
ldif error with Managed AD

Open k1m0n3 opened this issue 6 years ago • 8 comments

Hello,

I'm using a Managed AD in AWS. When I try to execute the LDIF script to add attributes, I got this error: [screenshot not reproduced]

Anyone have an idea about this?

Many thanks in advance,

regards,

k1m0n3 avatar Jul 25 '18 16:07 k1m0n3

Please check line 140 in your LDIF file as described in the error message.

geekmichael avatar Aug 10 '18 01:08 geekmichael

Of course i did, it's like that :

137 #------------------------------------------------------
138 #-- Update the schema now
139 #------------------------------------------------------
140 dn:
    changetype: modify
    add: schemaUpdateNow
    schemaUpdateNow: 1

What should I put in the dn variable?

Thanks

k1m0n3 avatar Aug 14 '18 09:08 k1m0n3

I had to break the schema into 3 files. PWM User, PWM Aux, PWM User Attributes

Then apply them in order. It seems that you can't use the schemaUpdateNow command with AWS managed ad.

lancehudson avatar Sep 14 '18 22:09 lancehudson

Has this been solved? Can this be used with AWS SimpleAD?

lodotek avatar Jan 14 '20 18:01 lodotek

With AWS Managed AD you can't run ldifde to make schema changes, you have to upload the LDIF files for the schema change through their console.

I also had to break up the file into three files and remove all the schemaUpdateNow blocks.

#------------------------------------------------------
#--  Update the schema now
#------------------------------------------------------
dn: 
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

AWS Managed AD also really doesn't like the lines with a:

-

unless they follow a changetype: ntdsSchemaModify or changetype: modify entry, and then it wants them.

It will pass validation with the dash (in the wrong place) or without the dash (in the right place), then apply the schema changes, then get an error b/c it sees or doesn't see the - and then it tries to roll back. The rollback doesn't seem to go well and the domain is in impaired state with message:

1 of 2 domain controllers are Impaired. Our team has been notified and is working to correct the issue. If you have any questions, please contact AWS support.

AWS fixed the domain impairment relatively quickly the first time it happened b/c I left the dashes in a file that didn't need it, now I am waiting for them to fix b/c I removed a dash from the third file that I should have left there.

hdeadman avatar Jun 03 '23 22:06 hdeadman
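The two rules hdeadman reports above (drop the schemaUpdateNow block entirely, and accept a bare "-" line only inside changetype: modify / ntdsSchemaModify entries, where it is then required after each operation) are easy to miss by hand, and the thread shows that a miss can leave a domain controller impaired. The script below is an added example, not part of this thread and not PWM project code: it parses an LDIF file into records, drops any record that carries schemaUpdateNow, normalizes the "-" placement, and lists which records would have violated the rule so you can check a file before uploading it through the AWS console. The dash rule it encodes is the one reported empirically in the comment above, not something taken from AWS documentation. The embedded sample LDIF is constructed for the example (placeholder DN suffix and placeholder OID; the PWM schema files are not reproduced), and the script does not do the split into three files that the thread says was also needed, because that split follows the PWM schema's own structure.

```python
"""Preprocess an AD schema LDIF for upload to AWS Managed AD.

Added example, not from the PWM project.  Applies the rules reported in the
thread: (1) remove the schemaUpdateNow trigger block, (2) keep a bare "-"
separator only inside changetype: modify / ntdsSchemaModify entries, and
there make sure every add/replace/delete operation is terminated by one.
"""

# changetypes whose operations AD terminates with a "-" line
MODIFY_TYPES = {"modify", "ntdsschemamodify"}
# operation keywords that open a modification block inside such an entry
MOD_OPS = ("add:", "replace:", "delete:")

# Constructed sample input with placeholder names/OID, not a real schema file.
SAMPLE_LDIF = """\
# constructed sample, not the PWM schema
dn: CN=exampleAttr,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
attributeID: 1.2.3.4.5.6
lDAPDisplayName: exampleAttr
-

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: ntdsSchemaModify
add: mayContain
mayContain: exampleAttr
"""


def split_records(ldif_text):
    """Split LDIF text into records (lists of logical lines).

    Comment lines are dropped, folded continuation lines (leading space)
    are re-joined to the attribute line they belong to, and records are
    separated by one or more blank lines.
    """
    records, current = [], []
    for raw in ldif_text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.strip() == "":
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]          # LDIF line folding
        else:
            current.append(raw.rstrip())
    if current:
        records.append(current)
    return records


def changetype_of(record):
    """Return the record's changetype in lower case ("add" when absent)."""
    for line in record:
        if line.lower().startswith("changetype:"):
            return line.split(":", 1)[1].strip().lower()
    return "add"


def is_schema_update_now(record):
    """True for the trigger block AWS Managed AD rejects."""
    return any("schemaupdatenow" in line.lower() for line in record)


def normalize_record(record):
    """Return the record with "-" separators placed per the reported rule."""
    body = [line for line in record if line != "-"]
    if changetype_of(record) not in MODIFY_TYPES:
        return body                         # plain add entries: no separators
    out, in_mod = [], False
    for line in body:
        if line.lower().startswith(MOD_OPS):
            if in_mod:
                out.append("-")             # close the previous operation
            in_mod = True
        out.append(line)
    if in_mod:
        out.append("-")                     # close the last operation
    return out


def find_dash_problems(ldif_text):
    """List (dn, problem) pairs for records whose "-" placement would fail."""
    problems = []
    for rec in split_records(ldif_text):
        if rec != normalize_record(rec):
            kind = ("stray '-'" if changetype_of(rec) not in MODIFY_TYPES
                    else "missing or misplaced '-'")
            problems.append((rec[0], kind))
    return problems


def prepare_for_managed_ad(ldif_text):
    """Drop schemaUpdateNow records and normalize the rest into LDIF text."""
    kept = [normalize_record(r) for r in split_records(ldif_text)
            if not is_schema_update_now(r)]
    return "\n\n".join("\n".join(r) for r in kept) + "\n"


if __name__ == "__main__":
    for dn, kind in find_dash_problems(SAMPLE_LDIF):
        print(f"{kind}: {dn}")
    print(prepare_for_managed_ad(SAMPLE_LDIF))
```

Run it against each of the split files before uploading; `find_dash_problems` is the pre-flight check, and `prepare_for_managed_ad` writes the cleaned file. It deliberately does not touch the contents of any record beyond the separator lines, so diffing its output against the input shows exactly what would change.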

Wow 5 years later and this is still open! 🤦‍♂️

lodotek avatar Jun 03 '23 22:06 lodotek

If someone attaches a working file(s) or a pull request I'll be glad to update the repo. I don't have an AWS instance myself to test.

jrivard avatar Jun 03 '23 23:06 jrivard

To update, I abandoned my efforts to modify AWS Managed AD schema because once I had all the LDIFs imported, I wasn't able to modify the security on the various attributes which I assume I would need to do. AWS Managed AD doesn't give you the "Schema Admin" role so you can't set the permissions on the objects you imported. They have delegated roles for most of the standard roles like Domain Admin but they don't have one for "Schema Admin" so as to force schema changes through their console process. Presumably the permissions could be set in the LDIF but the syntax for that looks complicated and it would probably be easier to work that out on a regular AD domain and then export the objects with ldifde with security settings in place. Luckily AWS will snapshot your domain and let you rollback to the snapshot so I could remove the schema changes (which they otherwise do not allow). I am going to stick to using remote database instead of LDAP.

hdeadman avatar Jun 05 '23 20:06 hdeadman