I'm scripting some ldap automation and have reached a slight hangup. Basically, I want to check if an attribute being added to an entry actually exists within a given objectClass before I try to add it.
So far the best idea I have for this is just running a regex on the schema definition file for the attribute, but that wouldn't account for the schema file being edited after the config is initialized.
A second thought would be to just catch the error thrown if the attribute can't be added, but that seems less efficient since my next step would then be to add the attribute to the schema and rebuild the config.
Seems like there should be a simple ldapsearch command to do this but I can't figure out the syntax.
So far I've tried:
ldapsearch -x -b 'dc=MY_DOMAIN,dc=com' '(objectclass=mySCHEMA)'
but that just lists any ldap entries that have the mySCHEMA objectclass on them.
Thanks for the help, Cheers!
You're looking for the subschemaSubentry (RFC 2252, Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions). You can find it like so:

As a one line:

If you're scripting in bash and your version of ldapsearch supports it, -o ldif-wrap=no will mean that you don't have to parse ldif line wrapping.

cn=schema,cn=config, while handy, is usually unavailable under OpenLDAP due to access controls inherited from cn=config.

This is what I use to show the schema of a specific objectClass, such as organizationalRole:
It has been a lot of time since I was working with LDAP, but I think that each LDAP server may expose the schema in a certain suffix.
I think in OpenLDAP you can search in base "cn=schema,cn=config" to find the current schema. Try something like
ldapsearch -x -s sub -b "cn=schema,cn=config" '(objectclass=*)'
to see what you get. (Haven't tested this command line, but you get the point...)

From a developer's perspective, I would expect that the correct schema is there, and handle the exception of objectclass violation as if it was any kind of error.
I think that altering the schema is not something that should be handled by the application that adds/deletes data but by the installation procedure of the software.
Simple shell/awk script approaches won't work at all because of object class inheritance. You have to evaluate that to really find out in advance what the LDAP server would be doing with your add/modify request. (At least that's what I understand you want to achieve.)
If you don't mind scripting in Python you could use python-ldap's module ldap.schema which I've implemented for the full schema support in web2ldap. Besides object class inheritance it also takes care of DIT content rules which is very important to get attribute lists right with MS AD.
Be warned: Implementing a general solution is not trivial! And depending on the LDAP server used you will find somewhat incomplete schema references and will have to implement fall-back handling here and there.
I only know exactly one LDAPv3 client implementing full LDAP schema support. ;-)
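As an added example (my own code, not from any answer above and not python-ldap), here is a pure-Python check that does what the first answer describes, reading the objectClasses values of the subschemaSubentry and unwrapping LDIF line folding, and what the third answer says a grep/awk script cannot: follow SUP inheritance, so that inetOrgPerson is known to require sn because it inherits from person. The schema text is a constructed, abbreviated excerpt in RFC 4512 syntax; the ldapsearch invocation in the comment assumes OpenLDAP's default subschemaSubentry DN cn=Subschema (the real DN is read from the root DSE), and the script does not evaluate DIT content rules.

```python
"""Check whether an attribute is allowed by an objectClass, following SUP
inheritance, from the objectClasses values of a subschema subentry.
Pure Python (no python-ldap); the schema below is a constructed, abbreviated
excerpt in RFC 4512 syntax, folded the way ldapsearch prints LDIF when
-o ldif-wrap=no is unavailable."""
import re

# Constructed sample of what `ldapsearch -x -s base -b cn=Subschema objectClasses`
# returns from OpenLDAP (cn=Subschema is OpenLDAP's default subschemaSubentry;
# the real DN comes from the root DSE's subschemaSubentry attribute).
SAMPLE_LDIF = """\
dn: cn=Subschema
objectClasses: ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MA
 Y ( userPassword $ telephoneNumber $ seeAlso $ description ) )
objectClasses: ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MA
 Y ( title $ ou $ l ) )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' DESC 'RFC2798: Int
 ernet Organizational Person' SUP organizationalPerson STRUCTURAL MAY ( mail $
  displayName ) )
objectClasses: ( 2.5.6.8 NAME 'organizationalRole' SUP top STRUCTURAL MUST cn
  MAY ( roleOccupant $ ou $ description ) )
"""

_TOKEN = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")
_FIELD = {'NAME': 'names', 'SUP': 'sup', 'MUST': 'must', 'MAY': 'may'}


def unwrap_ldif(text):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_object_class(definition):
    """Parse one RFC 4512 ObjectClassDescription into a dict."""
    tokens = _TOKEN.findall(definition)
    if len(tokens) < 3 or tokens[0] != '(' or tokens[-1] != ')':
        raise ValueError('not an objectClass description: %r' % definition)
    oc = {'oid': tokens[1], 'names': [], 'sup': [], 'must': [], 'may': [],
          'kind': 'STRUCTURAL'}          # STRUCTURAL is the RFC 4512 default

    def read_list(i):
        # A single value or a parenthesised list; '$' separators are skipped.
        if tokens[i] != '(':
            return [tokens[i].strip("'")], i + 1
        items, i = [], i + 1
        while tokens[i] != ')':
            if tokens[i] != '$':
                items.append(tokens[i].strip("'"))
            i += 1
        return items, i + 1

    i = 2
    while i < len(tokens) - 1:
        kw = tokens[i]
        if kw in _FIELD:
            oc[_FIELD[kw]], i = read_list(i + 1)
        elif kw == 'DESC':
            i += 2                          # DESC takes exactly one qdstring
        elif kw in ('ABSTRACT', 'STRUCTURAL', 'AUXILIARY'):
            oc['kind'], i = kw, i + 1
        else:
            i += 1                          # OBSOLETE, X-* extensions, values
    return oc


def load_object_classes(ldif_text):
    """Index every objectClasses value by OID and by each NAME (lower-cased,
    since LDAP short names are case-insensitive)."""
    classes = {}
    for line in unwrap_ldif(ldif_text):
        if line.startswith('objectClasses:'):
            oc = parse_object_class(line.split(':', 1)[1].strip())
            classes[oc['oid']] = oc
            for name in oc['names']:
                classes[name.lower()] = oc
    return classes


def allowed_attributes(classes, oc_name, _seen=None):
    """(must, may) for oc_name including everything inherited via SUP,
    which is the step a plain grep/awk over the schema cannot do."""
    oc = classes[oc_name.lower()]
    _seen = set() if _seen is None else _seen
    if oc['oid'] in _seen:                  # defensive: cyclic SUP chain
        return set(), set()
    _seen.add(oc['oid'])
    must = {a.lower() for a in oc['must']}
    may = {a.lower() for a in oc['may']}
    for sup in oc['sup']:
        sup_must, sup_may = allowed_attributes(classes, sup, _seen)
        must |= sup_must
        may |= sup_may
    return must, may - must


def attribute_allowed(classes, object_classes, attr):
    """True if attr is MUST or MAY for any objectClass value of the entry
    (the entry's allowed set is the union over all its classes).
    DIT content rules are not evaluated here."""
    wanted = attr.lower()
    return any(wanted in s for oc in object_classes
               for s in allowed_attributes(classes, oc))


if __name__ == '__main__':
    schema = load_object_classes(SAMPLE_LDIF)
    print(attribute_allowed(schema, ['inetOrgPerson'], 'sn'))        # True, via person
    print(attribute_allowed(schema, ['organizationalRole'], 'mail'))  # False
```

In real use, replace SAMPLE_LDIF with the captured ldapsearch output of the subschema subentry and pass the entry's complete list of objectClass values, since an auxiliary class can permit attributes the structural class alone does not.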
If you prefer a GUI solution, download an LDAP browser like the free open source cross-platform JXplorer. Once connected to the LDAP, it allows you to browse (and edit) all objects and their attributes.