Hello all, I'm migrating a server from an older OpenLDAP 2.1 install to 2.4.21 and I've run into a (hopefully) small issue. On our old install we had added some attributes to organizationalUnit ("mail" is really the important one) just by editing the schema files, but I can't figure out how to do the same on 2.4.21 using the LDAP interface. I found this email on the list:
http://www.openldap.org/lists/openldap-technical/201106/msg00182.html
But it doesn't seem to have any replies. I've been fiddling with ldapmodify but I keep on getting strange errors:
root@lsmail:/etc/ldap/schema# ldapmodify -x -D cn=admin,dc=cpicorp,dc=com -W -f CPI-core.ldif
Enter LDAP Password:
modifying entry "cn=core,cn=schema,cn=config"
ldap_modify: No such object (32)
        matched DN: cn=schema,cn=config
Is this possible with 2.4.21, or do I need to stick with an older version of OpenLDAP?
Thanks,
Derek
--On Tuesday, August 02, 2011 12:44 PM -0500 Derek Chen-Becker dbecker@cpicorp.com wrote:
Is this possible with 2.4.21, or do I need to stick with an older version of OpenLDAP?
Modifying the core LDAP schema is ill advised and should be avoided. I'm guessing you're getting a sane response from trying to do something insane.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Derek Chen-Becker wrote:
On our old install we had added some attributes to organizationalUnit ("mail" is really the important one) just by editing the schema files,
Editing shipped schema files is considered very bad practice. Don't do that.
but I can't figure out how to do the same on 2.4.21 using the LDAP interface.
Several options:
1. Use your own STRUCTURAL object class derived from organizationalUnit.
2. Use an additional AUXILIARY object class together with organizationalUnit.
3. Somewhat hackish: Define a DIT content rule for organizationalUnit and add the needed attributes to MAY in this.
1. and 2. require you to transform your data.
3. does not require data changes but some rather naive schema-aware LDAP clients might refuse to handle the additional attributes.
Ciao, Michael.
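Options 1 and 2 above, written out as an added example (not from the thread or from the OpenLDAP project): a separate schema entry under cn=schema,cn=config holds the new object classes, so the shipped core schema is never edited and survives package upgrades. The entry name cn=cpi, the class names cpiOrganizationalUnit and cpiMailUnit, the OIDs under the 1.1 example arc, and the ou=Support entry are all assumptions; the suffix dc=cpicorp,dc=com and the cn=admin bind come from the original post. One fact about cn=config that the thread does not spell out: slapd names loaded schema entries with an ordering prefix, so the core schema lives at cn={0}core,cn=schema,cn=config and cn=core is indeed "no such object", which is why the command in the first post fails with error 32.

```ldif
# Added example, not code from the thread. Record 1 adds a new schema entry
# to cn=config; record 2 applies option 2 to one data entry. They target
# different databases, so keep them in two files:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f cpi-schema.ldif   (root, local socket)
#   ldapmodify -x -D cn=admin,dc=cpicorp,dc=com -W -f cpi-data.ldif
# OIDs under 1.1 are placeholders; use your organization's registered arc.

# --- cpi-schema.ldif: new schema entry, loaded after the shipped schemas ---
dn: cn=cpi,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
cn: cpi
# Option 1: STRUCTURAL subclass of organizationalUnit. Existing entries must
# have their structural objectClass rewritten to use it (data transformation).
olcObjectClasses: ( 1.1.2.2.1 NAME 'cpiOrganizationalUnit'
  DESC 'organizationalUnit that may carry a mail attribute'
  SUP organizationalUnit STRUCTURAL MAY mail )
# Option 2: AUXILIARY class added next to organizationalUnit. Only the
# objectClass attribute of existing entries changes; the DN and structural
# class stay as they are.
olcObjectClasses: ( 1.1.2.2.2 NAME 'cpiMailUnit'
  DESC 'auxiliary class that allows mail on an existing entry'
  AUXILIARY MAY mail )

# --- cpi-data.ldif: option 2 applied to a constructed entry in the data DIT ---
dn: ou=Support,dc=cpicorp,dc=com
changetype: modify
add: objectClass
objectClass: cpiMailUnit
-
add: mail
mail: support@cpicorp.com
```

Because both changes in the second record are one modify operation, slapd checks the entry against the schema once, after the auxiliary class is present; adding mail on its own, without the objectClass, is still rejected with an "object class violation", which is the schema doing its job rather than a defect.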
On 08/03/2011 01:10 PM, Michael Ströder wrote:
Editing shipped schema files is considered very bad practice. Don't do that.
I'm fully aware of the overwhelming reasons against modification and just how bad it is that we've done this. I'm working with legacy software/data that was written years ago when we were all young and foolish and I'm just trying to figure out if it's even possible to replicate OpenLDAP 2.1's behavior (allowing the insanity) with OpenLDAP 2.4.1 :)
3. Somewhat hackish: Define a DIT content rule for organizationalUnit and add the needed attributes to MAY in this.
1. and 2. require you to transform your data.
3. does not require data changes but some rather naive schema-aware LDAP clients might refuse to handle the additional attributes.
The software that consumes this right now (postfix) seems blissfully ignorant of any schema since it handles our modified organizationalUnits just fine. If/when we get an opportunity to rewrite the software I'll definitely take a look at option #1, since that seems the cleanest, but for now where might I find more details on #3?
Thanks,
Derek
Derek Chen-Becker wrote:
Hello all, I'm migrating a server from an older OpenLDAP 2.1 install to 2.4.21 and I've run into a (hopefully) small issue. On our old install we had added some attributes to organizationalUnit ("mail" is really the important one) just by editing the schema files, but I can't figure out how to do the same on 2.4.21 using the LDAP interface. I found this email on the list:
http://www.openldap.org/lists/openldap-technical/201106/msg00182.html
But it doesn't seem to have any replies. I've been fiddling with ldapmodify but I keep on getting strange errors:
root@lsmail:/etc/ldap/schema# ldapmodify -x -D cn=admin,dc=cpicorp,dc=com -W -f CPI-core.ldif
Enter LDAP Password:
modifying entry "cn=core,cn=schema,cn=config"
ldap_modify: No such object (32)
        matched DN: cn=schema,cn=config
Is this possible with 2.4.21,
Yes, it is, *but do not do this*
or do I need to stick with an older version of OpenLDAP?
No
The cleanest approach is to modify your OU entries:
objectClass: top
objectClass: organizationalUnit
objectClass: extensibleObject
Now, all attributes which are defined in any schema are allowed :-) .
Thanks,
Derek
harry.jede@arcor.de wrote:
The cleanest approach is to modify your OU entries:
objectClass: top
objectClass: organizationalUnit
objectClass: extensibleObject
Now, all attributes which are defined in any schema are allowed :-) .
That's what I consider bad advice and definitely not the cleanest approach.
Ciao, Michael.
Derek Chen-Becker wrote:
On 08/03/2011 01:10 PM, Michael Ströder wrote:
3. Somewhat hackish: Define a DIT content rule for organizationalUnit and add the needed attributes to MAY in this.
1. and 2. require you to transform your data.
3. does not require data changes but some rather naive schema-aware LDAP clients might refuse to handle the additional attributes.
The software that consumes this right now (postfix) seems blissfully ignorant of any schema since it handles our modified organizationalUnits just fine. If/when we get an opportunity to rewrite the software I'll definitely take a look at option #1, since that seems the cleanest, but for now where might I find more details on #3?
In your case:
dITContentRule ( 2.5.6.5 NAME 'organizationalUnit-dcr' MAY ( mail ) )
See RFC 4512 section 4.1.6. for details.
Ciao, Michael.
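Michael's DIT content rule in the form cn=config expects, as an added example that is not part of the thread: the rule goes into its own schema entry (the name cn=cpi-dcr is an assumption) so it is loaded after the core schema that defines organizationalUnit, and the OID 2.5.6.5 is that structural class's own OID, as RFC 4512 section 4.1.6 requires. The second record shows why this is option 3's attraction: an existing organizationalUnit entry (ou=Support is constructed under the poster's dc=cpicorp,dc=com suffix) gains mail with no objectClass change at all. Unlike the extensibleObject suggestion earlier in the thread, which lets an entry hold any attribute the server knows about, the content rule widens organizationalUnit by exactly the attributes listed, so schema checking still rejects everything else.

```ldif
# Added example, not code from the thread. Two records, two files, two binds:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f cpi-dcr.ldif   (root, local socket)
#   ldapmodify -x -D cn=admin,dc=cpicorp,dc=com -W -f cpi-mail.ldif

# --- cpi-dcr.ldif: content rule for organizationalUnit (OID 2.5.6.5) ---
dn: cn=cpi-dcr,cn=schema,cn=config
changetype: add
objectClass: olcSchemaConfig
cn: cpi-dcr
# Only mail is added to MAY; every other attribute stays forbidden on
# plain organizationalUnit entries. The rule takes effect without touching
# the shipped core.ldif or the existing entries' objectClass values.
olcDitContentRules: ( 2.5.6.5 NAME 'organizationalUnit-dcr'
  DESC 'allow mail on organizationalUnit entries'
  MAY mail )

# --- cpi-mail.ldif: no objectClass change needed, just the attribute ---
dn: ou=Support,dc=cpicorp,dc=com
changetype: modify
add: mail
mail: support@cpicorp.com
```

Whether a rule is active can be checked by reading the subschema subentry: ldapsearch -x -b cn=Subschema -s base dITContentRules lists every content rule the server currently enforces. The caveat from earlier in the thread still applies: a client that validates entries against object class definitions alone, without consulting dITContentRules, may treat the mail attribute as a schema violation even though slapd accepts it.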
openldap-technical@openldap.org