On Thu, 2008-01-17 at 17:27 +1100, Andrew Bartlett wrote:
> I'm not quite sure what I'm looking for here, sorry:
>
> In Samba4, we don't yet have full schema validation. In some ways it
> just has not been a priority - we validate that the attribute and
> objectClasses exist, but not that they match up.
>
> In using OpenLDAP, I'm hoping to avoid having to write that logic, so I
> stopped adding extensibleObject to all our objectClass values, and
> replaced it with samba4Top, containing all the things that AD's top
> contains, but OpenLDAP's does not.
>
> So far so good, but AD has:
> dn: CN=Domain-DNS,${SCHEMADN}
> objectClass: top
> objectClass: classSchema
> subClassOf: domain
> systemAuxiliaryClass: samDomain
>
> Looking at http://www.grotan.com/ldap/microsoft.ext.schema
>
> I created entries in my schema file like:
>
> dITContentRule (
> 1.2.840.113556.1.5.67
> NAME 'domainDNS'
> AUX ( samDomain )
> )
>
> dITContentRule (
> 1.2.840.113556.1.5.3
> NAME 'samDomain'
> AUX ( samDomainBase )
> )
>
> This created two problems: It appears that you cannot create a
> ditContentRule for a non-structural objectClass (samDomain is
> AUXILIARY), and even if I do, I can't tack on the samba4Top on the end,
> because of:
>
> Adding DomainDN: DC=samba,DC=example,DC=com (permitted to fail)
> ldb load failed: LDAP error 65 LDAP_OBJECT_CLASS_VIOLATION - <class
> 'samba4Top' not allowed by content rule 'domainDNS'> <>
>
> Is there a different approach I should be taking? I need to extend
> 'top' without extending OpenLDAP's hardcoded top, and I need something
> that looks like dITcontentRule without the restrictions. Any hints?

I suppose I could just calculate the resultant set of (structuralclass |
top | auxiliaryclasses) and merge them into the MUST and MAY of that
structural class.

Would this be the best (if ugly) way forward?

Andrew Bartlett

--
Andrew Bartlett                          http://samba.org/~abartlet/
Authentication Developer, Samba Team     http://samba.org
Samba Developer, Red Hat Inc.
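
The merge proposed in the message above (structural class, the replacement top, and every auxiliary class folded into a single MUST/MAY pair), as an added example that is not part of the original post or of Samba's code. The class names and the domainDNS OID come from the message; the dictionary layout and the attribute lists are constructed for illustration and are not the real AD schema. It goes slightly beyond the message by also following superclasses and nested auxiliary classes, so that an auxiliary class attached higher up the chain is still picked up.

```python
# Constructed sample schema: class names are taken from the message, but the
# MUST/MAY attribute lists are invented for illustration (not the real AD schema).
SCHEMA = {
    "top":           {"sup": None,     "aux": [],                "must": ["objectClass"],  "may": []},
    "samba4Top":     {"sup": None,     "aux": [],                "must": ["instanceType"], "may": ["description", "whenCreated"]},
    "domain":        {"sup": "top",    "aux": [],                "must": ["dc"],           "may": ["description"]},
    "samDomainBase": {"sup": "top",    "aux": [],                "must": [],               "may": ["objectSid", "dc"]},
    "samDomain":     {"sup": "top",    "aux": ["samDomainBase"], "must": ["objectSid"],    "may": ["lockoutThreshold"]},
    "domainDNS":     {"sup": "domain", "aux": ["samDomain"],     "must": [],               "may": ["managedBy"]},
}

def contributing_classes(name, schema, extra_top="samba4Top"):
    """Classes whose attributes apply to `name`: itself, the extra top,
    superclasses, and auxiliary classes (transitively), in first-seen order."""
    order, queue = [], [name, extra_top]
    while queue:
        cls = queue.pop(0)
        if cls is None or cls in order:
            continue
        if cls not in schema:
            raise KeyError(f"class {cls!r} is referenced but not defined")
        order.append(cls)
        queue.append(schema[cls]["sup"])
        queue.extend(schema[cls]["aux"])
    return order

def merged_must_may(name, schema, extra_top="samba4Top"):
    """Union the MUST and MAY lists of every contributing class."""
    must, may = [], []
    for cls in contributing_classes(name, schema, extra_top):
        for attr in schema[cls]["must"]:
            if attr not in must:
                must.append(attr)
        for attr in schema[cls]["may"]:
            if attr not in may:
                may.append(attr)
    # An attribute required by any contributing class stays required.
    may = [a for a in may if a not in must]
    return must, may

def render_objectclass(oid, name, schema):
    """Emit one flattened structural class in OpenLDAP schema-file syntax."""
    must, may = merged_must_may(name, schema)
    sup = schema[name]["sup"] or "top"
    parts = [f"objectclass ( {oid}", f"NAME '{name}'", f"SUP {sup} STRUCTURAL"]
    if must:
        parts.append("MUST ( " + " $ ".join(must) + " )")
    if may:
        parts.append("MAY ( " + " $ ".join(may) + " )")
    return "\n    ".join(parts) + " )"

if __name__ == "__main__": print(render_objectclass("1.2.840.113556.1.5.67", "domainDNS", SCHEMA))
```

With the classes flattened this way, an entry lists only the structural class chain in objectClass, so no content rule is needed to admit samDomain or samba4Top; the cost is that the auxiliary class names no longer appear on the entry.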