thank you for the reply

Andrew Findlay <andrew.findlay@skills-1st.co.uk> wrote:
> You should not change the definitions of standard attributes or
> objectclasses.

I remember that, though I wasn't able to get that working without patching ...

> That does not stop you from setting up an index for the
> attribute though, and most LDAP servers will then allow you to search
> for it even if the published schema does not allow for the possibility.

here is my story, what I tried and what worked:

================================================================================================================
1. INDEX SUB
================================================================================================================

index authorizedService sub,eq

in line 180 of slapd.conf and original ldapns.schema, slapd doesn't start and complains with:

/usr/local/etc/openldap/slapd.conf: line 180: substr index of attribute "authorizedService" disallowed

================================================================================================================
2. ORIGINAL ldapns.schema - no substring search result
================================================================================================================

---[ slapd.conf ]-------------------------------------------
index default eq,sub
index authorizedService eq
---[ slapd.conf ]-------------------------------------------

---[ slapd.log with original ldapns.schema ]----------------------------------------
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(?authorizedService=web@*)"
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH attr=* createTimestamp creatorsName modifiersName modifyTimestamp
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
---[ slapd.log with original ldapns.schema ]----------------------------------------

================================================================================================================
3. PATCHED ldapns.schema - successful substring search
================================================================================================================

---[ ldapns.schema.patch ]-------------------------------------------
--- ldapns.schema.orig 2014-09-15 23:47:56.135989000 +0300 +++ ldapns.schema 2015-02-15 23:50:53.714906292 +0200
@@ -1,6 +1,7 @@ attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
---[ ldapns.schema.patch ]-------------------------------------------

---[ slapd.conf ]-------------------------------------------
index default eq,sub
index authorizedService sub,eq
---[ slapd.conf ]-------------------------------------------

---[ slapd.log with patched ldapns.schema ]-------------------------------------------
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(authorizedService=web@*)"
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH attr=* createTimestamp creatorsName modifiersName modifyTimestamp
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SEARCH RESULT tag=101 err=0 nentries=8 text=
---[ slapd.log with patched ldapns.schema ]-------------------------------------------

--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
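
Review bot: The added `SUBSTR caseIgnoreIA5SubstringsMatch` line in the ldapns.schema hunk pairs an IA5 substring rule with an attribute whose `EQUALITY` is `caseIgnoreMatch` and whose `SYNTAX` is 1.3.6.1.4.1.1466.115.121.1.15 (Directory String); the substring rule that belongs to that syntax is `caseIgnoreSubstringsMatch`, so `SUBSTR caseIgnoreSubstringsMatch` would keep equality and substring matching consistent, including for non-ASCII values. The hunk also changes the published definition in place under its original OID 1.3.6.1.4.1.5322.17.2.1, which is what the quoted reply advises against, so a comment in the schema file marking the local deviation would help whoever next updates ldapns.schema.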
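
The `?` in the first log's filter, `(?authorizedService=web@*)`, is how slapd logs a filter term it evaluated as undefined, which is why that search ends with err=0 and nentries=0 rather than an error. As an added example (not part of the original message), the Python below pairs SRCH and SEARCH RESULT lines and reports searches that carried such a term; the function name is hypothetical and the sample lines are copied from the two log excerpts above.

```python
import re

# Sample input: lines copied from the two slapd.log excerpts in the message.
SAMPLE_LOG = '''\
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(?authorizedService=web@*)"
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH attr=* createTimestamp creatorsName modifiersName modifyTimestamp
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(authorizedService=web@*)"
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SEARCH RESULT tag=101 err=0 nentries=8 text=
'''.splitlines()

SRCH = re.compile(r'slapd\[(\d+)\]: conn=(\d+) op=(\d+) SRCH base="([^"]*)" .*filter="(.*)"\s*$')
RESULT = re.compile(r'slapd\[(\d+)\]: conn=(\d+) op=(\d+) SEARCH RESULT .*err=(\d+) nentries=(\d+)')
# A filter term logged as "(?attr=value)" was treated as undefined by slapd.
UNDEFINED_TERM = re.compile(r'\(\?([^()]*)\)')


def undefined_filter_searches(lines):
    """Return one record per search whose logged filter has an undefined term."""
    pending, findings = {}, []
    for line in lines:
        m = SRCH.search(line)
        if m:
            pid, conn, op, base, flt = m.groups()
            terms = UNDEFINED_TERM.findall(flt)
            if terms:
                # Key on pid too: conn numbers restart with each slapd process.
                pending[(pid, conn, op)] = {
                    "conn": int(conn), "op": int(op), "base": base,
                    "filter": flt, "undefined_terms": terms,
                }
            continue
        m = RESULT.search(line)
        if m:
            pid, conn, op, err, nentries = m.groups()
            record = pending.pop((pid, conn, op), None)
            if record is not None:
                record.update(err=int(err), nentries=int(nentries))
                findings.append(record)
    return findings


if __name__ == "__main__":
    for f in undefined_filter_searches(SAMPLE_LOG):
        print(f"conn={f['conn']} op={f['op']} undefined={f['undefined_terms']} "
              f"err={f['err']} nentries={f['nentries']}")
```
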