Re: OpenLDAP enhancements



On Mon, 9 Aug 1999, Mark Valence wrote:

> The basic idea is to expose the Schema and ACLs via LDAP, and eventually
> to allow these configs to be changed via LDAP.

I don't know about the ACLs part, but isn't exposing the schema via LDAP just
the implementation of the "subschemasubentry" from LDAPv3?  If OpenLDAP 2.x is
going to support LDAPv3 then presumably this would already be implemented (or
at least, on the drawing board).  Particularly allowing the schema to be
changed via LDAP is a writable RootDSE.

> If the schema and acls are to be part of an LDAP directory, then
> where would they go?

The subschemasubentry.  To locate this, query the RootDSE:

% ldapsearch -L -h ldapv3-server -b "" -s base "objectclass=*"
[...]
namingcontexts: cn=schema
subschemasubentry: cn=schema
[...]

Now query the subschemasubentry to learn the LDAP server's schema:

% ldapsearch -L -h ldapv3-server -b "cn=schema" -s base "objectclass=*"
dn: cn=schema
objectclass: top
objectclass: subschema
objectclasses: ( 2.5.6.0 NAME 'top' [...]
[...]
attributetypes: ( abstract-oid NAME 'abstract' [...]
[...]

Note, this is LDAPv3 - won't work with an LDAPv2 server.

> What would their DNs look like, and what attributes would they have?

As above - all object classes and attribute types are attributes of the
subschemasubentry.

Cheers..


dave
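
Added example (not part of the original message, and not OpenLDAP code): the two-step lookup described above, run over constructed LDIF text shaped like the quoted `ldapsearch -L` output. It unfolds LDIF continuation lines, reads the subschemasubentry DN from the RootDSE, and maps each NAME in the objectclasses and attributetypes values to its OID; the sample entries and the function names are assumptions made for illustration.

```python
import re

# Constructed sample output (not captured from a real server), shaped like
# the two `ldapsearch -L` results quoted in the message.
ROOT_DSE_LDIF = """\
dn:
namingcontexts: cn=schema
subschemasubentry: cn=schema
"""
SCHEMA_LDIF = """\
dn: cn=schema
objectclass: top
objectclass: subschema
objectclasses: ( 2.5.6.0 NAME 'top' ABSTRACT
  MUST objectClass )
objectclasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )
attributetypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
"""

def parse_ldif_entry(text):
    """Return {lowercased attribute name: [values]} for a single LDIF entry."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]      # folded line: drop the single leading space
        elif raw:
            lines.append(raw)
    entry = {}
    for line in (l for l in lines if not l.startswith("#")):   # skip comments
        attr, _, value = line.partition(":")   # base64 "attr::" form not handled
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entry

def subschema_dn(root_dse):
    """Search base for the second query, taken from the RootDSE entry."""
    if not root_dse.get("subschemasubentry"):
        raise LookupError("RootDSE has no subschemasubentry value")
    return root_dse["subschemasubentry"][0]

# "( <oid> NAME 'x' ..." or "( <oid> NAME ( 'x' 'y' ) ..."; NAME is optional.
DEF_RE = re.compile(r"\(\s*([^\s()]+)(?:\s+NAME\s+('[^']*'|\((?:\s*'[^']*')+\s*\)))?")

def schema_names(entry, attr):
    """Map each lowercased NAME in objectclasses/attributetypes to its OID."""
    found = {}
    for value in entry.get(attr, []):
        m = DEF_RE.match(value)
        if not m:
            raise ValueError("not a schema definition: %r" % value)
        found.update((n.lower(), m.group(1)) for n in re.findall(r"'([^']*)'", m.group(2) or ""))
    return found
```
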