
Tuesday, 29 May 2012

How to add a new schema to openLDAP 2.4+

I stayed away from the new cn=config style of configuration (introduced in OpenLDAP 2.3) for as long as I could, but today I had to face it.

I understand the reasons behind it, but I have to say that the docs are pretty scarce, and any newbie has a steep learning curve ahead, especially if used to the old slapd.conf way of configuring LDAP.

The configuration is now stored as LDIF and follows a fairly logical tree rooted at cn=config (shown in the picture that accompanied this post).
What you find inside these trees (which are also directories under /etc/ldap/slapd.d) is everything your LDAP server knows about; the rest of /etc/ldap is not really that interesting.

Anyway, you came here to read something else, I know. I honestly could not find a straight answer to the question in the title of this post. There are plenty of places that contain bits of the information, but, as usual, pulling everything together still takes some work. That's why I am writing this post.

[UPDATE: just found this, which is pretty close to what I needed.]

I will start with a practical real-life example: adding the sshPublicKey schema (kindly provided here) to your LDAP server. [I am basing my example on a Debian Squeeze installation.]

You will find a lot of .schema files in /etc/ldap/schema/, and that is where the confusion starts: on a cn=config server slapd does not read those files at all, it only reads the LDIF under /etc/ldap/slapd.d. So forget the schema files for a moment.

Copy the openssh-lpk_openldap.schema file into the /etc/ldap/schema/ directory (just to keep it together with the others):
#
# LDAP Public Key Patch schema for use with openssh-ldappubkey
# Author: Eric AUGE <eau@phear.org>
# 
# Based on the proposal of : Mark Ruijter
#


# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' 
 DESC 'MANDATORY: OpenSSH Public key' 
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
 DESC 'MANDATORY: OpenSSH LPK objectclass'
 MAY ( sshPublicKey $ uid ) 
 )

Create a temporary directory, e.g. /tmp/ldapstuff, and in it create a dummy file called, for instance, slapd.conf which contains just this line:
include /etc/ldap/schema/openssh-lpk_openldap.schema
Run
cd /tmp/ldapstuff && slaptest -f slapd.conf -F .
slaptest converts a slapd.conf-style configuration into the cn=config format: this will create in place a directory called cn=config and a file cn=config.ldif.

Run
cd cn=config/cn=schema && vim cn={0}openssh-lpk_openldap.ldif
The {0} is the ordering index slaptest gave the schema; since it was the only one included, it is 0. The only lines that need to stay in that file are the following (together with their continuation lines, i.e. the lines that start with a single space):
dn:
cn:
objectClass:
olcAttributeTypes:
olcObjectClasses:
Remove everything else: the AUTO-GENERATED comment header and the operational attributes slaptest wrote (structuralObjectClass, entryUUID, creatorsName, createTimestamp, entryCSN, modifiersName, modifyTimestamp), which the server sets itself and will not accept from a client. Then edit dn and cn. This is a schema, so it needs to live inside the cn=schema,cn=config tree, and the {0} index has to go because the running server assigns its own index. The result should be
dn: cn=openssh-lpk_openldap,cn=schema,cn=config
cn: openssh-lpk_openldap
Now you are ready to add this to your LDAP server:
ldapadd -Dcn=admin,cn=config -W -f /tmp/ldapstuff/cn=config/cn=schema/cn={0}openssh-lpk_openldap.ldif
This assumes a root DN and password are set on the config database (olcRootDN and olcRootPW on olcDatabase={0}config). On a stock Debian or Ubuntu install no config root password is set, so the bind fails with "ldap_bind: Invalid credentials (49)"; there the cn=config database is instead accessible to the local root user through SASL EXTERNAL on the ldapi:/// socket, so run ldapadd as root with -Y EXTERNAL -H ldapi:/// in place of -D/-W (see the comments below). That's it; you can verify that the schema is really there with
ldapsearch -xLLL -D cn=admin,cn=config -W -b cn=config '(cn=*ssh*)' dn
(the filter is quoted so the shell does not expand the asterisks). The entry comes back as cn={N}openssh-lpk_openldap,cn=schema,cn=config, where N is the index slapd assigned on add. The same procedure applies to any other schema.
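Putting the whole procedure together, here is a small POSIX shell script that does the slaptest conversion, trims the generated file down to the five attributes listed above, and loads the result. This is an added example, not code from the original post or from the openssh-lpk project. The function names (schema2ldif, add_schema, sample_slaptest_output) are mine, the sample slaptest output is constructed for illustration, and the script assumes the Debian layout under /etc/ldap and a cn=config reachable by root via SASL EXTERNAL on ldapi:///; swap in -D cn=admin,cn=config -W if your config database has a root password.

```shell
#!/bin/sh
# Added example (not from the original post): automate "slaptest, trim the
# generated LDIF, ldapadd" for one .schema file on an OpenLDAP 2.4 cn=config
# server. Assumes Debian paths (/etc/ldap) and root access to cn=config via
# SASL EXTERNAL over ldapi:///. Function names are this example's own.

# schema2ldif NAME  reads the slaptest-generated cn={0}NAME.ldif on stdin and
# writes an entry that ldapadd can load on stdout. It joins LDIF continuation
# lines (lines starting with one space), keeps only dn, cn, objectClass,
# olcAttributeTypes and olcObjectClasses, rewrites dn/cn into the
# cn=schema,cn=config tree without the {0} index, and drops the comment header
# and the operational attributes (structuralObjectClass, entryUUID, entryCSN,
# creatorsName, createTimestamp, ...) that slapd sets itself.
schema2ldif() {
    awk -v name="$1" '
        function emit(line) {
            if (line ~ /^dn: /) { print "dn: cn=" name ",cn=schema,cn=config"; return }
            if (line ~ /^cn: /) { print "cn: " name; return }
            if (line ~ /^(objectClass|olcAttributeTypes|olcObjectClasses): /) print line
        }
        /^ /  { cur = cur substr($0, 2); next }   # continuation of the previous attribute
        /^#/  { next }                             # "AUTO-GENERATED FILE" header, CRC line
        /^$/  { next }
        { if (cur != "") emit(cur); cur = $0 }
        END   { if (cur != "") emit(cur) }
    '
}

# add_schema /etc/ldap/schema/foo.schema   (needs root and the slapd tools)
add_schema() {
    schema="$1"
    name=$(basename "$schema" .schema)
    work=$(mktemp -d) || return 1
    printf 'include %s\n' "$schema" > "$work/slapd.conf"
    # Convert slapd.conf syntax to cn=config LDIF; only the schema entry matters.
    slaptest -f "$work/slapd.conf" -F "$work" || return 1
    schema2ldif "$name" < "$work/cn=config/cn=schema/cn={0}$name.ldif" > "$work/$name.ldif"
    # Stock Debian/Ubuntu: no olcRootPW on cn=config, but the local root user is
    # granted access over the ldapi socket. Use -D cn=admin,cn=config -W instead
    # if you have set a config root password.
    ldapadd -Q -Y EXTERNAL -H ldapi:/// -f "$work/$name.ldif" || return 1
    # Verify: slapd shows the entry with the {N} index it assigned on add.
    ldapsearch -Q -Y EXTERNAL -H ldapi:/// -LLL -b cn=schema,cn=config "(cn=*$name*)" dn
}

# Constructed sample of what slaptest writes to
# cn=config/cn=schema/cn={0}openssh-lpk_openldap.ldif: the attribute and
# object class are the schema from this post, folded the way slapd folds long
# lines; the operational attribute values are made up.
sample_slaptest_output() {
    cat <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: cn={0}openssh-lpk_openldap
objectClass: olcSchemaConfig
cn: {0}openssh-lpk_openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MAY ( sshPublicKey $ u
 id ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20120529000000Z
entryCSN: 20120529000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120529000000Z
EOF
}

# Dry run on the constructed sample (no slapd needed); prints the trimmed entry.
sample_slaptest_output | schema2ldif openssh-lpk_openldap
# Real run, as root:  add_schema /etc/ldap/schema/openssh-lpk_openldap.schema
```

Run the dry run first and compare its output with what you produced by hand in vim; the five lines it prints are exactly what ldapadd needs. The {0} prefix inside the olcAttributeTypes and olcObjectClasses values is harmless and can stay, since it only orders the values within the entry.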

4 comments:

  1. Nice post and thanks for the effort!

    I am used to the old file-based configuration layout and was desperately looking for a quick tutorial on adding a new schema. All I found was this and it perfectly clarified things for me.

  2. Hello, thanks for clarifying this!

    Just want to add something:
    After running "ldapadd" I got the following output:
    # ldapadd -Dcn=admin,cn=config -W -f /tmp/ldapstuff/cn\=config/cn\=schema/cn\=\{0\}openssh-lpk_openldap.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

    Then I followed Chris' reply and added olcRootDN and olcRootPW:
    http://serverfault.com/questions/377762/user-not-found-for-cn-config-in-openldap

    Everything worked fine after that.
    OS: Ubuntu 12.04

    Thanks for sharing!

  3. Hello, thanks for your post! I'm right with ddesani! I have the same problem. Just use this: ldapadd -Q -Y EXTERNAL -H ldapi:/// -W -f /tmp/ldapstuff/cn\=config/cn\=schema/cn\=\{0\}openssh-lpk_openldap.ldif
