Re: AD-style AUX classes

On Thu, 2008-01-17 at 17:27 +1100, Andrew Bartlett wrote:
> I'm not quite sure what I'm looking for here, sorry:
> In Samba4, we don't yet have full schema validation.  In some ways it
> just has not been a priority - we validate that the attribute and
> objectClasses exist, but not that they match up.
> In using OpenLDAP, I'm hoping to avoid having to write that logic, so I
> stopped adding extensibleObject to all our objectClass values, and
> replaced it with samba4Top, containing all the things that AD's top
> contains, but OpenLDAP's does not.
> So far so good, but AD has:
> dn: CN=Domain-DNS,${SCHEMADN}
> objectClass: top
> objectClass: classSchema
> subClassOf: domain
> systemAuxiliaryClass: samDomain
> Looking at http://www.grotan.com/ldap/microsoft.ext.schema
> I created entries in my schema file like:
> dITContentRule (
>   1.2.840.113556.1.5.67
>   NAME 'domainDNS'
>   AUX ( samDomain )
>   )
> dITContentRule (
>   1.2.840.113556.1.5.3
>   NAME 'samDomain'
>   AUX ( samDomainBase )
>   )
> This created two problems:  It appears that you cannot create a
> ditContentRule for a non-structural objectClass (samDomain is
> AUXILIARY), and even if I do, I can't tack on the samba4Top on the end,
> because of:
> Adding DomainDN: DC=samba,DC=example,DC=com (permitted to fail)
> ldb load failed: LDAP error 65 LDAP_OBJECT_CLASS_VIOLATION -  <class
> 'samba4Top' not allowed by content rule 'domainDNS'> <>
> Is there a different approach I should be taking?  I need to extend
> 'top' without extending OpenLDAP's hardcoded top, and I need something
> that looks like dITcontentRule without the restrictions.  Any hints?

I suppose I could just calculate the resultant set of (structural class |
top | auxiliary classes) and merge them into the MUST and MAY of that
structural class.

Would this be the best (if ugly) way forward?

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.
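
The merge Andrew proposes in his last paragraph (flatten the structural class, its superclass chain up to top, and every auxiliary class reachable from that chain into one MUST/MAY set), as an added Python example that is not part of this thread and is not Samba or OpenLDAP code. The schema it operates on is a constructed toy with hypothetical attribute lists that only mirror the shape of the discussion (top, domain, domainDNS, samDomain deriving from samDomainBase); `as_openldap_objectclass` emits the flattened class in OpenLDAP's objectClass syntax, `check_entry` does the attribute-level validation the first message says Samba4 does not yet do, and the OID passed in is a placeholder chosen here.

```python
"""Flatten a structural objectClass for OpenLDAP: merge the MUST/MAY of the
class, its superclass chain up to top, and every auxiliary class reachable
from that chain into one definition, then validate entries against it.

SCHEMA below is a CONSTRUCTED toy that only mirrors the shape of the thread
(top -> domain -> domainDNS, samDomain AUXILIARY deriving from samDomainBase);
the attribute lists are hypothetical, not AD's real ones.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ObjectClass:
    name: str
    kind: str                          # ABSTRACT, STRUCTURAL or AUXILIARY
    sup: Optional[str] = None          # single superclass (RFC 4512 SUP)
    must: FrozenSet[str] = frozenset()
    may: FrozenSet[str] = frozenset()
    aux: FrozenSet[str] = frozenset()  # stands in for AD's systemAuxiliaryClass


def _oc(name, kind, sup=None, must=(), may=(), aux=()) -> ObjectClass:
    return ObjectClass(name, kind, sup, frozenset(must), frozenset(may), frozenset(aux))


# Constructed example schema; attribute names are placeholders.
SCHEMA: Dict[str, ObjectClass] = {c.name: c for c in [
    _oc("top", "ABSTRACT", None, {"objectClass"}, {"instanceType", "objectGUID"}),
    _oc("domain", "STRUCTURAL", "top", {"dc"}, {"description"}),
    _oc("domainDNS", "STRUCTURAL", "domain", (), {"msDS-Behavior-Version"}, {"samDomain"}),
    _oc("samDomainBase", "AUXILIARY", "top", (), {"nextRid", "pwdHistoryLength"}),
    _oc("samDomain", "AUXILIARY", "samDomainBase", {"objectSid"}, {"lockoutDuration"}),
]}


def _chain(name: Optional[str], schema: Dict[str, ObjectClass],
           seen: Set[str]) -> Iterator[ObjectClass]:
    """Walk `name` and its SUP chain, yielding classes not already in `seen`."""
    while name is not None and name not in seen:
        cls = schema[name]   # KeyError on an undefined class is the right failure
        seen.add(name)
        yield cls
        name = cls.sup


def effective_classes(structural: str, schema: Dict[str, ObjectClass] = SCHEMA) -> Set[str]:
    """Names of every class whose MUST/MAY apply to an entry of `structural`.

    Only a STRUCTURAL class may be flattened, mirroring OpenLDAP's rule that a
    dITContentRule can only be attached to a structural class."""
    if schema[structural].kind != "STRUCTURAL":
        raise ValueError(f"{structural} is {schema[structural].kind}, not STRUCTURAL")
    seen: Set[str] = set()
    pending: List[str] = [structural]
    while pending:
        # Every class in the chain may bring its own auxiliaries; walk those too.
        for cls in list(_chain(pending.pop(), schema, seen)):
            pending.extend(a for a in cls.aux if a not in seen)
    return seen


def merged_must_may(structural: str, schema: Dict[str, ObjectClass] = SCHEMA
                    ) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """MUST is the union of all MUSTs; MAY is the union of all MAYs minus MUST,
    since an attribute mandatory in one class cannot be merely optional."""
    classes = effective_classes(structural, schema)
    must = frozenset().union(*(schema[c].must for c in classes))
    may = frozenset().union(*(schema[c].may for c in classes)) - must
    return must, may


def as_openldap_objectclass(structural: str, oid: str,
                            schema: Dict[str, ObjectClass] = SCHEMA) -> str:
    """Render the flattened class in OpenLDAP objectClass syntax; `oid` is a
    placeholder supplied by the caller, nothing here allocates one."""
    must, may = merged_must_may(structural, schema)
    return (f"objectClass ( {oid} NAME '{structural}' SUP top STRUCTURAL\n"
            f"  MUST ( {' $ '.join(sorted(must))} )\n"
            f"  MAY ( {' $ '.join(sorted(may))} ) )")


def check_entry(attrs, structural: str, schema: Dict[str, ObjectClass] = SCHEMA
                ) -> Tuple[List[str], List[str]]:
    """Attribute-level validation: (missing mandatory attrs, attrs not allowed).
    Both lists empty means the entry satisfies the flattened class."""
    must, may = merged_must_may(structural, schema)
    present = frozenset(attrs)
    return sorted(must - present), sorted(present - must - may)


if __name__ == "__main__":
    print(as_openldap_objectclass("domainDNS", "1.3.6.1.4.1.99999.1"))  # placeholder OID
    print(check_entry(["objectClass", "dc", "sAMAccountName"], "domainDNS"))
```

The flattening deliberately refuses a non-structural starting class, which is the same restriction the first message ran into with a dITContentRule on samDomain; the auxiliaries are instead pulled in from whichever class in the structural chain references them, so samDomainBase arrives via samDomain's own SUP chain without needing a content rule of its own.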

