=KerberosPrincipal,dc=example,dc=com) Invalid syntax: objectClass: value #1 invalid per syntax
kadmin: create_random_entry(kadmin/changepw@EXAMPLE.COM): randkey failed: ldap_add_ext_s: kadmin/changepw@EXAMPLE.COM (DN=krb5PrincipalName=kadmin/changepw@EXAMPLE.COM,ou=KerberosPrincipal,dc=example,dc=com) Invalid syntax: objectClass: value #1 invalid per syntax
kadmin: create_random_entry(kadmin/admin@EXAMPLE.COM): randkey failed: ldap_add_ext_s: kadmin/admin@EXAMPLE.COM (DN=krb5PrincipalName=kadmin/admin@EXAMPLE.COM,ou=KerberosPrincipal,dc=example,dc=com) Invalid syntax: objectClass: value #1 invalid per syntax
kadmin: create_random_entry(changepw/kerberos@EXAMPLE.COM): randkey failed: ldap_add_ext_s: changepw/kerberos@EXAMPLE.COM (DN=krb5PrincipalName=changepw/kerberos@EXAMPLE.COM,ou=KerberosPrincipal,dc=example,dc=com) Invalid syntax: objectClass: value #1 invalid per syntax
kadmin: create_random_entry(kadmin/hprop@EXAMPLE.COM): randkey failed: ldap_add_ext_s: kadmin/hprop@EXAMPLE.COM (DN=krb5PrincipalName=kadmin/hprop@EXAMPLE.COM,ou=KerberosPrincipal,dc=example,dc=com) Invalid syntax: objectClass: value #1 invalid per syntax
kadmin: create_random_entry(WELLKNOWN/ANONYMOUS@EXAMPLE.COM): randkey failed: ldap_add_ext_s: WELLKNOWN/ANONYMOUS@EXAMPLE.COM (DN=krb5PrincipalName=WELLKNOWN/ANONYMOUS@EXAMPLE.COM,ou=KerberosPrincipal,dc=example,dc=com) Invalid syntax: objectClass: value #1 invalid per syntax
kadmin: kadm5_create_principal: ldap_add_ext_s: default@EXAMPLE.COM (DN=krb5PrincipalName=default@EXAMPLE.COM,ou=KerberosPrincipal,dc=example,dc=com) Invalid syntax: objectClass: value #1 invalid per syntax



my slapd.conf:
[root@kerberos ~]# cat /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/krb5-kdc.schema
# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral       ldap://root.openldap.org

pidfile         /var/lib/run/slapd.pid
argsfile        /var/lib/run/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/sbin/openldap
# moduleload    back_bdb.la
# moduleload    back_ldap.la
# moduleload    back_ldbm.la
# moduleload    back_passwd.la
# moduleload    back_shell.la

# Sample security restrictions
#       Require integrity protection (prevent hijacking)
#       Require 112-bit (3DES or better) encryption for updates
#       Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#       Root DSE: allow anyone to read it
#       Subschema (sub)entry DSE: allow anyone to read it
#       Other DSEs:
#               Allow self write access
#               Allow authenticated users read access
#               Allow anonymous users to authenticate
#       Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#       by self write
#       by users read
#       by anonymous auth
#
access to *
        by sockurl="^ldapi:///$" write

access to attrs=userPassword
      by self write
      by * auth
access to *
      by * read
loglevel  296
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          "secret"
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/openldap-data
# Indices to maintain
index   objectClass     eq


my krb5.conf
[root@kerberos ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes

[realms]
EXAMPLE.COM = {
  kdc = kerberos.example.com:88
  admin_server = kerberos.example.com:749
  default_domain = example.com
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[kdc]

        database = {
                dbname = ldap:ou=KerberosPrincpals,dc=example,dc=com
                mkey_file = /path/to/mkey
        }
[appdefaults]
pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
}

[ This post was last edited by comcn2 on 2010-1-16 02:05 ]

Post #2, posted 2010-03-11 18:32
1. Debugging OpenLDAP (on the server side) will definitely solve it;
2. Judging from your log, it should be that one attribute being added does not conform to the syntax rules. Try removing the attributes one at a time to locate which attribute it is.

Post #3, posted 2010-03-15 21:16
http://www.openldap.org/faq/data/cache/648.html

I agree with the answer above; you should look at the slapd server-side log. If there is not enough information, you can set the loglevel to: loglevel stats stats2 parse and try again.
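One way to turn the two suggestions above (narrow down which value slapd rejects, and look at the slapd side rather than at kadmin) into a repeatable check, written as an added example for this thread and not code from the thread, from Heimdal or from OpenLDAP: slapd answers "objectClass: value #N invalid per syntax" when an objectClass value is not defined by any schema file the running slapd.conf includes, and N counts from 0. The script reads the include lines of a slapd.conf, collects the objectClass names declared in those schema files, and reports every objectClass value of a candidate entry that none of them defines, together with the schema file on disk that would supply it. The schema snippets, the slapd.conf excerpt (mirroring the include lines in the first post) and the entry are constructed stand-ins embedded inline; in particular, the objectClass list top/account/krb5Principal/krb5KDCEntry is an assumption about what Heimdal's hdb-ldap backend sends, not something the post shows. Point the functions at the real /etc/openldap/schema files and at the attribute list from a slapd log taken with the loglevel suggested above to use it on a real server.

```python
"""Name the objectClass value that slapd rejects as 'invalid per syntax'.

Added example for this thread, not code from the thread, Heimdal or OpenLDAP.
The schema snippets, the slapd.conf excerpt and the entry below are constructed
stand-ins kept inline so the script runs offline; replace them with the real
/etc/openldap/schema files and the attributes seen in the slapd log.
"""
import re

# Constructed, abridged stand-ins for three files under /etc/openldap/schema.
SCHEMA_FILES = {
    "/etc/openldap/schema/core.schema": """
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 2.5.6.6 NAME 'person'
    SUP top STRUCTURAL
    MUST ( sn $ cn )
    MAY ( userPassword $ description ) )
""",
    "/etc/openldap/schema/cosine.schema": """
objectclass ( 0.9.2342.19200300.100.4.5 NAME 'account'
    SUP top STRUCTURAL
    MUST userid
    MAY ( description $ seeAlso $ host ) )
""",
    "/etc/openldap/schema/krb5-kdc.schema": """
attributetype ( 1.3.6.1.4.1.5322.10.1.1 NAME 'krb5PrincipalName'
    EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 1.3.6.1.4.1.5322.10.2.1 NAME 'krb5Principal'
    SUP top AUXILIARY
    MUST ( krb5PrincipalName )
    MAY ( cn $ krb5PrincipalRealm ) )
objectclass ( 1.3.6.1.4.1.5322.10.2.2 NAME 'krb5KDCEntry'
    SUP krb5Principal AUXILIARY
    MUST ( krb5KeyVersionNumber )
    MAY ( krb5Key ) )
""",
}

# Excerpt with the same include lines as the slapd.conf in the first post.
SLAPD_CONF = """
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/krb5-kdc.schema
database        bdb
suffix          "dc=example,dc=com"
"""

# Constructed entry.  The objectClass list is an ASSUMPTION about what the
# Heimdal hdb-ldap backend adds; the post does not show the real attributes.
ENTRY = {
    "dn": "krb5PrincipalName=krbtgt/EXAMPLE.COM@EXAMPLE.COM,"
          "ou=KerberosPrincipal,dc=example,dc=com",
    "objectClass": ["top", "account", "krb5Principal", "krb5KDCEntry"],
    "krb5PrincipalName": ["krbtgt/EXAMPLE.COM@EXAMPLE.COM"],
}

# Matches  NAME 'x'  as well as  NAME ( 'x' 'y' )
_NAME_RE = re.compile(r"NAME\s+(?:'([^']+)'|\(\s*((?:'[^']+'\s*)+)\))")


def included_schemas(slapd_conf):
    """Paths named by 'include' directives, in file order."""
    paths = []
    for line in slapd_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "include":
            paths.append(parts[1])
    return paths


def _names_from(definition):
    match = _NAME_RE.search(definition)
    if not match:
        return []
    if match.group(1):
        return [match.group(1)]
    return re.findall(r"'([^']+)'", match.group(2))


def objectclass_names(schema_text):
    """Every NAME declared by an 'objectclass ( ... )' definition, which may
    span several lines; attributetype definitions and comments are skipped."""
    names, current = [], None
    for line in schema_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        head = stripped.split(None, 1)[0].lower()
        if head in ("objectclass", "attributetype"):
            if current is not None:
                names.extend(_names_from(current))
            current = stripped if head == "objectclass" else None
        elif current is not None:
            current += " " + stripped
    if current is not None:
        names.extend(_names_from(current))
    return names


def known_objectclasses(slapd_conf, schema_files):
    """Map each objectClass name (lower-cased, since slapd matches them
    case-insensitively) to the included schema file that defines it."""
    known = {}
    for path in included_schemas(slapd_conf):
        for name in objectclass_names(schema_files.get(path, "")):
            known.setdefault(name.lower(), path)
    return known


def check_entry(entry, slapd_conf, schema_files):
    """Return (index, value, defining_file_or_None) for each objectClass value
    of `entry` that no included schema defines.  The index counts from 0, the
    way slapd numbers values in 'value #N invalid per syntax'."""
    known = known_objectclasses(slapd_conf, schema_files)
    all_includes = "\n".join("include " + p for p in schema_files)
    on_disk = known_objectclasses(all_includes, schema_files)
    return [(i, value, on_disk.get(value.lower()))
            for i, value in enumerate(entry.get("objectClass", []))
            if value.lower() not in known]


if __name__ == "__main__":
    for idx, value, source in check_entry(ENTRY, SLAPD_CONF, SCHEMA_FILES):
        hint = ("defined in %s, which slapd.conf does not include" % source
                if source else "not defined by any schema file on disk")
        print("objectClass value #%d %r: %s" % (idx, value, hint))
```

With the constructed inputs the report names value #1, 'account', and points at cosine.schema as the file that defines it but is not included; the same index that the kadmin output above reports. Whether that is the real cause on the poster's server depends on the attribute list Heimdal actually sends, which is exactly what the slapd log at the suggested loglevel would show.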