knowing which schema(s) to use
- To: openldap-technical@openldap.org
- Subject: knowing which schema(s) to use
- From: Prentice Bisbal <pbisbal@pppl.gov>
- Date: Tue, 16 May 2017 15:23:59 -0400
- Content-language: en-US
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.1.0
Over the past few days or weeks, I've asked a number of questions
related to schemas as I move my LDAP directory to a newer OS and newer
version of OpenLDAP. As has happened in the past, I have run into schema
issues when importing the database (LDIF file) into the new directory
with slapadd.
This time I got the following errors:
1. Kerberos attributes in "new" kerberos schema start with 'krb' instead
of 'krb5'
2. I got a schema structural error because user accounts have both
objectclasses "account" and "krbPrincipal", which is not good.
3. We were using solaris.schema on the old system, which CentOS 6
doesn't provide, but it does provide duaconf.schema, which seemed to be
similar if not identical to solaris.schema.
Both of these are easy to fix - just use sed to change 'krb5' to 'krb',
and then change 'krbPrincipal' to 'krbPrincipalAux', but is this really
the best/safest way to make these changes? Also, what happens to apps
that are looking for the 'krb5' instead of 'krb' and vice-versa?
I think many system admins would say just copy the schemas from the old
server to the new server and forget about it, but I don't think this is
a good approach. After doing that several times, I imagine the newer
applications on the newer OS versions will be looking for different
objectclass or attribute names (like krb instead of krb5), and things
will eventually break, anyway.
So my questions are these:
1. How do the rest of you handle situations like this?
2. Who/what is the authoritative source for current schema definitions?
Are they all defined in RFCs?
In an earlier e-mail, regarding my kerberos schema issues, Michael
Ströder wrote:
> You should use the current schema file shipped with your particular Kerberos installation.
That's exactly what I'm trying to do, which led to the kerberos schema
issues. And in the past there have been times when the current version
of the OS didn't provide the same schemas as the old version, and I was
left searching the Internet to find the modern equivalent of the schema
from the old system.
--
Prentice
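An added example, not from the original post and not OpenLDAP's own tooling, of the kind of rename the post describes done in a targeted way: it unfolds LDIF continuation lines first, renames only attribute types and objectClass values according to explicit maps, and leaves ordinary attribute values alone, which a blanket sed substitution of "krb5" would not. The attribute and objectClass names in the maps and the sample LDIF are constructed assumptions, not taken from a particular Kerberos schema.

```python
import re

# Constructed rename maps standing in for the post's "krb5 -> krb" and
# "krbPrincipal -> krbPrincipalAux" changes; the exact names are assumptions.
ATTR_MAP = {"krb5PrincipalName": "krbPrincipalName"}
OBJECTCLASS_MAP = {"krbPrincipal": "krbPrincipalAux"}

# Constructed sample LDIF. It contains a folded (continued) line and a
# description value that merely mentions "krb5" and must not be changed.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: account
objectClass: krbPrincipal
uid: alice
krb5PrincipalName: alice@EXAMPLE.
 COM
description: migrated from krb5 realm
"""

def unfold(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def rewrite_ldif(text, attr_map=ATTR_MAP, oc_map=OBJECTCLASS_MAP):
    """Rename attribute types and objectClass values; other values are untouched."""
    out = []
    for line in unfold(text):
        # name, ':' or '::' (base64), value; comments and blank lines fall through
        m = re.match(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$", line)
        if not m:
            out.append(line)
            continue
        name, sep, value = m.groups()
        name = attr_map.get(name, name)
        # only plain (non-base64) objectClass values are mapped here
        if name.lower() == "objectclass" and sep == ":":
            value = oc_map.get(value, value)
        out.append(f"{name}{sep} {value}".rstrip())
    return "\n".join(out) + "\n"
```

Running rewrite_ldif(SAMPLE_LDIF) renames the principal attribute and the objectClass while the description line keeps its "krb5" text.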