1:35 p.m.
greetings,
I'm wondering of search possibility lack for some attributes
my question is: is it correct/good/sane/e.t.c. to patch them this way?
is there other way to get those attributes searchable?
for example I have to patch some schemes like this:
---[ PATCH SAMPLES START
]---------------------------------------------------
--- dhcp.schema.orig 2017-08-25 13:14:26.691570000 +0300
+++ dhcp.schema 2017-08-25 13:15:56.558980000 +0300
@@ -14,6 +14,7 @@ attributetype ( 2.16.840.1.113719.1.203.
NAME 'dhcpStatements'
EQUALITY caseIgnoreIA5Match
DESC 'Flexible storage for specific data depending on what
object this exists in. Like conditional statements, server parameters,
etc. This allows the standard to evolve without needing to adjust the
schema.'
+ SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.203.4.4
@@ -38,6 +39,7 @@ attributetype ( 2.16.840.1.113719.1.203.
NAME 'dhcpOption'
EQUALITY caseIgnoreIA5Match
DESC 'Encoded option values to be sent to clients. Each value
represents a single option and contains (OptionTag, Length, OptionValue)
encoded in the format used by DHCP.'
+ SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.203.4.8
@@ -199,6 +201,7 @@ attributetype ( 2.16.840.1.113719.1.203.
attributetype ( 2.16.840.1.113719.1.203.4.34
NAME 'dhcpHWAddress'
EQUALITY caseIgnoreIA5Match
+ SUBSTR caseIgnoreIA5SubstringsMatch
DESC 'The clients hardware address that requested this IP
address.'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
--- ldapns.schema.orig 2014-09-15 23:47:56.135989000 +0300
+++ ldapns.schema 2015-02-15 23:50:53.714906292 +0200
@@ -1,6 +1,7 @@
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
DESC 'IANA GSS-API authorized service name'
EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
--- nis.schema.orig 2017-02-11 21:38:48.984906000 +0200
+++ nis.schema 2017-10-02 13:20:52.140691000 +0300
@@ -55,6 +55,7 @@ attributetype ( 1.3.6.1.1.1.1.2 NAME 'ge
attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory'
DESC 'The absolute path to the home directory'
EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell'
---[ PATCH SAMPLES STOP
]---------------------------------------------------
--
IT dpt., I.B.S. LLC
2:34 a.m.
On Tue, Oct 03, 2017 at 11:35:56PM +0300, Zeus Panchenko wrote:
I'm wondering of search possibility lack for some attributes
my question is: is it correct/good/sane/e.t.c. to patch them this
way? is there other way to get those attributes searchable?
You should not change the definitions of standard attributes or
objectclasses. That does not stop you from setting up an index for the
attribute though, and most LDAP servers will then allow you to search
for it even if the published schema does not allow for the possibility.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
10:28 p.m.
thank you for reply
Andrew Findlay <andrew.findlay(a)skills-1st.co.uk> wrote:
You should not change the definitions of standard attributes or
objectclasses.
I remember that, though I wasn't able to get that working without patching ...
That does not stop you from setting up an index for the
attribute though, and most LDAP servers will then allow you to search
for it even if the published schema does not allow for the possibility.
here is my story, what I tryed and what worked:
================================================================================================================
1. INDEX SUB
================================================================================================================
index authorizedService sub,eq
in line 180 of slapd.conf and original ldapns.schema, slapd doesn't
start and complains with:
/usr/local/etc/openldap/slapd.conf: line 180: substr index of attribute
"authorizedService" disallowed
================================================================================================================
2. ORIGINAL ldapns.schema - no substring search result
================================================================================================================
---[ slapd.conf ]-------------------------------------------
index default eq,sub
index authorizedService eq
---[ slapd.conf ]-------------------------------------------
---[ slapd.log with original ldapns.schema ]----------------------------------------
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH base="ou=People,dc=foo"
scope=2 deref=0 filter="(?authorizedService=web@*)"
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH attr=* createTimestamp creatorsName
modifiersName modifyTimestamp
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=0
text=
---[ slapd.log with original ldapns.schema ]----------------------------------------
================================================================================================================
3. PATCHED ldapns.schema - successful substring search
================================================================================================================
---[ ldapns.schema.patch ]-------------------------------------------
--- ldapns.schema.orig 2014-09-15 23:47:56.135989000 +0300
+++ ldapns.schema 2015-02-15 23:50:53.714906292 +0200
@@ -1,6 +1,7 @@
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
DESC 'IANA GSS-API authorized service name'
EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
---[ ldapns.schema.patch ]-------------------------------------------
---[ slapd.conf ]-------------------------------------------
index default eq,sub
index authorizedService sub,eq
---[ slapd.conf ]-------------------------------------------
---[ slapd.log with patched ldapns.schema ]-------------------------------------------
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH base="ou=People,dc=foo"
scope=2 deref=0 filter="(authorizedService=web@*)"
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH attr=* createTimestamp creatorsName
modifiersName modifyTimestamp
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SEARCH RESULT tag=101 err=0 nentries=8
text=
---[ slapd.log with patched ldapns.schema ]-------------------------------------------
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
2231
days inactive
2247
days old
openldap-technical@openldap.org
2 comments
2 participants
participants (2)
-
Andrew Findlay -
Zeus Panchenko