Ldap – How to add a new attribute to an existing LDAP objectclass

edirectoryldapopenldap

I created a custom LDAP objectClass, but forgot a couple attributes before I added it to my OpenLDAP server. I followed the instructions on this Ubuntu doc page: https://help.ubuntu.com/12.04/serverguide/openldap-server.html I am running Ubuntu 12.04.

So, how do I add a new MAY attribute to an objectClass that is already applied to the server?

Specifically on OpenLDAP, but it would be good to know how for Novell eDirectory as well.

Best Answer

The short answer

Use ldapmodify exactly like you would on a regular ldap entry with multi-valued attributes.

That's pretty much what I expected, but I wasn't 100% sure, due to the {N} indexing that you see when you run an ldap search for the schema.

The long answer

First, find your schema's dn. Something like cn={4}test,cn=schema,cn=config Then write an ldif file and apply it to your directory. On Ubuntu 12.04 I applied it as root with:

ldapmodify -Q -Y EXTERNAL -H ldapi://  -f test.ldif

The part I had issues with was the ldif modify syntax, and what to do with the {N} indexes.

So, the start of your ldif file should be something like:

version: 1

dn: cn={N}test,cn=schema,cn=config
changetype: modify

To modify an objectClass:

delete: olcObjectClasses
olcObjectClasses: <old value>
-
add: olcObjectClasses
olcObjectClasses: <new value>

To modify an attribute:

delete: olcAttributeTypes
olcAttributeTypes: <old value>
-
add: olcAttributeTypes
olcAttributeTypes: <new value>

Some tips I figured out about syntax:

Ignore the {N} indexes in your ldif file. They get fixed automatically.
You do need the {N} in your schema's DN.
Remember the '-' between statements.
Don't put a new line after the '-'. ldapmodify stops at that new line, so anything after it will not be executed.
Add new attributes before you modify the objectClass to include them.
Eliminate all tab characters. They cause the system to produce gibberish.

Related Solutions

Ubuntu – LDAP System Authentication in Ubuntu

Can you ping/access the ldap server from the client ? What about the other way around ?

You'll also want to make sure that ports 389 (ldap) or 636 (ldapSSL) are opened. A tool like nmap (apt-get install nmap):

nmap <IP address> -p389 or
nmap <IP address> -p636

Will usually let you know if your ports are closed, filtered or opened.

Ldap – Cannot add custom attributes in OpenLDAP

It appears from the invalid structural object class chain error that there is a violation of the STRUCTURAL objectClass rule. Without declaration to the contrary your customAttributes objectClass is being seen as a STRUCTURAL objectClass which it can't be and still work along with inetOrgPerson. I would recommend try changing your schema to something along the lines of the following:

objectclass     ( 1.3.6.1.4.1.4203.666.100.1
    NAME 'customAttributes'
    AUXILIARY
    DESC 'Custom attributes class'
    MAY (dateofBirth $ IPPhone)
)

For a further explanation I'd read over common causes of errors in the LDAP Guide. Beyond that a cursory look of the schema you are trying to create could use some more thought into organization. Usually advisable to have objectClass entities under one tree and attributeType entities under another to avoid confusion and collision.