Re: Schemacheck off ignored



Kurt D. Zeilenga wrote:
> At 06:53 AM 1/3/2006, Bruno Bzeznik wrote:
> 
>> some other servers are using the ldap directories and they add
>> supplementary attributes to entries independently of the attributes I manage in my
>> schemas.
> 
> 
> BTW, the standard way of enabling the addition of values of
> any (user application) attribute to an object is to use
> the extensibleObject mechanism.  This mechanism is supported
> for years in OpenLDAP Software.
> 
> Kurt 

Well, I'm not an LDAP expert, but I don't think that it will help me. Here's an example of
a problem that I may encounter with schema checking.

I've got 2 servers using the same LDAP service:
- "A" is a unix host, with a simple unix mail service, and it hosts the openldap server.
- "B" is a samba server, using the same accounts that are hosted in the ldap server of
"A".

When I create an account on "A", it's a "posixAccount,account".
But for server "B", it must be a "sambaAccount".
Objectclasses account and sambaAccount are not compatible: "invalid structural object class
chain (account/sambaAccount)".
So, server "A" must create sambaAccounts, even if it is not managing attributes of this
class. But a sambaAccount needs a "rid" attribute: "object class 'sambaAccount' requires
attribute 'rid'".
Only "B" knows how to create this attribute.

So, we used schemacheck off, and let A create accounts and B modify accounts into
sambaAccounts.

What can I do now with schemacheck mandatorily on?

I know that perhaps the way we use LDAP is not very clean. But it worked for years... by
using LDAP, we were able to provide the same login/password to users over different
services. We upgraded only for security reasons (Fedora Core 3 update). We could not
imagine that you would change this feature in a minor release; there's very little info about
that, and the feature has disappeared silently, with no warning about a future deprecation.

We can change our way, but we have got a lot of work to do so, and we can not do that in
our stable environment, but in a testing one first, and plan the change for the future.
So, for the moment, we need an up to date secure openldap 2.2.x with schema checking off.
I don't think that we are using the "DIT content rules code" that you talked about here:
http://www.openldap.org/lists/openldap-software/200509/msg00476.html
So, do you think I can patch openldap to re-add the "global_schemacheck = 0;" line into
the source code without having troubles?

========================================
Bruno Bzeznik - Bruno@ac-grenoble.fr
Systemes et reseaux
Academie de Grenoble
http://slis.ac-grenoble.fr
========================================