
Re: schema checking cannot be disabled

On Thu, 2005-09-29 at 15:01 -0400, matthew sporleder wrote:
> 'schemacheck off'
> in your slapd.conf?  I'm not sure if this is still around, but it's
> mentioned in some mailing list archives.  Schema checking is an option
> for syncrepl, but I don't think it will help you.

As I mentioned in my subject, schema checking can no longer be turned
off.  If you try, openldap reports that this has been disabled.  I think
this move is short-sighted, since the schemas and RFCs haven't quite
caught up yet.  The competing ldap servers in the industry get around
this by simply not enforcing strict schema constraints.

> Also- you might be able to hack the schema file and make it look like
> the redhat/osx server.

I would except that changing the officially distributed, RFC-compliant
schemas is not the best thing to do.  I'll do it if I have to.  

I should note that OS X server uses the exact same schema files as
OpenLDAP 2.2.28.  However 2.2.28 does not allow disabling schema
checking and OS X (and from what I can tell most people who need to
employ posixGroups and do ACLs with groupOfUniqueNames) uses the schemas
in a way that violates the constraints.  So technically the posix RFCs
need to be fixed.  Specifically, RFC 2307bis proposed that posixGroup be
made an auxiliary object class, rather than structural.  However, due to
lack of interest or whatever, this RFC expired and has been withdrawn,
even though it seems to be the best solution.


> Good luck,
> _Matt
> On 9/29/05, Michael Torrie <torriem@chem.byu.edu> wrote:
> > I need to run openldap with schema checking off.  This is because in the
> > real world, things are not always ideal.  I have to be able to declare an
> > object to be of objectClass posixGroup *and* GroupOfUniqueNames.  This
> > data is being imported from another directory service (Apple OS X
> > server) and as such I can't just alter these group definitions
> > arbitrarily.
> >
> > I've been doing a lot of research and it appears that RedHat's directory
> > server is also implementing this, even though it is a schema violation.
> > Apparently RFC 2307bis has died, which would have corrected this
> > problem.
> >
> > Can OpenLDAP 2.2.28 be hacked to turn schema checking back off?  Or
> > better yet, how can I reconcile the posixGroup/groupOfUniqueNames
> > objectClasses?  I'm not opposed to altering the schemas, but altering an
> > official schema (nis.schema or core.schema) could be problematic.  How
> > are people dealing with this problem?
> >
> > Michael
> >
> > --
> > Michael Torrie <torriem@chem.byu.edu>
> >
Michael Torrie <torriem@chem.byu.edu>
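Editor's note (added example, not part of the thread): the rule that makes slapd reject the posixGroup/groupOfUniqueNames combination is that every entry must have exactly one structural object class chain (RFC 4512 section 2.4.2): all STRUCTURAL classes in objectClass must lie on one superclass line. nis.schema defines posixGroup as STRUCTURAL under top, core.schema defines groupOfUniqueNames the same way, and neither derives from the other. The script below models just enough of those two schemas (kind and superior only; MUST/MAY are deliberately left out, so it is not a full schema checker) to show the check failing under the stock nis.schema definition and passing once posixGroup is declared AUXILIARY, which is the change the RFC 2307bis draft made. The group LDIF entry and the dc=example,dc=com names are constructed for the example.

```python
"""Model of the one-structural-chain check behind slapd's rejection of an
entry that is both posixGroup and groupOfUniqueNames.

Assumptions (not from the mailing-list thread): the schema dictionaries
below are a simplified model holding only (kind, superior) per class, and
the sample LDIF entry is constructed for this example.
"""

# Minimal model of the classes involved: name -> (kind, superior class).
NIS_SCHEMA = {
    "top": ("ABSTRACT", None),
    "posixGroup": ("STRUCTURAL", "top"),          # nis.schema (RFC 2307)
    "groupOfUniqueNames": ("STRUCTURAL", "top"),  # core.schema
    "groupOfNames": ("STRUCTURAL", "top"),        # core.schema
    "posixAccount": ("AUXILIARY", "top"),         # nis.schema
    "person": ("STRUCTURAL", "top"),              # core.schema
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
}

# Same classes, with posixGroup made AUXILIARY as the RFC 2307bis draft proposed.
RFC2307BIS_SCHEMA = dict(NIS_SCHEMA, posixGroup=("AUXILIARY", "top"))

# Constructed sample: a group carrying both POSIX group data and
# uniqueMember values for ACLs, as exported from another directory.
SAMPLE_GROUP_LDIF = """\
dn: cn=chemists,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: chemists
gidNumber: 5000
memberUid: alice
uniqueMember: uid=alice,ou=People,dc=example,dc=com
"""


def object_classes(ldif_entry):
    """Collect the objectClass values of one LDIF entry. LDAP attribute
    names are case-insensitive, so 'objectclass' in any case is matched."""
    classes = []
    for line in ldif_entry.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "objectclass":
            classes.append(value.strip())
    return classes


def superiors(schema, oc):
    """Return oc followed by all of its superclasses up to top."""
    chain = []
    while oc is not None:
        chain.append(oc)
        oc = schema[oc][1]
    return chain


def check_structural_chain(schema, classes):
    """Apply the one-structural-chain rule to a list of object classes.

    Returns (True, most_derived_structural_class) when the entry is valid,
    or (False, reason) when it is not. The failure text follows the form
    slapd logs for this case: 'invalid structural object class chain (a/b)'.
    """
    unknown = [oc for oc in classes if oc not in schema]
    if unknown:
        return False, "unknown object class: " + ", ".join(unknown)
    structural = [oc for oc in classes if schema[oc][0] == "STRUCTURAL"]
    if not structural:
        return False, "no structural object class"
    # Valid only if one structural class has every other structural class
    # among its superiors (e.g. inetOrgPerson covers organizationalPerson
    # and person). Two unrelated structural classes can never satisfy this.
    for candidate in structural:
        if all(other in superiors(schema, candidate) for other in structural):
            return True, candidate
    return False, "invalid structural object class chain (%s)" % "/".join(structural)


def check_entry(schema, ldif_entry):
    """Convenience wrapper: parse the entry's object classes and check them."""
    return check_structural_chain(schema, object_classes(ldif_entry))


if __name__ == "__main__":
    for label, schema in (("nis.schema", NIS_SCHEMA), ("rfc2307bis", RFC2307BIS_SCHEMA)):
        ok, detail = check_entry(schema, SAMPLE_GROUP_LDIF)
        print("%-11s %s %s" % (label, "accepted as" if ok else "rejected:", detail))
```

Under the stock definitions the entry fails with the posixGroup/groupOfUniqueNames chain error; with posixGroup declared AUXILIARY the only structural class left is groupOfUniqueNames and the entry passes. That is the whole reason a modified nis.schema with `SUP top AUXILIARY` on posixGroup (the 2307bis definition) makes the import go through, and also why relaxing the check is not free: with posixGroup AUXILIARY a group can be attached to any structural class, so anything relying on posixGroup being the entry's structural class (for example an ACL keyed on it) should be reviewed.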