Hi all,
As an almost newbie with OpenLDAP, I encountered the following problem and would like to know if there is someone who can help me clarify a few things.
So the problem statement follows.
I have a request from a client (let's call the client foo) to set up an LDAP provider at my office while we are in the process of development, and once we are ready for acceptance we will move our software to the client's machines.
Therefore I have a requirement to support user management using IBM Tivoli DS. Since I am not willing to pay for such a solution, and having in mind that LDAP providers should support the common LDAP protocol, and lastly that I have a little knowledge of how to set up OpenLDAP, I've decided to go with OpenLDAP while we are in development.
Now, since they have some legacy directory structure, I've asked them to export the existing data and give me that file so I can import it into LDAP. But as you may have guessed, that would be the easy way, and in practice this is often not the case.
I've noticed that the exported LDIF file contains some "custom" objectClasses and was under the impression that this was something related to Tivoli DS. But after further investigation I was wondering, if that is the case, why I can't have those objectClasses as well.
Reading more on this topic, and in communication with the client (the legacy code was done by some external third-party company), I've come to the conclusion that the client has custom schema files. Let's call them foo.schema and foo_v3.schema.
So there are two of them, and now I thought that all of my problems were gone.
My intention was to change the slapd.conf file so that these two are now included (include directives at the top of the slapd.conf file).
So I have placed these two files in the /etc/openldap/schema directory and added these two lines to slapd.conf:
include /etc/openldap/schema/foo.schema
include /etc/openldap/schema/foo_v3.schema
As I learned on my previous project where I worked with OpenLDAP, I then ran the slaptest command:
slaptest -d 4095 -f /etc/openldap/slapd.conf
And I got the following error (this is just an example; please be aware that the names are different due to an NDA):
reading config file /etc/openldap/schema/foo_v3.schema line 1 (objectClasses {) /etc/openldap/schema/foo_v3.schema: line 1: unknown directive <objectClasses> inside backend database definition (ignored).
And if I post here the start of this foo_v3.schema, the first line really starts with:
objectClasses { ( 1.3.18.0.2.6.398 NAME 'os400-root' DESC 'Root node for OS/400 system projection suffix.' SUP top STRUCTURAL MAY os400-sys ) ( 1.3.18.0.2.6.399 NAME 'os400-usrprf' DESC 'Projected OS/400 user profile.' SUP top STRUCTURAL MUST os400-profile MAY userPassword ) ...
To be honest, all the examples that I have encountered (OpenLDAP and Apache DS) that addressed customizing the schema NEVER HAD objectClasses, but rather objectClass.
And finally, my question is: is what I am trying to do really feasible, and if it is, what is wrong with this foo_v3.schema file and why is this not working?
Thank you for your help.
On Thu, Mar 03, 2011 at 12:28:03AM +0100, Aleksandar Stoisavljevic wrote:
I've come to the conclusion that the client has custom schema files. Let's call them foo.schema and foo_v3.schema.
My intention was to change the slapd.conf file so that these two are now included (include directives at the top of the slapd.conf file).
Unfortunately each LDAP server has a slightly different internal format for storing schema definitions. You cannot generally take files from TDS and use them directly in OpenLDAP, though the edits required to make them compatible may not be too large.
You could try extracting the schema from TDS via LDAP and then loading it into OpenLDAP the same way (you need an OpenLDAP server with the 'config' backend for this). Here are some commands that might help you to extract the existing schema:
SCHEMA=`ldapsearch -LLL \
    -H "ldap://${servername}:${serverport}/" \
    -s base \
    -b '' \
    -x '(objectclass=*)' subschemasubentry | sed -n -e 's/^subschemasubentry: //ip'`

ldapsearch -LLL \
    -H "ldap://${servername}:${serverport}/" \
    -s base \
    -b "$SCHEMA" \
    -x '(objectclass=*)' objectclasses
Note that you will get *all* the objectclasses this way, so you will need to edit the resulting list to contain only the ones you really need to add.
Note also that the flags I have given here assume the use of OpenLDAP versions of ldapsearch. The IBM ones differ in some respects.
To work out which attribute types and object classes were added to TDS after installation, look in .../etc/v3.modifiedschema - anything added through the LDAP protocol should end up in that file.
Andrew
Aleksandar Stoisavljevic wrote:
Therefore I have a requirement to support user management using IBM Tivoli DS. Since I am not willing to pay for such a solution
The last time I worked with IBM Tivoli DS, one could download and install it at no cost. IIRC they charge you for support. Installation was a major pain, though. Anyway, if it's still possible, that would be the way I'd do it in your case.
objectClasses { ( 1.3.18.0.2.6.398 NAME 'os400-root' DESC 'Root node for OS/400 system projection suffix.' SUP top STRUCTURAL MAY os400-sys ) ( 1.3.18.0.2.6.399 NAME 'os400-usrprf' DESC 'Projected OS/400 user profile.' SUP top STRUCTURAL MUST os400-profile MAY userPassword ) ...
To be honest, all the examples that I have encountered (OpenLDAP and Apache DS) that addressed customizing the schema NEVER HAD objectClasses, but rather objectClass.
This seems like a copy/export of the subschema subentry in a custom format, which indeed has a multi-valued attribute objectClasses listing all available object classes.
I don't know what you're planning to do. But I'd add only the schema descriptions you need for the data you process. It's very unlikely that you need the object class in the above example. It's some work to extract the relevant schema. But working it out gives you a much clearer picture of what it's all about.
Using an LDAP client with a decent schema browser definitely helps digging into this. (Being the author of web2ldap I'm biased, of course.)
Ciao, Michael.
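Both replies come down to the same task: the `objectclasses:` values that Andrew's ldapsearch prints and the `objectClasses { ... }` export Michael describes both carry standard RFC 4512 schema descriptions, and only the ones your data needs should become `objectclass`/`attributetype` directives in slapd.conf. The converter below is an added example, not code from the thread or from OpenLDAP; the sample input is constructed from the two OS/400 classes quoted above, and it assumes the export wraps attribute types in an `attributeTypes { ... }` block by analogy.

```python
import re

# Constructed sample in the export style quoted in the thread: one multi-valued
# objectClasses block (the two OS/400 classes are the thread's own example).
TDS_EXPORT = (
    "objectClasses { ( 1.3.18.0.2.6.398 NAME 'os400-root' DESC 'Root node for "
    "OS/400 system projection suffix.' SUP top STRUCTURAL MAY os400-sys ) "
    "( 1.3.18.0.2.6.399 NAME 'os400-usrprf' DESC 'Projected OS/400 user "
    "profile.' SUP top STRUCTURAL MUST os400-profile MAY userPassword ) }"
)
# Subschema attribute (LDIF) or export block name -> slapd.conf directive.
DIRECTIVES = {"attributetypes": "attributetype", "objectclasses": "objectclass"}


def top_level_groups(s):
    """Balanced '( ... )' groups at depth 0; parentheses inside '...' are ignored."""
    groups, depth, start, quoted = [], 0, 0, False
    for i, ch in enumerate(s):
        if ch == "'":
            quoted = not quoted
        elif quoted or ch not in "()":
            continue
        elif ch == "(":
            start, depth = (i if depth == 0 else start), depth + 1
        elif depth > 0:
            depth -= 1
            if depth == 0:
                groups.append(s[start:i + 1])
    return groups


def schema_descriptions(text):
    """Yield (directive, description) from folded LDIF 'name: value' lines or 'name { ... }' blocks."""
    text = re.sub(r"\r?\n ", "", text)  # LDIF unfolding: join continuation lines
    pat = r"^(attributetypes|objectclasses)(?::[ \t]*([^\n]*)|\s*\{([^}]*)\})"
    for m in re.finditer(pat, text, re.I | re.M):
        for desc in top_level_groups(m.group(2) or m.group(3) or ""):
            yield DIRECTIVES[m.group(1).lower()], desc


def short_name(desc):
    m = re.search(r"NAME\s+(?:'([^']*)'|\(\s*'([^']*)')", desc)
    return (m.group(1) or m.group(2)) if m else None


def to_slapd_conf(text, wanted=None):
    """Render slapd.conf directives, keeping only the names in `wanted` if given."""
    out = []
    for directive, desc in schema_descriptions(text):
        if wanted is None or short_name(desc) in wanted:
            out.append(directive + " " + " ".join(desc.split()))
    return "\n".join(out)
```

slapd resolves MUST/MAY names when it reads an objectclass, so the attribute types it references (here os400-sys and os400-profile) have to be converted as well and placed before the object classes in the generated file.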
openldap-technical@openldap.org