Norman Gray wrote:
> Separately, Howard Chu said:
> 
>> All of the schema is always retrievable from slapd itself, either by
>> querying cn=Subschema or cn=schema,cn=config.
> 
> That looks perfect in principle, and I see you made a similar remark in
> <https://bugs.openldap.org/show_bug.cgi?id=7335>.  However the first way that
> occurred to me to search for this:
> 
>     # slapcat -b cn=config | grep cn=schema
>     dn: cn=schema,cn=config
>     dn: cn={0}core,cn=schema,cn=config
>     dn: cn={1}cosine,cn=schema,cn=config
>     dn: cn={2}nis,cn=schema,cn=config
>     dn: cn={3}inetorgperson,cn=schema,cn=config
> 
> ...didn't produce the results I expected.

slapcat is not querying slapd, so no.

> I find I can do
> 
>     %  ldapsearch -x -b cn=schema,cn=config -D cn=config -w PASSWORD '(objectclass=*)'

You should add "-s base" to this command, since hardcoded schema only appears 
in this entry.

> and grub through the output to find
> 
> olcObjectClasses: ( OLcfgOvOc:1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Prov
>  ider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ o
>  lcSpSessionlog $ olcSpNoPresent $ olcSpReloadHint ) )
> 
> Is that what you meant, Howard?  If so, then yes, a schema; but looking there
> really, really, isn't obvious from slapd-config(5).  It is described there
> under 'schema options', and there's nothing wrong with the text, but one has
> to know it's there beforehand, in order to find it.

The slapd-config(5) manpage says explicitly

      The cn=Schema entry contains all of the hardcoded schema elements.  The
      children of this entry contain all user-defined  schema  elements.

But even if you didn't know that, you should already know that all LDAPv3
servers publish their schema, and you can find where that is by querying the
subschemaSubentry attribute of any entry (including the rootDSE). In OpenLDAP
this will always point to "cn=Subschema" - but you don't need to memorize
that, ldapsearch will show you.

> I think none of your users would feel at all insulted by being given slightly 
> more of a hint there or in, say, slapd.overlays(5).

Users are expected to know how LDAP works already.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
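
The lookup described in the reply above (read subschemaSubentry from the root DSE, then read that one entry with base scope), as an added example that is not part of the original message. LDAP_URI and the function names are assumptions; the sample input is the folded olcObjectClasses value quoted in the thread.

```sh
#!/bin/sh
# Added example. LDAP_URI is an assumption; point it at your own server.
LDAP_URI="${LDAP_URI:-ldap://localhost}"

# LDIF folds long values: a line starting with one space continues the
# previous line. Join them so each attribute value is on a single line.
unfold_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
             { if (NR > 1) print buf; buf = $0 }
        END  { if (NR > 0) print buf }
    '
}

# Step 1: ask the root DSE (empty base DN, base scope) where the schema is.
find_subschema_dn() {
    ldapsearch -x -LLL -H "$LDAP_URI" -s base -b "" subschemaSubentry |
        unfold_ldif | sed -n 's/^subschemaSubentry: //p'
}

# Step 2: read that one entry. Its schema attributes are operational, so
# they are requested by name.
dump_schema() {
    ldapsearch -x -LLL -H "$LDAP_URI" -s base -b "$1" \
        objectClasses attributeTypes | unfold_ldif
}

# Print the first NAME of every (olc)ObjectClasses value on stdin.
objectclass_names() {
    sed -n "s/^\(olc\)\{0,1\}[oO]bjectClasses: ( *[^ ]* NAME [( ]*'\([^']*\)'.*/\2/p"
}

# The folded value quoted in the message above, used as offline sample input.
sample_ldif() {
    cat <<'EOF'
olcObjectClasses: ( OLcfgOvOc:1.1 NAME 'olcSyncProvConfig' DESC 'SyncRepl Prov
 ider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ o
 lcSpSessionlog $ olcSpNoPresent $ olcSpReloadHint ) )
EOF
}

sample_ldif | unfold_ldif | objectclass_names
# Against a live server: dump_schema "$(find_subschema_dn)" | objectclass_names
```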
