Thank you for the reply.
Andrew Findlay <andrew.findlay(a)skills-1st.co.uk> wrote:
> You should not change the definitions of standard attributes or
> objectclasses.

I remember that, though I wasn't able to get that working without patching ...

> That does not stop you from setting up an index for the
> attribute though, and most LDAP servers will then allow you to search
> for it even if the published schema does not allow for the possibility.

Here is my story, what I tried and what worked:
================================================================================================================
1. INDEX SUB
================================================================================================================
index authorizedService sub,eq
in line 180 of slapd.conf and original ldapns.schema, slapd doesn't
start and complains with:
/usr/local/etc/openldap/slapd.conf: line 180: substr index of attribute
"authorizedService" disallowed
================================================================================================================
2. ORIGINAL ldapns.schema - no substring search result
================================================================================================================
---[ slapd.conf ]-------------------------------------------
index default eq,sub
index authorizedService eq
---[ slapd.conf ]-------------------------------------------
---[ slapd.log with original ldapns.schema ]----------------------------------------
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH base="ou=People,dc=foo"
scope=2 deref=0 filter="(?authorizedService=web@*)"
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH attr=* createTimestamp creatorsName
modifiersName modifyTimestamp
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=0
text=
---[ slapd.log with original ldapns.schema ]----------------------------------------
================================================================================================================
3. PATCHED ldapns.schema - successful substring search
================================================================================================================
---[ ldapns.schema.patch ]-------------------------------------------
--- ldapns.schema.orig 2014-09-15 23:47:56.135989000 +0300
+++ ldapns.schema 2015-02-15 23:50:53.714906292 +0200
@@ -1,6 +1,7 @@
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
DESC 'IANA GSS-API authorized service name'
EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
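Review bot: the added SUBSTR line names caseIgnoreIA5SubstringsMatch, but this attribute's SYNTAX is 1.3.6.1.4.1.1466.115.121.1.15 (Directory String) and its EQUALITY rule is caseIgnoreMatch, so the substring rule that pairs with them is caseIgnoreSubstringsMatch; the IA5 variant belongs to IA5 String attributes. Suggest changing the line to `SUBSTR caseIgnoreSubstringsMatch`. Because this edits a standard schema file in place, keep a record of the local change so it is reviewed or reapplied when ldapns.schema is updated; the `index authorizedService sub,eq` line in slapd.conf depends on it.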
---[ ldapns.schema.patch ]-------------------------------------------
---[ slapd.conf ]-------------------------------------------
index default eq,sub
index authorizedService sub,eq
---[ slapd.conf ]-------------------------------------------
---[ slapd.log with patched ldapns.schema ]-------------------------------------------
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH base="ou=People,dc=foo"
scope=2 deref=0 filter="(authorizedService=web@*)"
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH attr=* createTimestamp creatorsName
modifiersName modifyTimestamp
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SEARCH RESULT tag=101 err=0 nentries=8
text=
---[ slapd.log with patched ldapns.schema ]-------------------------------------------
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
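
An added example, not part of the original message: a small Python scan of slapd log lines for searches whose logged filter carries the `?` prefix that slapd puts on a filter item it evaluates as undefined, as in `(?authorizedService=web@*)` above, paired with each search's `nentries`. The sample log is constructed from the excerpts in the message with the wrapped lines rejoined, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two searches from the message above, with each
# wrapped syslog record joined back onto one line.
SAMPLE_LOG = """\
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(?authorizedService=web@*)"
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH attr=* createTimestamp creatorsName modifiersName modifyTimestamp
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(authorizedService=web@*)"
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH attr=* createTimestamp creatorsName modifiersName modifyTimestamp
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SEARCH RESULT tag=101 err=0 nentries=8 text=
"""

OP_RE = re.compile(r"slapd\[(\d+)\]: conn=(\d+) op=(\d+) (.*)$")
FILTER_RE = re.compile(r'filter="(.*)"')
# "(?attr" marks an undefined filter item; the attribute name may be absent.
UNDEF_RE = re.compile(r"\(\?([A-Za-z][\w;.-]*)?")
NENTRIES_RE = re.compile(r"SEARCH RESULT .*\bnentries=(\d+)")


def find_undefined_filters(log_text):
    """Return one finding per search whose logged filter has an undefined item."""
    ops = defaultdict(dict)  # (pid, conn, op): conn numbers restart with slapd
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key, rest = m.group(1, 2, 3), m.group(4)
        f = FILTER_RE.search(rest)
        if f:
            ops[key]["filter"] = f.group(1)
        n = NENTRIES_RE.search(rest)
        if n:
            ops[key]["nentries"] = int(n.group(1))
    findings = []
    for (_pid, conn, op), rec in ops.items():
        attrs = [a or "(whole filter)" for a in UNDEF_RE.findall(rec.get("filter", ""))]
        if attrs:
            findings.append({"conn": int(conn), "op": int(op), "attrs": attrs,
                             "filter": rec["filter"], "nentries": rec.get("nentries")})
    return findings


if __name__ == "__main__":
    for f in find_undefined_filters(SAMPLE_LOG):
        print(f"conn={f['conn']} op={f['op']} undefined on {f['attrs']} "
              f"nentries={f['nentries']} filter={f['filter']}")
```

A hit with `err=0 nentries=0` is the case from section 2: the search succeeds but the filter can never match, which matters when `authorizedService` lookups feed an access decision.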