
I'm scripting some ldap automation and have reached a slight hangup. Basically, I want to check if an attribute being added to an entry actually exists within a given objectClass before I try to add it.

So far the best idea I have for this is just running a regex on the schema definition file for the attribute, but that wouldn't account for the schema file being edited after the config is initialized.

A second thought would be to just catch the error thrown if the attribute can't be added, but that seems less efficient since my next step would then be to add the attribute to the schema and rebuild the config.

Seems like there should be a simple ldapsearch command to do this but I can't figure out the syntax.

So far I've tried:

ldapsearch -x -b 'dc=MY_DOMAIN,dc=com' '(objectclass=mySCHEMA)'

but that just lists any ldap entries that have the mySCHEMA objectclass on them.

Thanks for the help, Cheers!

Rooster

5 Answers

You're looking for the subschemaSubentry.
RFC 2252 Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions

5.1.5. subschemaSubentry

The value of this attribute is the name of a subschema entry (or subentry if the server is based on X.500(93)) in which the server makes available attributes specifying the schema.

( 2.5.18.10 NAME 'subschemaSubentry'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION
  SINGLE-VALUE USAGE directoryOperation )

You can find it like so:

$ ldapsearch -s base -b '' subschemaSubentry
dn:
subschemaSubentry: cn=Subschema

$ ldapsearch -s base -b cn=Subschema objectClasses

As a one-liner:

ldapsearch -s base -b $(ldapsearch -s base -b '' subschemaSubentry | sed '/dn:/d;/^$/d;s/subschemaSubentry: //' ) objectClasses

If you're scripting in bash and your version of ldapsearch supports it, -o ldif-wrap=no will mean that you don't have to parse ldif line wrapping.


cn=schema,cn=config, while handy, is usually unavailable under OpenLDAP due to access controls inherited from cn=config.

84104

This is what I use to show the schema of a specific objectClass, such as organizationalRole:

$ ldapsearch -s base -b cn=Subschema objectClasses -LLL -o ldif-wrap=no |\
  sed -nr '/organizationalRole/ p' | sed -r 's/[$()]+/\n /g'
sphakka

It has been a long time since I worked with LDAP, but I think that each LDAP server may expose the schema in a certain suffix.

I think in OpenLDAP you can search in base "cn=schema,cn=config" to find the current schema. Try something like ldapsearch -x -s sub -b "cn=schema,cn=config" '(objectclass=*)' to see what you get. (Haven't tested this command line, but you get the point...).

From a developer's perspective, I would expect that the correct schema is there, and handle the exception of objectclass violation as if it was any kind of error.

I think that altering the schema is not something that should be handled by the application that adds/deletes data but by the installation procedure of the software.

lacasitos
  • No dice. I'm thinking I'll just have to catch the error when adding and the attribute isn't already there. Seems to be working in the stuff I've written since posting the question. – Rooster May 27 '14 at 17:48

Simple shell/awk script approaches won't work at all because of object class inheritance. You have to evaluate that to really find out in advance what the LDAP server would be doing with your add/modify request. (At least that's what I understand you want to achieve.)

If you don't mind scripting in Python you could use python-ldap's module ldap.schema which I've implemented for the full schema support in web2ldap. Besides object class inheritance it also takes care of DIT content rules which is very important to get attribute lists right with MS AD.

Be warned: Implementing a general solution is not trivial! And depending on the LDAP server used you will find somewhat incomplete schema references and will have to implement fall-back handling here and there.

I only know exactly one LDAPv3 client implementing full LDAP schema support. ;-)
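The inheritance point above is the part a plain grep over the objectClasses values misses. As an added illustration (not the answerer's code and not python-ldap's ldap.schema), here is a small parser for the RFC 4512 objectClass values that the subschemaSubentry search returns, which walks the SUP chain so that an attribute inherited from person or top counts for inetOrgPerson. The schema values are a constructed, abridged sample; it resolves inheritance only and does not evaluate DIT content rules.

```python
import re
# Constructed, abridged objectClass values in RFC 4512 form, as returned by
#   ldapsearch -s base -b cn=Subschema -o ldif-wrap=no objectClasses
SAMPLE_SCHEMA = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL "
    "MAY ( title $ ou $ st $ l ) )",
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson "
    "STRUCTURAL MAY ( mail $ uid $ jpegPhoto ) )",
]

def _oid_list(definition, keyword):
    """Names following KEYWORD, written either as '( a $ b )' or as bare 'a'."""
    m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|([\w.;-]+))" % keyword, definition)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [x.strip() for x in body.split("$") if x.strip()]

def parse_object_classes(definitions):
    """Map lower-cased objectClass name -> its 'sup', 'must' and 'may' name lists."""
    classes = {}
    for d in definitions:
        name = re.search(r"NAME\s+\(?\s*'([^']*)'", d).group(1)
        classes[name.lower()] = {k: _oid_list(d, k.upper()) for k in ("sup", "must", "may")}
    return classes

def allowed_attributes(classes, oc_name, _seen=None):
    """(MUST, MAY) attribute sets for oc_name, including everything inherited via SUP."""
    _seen = set() if _seen is None else _seen
    key = oc_name.lower()
    if key not in classes:
        raise ValueError("objectClass %r is not in the schema" % oc_name)
    if key in _seen:  # a cyclic SUP chain would otherwise recurse forever
        return set(), set()
    _seen.add(key)
    must = {a.lower() for a in classes[key]["must"]}
    may = {a.lower() for a in classes[key]["may"]}
    for sup in classes[key]["sup"]:
        s_must, s_may = allowed_attributes(classes, sup, _seen)
        must |= s_must
        may |= s_may
    return must, may - must

def attribute_allowed(classes, oc_name, attr):
    """True when attr may appear on an entry whose objectClass is oc_name."""
    must, may = allowed_attributes(classes, oc_name)
    return attr.lower() in must or attr.lower() in may
```

Feeding it the live objectClasses values instead of SAMPLE_SCHEMA gives an answer that tracks schema edits made after the config was built, which the regex-over-the-schema-file approach in the question cannot.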


If you prefer a GUI solution, download an LDAP browser like the free open source cross-platform JXplorer. Once connected to the LDAP, it allows you to browse (and edit) all objects and their attributes.

not2savvy