On Thu, 2008-01-17 at 17:27 +1100, Andrew Bartlett wrote:
I'm not quite sure what I'm looking for here, sorry:
In Samba4, we don't yet have full schema validation. In some ways it
just has not been a priority - we validate that the attribute and
objectClasses exist, but not that they match up.
In using OpenLDAP, I'm hoping to avoid having to write that logic, so I
stopped adding extensibleObject to all our objectClass values, and
replaced it with samba4Top, containing all the things that AD's top
contains, but OpenLDAP's does not.
So far so good, but AD has:
Looking at http://www.grotan.com/ldap/microsoft.ext.schema
I created entries in my schema file like:
AUX ( samDomain )
AUX ( samDomainBase )
This created two problems: It appears that you cannot create a
ditContentRule for a non-structural objectClass (samDomain is
AUXILIARY), and even if I do, I can't tack on the samba4Top on the end,
Adding DomainDN: DC=samba,DC=example,DC=com (permitted to fail)
ldb load failed: LDAP error 65 LDAP_OBJECT_CLASS_VIOLATION - <class
'samba4Top' not allowed by content rule 'domainDNS'> <>
Is there a different approach I should be taking? I need to extend
'top' without extending OpenLDAP's hardcoded top, and I need something
that looks like dITcontentRule without the restrictions. Any hints?
I suppose I could just calculate the resultant set of (structuralclass |
top | auxiliaryclasses) and merge them into the MUST and MAY of that
Would this be the best (if ugly) way forward?
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
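
The set calculation floated at the end of the message above, sketched as an added example (not from the original post and not Samba or OpenLDAP code): it walks each class's SUP chain and merges the MUST and MAY attributes of the structural class, the replacement top and the auxiliary classes, then checks an entry against the result. The class contents and the helper names (sup_chain, effective_sets, violations) are assumptions made up for illustration; only the class names come from the message.

```python
# Added illustration. The class contents below are constructed and heavily
# abbreviated; they are NOT the real AD, Samba4 or OpenLDAP definitions.
SCHEMA = {
    "top":           {"sup": None,     "must": {"objectClass"}, "may": set()},
    "samba4Top":     {"sup": None,     "must": {"instanceType"},
                      "may": {"whenCreated", "nTSecurityDescriptor"}},
    "domain":        {"sup": "top",    "must": {"dc"}, "may": {"description"}},
    "domainDNS":     {"sup": "domain", "must": set(), "may": {"managedBy"}},
    "samDomainBase": {"sup": "top",    "must": set(),
                      "may": {"objectSid", "nTSecurityDescriptor"}},
    "samDomain":     {"sup": "top",    "must": {"objectSid"},
                      "may": {"lockoutThreshold"}},
}

def sup_chain(name, schema):
    """Return a class followed by its superiors, refusing unknown names and loops."""
    seen = []
    while name is not None:
        if name not in schema:
            raise KeyError(f"objectClass {name!r} is not defined")
        if name in seen:
            raise ValueError(f"SUP loop at {name!r}")
        seen.append(name)
        name = schema[name]["sup"]
    return seen

def effective_sets(structural, extra, schema):
    """Merge MUST and MAY over the structural chain plus each extra class."""
    must, may = set(), set()
    for root in [structural, *extra]:
        for cls in sup_chain(root, schema):
            # Attribute names compare case-insensitively in LDAP.
            must |= {a.lower() for a in schema[cls]["must"]}
            may |= {a.lower() for a in schema[cls]["may"]}
    return must, may - must  # an attribute required anywhere is not optional

def violations(entry_attrs, must, may):
    """Return (missing required, not permitted) attribute names for an entry."""
    present = {a.lower() for a in entry_attrs}
    return sorted(must - present), sorted(present - must - may)

if __name__ == "__main__":
    must, may = effective_sets("domainDNS", ["samba4Top", "samDomain", "samDomainBase"], SCHEMA)
    print("MUST", sorted(must))
    print("MAY ", sorted(may))
    print(violations(["objectClass", "dc", "instanceType", "telephoneNumber"], must, may))
```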