Glenn Faden's Blog

  • April 11, 2013

Adding Users with OpenLDAP

Guest Author

In my previous blog post I described how I configured OpenLDAP with Oracle Solaris 11.1. After some more testing, I ran into a strange problem with useradd(1):

root# useradd -S ldap foo
ldap: operation failed.
ldap shadow database update failed for foo.
UX: useradd: ERROR: Cannot update system - login cannot be created.

Despite the error message, the account was actually created; it is the update of the shadow entry that failed. After some debugging, and with help from my colleague Michen Chang, we found the root cause: OpenLDAP is stricter than ODSEE (Oracle Directory Server Enterprise Edition) when interpreting INTEGER attributes, and rejects values that are left empty. In particular, the shadowInactive and shadowExpire attributes from nis.schema must be given explicit integer values. They correspond to the useradd options -f (days of inactivity allowed before the login is locked) and -e (expiration date), but I didn't want these options to be required on every useradd invocation.

An easy workaround is to set site-wide defaults for these two values with useradd -D, so that every new account gets explicit shadowInactive and shadowExpire values:

root# useradd -D -e 1/19/2038 -f 365
group=staff,10  project=default,3  basedir=/export/home
skel=/etc/skel  shell=/usr/bin/bash  inactive=365
expire=1/19/2038  auths=  profiles=  roles=  limitpriv=
defaultpriv=  lock_after_retries=

Now I can create accounts without getting that error message. The accounts will be valid until January 19, 2038 (when 32-bit UNIX time overflows), as long as the user logs in at least once a year: an inactive value of 365 means a login that goes unused for more than 365 days is locked. Note that these defaults only apply to accounts created after the change; any account that already hit the error needs its values set explicitly with usermod -e and -f.
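To make the failure concrete, here is an added example (not code from the original post or from Solaris) that builds the posixAccount/shadowAccount attributes useradd -S ldap would write, applies the same INTEGER-syntax check OpenLDAP applies, and shows that the entry is only accepted once shadowInactive and shadowExpire carry real numbers. The attribute layout, the base DN ou=People,dc=example,dc=com, and the helper names are assumptions for illustration; the date-to-days conversion is the standard shadow(4) convention of days since 1970-01-01.

```python
"""Added example: why OpenLDAP rejects a shadow entry whose INTEGER attributes
are empty, and what the entry looks like once useradd -D defaults are set.
Not Solaris code; the entry layout and names below are assumed."""
from datetime import date

# INTEGER-syntax attributes from nis.schema (RFC 2307 posixAccount/shadowAccount).
INTEGER_ATTRS = {
    "uidNumber", "gidNumber", "shadowLastChange", "shadowMin", "shadowMax",
    "shadowWarning", "shadowInactive", "shadowExpire", "shadowFlag",
}

EPOCH = date(1970, 1, 1)


def shadow_expire_days(mmddyyyy: str) -> int:
    """Convert a useradd -e style date (mm/dd/yyyy) to the shadowExpire value:
    days since 1970-01-01, the same unit shadow(4) uses."""
    m, d, y = (int(p) for p in mmddyyyy.split("/"))
    return (date(y, m, d) - EPOCH).days


def shadow_entry(login, uid, gid, expire=None, inactive=None,
                 base="ou=People,dc=example,dc=com"):
    """Build the attributes useradd -S ldap would send (layout assumed).
    With expire/inactive unset the two INTEGER attributes are emitted empty,
    which ODSEE tolerates and OpenLDAP rejects."""
    return {
        "dn": f"uid={login},{base}",
        "objectClass": ["posixAccount", "shadowAccount"],
        "uid": login,
        "cn": login,
        "uidNumber": str(uid),
        "gidNumber": str(gid),
        "homeDirectory": f"/export/home/{login}",
        "loginShell": "/usr/bin/bash",
        "shadowLastChange": str((date.today() - EPOCH).days),
        "shadowInactive": "" if inactive is None else str(inactive),
        "shadowExpire": "" if expire is None else str(shadow_expire_days(expire)),
    }


def strict_integer_check(entry):
    """Mimic OpenLDAP's schema check for INTEGER syntax: every value of an
    INTEGER attribute must be a (possibly negative) decimal number, so an
    empty string is rejected. Returns the offending attribute names; an
    empty list means the entry would be accepted."""
    bad = []
    for attr, val in entry.items():
        if attr not in INTEGER_ATTRS:
            continue
        for v in (val if isinstance(val, list) else [val]):
            if not v.lstrip("-").isdigit():
                bad.append(attr)
    return bad


def to_ldif(entry):
    """Render the entry as LDIF, e.g. for ldapadd."""
    lines = [f"dn: {entry['dn']}"]
    for attr, val in entry.items():
        if attr == "dn":
            continue
        for v in (val if isinstance(val, list) else [val]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Without -e/-f (and no useradd -D defaults): the shadow update fails.
    broken = shadow_entry("foo", 1001, 10)
    print("rejected attributes:", strict_integer_check(broken))
    # With the defaults from the post (-e 1/19/2038 -f 365): accepted.
    fixed = shadow_entry("foo", 1001, 10, expire="1/19/2038", inactive=365)
    print("rejected attributes:", strict_integer_check(fixed))
    print(to_ldif(fixed))
```

Running the script prints `['shadowInactive', 'shadowExpire']` for the entry created without defaults and `[]` for the one created with them; the LDIF for the fixed entry carries `shadowExpire: 24855`, the day count for January 19, 2038, and `shadowInactive: 365`.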
