[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Schemacheck off ignored

To: openldap-software@OpenLDAP.org
Subject: Re: Schemacheck off ignored
From: Bruno Bzeznik <Bruno@ac-grenoble.fr>
Date: Wed, 04 Jan 2006 12:13:16 +0100
Cc: slis-devel <slis-devel@phobos.ac-grenoble.fr>, wawa@slis.fr
In-reply-to: <6.2.1.2.0.20060103115909.0291a9d8@mail.openldap.org>
Organization: Academie de Grenoble
References: <43BA8FEE.5010904@ac-grenoble.fr> <6.2.1.2.0.20060103115909.0291a9d8@mail.openldap.org>
User-agent: Mozilla Thunderbird 1.0.2 (X11/20051002)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kurt D. Zeilenga wrote :
> At 06:53 AM 1/3/2006, Bruno Bzeznik wrote:
> 
>>some other servers are using the ldap directories and thez add
>>supplementary attributes to entries independently of the attributes I manage in my
>>schemas.
> 
> 
> BTW, the standard way of enabling the addition of values of
> any (user application) attribute to an object is to use
> the extensibleObject mechanism.  This mechanism is supported
> for years in OpenLDAP Software.
> 
> Kurt 

Well, I'm not an LDAP expert, but I don't think that it will help me. Here's an example of
a problem that I may encounter with schemachecking.

I've got 2 servers using the same LDAP service:
- - "A" is a unix host, with a simple unix mail service and it hosts the openldap server.
- - "B" is a samba server, using the same accounts that are hosted into the ldap server of
"A".

When I create an account on "A", it's a "posixAccount,account"
But for server "B", it must be a "sambaAccount".
Objectclasses account and sambaAccount are not compatible: invalid structural object class
chain (account/sambaAccount)
So, server "A" must create sambaAccounts, even if it is not managing attributes of this
class. But a sambaAccount needs a "rid" attribute: object class 'sambaAccount' requires
attribute 'rid'
Only "B" knows how to create this attribute.

So, we used schemacheck off, and let A creating accounts and B modifying accounts into
sambaAccounts.

How can I do now with schemacheck mandatory on?

I know that perhaps, the way we use LDAP is not very clean. But it worked for years... by
using LDAP, we were able to provide the same login/password to users over different
services. We upgraded only for security reasons (Fedora Core 3 update). We could not
imagine that you change this feature in a minor release, there's a very little info about
that and the feature has disapeared silently, no warning about a future deprecating.

We can change our way, but we have got a lot of work to do so and we can not do that in
our stable environnement, but in a testing one before, and plan the change for the future.
So, for the moment, we need an up to date secure openldap 2.2.x with schemachecking off.
I don't think that we are using the "DIT content rules code" that you talked about here:
http://www.openldap.org/lists/openldap-software/200509/msg00476.html
So, do you think I can patch openldap to re-add the "global_schemacheck = 0;" line into
the source code without having troubles?

========================================
Bruno Bzeznik - Bruno@ac-grenoble.fr
Systemes et reseaux
Academie de Grenoble
http://slis.ac-grenoble.fr
========================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDu63MKIejyyHkRlIRAvzvAJ49mo+snvDffXsqvnqsU2eDSNqbSACgg746
bITuQqRUjGKvG+DZekvErOo=
=NMkJ
-----END PGP SIGNATURE-----

References:
- Schemacheck off ignored
  - From: Bruno Bzeznik <Bruno@ac-grenoble.fr>
- Re: Schemacheck off ignored
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: 2.3.14 problem?
Next by Date: Re: 2.3.14 problem?
Index(es):
- Chronological
- Thread