
AD-style AUX classes



I'm not quite sure what I'm looking for here, sorry:

In Samba4, we don't yet have full schema validation.  In some ways it
just has not been a priority - we validate that the attribute and
objectClasses exist, but not that they match up.

In using OpenLDAP, I'm hoping to avoid having to write that logic, so I
stopped adding extensibleObject to all our objectClass values, and
replaced it with samba4Top, containing all the things that AD's top
contains, but OpenLDAP's does not.

So far so good, but AD has:
dn: CN=Domain-DNS,${SCHEMADN}
objectClass: top
objectClass: classSchema
subClassOf: domain
systemAuxiliaryClass: samDomain

Looking at http://www.grotan.com/ldap/microsoft.ext.schema

I created entries in my schema file like:

dITContentRule (
  1.2.840.113556.1.5.67
  NAME 'domainDNS'
  AUX ( samDomain )
  )

dITContentRule (
  1.2.840.113556.1.5.3
  NAME 'samDomain'
  AUX ( samDomainBase )
  )

This created two problems:  It appears that you cannot create a
ditContentRule for a non-structural objectClass (samDomain is
AUXILIARY), and even if I do, I can't tack on the samba4Top on the end,
because of:

Adding DomainDN: DC=samba,DC=example,DC=com (permitted to fail)
ldb load failed: LDAP error 65 LDAP_OBJECT_CLASS_VIOLATION -  <class
'samba4Top' not allowed by content rule 'domainDNS'> <>

Is there a different approach I should be taking?  I need to extend
'top' without extending OpenLDAP's hardcoded top, and I need something
that looks like dITcontentRule without the restrictions.  Any hints?

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
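The content-rule behaviour described in the message, as an added example that is not OpenLDAP's or Samba's code: a small Python model of the RFC 4512 DIT content rule checks that reproduces both rejections (a rule on the AUXILIARY samDomain, and samba4Top not listed in the domainDNS rule's AUX) and then shows the same entry passing once samba4Top is listed. The object class kinds are assumptions made for the example.

```python
# Added example, not OpenLDAP or Samba code: a small model of the RFC 4512 DIT
# content rule checks behind the two errors quoted above. Class kinds are
# assumptions (samba4Top is taken as AUXILIARY, like the extensibleObject it
# replaces); superior chains and auxiliary inheritance are not modelled.

CLASSES = {"top": "ABSTRACT", "domainDNS": "STRUCTURAL", "samDomain": "AUXILIARY",
           "samDomainBase": "AUXILIARY", "samba4Top": "AUXILIARY"}

def add_content_rule(rules, name, aux):
    """Register rule 'name' with its AUX list; None on success, else the reason."""
    kind = CLASSES.get(name)
    if kind != "STRUCTURAL":  # a content rule may only govern a STRUCTURAL class
        return f"content rule '{name}': class is {kind}, not STRUCTURAL"
    for oc in aux:
        if CLASSES.get(oc) != "AUXILIARY":
            return f"content rule '{name}': AUX member '{oc}' is not AUXILIARY"
    rules[name] = set(aux)
    return None

def check_entry(rules, object_classes):
    """Validate an entry's objectClass values; None if allowed, else the error."""
    unknown = [oc for oc in object_classes if oc not in CLASSES]
    if unknown:
        return f"unknown object class '{unknown[0]}'"
    structural = [oc for oc in object_classes if CLASSES[oc] == "STRUCTURAL"]
    if len(structural) != 1:
        return f"entry needs exactly one structural class, found {structural}"
    rule = rules.get(structural[0])
    if rule is None:  # no content rule for this structural class: anything goes
        return None
    for oc in object_classes:
        if CLASSES[oc] == "AUXILIARY" and oc not in rule:
            return f"class '{oc}' not allowed by content rule '{structural[0]}'"
    return None

def demo():
    """Replay the post's steps, then the rule with samba4Top added to AUX."""
    rules, entry = {}, ["top", "domainDNS", "samDomain", "samba4Top"]
    return [
        add_content_rule(rules, "domainDNS", ["samDomain"]),         # accepted
        add_content_rule(rules, "samDomain", ["samDomainBase"]),     # rejected
        check_entry(rules, entry),                                   # rejected
        add_content_rule(rules, "domainDNS", ["samDomain", "samba4Top"]),
        check_entry(rules, entry),                                   # accepted
    ]

if __name__ == "__main__":
    for result in demo():
        print(result or "OK")
```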
