
I would like to create my own schema in OpenLDAP 2.4.57. Here's the code (I changed the real names of the schema and attributes):

# A single LDIF entry: no blank lines inside it, since a blank line ends the record;
# continuation lines start with a single space.
dn: cn=myschema,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: myschema
olcAttributeTypes: ( 2.25.1234567.1
  NAME 'field1'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
olcAttributeTypes: ( 2.25.1234567.2
  NAME 'field2'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: ( 2.25.1234567.3
  NAME 'myOwnFields'
  SUP top
  AUXILIARY
  MAY ( field1 $ field2 ) )

I tried to add this schema with the following command (LDAP response below):

$ ldapadd -x -D cn=admin,cn=config -w password -H ldap://ldap-server -f myschema.ldif
adding new entry "cn=myschema,cn=schema,cn=config"

When I tried to check whether the schema was correctly added to LDAP, OpenLDAP did not tell me it exists:

$ ldapsearch -x -D cn=admin,cn=config -w config -H ldap://ldap-server -b cn=schema,cn=config "(cn=myschema)"
# extended LDIF
#
# LDAPv3
# base <cn=schema,cn=config> with scope subtree
# filter: (cn=myschema)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

What's wrong?

Some precisions: the password is correct, and so is the LDAP URL. When I search for a user in the LDAP, I get the response I expect.

Thanks in advance

1 Answer

The OpenLDAP "config" backend has special behavior when it comes to entries or attributes that would normally be ordered: it automatically adds an {xx} prefix to the respective value. For example, entries representing a schema or a database are automatically renamed from cn=foo to cn={3}foo. This would be matched by (cn=*foo) but not by (cn=foo).

$ ldapsearch -b cn=schema,cn=config dn | grep ^dn
SASL/GSSAPI authentication started
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}ldapns,cn=schema,cn=config
dn: cn={5}kerberos,cn=schema,cn=config
dn: cn={6}misc,cn=schema,cn=config
dn: cn={7}sudo,cn=schema,cn=config
dn: cn={8}samba,cn=schema,cn=config
dn: cn={9}nullroute,cn=schema,cn=config
dn: cn={10}sudo,cn=schema,cn=config

(The lesson is that if an exact search doesn't match anything, you should then try an inexact search – e.g. an unfiltered search or a GUI tool such as Apache Directory Studio – and grep the results using your eyes.)

The same applies to values of olcAttributeTypes and similar. LDAP does not normally preserve attribute order, so the OpenLDAP config backend will add line numbers to achieve that.
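As an added illustration (not part of the question or the answer above): a small Python helper that takes the dn lines from such a search, strips the {N} ordering prefix the config backend adds, and compares the bare name exactly. Unlike the substring filter (cn=*foo), an exact comparison cannot match an unrelated name that merely ends in "foo", and it reports every entry sharing a name (such as the two sudo schemas in the listing above). The sample dn lines are constructed, and plain (non-base64) "dn:" lines are assumed.

```python
import re

# Constructed sample of the "dn:" lines returned by
#   ldapsearch -b cn=schema,cn=config dn | grep ^dn
# (a fictitious {11}myschema entry is appended to the real-looking list).
SAMPLE_DN_LINES = """\
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={7}sudo,cn=schema,cn=config
dn: cn={10}sudo,cn=schema,cn=config
dn: cn={11}myschema,cn=schema,cn=config
"""

# cn=config ordering prefix: an optional "{<index>}" in front of the RDN value.
ORDERED_RDN = re.compile(r"^cn=(?:\{(\d+)\})?([^,]+),(.*)$", re.IGNORECASE)


def split_ordered_rdn(dn):
    """Return (index_or_None, bare_name, parent_dn) for a cn=... DN, else None."""
    m = ORDERED_RDN.match(dn.strip())
    if not m:
        return None
    idx, name, parent = m.groups()
    return (int(idx) if idx is not None else None, name, parent)


def find_config_entries(ldif_dn_lines, name, parent="cn=schema,cn=config"):
    """Exact, case-insensitive match on the name after stripping the {N} prefix.

    Returns a list of (index, full_dn) so that duplicated names are all reported.
    """
    hits = []
    for line in ldif_dn_lines.splitlines():
        if not line.lower().startswith("dn:"):
            continue
        parsed = split_ordered_rdn(line[3:].strip())
        if parsed is None:
            continue
        idx, bare, par = parsed
        if bare.lower() == name.lower() and par.lower() == parent.lower():
            hits.append((idx, line[3:].strip()))
    return hits


def prefix_tolerant_filter(name):
    """The filter form the answer suggests; it is a substring match, so it would
    also match e.g. cn={3}oldmyschema, which is why the exact check above exists."""
    return "(cn=*%s)" % name
```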
