Ldap – how to modify schema in openldap

ldapschema

So I have a fresh installation of openldap on a debian 9 machine which currently looks like

this

It's going to be a database for telephone numbers, too keep it easy, I'll use this example: The database will be splitted into the city – the streets – and the people who live in this streets.

It should look like this: dc=city -> ou=street -> cn=nameofperson

So far so good, I try to create the first dc, for example New York like this:

root@ldap-test:/etc/ldap/ldif-import# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif-import/createcn.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=NewYork"
ldap_add: Server is unwilling to perform (53)
        additional info: no global superior knowledge

and thats how the ldif file looks like:

dn: cn=NewYork
dc: NewYork
distinguishedName: dc=NewYork
name: NewYork
objectClass: top
objectClass: dcObject

As this didn't work I thought of another way, to put the streets into nodomain, just to check if it will work this way, but it seems that the schema is missing
distinguishedName and name. I looked into the default schemas and core.ldif has these entries, but they are commented out.

So I cant load this ldif:

dn: ou=broadway,dc=nodomain
distinguishedName: ou=broadway,dc=nodomain
name: broadway
objectClass: top
objectClass: organizationalUnit
ou: broadway

root@ldap-test:/etc/ldap/ldif-import# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/ldif-import/broadway.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "ou=broadway,dc=nodomain"
ldap_add: Object class violation (65)
        additional info: attribute 'distinguishedName' not allowed

So loading distinguishedName into the schema but it shows adding new entry

"cn=core,cn=schema,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: olcAttributeTypes: Duplicate attributeType: "2.5.4.49"

I dont understand why, because it's not even loaded in /etc/ldap/slapd.d/cn=config/cn=schema/cn={*}*.ldif

Anybody knows what to do?

Best Answer

name isn't a generally used attribute, though cn (commonName) is.
Don't attempt to add distinguishedName. dn already handles this. dn and distinguishedName are aliases for the same attribute, but only dn should be used for ldapmodify operations. This includes ldapadd.

Your first ldif is failing because:

Your ldap server is not configured to handle the cn=NewYork namingContext. 2 You are attempting to add a distinguishedName attribute.
objectClass: dcObject has no attribute name

Your second ldif is failing because:

You are attempting to add a distinguishedName attribute.
objectClass: organizationalUnit has no attribute name

Side note: ldap attributes, including the parts used in rdn's, can have spaces in them. Use quotes as appropriate.

Related Solutions

Ldap – Unable to modify schema in OpenLDAP using run-time configuration cn=config

If there are other olcAttributeTypes in the entry then you have to do a replace not add and list all the other attributes already in LDAP.

Try to use ldapvi for editing, it will do it automatically.

EDIT: If that doesn't work, then you'll need to stop slapd and edit files in /etc/ldap/slap.d/ manually. That certainly isn't a solution when the changes are relatively often...

Editing schema in cn=config is a new feature, you may have found a bug (possibly already fixed in newest version). Check OpenLDAP ChangeLog and try using newest version.

Centos – How to add ACIs to OpenLDAP properly

Figured out that it's probably better to just do it the bdb.ldif way. What I did was like the above, but I made a few changes.

olcAccess: {0}to attrs=userPassword,shadowLastChange,loginShell by dn="cn=manager,dc=bromosapien,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=manager,dc=bromosapien,dc=net" write by group.exact="cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net" write by * read

What I did instead was, I labeled each line with braces and a number. I also added the ability for a user to change their login shell (because I allow Bash, ksh, and zsh, we default to bash). I then created a groupOfNames container inside of the Group OU. Like this.

dn: cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net
objectClass: groupOfNames
objectClass: top
cn: LDAPADMIN
member: uid=zera,ou=People,dc=angelsofclockwork,dc=net
member: uid=sithlord,ou=People,dc=angelsofclockwork,dc=net

Of course, this requires the memberOf overlay.

The memberOf overlay I used is below:

% vi modules.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof

% vi memberof.ldif

dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

Best Answer

Related Solutions

Ldap – Unable to modify schema in OpenLDAP using run-time configuration cn=config

Centos – How to add ACIs to OpenLDAP properly

Related Topic