On Thu, 2008-01-17 at 17:27 +1100, Andrew Bartlett wrote:
I'm not quite sure what I'm looking for here, sorry:
In Samba4, we don't yet have full schema validation. In some ways it just has not been a priority - we validate that the attribute and objectClasses exist, but not that they match up.
In using OpenLDAP, I'm hoping to avoid having to write that logic, so I stopped adding extensibleObject to all our objectClass values, and replaced it with samba4Top, contaning all the things that AD's top contains, but OpenLDAPs does not.
So far so good, but AD has: dn: CN=Domain-DNS,${SCHEMADN} objectClass: top objectClass: classSchema subClassOf: domain systemAuxiliaryClass: samDomain
Looking at http://www.grotan.com/ldap/microsoft.ext.schema
I created entries in my schema file like:
dITContentRule ( 1.2.840.113556.1.5.67 NAME 'domainDNS' AUX ( samDomain ) )
dITContentRule ( 1.2.840.113556.1.5.3 NAME 'samDomain' AUX ( samDomainBase ) )
This created two problems: It appears that you cannot create a ditContentRule for a non-structural objectClass (samDomain is AUXILIARY), and even if I do, I can't tack on the samba4Top on the end, because of:
Adding DomainDN: DC=samba,DC=example,DC=com (permitted to fail) ldb load failed: LDAP error 65 LDAP_OBJECT_CLASS_VIOLATION - <class 'samba4Top' not allowed by content rule 'domainDNS'> <>
Is there a different approach I should be taking? I need to extend 'top' without extending OpenLDAP's hardcoded top, and I need something that looks like dITcontentRule without the restrictions. Any hints?
I suppose I could just calculate the resultant set of (structuralclass | top | auxilirayclasses) and merge them into the MUST and MAY of that structural class.
Would this be the best (if ugly) way forward?
Andrew Bartlett