
Re: How to initialize cn=schema,cn=config with the system schema

On Tue, Jul 08, 2008 at 09:01:19PM -0700, Howard Chu wrote:
> Mathias Gug wrote:
>> I'm currently working on adding support for the config backend to the
>> Ubuntu openldap package (2.4.10). While creating a new configuration, I
>> run into the problem of loading the system schema into
>> /etc/ldap/slapd.d/cn=config/cn=schema.ldif. Using the example from the
>> slapd-config man page doesn't work: the system schema isn't created in
>> cn=schema.ldif. Comparing with a slapd.conf conversion, cn=schema.ldif
>> holds the system schema in the latter case.
> As documented in the Admin Guide:
> >>>
> 5.2.3 cn=schema
> The cn=schema entry holds all of the schema definitions that are
> hard-coded in slapd. As such, the values in this entry are generated by
> slapd so no schema values need to be provided in the config file. The
> entry must still be defined though, to serve as a base for the
> user-defined schema to add in underneath. Schema entries must have the
> olcSchemaConfig objectClass.
> <<<
> In other words, just make a blank entry. See the example in

I've attached the three ldif files that I'm using to create a new
configuration. Here are the steps that I'm following to initialize a new

# mkdir /etc/ldap/slapd.d/
# slapadd -F /etc/ldap/slapd.d/ -n 0 -l slapd.d.init.ldif
# slapadd -F /etc/ldap/slapd.d/ -n 0 -l slapd.d.load_hdb_module.ldif
# slapadd -F /etc/ldap/slapd.d/ -n 0 -l slapd.d.new-db.ldif
slapadd: could not add entry dn="olcDatabase=hdb,cn=config" (line=1):
autocreation of "olcDatabase={-1}frontend" failed

Mathias Gug
Ubuntu Developer  http://www.ubuntu.com
dn: cn=config
objectClass: olcGlobal
cn: config
# Features to permit
# olcAllows: bind_v2
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
olcPidFile: /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
olcArgsFile: /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
olcLogLevel: none
# The tool-threads parameter sets the number of CPUs that are used
# for indexing.
olcToolThreads: 1

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

#include: file:///etc/ldap/schema/system.ldif

include: file:///etc/ldap/schema/core.ldif

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
# The maximum number of entries that are returned for a search operation
olcSizeLimit: 500
# Protect passwords.  See slapd.access(5).
#olcAccess: to attrs=userPassword  by * auth
# Read access to other attributes and entries.
#olcAccess: to * by * read

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=admin,cn=config
olcRootPW: NykV9DDfvuOIA
#olcAccess: to * by * none

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: /usr/lib/ldap/back_hdb

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
# The base of your directory
olcSuffix: dc=vmnet
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
# olcRootDN: cn=admin,dc=vmnet
# Where the database files are physically stored
olcDbDirectory: /var/lib/ldap
# The dbconfig settings are used to generate a DB_CONFIG file the first
# time slapd starts.  They do NOT override an existing DB_CONFIG
# file.  You should therefore change these settings in DB_CONFIG directly
# or remove DB_CONFIG and restart slapd for changes to take effect.
# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
olcDbConfig: set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057 for more
# information.
# Number of objects that can be locked at the same time.
olcDbConfig: set_lk_max_objects 1500
# Number of locks (both requested and granted)
olcDbConfig: set_lk_max_locks 1500
# Number of lockers
olcDbConfig: set_lk_max_lockers 1500
# Indexing options
olcDbIndex: objectClass eq
# Save the time that the entry gets modified
olcLastMod: TRUE
# Checkpoint the BerkeleyDB database periodically in case of system
# failure and to speed slapd shutdown.
olcDbCheckpoint: 512 30
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=vmnet" write by anonymous auth by self write by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possibly other things) to work
# happily.
olcAccess: to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
olcAccess: to * by dn="cn=admin,dc=vmnet" write by * read
# For Netscape Roaming support, each user gets a roaming
# profile to which they have write access
#olcAccess: to dn=".*,ou=Roaming,o=morsnet" by dn="cn=admin,dc=vmnet" write by dnattr=owner write
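An added check for LDIF like the files above, not code from this thread or from OpenLDAP: it parses a cn=config LDIF, verifies the Admin Guide requirement quoted earlier (a cn=schema,cn=config entry with objectClass olcSchemaConfig and no hard-coded schema values), records include: directives, and flags an olcRootPW without a {scheme} prefix, which slapd compares as cleartext. The sample LDIF and all function names are constructed for this example.

```python
# Added example, not code from the thread or from OpenLDAP: lint a cn=config
# LDIF before running slapadd -n 0 on it. Sample LDIF and names are constructed.
import re
SCHEMA_VALUE_ATTRS = {"olcattributetypes", "olcobjectclasses", "olcldapsyntaxes"}
SAMPLE_LDIF = """\
dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema

include: file:///etc/ldap/schema/core.ldif

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcRootDN: cn=admin,cn=config
olcRootPW: placeholder-secret
"""

def parse_ldif(text):
    # Returns (entries, includes); an entry maps lowercase attr -> [values].
    entries, includes = [], []
    for record in re.split(r"\n[ \t]*\n", text.strip()):
        attrs = {}
        for line in re.sub(r"\n ", "", record).splitlines():  # undo RFC 2849 folding
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "include":          # directive of slapadd's LDIF reader
                includes.append(value)
            else:
                attrs.setdefault(name, []).append(value)
        if "dn" in attrs:
            entries.append(attrs)
    return entries, includes

def lint_config(text):
    # Returns a list of findings; empty means the LDIF passes these checks.
    entries, _ = parse_ldif(text)
    schema = next((e for e in entries if e["dn"][0].lower() == "cn=schema,cn=config"), None)
    findings = []
    if schema is None:
        findings.append("cn=schema,cn=config missing; user schema needs it as a base")
    elif "olcschemaconfig" not in {v.lower() for v in schema.get("objectclass", [])}:
        findings.append("cn=schema,cn=config lacks objectClass olcSchemaConfig")
    elif SCHEMA_VALUE_ATTRS & set(schema):
        findings.append("cn=schema,cn=config holds schema values; slapd generates the system schema")
    for e in entries:
        for pw in e.get("olcrootpw", []):
            if not re.match(r"\{[\w-]+\}", pw):  # no {SSHA}/{CRYPT} prefix: compared as cleartext
                findings.append("%s: olcRootPW has no {scheme} prefix" % e["dn"][0])
    return findings
```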