Tuesday 29 May 2012

How to add a new schema to openLDAP 2.4+

I tried to stay away from the new config type introduced in OpenLDAP 2.3 as much as I could, but today I had to face it.

I understand the reasons behind it, but I have to say that the docs are pretty scarce and any newbie has a steep learning curve ahead, especially if they are used to the old way of configuring LDAP.

The configuration is now in LDIF format and follows a fairly logical scheme, which is clearly shown in this picture.
What you find inside these trees (which are also directories inside /etc/ldap/slapd.d) is everything your LDAP server knows about; the rest of /etc/ldap is not really that interesting.

Anyway, you are here to read something else, I know. I honestly could not find a straight answer to the question in the title of this post; there are a lot of places that contain bits of information, but as usual it still takes some work to put everything together. That's why I am writing this post.

[UPDATE: I just found this, which is pretty close to what I needed.]

I will start with a practical real-life example: adding the sshPublicKey schema kindly provided here to your LDAP server. [I am basing my example on a Debian Squeeze installation.]

Now, you will find a lot of .schema files in /etc/ldap/schema/. That is where you will start to get confused... so forget the schema files.

Copy and paste openssh-lpk_openldap.schema into the /etc/ldap/schema/ directory (just to keep them happy together):
#
# LDAP Public Key Patch schema for use with openssh-ldappubkey
# Author: Eric AUGE <eau@phear.org>
#
# Based on the proposal of : Mark Ruijter
#

# octetString SYNTAX
attributetype ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey'
 DESC 'MANDATORY: OpenSSH Public key'
 EQUALITY octetStringMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

# printableString SYNTAX yes|no
objectclass ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY
 DESC 'MANDATORY: OpenSSH LPK objectclass'
 MAY ( sshPublicKey $ uid )
 )

Create a tmp directory, e.g. /tmp/ldapstuff, and create a dummy file there called for instance slapd.conf which contains just this line:
include /etc/ldap/schema/openssh-lpk_openldap.schema
Run
cd /tmp/ldapstuff && slaptest -f slapd.conf -F .
This will create, in place, a directory called cn=config and a file cn=config.ldif.

Run
cd cn=config/cn=schema && vim cn={0}openssh-lpk_openldap.ldif
The only interesting things that need to stay in that file are the following:
dn:
cn:
objectClass:
olcAttributeTypes:
olcObjectClasses:
So remove everything else and edit dn and cn. This is a schema, so it needs to live inside the cn=schema,cn=config LDAP tree; the result should be
dn: cn=openssh-lpk_openldap,cn=schema,cn=config
cn: openssh-lpk_openldap
Now you are ready to add this to your LDAP server:
ldapadd -Dcn=admin,cn=config -W -f /tmp/ldapstuff/cn=config/cn=schema/cn={0}openssh-lpk_openldap.ldif
That's it. You can verify that it's really there with
ldapsearch -xLLL -D cn=admin,cn=config -W -b cn=config 'cn=*ssh*'
This should give you some result. This is pretty much applicable to any other schema.
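The whole procedure above (convert with slaptest, trim the generated LDIF, fix dn and cn, check before ldapadd) scripted as an added shell example; this is not code from the original post, and the function names and the sample slaptest output inside it are my own constructions.

```shell
#!/bin/sh
# Added example (not from the original post): the post's procedure as functions.
# convert_schema = steps 1-3 (slaptest), trim_schema_ldif = step 4 (keep only
# dn/cn/objectClass/olcAttributeTypes/olcObjectClasses, fix dn and cn),
# check_schema_ldif = a sanity check worth running before ldapadd.

convert_schema() { # usage: convert_schema [dependency.schema ...] target.schema
  # If slaptest reports an attribute type used by the target as not found,
  # list the schema defining it (e.g. core.schema) before the target.
  workdir=$(mktemp -d) || return 1
  for s in "$@"; do printf 'include %s\n' "$s"; done > "$workdir/slapd.conf"
  slaptest -f "$workdir/slapd.conf" -F "$workdir" >/dev/null || return 1
  ls "$workdir"/cn=config/cn=schema/*.ldif | tail -n 1   # target = highest {N}
}

trim_schema_ldif() { # usage: trim_schema_ldif generated.ldif schema-name
  awk -v name="$2" '
    /^ /   { if (keep) print; next }   # folded LDIF line follows its attribute
    /^dn:/ { print "dn: cn=" name ",cn=schema,cn=config"; keep = 0; next }
    /^cn:/ { print "cn: " name; keep = 0; next }
    /^(objectClass|olcAttributeTypes|olcObjectClasses):/ { print; keep = 1; next }
           { keep = 0 }                 # operational attributes are dropped
  ' "$1"
}

check_schema_ldif() { # LDIF on stdin; true iff one dn under cn=schema,cn=config and no operational attrs
  awk '/^dn:/ { dns++; if ($0 !~ /,cn=schema,cn=config$/) bad++ }
       /^(structuralObjectClass|entry(UUID|CSN)|(creators|modifiers)Name|(create|modify)Timestamp):/ { bad++ }
       END { if (dns == 1 && bad == 0) exit 0; exit 1 }'
}

# Demo on a constructed copy of what slaptest writes for the post's schema
# (UUID, CSN and timestamps are dummy values).
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: cn={0}openssh-lpk_openldap
objectClass: olcSchemaConfig
cn: {0}openssh-lpk_openldap
olcAttributeTypes: {0}( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DESC
  'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
olcObjectClasses: {0}( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MAY ( sshPublicKey $ uid ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20120529000000Z
entryCSN: 20120529000000.000000Z#000000#000#000000
EOF
trim_schema_ldif "$sample" openssh-lpk_openldap | check_schema_ldif \
  && echo "trimmed LDIF passes the check; load it with ldapadd as in the post"
```

Running the trimmed output through check_schema_ldif first catches the two mistakes that make ldapadd fail here: a dn left relative (cn={0}...) and operational attributes left in the file.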

11 comments:

  1. Nice post and thanks for the effort!

    I am used to the old file-based configuration layout and was desperately looking for a quick tutorial on adding a new schema. All I found was this and it perfectly clarified things for me.

  2. Hello, thanks for clarifying this!

    Just want to add something:
    After running "ldapadd" I got the following output:
    # ldapadd -Dcn=admin,cn=config -W -f /tmp/ldapstuff/cn\=config/cn\=schema/cn\=\{0\}openssh-lpk_openldap.ldif
    Enter LDAP Password:
    ldap_bind: Invalid credentials (49)

    Then I followed Chris' reply and added olcRootDN and olcRootPW:
    http://serverfault.com/questions/377762/user-not-found-for-cn-config-in-openldap

    Everything worked fine after that.
    OS: Ubuntu 12.04

    Thanks for sharing!

  3. Hello, thanks for your post! I'm right there with ddesani! I have the same problem. Just use this: ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /tmp/ldapstuff/cn\=config/cn\=schema/cn\=\{0\}openssh-lpk_openldap.ldif

  4. Debock Pierre, 8 May 2015 at 17:24

    Thank you man, it works very well :)

    Replies
    1. I am still quite surprised that after 3 years it still does work... :)