How do I install a new schema for OpenLDAP on Debian 5 with the dynamic cn=config backend?


I'm answering my own question because I wanted to know how to solve the problem while using the new slapd.d/dynamic/cn=config backend, and I didn't want to go back to the slapd.conf method. (Almost nobody is doing this, AFAICT.)

When I tried to add the new schema using `ldapadd`, I always got the following error:

ldapadd -H ldap://whatever.test.com -D "cn=admin,dc=whatever,dc=test,dc=com" -x -W -f mozillaabpersonalpha.ldif
ldap_add: Insufficient access (50)

So the BindDN I was using does not have those privileges. I would need to set up an ACL or to use the rootDN for that operation.

I don't know why, but when configuring the slapd Debian package, it allowed me to create an admin account for my own DIT, but it mentioned nothing about the rootDN. After some browsing, I found this blog post that explains how to set the password of the rootDN while using the cn=config schema.

So, I edited the file /etc/ldap/slapd.d/cn=config/olcDatabase\=\{0\}config.ldif and added the following:

olcRootDN: cn=admin,cn=config
olcRootPW: mypassword

I had to restart slapd for the changes to take effect (it shouldn't be necessary, but ...). In order to test it, I ran the following command:

ldapwhoami -H ldap://whatever.test.com -D "cn=admin,cn=config" -x -w mypassword

And it worked! The next step was to load the mozillaAbPersonAlpha schema in ldif format using ldapadd:

ldapadd -H ldap://whatever.test.com -D "cn=admin,cn=config" -x -w mypassword -f mozillaabpersonalpha.ldif

The response was successful:

adding new entry "cn=mozillaabpersonalpha,cn=schema,cn=config"

Finally, adding a user that depends on the mozillaAbPersonAlpha schema is now possible. For example, the file newuser.ldif has this:

dn: uid=somedude,cn=Whatever,dc=test,dc=com
sn: Some Dude
givenName: Dude
mail: [email protected]
mozillaCustom1: Engineering
l: Somewhere
objectClass: inetOrgPerson
objectClass: top
objectClass: person
objectClass: mozillaAbPersonAlpha
uid: somedude
cn: Some Dude

And adding it to the new directory (not using the rootDN account) works now:

ldapadd -H ldap://whatever.test.com -D "cn=admin,dc=whatever,dc=test,dc=com" -x -W -f usertest.ldif
Enter LDAP Password:
adding new entry "uid=somedude,cn=SomeGroup,cn=whatever,dc=test,dc=com"
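The answer writes a plaintext olcRootPW into the config file and restarts slapd. As an added example (not from the answer above), this Python script produces the same change as an {SSHA}-hashed value in ldapmodify input, applied over ldapi:/// with SASL EXTERNAL so no restart or file edit is needed. It assumes the {0}config ACL grants the local root user manage access over ldapi:/// (as Debian's packaged default does in later releases); the DN and password are the constructed samples from the answer.

```python
"""Build ldapmodify input that sets olcRootDN/olcRootPW on the cn=config database.

Added example, not part of the original answer. Instead of a plaintext
olcRootPW edited into olcDatabase={0}config.ldif by hand, the password is
stored in the {SSHA} format slapd understands. Apply the output with:
    ldapmodify -Y EXTERNAL -H ldapi:/// -f rootpw.ldif
(assumes the local root user has manage access to {0}config over ldapi:///).
"""
import base64
import hashlib
import os
from typing import Optional

# The config database entry; same entry the answer edits on disk.
CONFIG_DB_DN = "olcDatabase={0}config,cn=config"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an OpenLDAP-style {SSHA} value: base64(sha1(pw + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a {SSHA} value (salt is the tail)."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
    return hashlib.sha1(password.encode("utf-8") + salt).digest() == digest


def rootpw_ldif(root_dn: str, password: str, salt: Optional[bytes] = None) -> str:
    """LDIF changerecord replacing olcRootDN and olcRootPW on {0}config."""
    return (
        f"dn: {CONFIG_DB_DN}\n"
        "changetype: modify\n"
        "replace: olcRootDN\n"
        f"olcRootDN: {root_dn}\n"
        "-\n"
        "replace: olcRootPW\n"
        f"olcRootPW: {ssha_hash(password, salt)}\n"
    )


if __name__ == "__main__":
    # Constructed sample values matching the answer; redirect to rootpw.ldif.
    print(rootpw_ldif("cn=admin,cn=config", "mypassword"))
```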
Author: Noe Nieto

Updated on September 18, 2022

Comments

  • Noe Nieto, almost 2 years ago

    I'm importing an OpenLDAP database from another server, and while importing I got some errors with some users; the problem is that mozillaAbPersonAlpha is not a valid objectClass.

    #!ERROR [LDAP Error Code 21 - objectClass: value #3 invalid per syntax]
    ...
    dn: uid=somedude,cn=Whatever,dc=test,dc=com
    sn: Some Dude
    givenName: Dude
    mail: [email protected]
    mozillaCustom1: Engineering
    l: Somewhere
    objectClass: inetOrgPerson
    objectClass: top
    objectClass: person
    objectClass: mozillaAbPersonAlpha
    uid: somedude
    cn: Some Dude
    

    AFAICT, it seems that my installation of OpenLDAP is lacking a schema for mozillaAbPersonAlpha.

    But how do I install this schema?

    EDIT: The server is using the new configuration backend, so there isn't any slapd.conf file. There is, instead, a /etc/slapd.d/ directory with the weird directory naming (e.g. /etc/slapd.d/cn=config/).

    How do I add the new schema in this situation?

  • Noe Nieto, about 13 years ago
    Thanks for your answer, but I wasn't very clear about the setup. I edited the question with the details.
  • bishop, over 9 years ago
    Only works for ldif-based backends: olc-based ones use the {N} ordered config files and require import since 2.4.
  • bishop, over 9 years ago
    Also applies to Centos 6.