How do I install a new schema for OpenLDAP on Debian 5 with the dynamic cn=config backend?
I'm answering my own question because I wanted to know how to solve the problem while using the new slapd.d/dynamic/cn=config backend, and I didn't want to go back to the slapd.conf method. (Almost nobody is doing this, AFAICT.)
When I tried to add the new schema using ldapadd, I was always getting the following error:
ldapadd -H ldap://whatever.test.com -D "cn=admin,dc=whatever,dc=test,dc=com" -x -W -f mozillaabpersonalpha.ldif
ldap_add: Insufficient access (50)
So the BindDN I was using does not have those privileges. I would need to set up an ACL or to use the rootDN for that operation.
I don't know why, but when configuring the slapd Debian package, it allowed me to create an admin account for my own DIT, but it mentioned nothing about the rootDN. After some browsing, I found a blog post that explains how to set the password of the rootDN while using the cn=config schema.
So I edited the file /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif and added the following:
olcRootDN: cn=admin,cn=config
olcRootPW: mypassword
I had to restart slapd for the changes to take effect (it shouldn't be necessary, but ...). To test it, I ran the following command:
ldapwhoami -H ldap://whatever.test.com -D "cn=admin,cn=config" -x -w mypassword
And it worked! The next step was to load the mozillaAbPersonAlpha schema in LDIF format using ldapadd:
ldapadd -H ldap://whatever.test.com -D "cn=admin,cn=config" -x -w mypassword -f mozillaabpersonalpha.ldif
The response was successful:
adding new entry "cn=mozillaabpersonalpha,cn=schema,cn=config"
Finally, adding a user that depends on the mozillaAbPersonAlpha schema is now possible. For example, the file newuser.ldif has this:
dn: uid=somedude,cn=Whatever,dc=test,dc=com
sn: Some Dude
givenName: Dude
mail: [email protected]
mozillaCustom1: Engineering
l: Somewhere
objectClass: inetOrgPerson
objectClass: top
objectClass: person
objectClass: mozillaAbPersonAlpha
uid: somedude
cn: Some Dude
And adding it to the new directory (not using the rootDN account) works now:
ldapadd -H ldap://whatever.test.com -D "cn=admin,dc=whatever,dc=test,dc=com" -x -W -f usertest.ldif
Enter LDAP Password:
adding new entry "uid=somedude,cn=SomeGroup,cn=whatever,dc=test,dc=com"
Noe Nieto
Updated on September 18, 2022
Comments
-
Noe Nieto almost 2 years
I'm importing an OpenLDAP database from another server, and while importing I got some errors with some users; the problem is that mozillaAbPersonAlpha is not a valid objectClass.
#!ERROR [LDAP Error Code 21 - objectClass: value #3 invalid per syntax]
...
dn: uid=somedude,cn=Whatever,dc=test,dc=com
sn: Some Dude
givenName: Dude
mail: [email protected]
mozillaCustom1: Engineering
l: Somewhere
objectClass: inetOrgPerson
objectClass: top
objectClass: person
objectClass: mozillaAbPersonAlpha
uid: somedude
cn: Some Dude
AFAICT, it seems that my installation of OpenLDAP is lacking a schema for mozillaAbPersonAlpha. But how do I install this schema?
EDIT: The server is using the new configuration backend, so there isn't any slapd.conf file. There is, instead, a /etc/slapd.d/ directory with the weird directory naming (e.g. /etc/slapd.d/cn=config/). How do I add the new schema in this situation?
-
Noe Nieto about 13 years
Thanks for your answer, but I wasn't very clear about the setup. I edited the question with the details.
-
bishop over 9 years
Only works for ldif based backends: olc based use the {N} ordered config files and require import since 2.4.
-
bishop over 9 years
Also applies to Centos 6.
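Two helpers for the procedure in the answer and the error in the question, added here as an editor's example (not code from the question, the answer or the OpenLDAP project). The first produces the ldapmodify LDIF that sets olcRootDN/olcRootPW on olcDatabase={0}config, with the password as a salted {SSHA} hash (the format slappasswd emits) rather than the cleartext olcRootPW shown above, plus the bind-side check slapd performs against such a value. The second is a pre-flight check for the "objectClass: value #3 invalid per syntax" (error 21) failure from the question: it parses the schema LDIF you intend to load into cn=schema,cn=config, collects the objectClass NAMEs it defines, and lists every objectClass value in an entry file that no schema defines, so a bulk import can be checked before ldapadd rejects half of it. The schema fragment, the entries and the built-in class list are constructed placeholders; the real Mozilla schema is not reproduced.

```python
# Added example: the editor's code, not from the question, the answer or OpenLDAP.
import base64
import hashlib
import os
import re
from typing import Dict, List, Optional, Set

def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} value as slappasswd emits it: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored: str, password: str) -> bool:
    """Check a cleartext password against a {SSHA} value, as slapd does on bind."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; salt follows
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest

def config_rootpw_ldif(root_dn: str, hashed_pw: str) -> str:
    """ldapmodify LDIF that sets olcRootDN/olcRootPW on the cn=config database."""
    return ("dn: olcDatabase={0}config,cn=config\n"
            "changetype: modify\n"
            "replace: olcRootDN\n"
            f"olcRootDN: {root_dn}\n"
            "-\n"
            "replace: olcRootPW\n"
            f"olcRootPW: {hashed_pw}\n")

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: unfold, split on blank lines, lower-case attribute names."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in re.sub(r"\n ", "", text).splitlines():  # "\n " is a folded line
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

# NAME 'x' or NAME ( 'x' 'y' ) inside an RFC 4512 objectClass definition.
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(((?:\s*'[^']+')+)\s*\))")

def defined_object_classes(schema_ldif: str) -> Set[str]:
    """Lower-cased objectClass NAMEs defined by the olcObjectClasses values."""
    names: Set[str] = set()
    for entry in parse_ldif(schema_ldif):
        for definition in entry.get("olcobjectclasses", []):
            match = _NAME_RE.search(definition)
            if match:
                names.update(n.lower() for n in re.findall(r"'([^']+)'", match.group(0)))
    return names

# Stand-in for what a stock Debian slapd loads (core, cosine, nis, inetorgperson).
BUILTIN_CLASSES = {"top", "person", "organizationalperson", "inetorgperson",
                   "organizationalunit", "dcobject", "posixaccount", "posixgroup"}

def undefined_object_classes(entry_ldif: str, schema_ldif: str,
                             builtin: Set[str] = BUILTIN_CLASSES) -> Dict[str, List[str]]:
    """DN -> objectClass values no schema defines: what slapd rejects with error 21."""
    known = builtin | defined_object_classes(schema_ldif)
    problems: Dict[str, List[str]] = {}
    for entry in parse_ldif(entry_ldif):
        missing = [oc for oc in entry.get("objectclass", []) if oc.lower() not in known]
        if missing:
            problems[entry["dn"][0]] = missing
    return problems

# Constructed samples: a placeholder schema entry (not the real Mozilla definition)
# and two entries, the second with a misspelled objectClass.
SAMPLE_SCHEMA_LDIF = """\
dn: cn=mozillaabpersonalpha,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: mozillaabpersonalpha
olcObjectClasses: {0}( 1.1.1.1 NAME 'mozillaAbPersonAlpha' DESC 'constructed
  placeholder' SUP top AUXILIARY MAY ( mozillaCustom1 $ mozillaCustom2 ) )
"""
SAMPLE_USERS_LDIF = """\
dn: uid=somedude,cn=Whatever,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: top
objectClass: person
objectClass: mozillaAbPersonAlpha

dn: uid=typo,cn=Whatever,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: mozillaAbPersonAlfa
"""
```

Usage: `config_rootpw_ldif("cn=admin,cn=config", ssha_hash("mypassword"))` gives the change to apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpw.ldif` on Debian releases whose packaged config lets the local root user manage cn=config over the ldapi socket (otherwise edit olcDatabase={0}config.ldif with slapd stopped, as the answer did); `ldapwhoami -D cn=admin,cn=config -W` then confirms the bind as above. `undefined_object_classes(SAMPLE_USERS_LDIF, "")` reports both sample entries, `undefined_object_classes(SAMPLE_USERS_LDIF, SAMPLE_SCHEMA_LDIF)` only the misspelled one. For a real server, `slapcat -n 0` dumps cn=config including every loaded schema entry; pass that output as schema_ldif with `builtin=set()` to check an import against what slapd actually knows instead of the stand-in list.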