thank you for the reply

Andrew Findlay <[email protected]> wrote:
> You should not change the definitions of standard attributes or
> objectclasses.
I remember that, though I wasn't able to get that working without patching ...
> That does not stop you from setting up an index for the
> attribute though, and most LDAP servers will then allow you to search
> for it even if the published schema does not allow for the possibility.
here is my story, what I tried and what worked:
================================================================================================================
1. INDEX SUB
================================================================================================================
index authorizedService sub,eq
in line 180 of slapd.conf and original ldapns.schema, slapd doesn't
start and complains with:
/usr/local/etc/openldap/slapd.conf: line 180: substr index of attribute
"authorizedService" disallowed
================================================================================================================
2. ORIGINAL ldapns.schema - no substring search result
================================================================================================================
---[ slapd.conf ]-------------------------------------------
index default eq,sub
index authorizedService eq
---[ slapd.conf ]-------------------------------------------
---[ slapd.log with original ldapns.schema ]----------------------------------------
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH base="ou=People,dc=foo"
scope=2 deref=0 filter="(?authorizedService=web@*)"
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH attr=* createTimestamp
creatorsName modifiersName modifyTimestamp
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SEARCH RESULT tag=101 err=0
nentries=0 text=
---[ slapd.log with original ldapns.schema ]----------------------------------------
================================================================================================================
3. PATCHED ldapns.schema - successful substring search
================================================================================================================
---[ ldapns.schema.patch ]-------------------------------------------
--- ldapns.schema.orig 2014-09-15 23:47:56.135989000 +0300
+++ ldapns.schema 2015-02-15 23:50:53.714906292 +0200
@@ -1,6 +1,7 @@
attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService'
DESC 'IANA GSS-API authorized service name'
EQUALITY caseIgnoreMatch
+ SUBSTR caseIgnoreIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject'
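Review bot: the added SUBSTR line names caseIgnoreIA5SubstringsMatch, while the unchanged SYNTAX line is 1.3.6.1.4.1.1466.115.121.1.15 (Directory String) and the EQUALITY rule is caseIgnoreMatch. The IA5 substring rule is defined for IA5 String values, so the rule that pairs with the existing syntax and equality rule is caseIgnoreSubstringsMatch; suggest "SUBSTR caseIgnoreSubstringsMatch" here. Since the hunk edits the distributed ldapns.schema in place, a comment in the file marking the line as a local change would help whoever next replaces the schema from upstream.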
---[ ldapns.schema.patch ]-------------------------------------------
---[ slapd.conf ]-------------------------------------------
index default eq,sub
index authorizedService sub,eq
---[ slapd.conf ]-------------------------------------------
---[ slapd.log with patched ldapns.schema ]-------------------------------------------
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH base="ou=People,dc=foo"
scope=2 deref=0 filter="(authorizedService=web@*)"
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH attr=* createTimestamp
creatorsName modifiersName modifyTimestamp
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SEARCH RESULT tag=101 err=0
nentries=8 text=
---[ slapd.log with patched ldapns.schema ]-------------------------------------------
--
Zeus V. Panchenko jid:[email protected]
IT Dpt., I.B.S. LLC GMT+2 (EET)
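An added example, not part of the original message: Python that scans slapd log lines for searches whose logged filter carries the leading "?" seen in section 2 and pairs each one with the err/nentries of its SEARCH RESULT line. The sample log is constructed from the excerpts above, the function name is hypothetical, and reading "(?attr" as slapd's marker for a filter component it could not evaluate is an assumption consistent with the two logs.

```python
import re

# Constructed sample, modelled on the two slapd.log excerpts in the message.
SAMPLE_LOG = """\
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(?authorizedService=web@*)"
Oct 19 08:00:52 host slapd[1245]: conn=1008 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SRCH base="ou=People,dc=foo" scope=2 deref=0 filter="(authorizedService=web@*)"
Oct 19 08:04:40 host slapd[1367]: conn=1041 op=1 SEARCH RESULT tag=101 err=0 nentries=8 text=
"""

OP = re.compile(r'slapd\[(\d+)\]: conn=(\d+) op=(\d+) (.*)')
FILTER = re.compile(r'SRCH base="([^"]*)".* filter="(.*)"$')
RESULT = re.compile(r'SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')
UNDEFINED = re.compile(r'\(\?([^=~<>()]+)')  # "(?attr" inside a logged filter


def undefined_filter_searches(log_text):
    """Return searches whose logged filter has a '?'-marked component,
    each paired with err/nentries from the matching SEARCH RESULT line."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = OP.search(line)
        if not m:
            continue
        key, rest = m.group(1, 2, 3), m.group(4)  # key = (pid, conn, op)
        srch = FILTER.match(rest)
        if srch:
            attrs = UNDEFINED.findall(srch.group(2))
            if attrs:
                pending[key] = {"base": srch.group(1),
                                "filter": srch.group(2), "attrs": attrs}
            continue
        res = RESULT.match(rest)
        if res and key in pending:
            hit = pending.pop(key)
            hit["conn"], hit["op"] = int(key[1]), int(key[2])
            hit["err"], hit["nentries"] = int(res.group(1)), int(res.group(2))
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in undefined_filter_searches(SAMPLE_LOG):
        print("conn={conn} op={op} err={err} nentries={nentries} "
              "undefined={attrs} filter={filter}".format(**f))
```

A hit with err=0 and nentries=0 is the case from section 2: the search reports success yet matches nothing, which is easy to miss when authorizedService decides who may use a service.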
