Tuesday, 29 May 2012

How to add a new schema to openLDAP 2.4+

I tried to stay away from the new config type introduced in OpenLDAP 2.3 as much as I could, but today I had to face it.

I understand the reasons behind it, but I have to say that the docs are pretty scarce and any newbie has a pretty steep learning curve ahead, especially if used to the old way of configuring LDAP.

The configuration now is in LDIF format and it follows a pretty logical scheme, which is clearly shown in this picture.
What you find inside that tree (which is mirrored as directories and .ldif files under /etc/ldap/slapd.d) is everything your LDAP server knows about; the rest of /etc/ldap is not really that interesting.

Anyway, you came here to read something else, I know. I honestly could not find a straight answer to the question in the title of this post: there are a lot of places that contain bits of info, but as usual getting everything in place still takes some work. That's why I am writing this post.

[UPDATE: just found this which is pretty close to what I needed.]

I will start with a practical real-life example: adding the sshPublicKey schema kindly provided here to your LDAP server. [I am basing my example on a Debian Squeeze installation.]

Now you will find in /etc/ldap/schema/ a lot of .schema files, and that is where you will start to get confused: with cn=config the server no longer reads those files directly. A schema only counts once it has been converted to LDIF and loaded under cn=schema,cn=config. So forget the schema files for a moment.

Copy openssh-lpk_openldap.schema into the /etc/ldap/schema/ directory (just to keep them together). The full file, with the OIDs and the SYNTAX line as they are in the upstream openssh-lpk schema (slaptest refuses an attributetype or objectclass without an OID):
# LDAP Public Key Patch schema for use with openssh-ldappubkey
# Author: Eric AUGE <>
# Based on the proposal of : Mark Ruijter

# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
        DESC 'MANDATORY: OpenSSH Public key'
        EQUALITY octetStringMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
        DESC 'MANDATORY: OpenSSH LPK objectclass'
        MAY ( sshPublicKey $ uid ) )

Create a temporary directory, e.g. /tmp/ldapstuff, and in it a dummy file called for instance slapd.conf which simply has this line:
include /etc/ldap/schema/openssh-lpk_openldap.schema
Then run slaptest on it, telling it to write the cn=config version into the current directory:
cd /tmp/ldapstuff && slaptest -f slapd.conf -F .
This will create, in the current directory, a dir called cn=config and a file cn=config.ldif.

cd cn=config/cn=schema && vim cn={0}openssh-lpk_openldap.ldif 
The only lines that need to stay in that file are dn, objectClass: olcSchemaConfig, cn, olcAttributeTypes and olcObjectClasses (together with their continuation lines, the ones starting with a space). Remove everything else: the two comment lines at the top and the operational attributes slaptest generated (structuralObjectClass, entryUUID, creatorsName, createTimestamp, entryCSN, modifiersName, modifyTimestamp), which the server will not accept from a client. Then edit dn and cn: drop the {0} index, so that the server assigns the next free one itself, and since this is a schema it has to live inside the cn=schema,cn=config tree. The result should be
dn: cn=openssh-lpk_openldap,cn=schema,cn=config
cn: openssh-lpk_openldap
Now you are ready to add this to your LDAP server. Binding as cn=admin,cn=config with a password only works if olcRootDN and olcRootPW are set in olcDatabase={0}config, which the Debian and Ubuntu packages do not do by default; what they do set up is access for the local root user through SASL EXTERNAL over the ldapi:/// socket. So, if you have configured a root password for cn=config:
ldapadd -D cn=admin,cn=config -W -f /tmp/ldapstuff/cn=config/cn=schema/cn={0}openssh-lpk_openldap.ldif
or otherwise, as root:
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/ldapstuff/cn=config/cn=schema/cn={0}openssh-lpk_openldap.ldif
That's it. You can verify that it's really there by searching the config tree (the filter is quoted so the shell does not try to expand the asterisks):
ldapsearch -xLLL -D cn=admin,cn=config -W -b cn=config '(cn=*ssh*)'
or, as root, with the same SASL EXTERNAL bind:
ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b cn=schema,cn=config '(cn=*ssh*)' dn
This should give you some result. This is pretty much applicable to any other schema.
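The whole procedure above as one script, added here as an example and not code from the original post or from the openssh-lpk project. It converts a .schema file with slaptest, does the clean-up of the generated LDIF with awk instead of by hand, loads it over ldapi:/// as root and checks the result. It assumes the Debian/Ubuntu slapd layout and tool names (slapd and ldap-utils packages), and that root's SASL EXTERNAL identity is allowed to manage cn=config, which is how those packages set it up, so no olcRootPW is required. The sample slaptest output embedded in the script is constructed so the clean-up step can be tried without a running server; the script only touches the server when given a schema file as its argument.

```sh
#!/bin/sh
# Added example (not from the original post): convert a .schema file to
# cn=config LDIF with slaptest, clean it up and load it over ldapi:///.
# Assumes Debian/Ubuntu slapd: run as root, root maps to the cn=config
# admin via SASL EXTERNAL, so no olcRootPW is needed.

# Turn the file slaptest wrote into something ldapadd will accept:
#  - keep dn, objectClass, cn, olcAttributeTypes, olcObjectClasses and
#    their folded continuation lines (they start with a space)
#  - drop the comment header and the operational attributes (entryUUID,
#    entryCSN, creatorsName, ...), which the server refuses from a client
#  - strip the {0} index from dn and cn so the server assigns the next
#    free one, and anchor the dn under cn=schema,cn=config
# Reads the slaptest LDIF on stdin, writes the cleaned LDIF to stdout.
clean_schema_ldif() {
    awk '
        /^ / { if (keep) print; next }
        /^(dn|objectClass|cn|olcAttributeTypes|olcObjectClasses):/ {
            keep = 1
            sub(/^dn: cn=[{][0-9]+[}]/, "dn: cn=")
            sub(/^cn: [{][0-9]+[}]/, "cn: ")
            if ($0 ~ /^dn: /) $0 = $0 ",cn=schema,cn=config"
            print
            next
        }
        { keep = 0 }
    '
}

# Constructed sample of what slaptest writes for the openssh-lpk schema
# (UUID, CSN and timestamps are made up), so the clean-up can be tried
# without a running slapd.
sample_slaptest_ldif() {
    cat <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: cn={0}openssh-lpk_openldap
objectClass: olcSchemaConfig
cn: {0}openssh-lpk_openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1
 .1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MAY ( sshPublicKey $ u
 id ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20120529000000Z
entryCSN: 20120529000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120529000000Z
EOF
}

# Convert one .schema file with slaptest in a scratch directory, clean the
# generated entry and add it to the live server.
load_schema() {
    schema=$1
    name=$(basename "$schema" .schema)
    work=$(mktemp -d) || return 1
    mkdir "$work/slapd.d"
    printf 'include %s\n' "$schema" > "$work/slapd.conf"
    slaptest -f "$work/slapd.conf" -F "$work/slapd.d" >/dev/null || { rm -rf "$work"; return 1; }
    clean_schema_ldif < "$work/slapd.d/cn=config/cn=schema/cn={0}$name.ldif" > "$work/$name.ldif"
    ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$work/$name.ldif"
    rc=$?
    rm -rf "$work"
    return $rc
}

# Show the schema entry the server now holds (empty output means it is absent).
verify_schema() {
    ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b cn=schema,cn=config "(cn=*$1*)" dn
}

# Only touch the server when given a schema file, e.g.
#   ./load-schema.sh /etc/ldap/schema/openssh-lpk_openldap.schema
if [ -n "${1:-}" ]; then
    load_schema "$1" && verify_schema "$(basename "$1" .schema)"
fi
```

The awk filter is deliberately a whitelist: anything that is not one of the five attributes (or a continuation of one) is dropped, so a newer slaptest that adds another operational attribute does not break the load. The {0} index on the olcAttributeTypes and olcObjectClasses values is left alone; the server accepts ordered values there, it is only the entry's own RDN that must not carry an index the server may already have handed out.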


  1. Nice post and thanks for the effort!

    I am used to the old file-based configuration layout and was desperately looking for a quick tutorial on adding a new schema. All I found was this and it perfectly clarified things for me.

  2. Hello, thanks for clarifying this!

    Just want to add something:
    After running "ldapadd" I got the following output:
    # ldapadd -Dcn=admin,cn=config -W -f /tmp/ldapstuff/cn\=config/cn\=schema/cn\=\{0\}openssh-lpk_openldap.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

    Then I followed Chris' reply and added olcRootDN and olcRootPW:

    Everything worked fine after that.
    OS: Ubuntu 12.04

    Thanks for sharing!

  3. Hello, thanks for your post! I'm right with ddesani! I have the same problem. Just use this: ldapadd -Q -Y EXTERNAL -H ldapi:/// -W -f /tmp/ldapstuff/cn\=config/cn\=schema/cn\=\{0\}openssh-lpk_openldap.ldif

  4. Debock Pierre, 8 May 2015 at 17:24

    Thank you man, it works very well :)

    1. I am still quite surprised that after 3 years it still does work... :)