greetings,
I'm wondering about the lack of search possibility for some attributes
my question is: is it correct/good/sane/etc. to patch them this way? is there another way to get those attributes searchable?
for example I have to patch some schemas like this:
---[ PATCH SAMPLES START ]--------------------------------------------------- --- dhcp.schema.orig 2017-08-25 13:14:26.691570000 +0300 +++ dhcp.schema 2017-08-25 13:15:56.558980000 +0300 @@ -14,6 +14,7 @@ attributetype ( 2.16.840.1.113719.1.203. NAME 'dhcpStatements' EQUALITY caseIgnoreIA5Match DESC 'Flexible storage for specific data depending on what object this exists in. Like conditional statements, server parameters, etc. This allows the standard to evolve without needing to adjust the schema.' + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.203.4.4 @@ -38,6 +39,7 @@ attributetype ( 2.16.840.1.113719.1.203. NAME 'dhcpOption' EQUALITY caseIgnoreIA5Match DESC 'Encoded option values to be sent to clients. Each value represents a single option and contains (OptionTag, Length, OptionValue) encoded in the format used by DHCP.' + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.203.4.8 @@ -199,6 +201,7 @@ attributetype ( 2.16.840.1.113719.1.203. attributetype ( 2.16.840.1.113719.1.203.4.34 NAME 'dhcpHWAddress' EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch DESC 'The clients hardware address that requested this IP address.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
--- ldapns.schema.orig 2014-09-15 23:47:56.135989000 +0300 +++ ldapns.schema 2015-02-15 23:50:53.714906292 +0200 @@ -1,6 +1,7 @@ attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
--- nis.schema.orig 2017-02-11 21:38:48.984906000 +0200 +++ nis.schema 2017-10-02 13:20:52.140691000 +0300 @@ -55,6 +55,7 @@ attributetype ( 1.3.6.1.1.1.1.2 NAME 'ge attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absolute path to the home directory' EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell' ---[ PATCH SAMPLES STOP ]---------------------------------------------------
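Review bot: In the dhcp.schema hunk at @@ -199,6 +201,7 @@ (dhcpHWAddress) the added SUBSTR line sits directly after EQUALITY and before DESC, while the two earlier hunks of the same file (dhcpStatements, dhcpOption) place it after DESC. Use one position in all three, preferably right after EQUALITY so the matching rules read together.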
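Review bot: In the ldapns.schema hunk the added SUBSTR rule does not match the rest of the authorizedService definition: EQUALITY is caseIgnoreMatch and SYNTAX is 1.3.6.1.4.1.1466.115.121.1.15 (Directory String), but the new line uses the IA5 rule caseIgnoreIA5SubstringsMatch. The rule from the same family would be "SUBSTR caseIgnoreSubstringsMatch"; the IA5 variants fit the attributes in the other hunks, which use SYNTAX 1.3.6.1.4.1.1466.115.121.1.26.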
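Review bot: The nis.schema hunk changes the definition published under OID 1.3.6.1.1.1.1.3 (homeDirectory) without any comment marking the line as a local deviation, so a later schema update or a second server loading the stock file will silently disagree with this one. If the change is kept, add a comment line above the attributetype saying that SUBSTR caseExactIA5SubstringsMatch is a local addition and why.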
On Tue, Oct 03, 2017 at 11:35:56PM +0300, Zeus Panchenko wrote:
> I'm wondering about the lack of search possibility for some attributes
> my question is: is it correct/good/sane/etc. to patch them this way? is there another way to get those attributes searchable?
You should not change the definitions of standard attributes or objectclasses. That does not stop you from setting up an index for the attribute though, and most LDAP servers will then allow you to search for it even if the published schema does not allow for the possibility.
Andrew
thank you for the reply
Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
> You should not change the definitions of standard attributes or objectclasses.
I remember that, though I wasn't able to get that working without patching ...
> That does not stop you from setting up an index for the attribute though, and most LDAP servers will then allow you to search for it even if the published schema does not allow for the possibility.
here is my story, what I tried and what worked:
================================================================================================================
1. INDEX SUB
================================================================================================================
index authorizedService sub,eq
in line 180 of slapd.conf and original ldapns.schema, slapd doesn't start and complains with:
/usr/local/etc/openldap/slapd.conf: line 180: substr index of attribute "authorizedService" disallowed
================================================================================================================
2. ORIGINAL ldapns.schema - no substring search result
================================================================================================================
---[ slapd.conf ]-------------------------------------------
index default eq,sub
index authorizedService eq
---[ slapd.conf ]-------------------------------------------
---[ slapd.log with original ldapns.schema ]----------------------------------------
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(?authorizedService=web@*)"
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH attr=* createTimestamp creatorsName modifiersName modifyTimestamp
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
---[ slapd.log with original ldapns.schema ]----------------------------------------
================================================================================================================
3. PATCHED ldapns.schema - successful substring search
================================================================================================================
---[ ldapns.schema.patch ]------------------------------------------- --- ldapns.schema.orig 2014-09-15 23:47:56.135989000 +0300 +++ ldapns.schema 2015-02-15 23:50:53.714906292 +0200 @@ -1,6 +1,7 @@ attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' ---[ ldapns.schema.patch ]-------------------------------------------
---[ slapd.conf ]-------------------------------------------
index default eq,sub
index authorizedService sub,eq
---[ slapd.conf ]-------------------------------------------
---[ slapd.log with patched ldapns.schema ]-------------------------------------------
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(authorizedService=web@*)"
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH attr=* createTimestamp creatorsName modifiersName modifyTimestamp
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SEARCH RESULT tag=101 err=0 nentries=8 text=
---[ slapd.log with patched ldapns.schema ]-------------------------------------------
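Added example (not part of the thread and not OpenLDAP code): a pre-flight check that reads attributetype definitions and slapd.conf index lines and lists the attributes for which a substring index is requested although the schema defines no SUBSTR rule, which is the case slapd rejected above. The function names and the embedded sample text are constructed for illustration; only single-NAME definitions and index lines with explicit types are handled.

```python
import re

# Constructed sample: authorizedService as in the unpatched ldapns.schema quoted
# in the thread, and homeDirectory as patched there.
SCHEMA = """
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
    DESC 'IANA GSS-API authorized service name'
    EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
    DESC 'The absolute path to the home directory'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
"""
# Constructed sample slapd.conf fragment using the index lines from the thread.
SLAPD_CONF = """
index default eq,sub
index authorizedService sub,eq
index homeDirectory eq,sub
"""

def parse_attributetypes(text):
    """Map lower-cased attribute NAME to its EQUALITY/SUBSTR/SYNTAX fields."""
    attrs = {}
    for block in re.split(r"(?im)^\s*attributetype\s*\(", text)[1:]:
        name = re.search(r"NAME\s+'([^']+)'", block)
        if not name:
            continue  # multi-name form NAME ( 'a' 'b' ) is not handled here
        # Drop quoted strings so keywords inside DESC text are ignored.
        bare = re.sub(r"'[^']*'", "", block)
        fields = dict(re.findall(r"\b(EQUALITY|SUBSTR|SYNTAX)\s+([\w.]+)", bare))
        attrs[name.group(1).lower()] = fields
    return attrs

def disallowed_substr_indexes(conf, attrs):
    """Attributes given a sub* index although their definition has no SUBSTR."""
    bad = []
    for line in conf.splitlines():
        parts = line.split()
        # Skip non-index lines, "index default", and lines without explicit types.
        if len(parts) < 3 or parts[0].lower() != "index" or parts[1].lower() == "default":
            continue
        wants_sub = any(t.startswith("sub") for t in parts[2].lower().split(","))
        for attr in parts[1].split(","):
            rules = attrs.get(attr.lower())
            if wants_sub and rules is not None and "SUBSTR" not in rules:
                bad.append(attr)
    return bad

if __name__ == "__main__":
    print(disallowed_substr_indexes(SLAPD_CONF, parse_attributetypes(SCHEMA)))
```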
openldap-technical@openldap.org