Kurt D. Zeilenga wrote:
> At 06:53 AM 1/3/2006, Bruno Bzeznik wrote:
>
>> some other servers are using the ldap directories and they add
>> supplementary attributes to entries independently of the attributes I manage
>> in my schemas.
>
> BTW, the standard way of enabling the addition of values of
> any (user application) attribute to an object is to use
> the extensibleObject mechanism. This mechanism has been supported
> for years in OpenLDAP Software.
>
> Kurt

Well, I'm not an LDAP expert, but I don't think that it will help me.
Here's an example of a problem that I may encounter with schemachecking.

I've got 2 servers using the same LDAP service:
- "A" is a unix host, with a simple unix mail service, and it hosts the openldap server.
- "B" is a samba server, using the same accounts that are hosted in the ldap server of "A".

When I create an account on "A", it's a "posixAccount,account".
But for server "B", it must be a "sambaAccount".
Objectclasses account and sambaAccount are not compatible:
  invalid structural object class chain (account/sambaAccount)
So, server "A" must create sambaAccounts, even if it is not managing attributes of this class.
But a sambaAccount needs a "rid" attribute:
  object class 'sambaAccount' requires attribute 'rid'
Only "B" knows how to create this attribute.
So, we used schemacheck off, and let A create accounts and B modify accounts into sambaAccounts.
What can I do now with schemacheck mandatory on?

I know that perhaps the way we use LDAP is not very clean. But it worked for years... By using LDAP, we were able to provide the same login/password to users over different services.

We upgraded only for security reasons (Fedora Core 3 update). We could not imagine that you would change this feature in a minor release; there's very little info about that, and the feature has disappeared silently, with no warning about a future deprecation.

We can change our way, but we have got a lot of work to do so, and we can not do that in our stable environment, but in a testing one before, and plan the change for the future.
So, for the moment, we need an up-to-date secure openldap 2.2.x with schemachecking off.

I don't think that we are using the "DIT content rules code" that you talked about here:
http://www.openldap.org/lists/openldap-software/200509/msg00476.html

So, do you think I can patch openldap to re-add the "global_schemacheck = 0;" line into the source code without having troubles?

========================================
Bruno Bzeznik - [EMAIL PROTECTED]
Systemes et reseaux
Academie de Grenoble
http://slis.ac-grenoble.fr
========================================
