Hi,


I am new to LDAP. Hence kindly do excuse if any of my terminology is
different.

Issue:
-----
I installed the openldap server through debian package. ie. did NOT get the source.
Was able to add the record and display them.
ie. the slaptest worked fine and also could able to search the database with ldapsearch
command also.

Also able to start and stop the daemon.

But i am having an issue regarding the retrieval of authFilterId attribute stored in
the LDAP database.

Is authFilterId and FilterId attribute same?? Tried to retrieve both of them but unable to get
the values of the attribute.

Added a schema by name auth.schema in the slapd.conf. This file was not present in the default
installation of the openldap.

The below are the details of the configuration:

openldap server version: OpenLDAP: slapd 2.4.9 
Operating System: Ubuntu 8.04

slapd.conf:

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
#auth.schema added by me. Did not get installed by default
include         /etc/ldap/schema/auth.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        none

# Where the dynamically loaded modules are stored
modulepath       /usr/lib/ldap
moduleload      back_hdb

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

#######################################################################
# Specific Backend Directives for hdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend          hdb

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                  <other>

#######################################################################
# Specific Directives for database #1, of type hdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database        hdb

# The base of your directory in database #1
suffix          "dc=example,dc=com"

# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn          "cn=admin,dc=example,dc=com"
rootpw          secret123
# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts.  They do NOT override existing an existing DB_CONFIG
# file.  You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

# Indexing options for database #1
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
checkpoint      512 30

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=nodomain" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
        by dn="cn=admin,dc=nodomain" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=admin,dc=nodomain" write
#        by dnattr=owner write

#######################################################################
end of slapd.conf

Auth.schema File

Auth.schema: Manually included by me in the slapd.conf. This schema file
added by me. It did not come in the default installation.
This is required as my proprietary ldap client needs it.
I am not sure of its exact use. but i guess its related to radius.

attributetype ( 1.3.6.1.4.1.3317.4.3.1.9
        NAME ( 'authFilterId' )
        DESC 'radiusSchema: authFilterId'
        EQUALITY  caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
        SINGLE-VALUE )

objectclass ( 2.16.840.1.113730.3.2.222
    NAME 'auth'
    DESC 'Authentication database'
    SUP top
    STRUCTURAL
        MUST (
                uid $ userPassword $ authFilterId))


########################################################
end of auth.schema

LDAP ldif file: init.ldif

dn: dc=example,dc=com
objectClass: dcObject
objectClass: organizationalUnit
dc: example
ou: Example Dot Com

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: secret123

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=fsmith,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: radiusprofile
uid: fsmith
sn: Smith
givenName: Fred
cn: Fred Smith
displayName: Fred Smith
uidNumber: 1001
gidNumber: 1001
userPassword: secret123
gecos: Fred Smith
loginShell: /bin/bash
homeDirectory: /home/fsmith
shadowExpire: -1
shadowFlag: 0
shadowWarning: 7
shadowMin: 8
shadowMax: 999999
shadowLastChange: 10877
mail: fsmith@example.com
authFilterId: fsmith
initials: FS



Added the above records using the command:
$ slapadd -l init.ldif
Added successfully no errors on the command line.

When i searched the database using the command
$ ldapsearch -xLLL -b "dc=example,dc=com" '(objectclass=*)'

I was able to see all the details present in the init.ldif file
except the FilterId field:

authFilterId: fsmith

When i issue the command,
$ ldapsearch -xLLL -b "dc=example,dc=com" '(objectclass=*)' '(authFilterId=*)'
then also it does not display the authFilterId attribute.


The slaptest when run in the debug level 16783 does not show any errors.
The tail message of the slaptest o/p is:
....
slaptest startup: initiated.
backend_startup_one: starting "cn=config"
config_back_db_open
config_build_entry: "cn=config"
config_build_entry: "cn=module{0}"
config_build_entry: "cn=schema"
config_build_entry: "cn={0}core"
config_build_entry: "cn={1}cosine"
config_build_entry: "cn={2}nis"
config_build_entry: "cn={3}inetorgperson"
config_build_entry: "cn={4}auth"
config_build_entry: "olcDatabase={-1}frontend"
config_build_entry: "olcDatabase={0}config"
config_build_entry: "olcDatabase={1}hdb"
backend_startup_one: starting "dc=example,dc=com"
hdb_db_open: "dc=example,dc=com"
hdb_db_open: database "dc=example,dc=com": dbenv_open(/var/lib/ldap).
config file testing succeeded
slaptest shutdown: initiated
====> bdb_cache_release_all
slaptest destroy: freeing system resources.


Kindly do suggest of how to retrieve the authFilterId attribute value.


have a nice day,
navin