
Re: Configuring OpenLDAP with a custom schema instead of default schemas



Hi,

A big thanks to you and all others who replied to my original question.
Sorry for my belated reply, as I was experimenting with various options
as per your suggestions.

Anyway, in the end the simplest way to achieve what I wanted was to stop
the existing Slapd daemon, remove the old database at /var/lib/ldap, and
modify the /usr/share/slapd/slapd.conf file which is used as the master
template by Debian/Ubuntu's installation scripts.  The one remaining step
was to invoke "dpkg-reconfigure slapd" which reconfigures the Slapd
package as if it had just been installed.

Also, in the end I decided to eschew all the default schemas (even core)
and just use mine.  There was just too much of an impedance mismatch
between them.

Best regards,
Jon


On Saturday, July 15, 2017 2:16 AM, Ryan Tandy <ryan@nardis.ca> wrote:

On Fri, Jul 14, 2017 at 02:48:30PM +0000, Jon Smark wrote:
>Anyway, I have defined a schema file with the custom attributes  
>and object classes relevant to my domain.  Starting from a fresh
>installation of OpenLDAP 2.4.42 running on Ubuntu 16.04, I want
>to configure my Slapd server to *only* consider my schema file and
>to ignore all the other schemas it's configured to use by default.

I have to assume you have good reasons for doing that; but please do 
consider that most applications out there are written with the existing 
standardized schemas in mind, and try to leverage them as much as it 
makes sense to.

You do most likely at least want the 'core' schema. Most things assume 
it is present.

>I thought it would be as simple as removing the old /etc/ldap/slapd.d
>and replacing it with the output of slaptest applied to my schema
>file.  This doesn't work, unfortunately, because slapd refuses to
>start afterwards.

The default configuration defines a bit more than just that. The 
template used by the installer is /usr/share/slapd/slapd.init.ldif but 
there are some placeholders that the maintainer scripts fill in.

The Debian/Ubuntu init script requires you to define olcPidFile at a 
minimum, so it can do process tracking. (You didn't explicitly say 
you're invoking the init script; I apologize in advance if I'm assuming 
incorrectly that you want to use it.)

I'm not completely sure (haven't tested recently) but I think slaptest 
works better on a skeleton slapd.conf that just "include"s the relevant 
schema than it does on the schema file itself.


>I apologize if this question seems basic, but I'm stuck on this very
>first step and I've been unable to find an up-to-date tutorial on how
>to configure a recent OpenLDAP server from scratch (i.e., without all
>the default schemas).

http://www.openldap.org/doc/admin24/slapdconf2.html

hope this helps,
Ryan