Thank you for the reply.
Andrew Findlay andrew.findlay@skills-1st.co.uk wrote:
> You should not change the definitions of standard attributes or objectclasses.
I remember that, though I wasn't able to get that working without patching ...
> That does not stop you from setting up an index for the attribute though, and most LDAP servers will then allow you to search for it even if the published schema does not allow for the possibility.
Here is my story, what I tried and what worked:
================================================================================================================
1. INDEX SUB
================================================================================================================
index authorizedService sub,eq
in line 180 of slapd.conf and original ldapns.schema, slapd doesn't start and complains with:
/usr/local/etc/openldap/slapd.conf: line 180: substr index of attribute "authorizedService" disallowed
================================================================================================================
2. ORIGINAL ldapns.schema - no substring search result
================================================================================================================
---[ slapd.conf ]-------------------------------------------
index default eq,sub
index authorizedService eq
---[ slapd.conf ]-------------------------------------------
---[ slapd.log with original ldapns.schema ]----------------------------------------
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(?authorizedService=web@*)"
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH attr=* createTimestamp creatorsName modifiersName modifyTimestamp
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
---[ slapd.log with original ldapns.schema ]----------------------------------------
================================================================================================================
3. PATCHED ldapns.schema - successful substring search
================================================================================================================
---[ ldapns.schema.patch ]------------------------------------------- --- ldapns.schema.orig 2014-09-15 23:47:56.135989000 +0300 +++ ldapns.schema 2015-02-15 23:50:53.714906292 +0200 @@ -1,6 +1,7 @@ attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' ---[ ldapns.schema.patch ]-------------------------------------------
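Review bot: the added "SUBSTR caseIgnoreIA5SubstringsMatch" line does not agree with the rest of the attribute definition, which declares SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 (Directory String) and EQUALITY caseIgnoreMatch. The IA5 substring rule is defined for the IA5 String syntax; the substring rule that pairs with caseIgnoreMatch on a Directory String attribute is caseIgnoreSubstringsMatch, so "SUBSTR caseIgnoreSubstringsMatch" would be the consistent choice. Because this edits a published definition under its original OID 1.3.6.1.4.1.5322.17.2.1, a comment in the schema file marking the line as a local change would help whoever next replaces ldapns.schema with the upstream copy.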
---[ slapd.conf ]-------------------------------------------
index default eq,sub
index authorizedService sub,eq
---[ slapd.conf ]-------------------------------------------
---[ slapd.log with patched ldapns.schema ]-------------------------------------------
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(authorizedService=web@*)"
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH attr=* createTimestamp creatorsName modifiersName modifyTimestamp
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SEARCH RESULT tag=101 err=0 nentries=8 text=
---[ slapd.log with patched ldapns.schema ]-------------------------------------------
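Added example, not part of the original message: a Python script that scans slapd log lines for searches whose filter carries the leading "?" that slapd prints for a component it evaluates as undefined (case 2 above), and pairs each one with its SEARCH RESULT line. The function name and the sample log, rebuilt from the lines quoted in this message, are assumptions of this example.

```python
import re

# Constructed sample: the two searches from the logs in this message.
SAMPLE_LOG = """\
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(?authorizedService=web@*)"
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH attr=* createTimestamp creatorsName modifiersName modifyTimestamp
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(authorizedService=web@*)"
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SEARCH RESULT tag=101 err=0 nentries=8 text=
"""

OP = re.compile(r'slapd\[(\d+)\]: conn=(\d+) op=(\d+) (.*)$')
FILTER = re.compile(r'filter="(.*)"')
UNDEFINED = re.compile(r'\(\?([^=()<>~]*)')  # "(?attr" marks an undefined component
RESULT = re.compile(r'SEARCH RESULT .*\berr=(\d+) nentries=(\d+)')

def find_undefined_filters(log_text):
    """Return one record per search whose filter has an undefined component."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = OP.search(line)
        if not m:
            continue
        key, rest = m.group(1, 2, 3), m.group(4)  # (pid, conn, op) identifies the operation
        f = FILTER.search(rest)
        if rest.startswith("SRCH ") and f:
            attrs = UNDEFINED.findall(f.group(1))
            if attrs:
                pending[key] = {"conn": int(key[1]), "op": int(key[2]),
                                "filter": f.group(1), "undefined": attrs}
            continue
        r = RESULT.search(rest)
        if r and key in pending:
            rec = pending.pop(key)
            rec["err"], rec["nentries"] = int(r.group(1)), int(r.group(2))
            findings.append(rec)
    return findings

if __name__ == "__main__":
    for rec in find_undefined_filters(SAMPLE_LOG):
        print("conn=%(conn)d op=%(op)d undefined=%(undefined)s "
              "err=%(err)d nentries=%(nentries)d filter=%(filter)s" % rec)
```

Such a search returns err=0 with nentries=0, so a client that uses authorizedService lookups for access decisions sees "no match" rather than an error; flagging the "?" in the log is what distinguishes the two.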