{"id":354,"date":"2012-06-19T10:21:34","date_gmt":"2012-06-19T10:21:34","guid":{"rendered":""},"modified":"2016-01-11T13:10:23","modified_gmt":"2016-01-11T12:10:23","slug":"opendj-online-schema-modification","status":"publish","type":"post","link":"https:\/\/drfugazi.eu.org\/en\/opendj-online-schema-modification\/","title":{"rendered":"OpenDJ &#8211; online schema modification"},"content":{"rendered":"<p><a href=\"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2012\/06\/opendj-logo.png\" data-rel=\"lightbox-gallery-0\" data-rl_title=\"\" data-rl_caption=\"\" title=\"\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"562\" data-permalink=\"https:\/\/drfugazi.eu.org\/en\/opendj-online-schema-modification\/opendj-logo\/\" data-orig-file=\"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2012\/06\/opendj-logo.png?fit=179%2C65&amp;ssl=1\" data-orig-size=\"179,65\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"opendj-logo\" data-image-description=\"\" data-image-caption=\"\" data-medium-file=\"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2012\/06\/opendj-logo.png?fit=179%2C65&amp;ssl=1\" data-large-file=\"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2012\/06\/opendj-logo.png?fit=179%2C65&amp;ssl=1\" class=\"alignleft size-full wp-image-562\" src=\"https:\/\/i0.wp.com\/drfugazi.eu.org\/wp-content\/uploads\/2012\/06\/opendj-logo.png?resize=179%2C65\" alt=\"opendj-logo\" width=\"179\" height=\"65\" data-recalc-dims=\"1\" \/><\/a>I wrote before about schema conversion to LDIF format and how to add schemas 
offline by uploading them to the <code>config\/schema<\/code> directory in OpenDJ. Now I will describe how to extend the schema online, without restarting the LDAP server. Most, if not all, LDAP servers now make it possible to modify configuration and schemas via LDIF files and the <code>ldapmodify<\/code> tool. Let&#8217;s prepare our LDIF file, attributes first:<\/p>\n<pre><code># cat us-newattrs.ldif<\/code><\/pre>\n<p><!--more--><\/p>\n<pre>dn: cn=schema\r\nchangetype: modify\r\nadd: attributeTypes\r\nattributeTypes: ( 1.3.6.1.4.1.XXXX.1.1.11 \r\n NAME 'usTypeOfStudies' \r\n DESC 'Type of studies' \r\n EQUALITY caseIgnoreMatch \r\n SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\r\n-\r\nadd: attributeTypes\r\nattributeTypes: ( 1.3.6.1.4.1.XXXX.1.1.12 \r\n NAME 'usSystemOfStudies' \r\n DESC 'System of studies' \r\n EQUALITY caseIgnoreMatch \r\n SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\r\n\r\n<\/pre>\n<p>An explanation of those numbers can be found in the LDAP documentation and RFCs. In place of XXXX goes your OID, a unique number which should be registered for your institution.<\/p>\n<p>Now the part which modifies an object class already existing in the schema (first <code>delete<\/code>, then <code>add<\/code>):<\/p>\n<pre><code># cat us-modclass.ldif<\/code><\/pre>\n<pre>dn: cn=schema\r\nchangetype: modify\r\ndelete: objectClasses\r\nobjectClasses: ( 1.3.6.1.4.1.XXXX.1.2.2\r\n NAME 'useduplStudAccount'\r\n DESC 'us.edu.pl account extension for students' \r\n SUP useduplAccount AUXILIARY \r\n MAY ( usUsosId $ usUsosLogin $ usUsosPass $ usIndexNum $ usAccountActive ) \r\n )\r\n-\r\nadd: objectClasses\r\nobjectClasses: ( 1.3.6.1.4.1.XXXX.1.2.2\r\n NAME 'useduplStudAccount' \r\n DESC 'us.edu.pl account extension for students' \r\n SUP useduplAccount AUXILIARY \r\n MAY ( usUsosId $ usUsosLogin $ usUsosPass $ usIndexNum $ usAccountActive $ usTypeOfStudies $ usSystemOfStudies ) \r\n )\r\n\r\n<\/pre>\n<p>The files are prepared, but I suggest backing up the LDAP directory before the change.<\/p>\n<pre><code># cd 
\/data\/var\/OpenDJ\r\n# mkdir ..\/backup\r\n# .\/bin\/backup --backUpAll --compress --backupDirectory ..\/backup<\/code>\r\n[19\/Jun\/2012:10:11:18 +0200] category=TOOLS severity=NOTICE msgID=10944792 msg=Starting backup for backend config\r\n[19\/Jun\/2012:10:11:19 +0200] category=TOOLS severity=NOTICE msgID=10944792 msg=Starting backup for backend userRoot\r\n[19\/Jun\/2012:10:11:21 +0200] category=JEB severity=NOTICE msgID=8847446 msg=Archived: 00000000.jdb\r\n[19\/Jun\/2012:10:11:24 +0200] category=JEB severity=NOTICE msgID=8847446 msg=Archived: 00000001.jdb\r\n[19\/Jun\/2012:10:11:27 +0200] category=JEB severity=NOTICE msgID=8847446 msg=Archived: 00000002.jdb\r\n[19\/Jun\/2012:10:11:30 +0200] category=JEB severity=NOTICE msgID=8847446 msg=Archived: 00000003.jdb\r\n...\r\n[19\/Jun\/2012:10:13:01 +0200] category=JEB severity=NOTICE msgID=8847446 msg=Archived: 000004cb.jdb\r\n[19\/Jun\/2012:10:13:01 +0200] category=TOOLS severity=NOTICE msgID=10944792 msg=Starting backup for backend replicationChanges\r\n[19\/Jun\/2012:10:13:03 +0200] category=JEB severity=NOTICE msgID=8847446 msg=Archived: 00000005.jdb\r\n[19\/Jun\/2012:10:13:04 +0200] category=JEB severity=NOTICE msgID=8847446 msg=Archived: 00000006.jdb\r\n[19\/Jun\/2012:10:13:04 +0200] category=TOOLS severity=NOTICE msgID=10944792 msg=Starting backup for backend schema\r\n[19\/Jun\/2012:10:13:04 +0200] category=TOOLS severity=NOTICE msgID=10944792 msg=Starting backup for backend tasks\r\n[19\/Jun\/2012:10:13:04 +0200] category=TOOLS severity=NOTICE msgID=10944795 msg=The backup process completed successfully\r\n<\/pre>\n<p>Let&#8217;s add new attributes:<\/p>\n<pre><code># .\/bin\/ldapmodify -D cn=dirmgr -h localhost -X -f ..\/us-newattrs.ldif<\/code>\r\nPassword for user 'cn=dirmgr':\r\nProcessing MODIFY request for cn=schema\r\nMODIFY operation successful for DN cn=schema\r\n<\/pre>\n<p>Now we are checking dry run of objectClass modification (option <code>-n<\/code> means &#8220;dry 
run&#8221;):<\/p>\n<pre><code># .\/bin\/ldapmodify -D cn=dirmgr -h localhost -X -n -f ..\/us-newclass.ldif<\/code>\r\nPassword for user 'cn=dirmgr':\r\nProcessing MODIFY request for cn=schema\r\n<\/pre>\n<p>No errors occurred, so we can modify the objectClass (without <code>-n<\/code>):<\/p>\n<pre><code># .\/bin\/ldapmodify -D cn=dirmgr -h localhost -X -f ..\/us-newclass.ldif   <\/code>\r\nPassword for user 'cn=dirmgr':\r\nProcessing MODIFY request for cn=schema\r\nMODIFY operation successful for DN cn=schema\r\n<\/pre>\n<p>If replicas are properly configured, the schema changes will be replicated to them automatically. You can check this by reviewing the <code>config\/schema<\/code> directory on another server:<\/p>\n<pre><code># less 99-user.ldif<\/code>\r\ndn: cn=schema\r\nobjectClass: top\r\nobjectClass: ldapSubentry\r\nobjectClass: subschema\r\ncn: schema\r\nattributeTypes: ( 1.3.6.1.4.1.XXXX.1.1.12 NAME 'usSystemOfStudies' DESC 'System of studies' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\r\nattributeTypes: ( 1.3.6.1.4.1.XXXX.1.1.11 NAME 'usTypeOfStudies' DESC 'Type of studies' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\r\nds-sync-generation-id: 8408\r\nmodifiersName: cn=Directory Manager,cn=Root DNs,cn=config\r\nds-sync-state: 00000132f753ae9a5d4900000001\r\nds-sync-state: 000001316b1b6be44a1a00000001\r\nds-sync-state: 0000013803e4be617c7400000004\r\nmodifyTimestamp: 20120619083838Z\r\n<\/pre>\n<p><b>Notice:<\/b> I wrote that you can modify the schema without a restart, but you can hit a bug when adding a new attribute to an existing entry whose objectClass has been modified. 
This is caused by the server&#8217;s cache, where the compressed schema is stored, and it leads to error 65:<\/p>\n<pre>Result Code: 65 (Object Class Violation)\r\nAdditional Information: Entry xxx cannot not be modified because the resulting entry would have violated the server schema: Entry xxx violates the Directory Server schema configuration because it includes attribute testattr which is not allowed by any of the objectclasses defined in that entry<\/pre>\n<p>The bug has already been reported and should be fixed in 2.5. The workaround in 2.4.x versions is to restart the LDAP server. You can read more about it on this page:<\/p>\n<p><a href=\"https:\/\/bugster.forgerock.org\/jira\/browse\/OPENDJ-169\">https:\/\/bugster.forgerock.org\/jira\/browse\/OPENDJ-169<\/a><\/p>","protected":false},"excerpt":{"rendered":"<p>Sorry, this entry is only available in Polish. For the sake of viewer convenience, the content is shown below in the alternative language. You may click the link to switch the active language.Pisa\u0142em 
wcze\u015bniej&#46;&#46;&#46;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_newsletter_tier_id":0,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[115],"tags":[6,88,44],"jetpack_publicize_connections":[],"acf":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p7M9Tz-5I","jetpack-related-posts":[{"id":337,"url":"https:\/\/drfugazi.eu.org\/en\/dodawanie-schematow-opendj\/","url_meta":{"origin":354,"position":0},"title":"Dodawanie schemat\u00f3w do OpenDJ","author":"drfugazi","date":"Tuesday July 12th, 2011","format":false,"excerpt":"Sorry, this entry is only available in Polish. For the sake of viewer convenience, the content is shown below in the alternative language. You may click the link to switch the active language.OpenDJ podobnie jak inne us\u0142ugi katalogowe pozwala na rozszerzanie funkcjonalno\u015bci katalogu poprzez dodawanie schemat\u00f3w. 
Istnieje szereg gotowych schemat\u00f3w,\u2026","rel":"","context":"In &quot;LDAP&quot;","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":285,"url":"https:\/\/drfugazi.eu.org\/en\/konfiguracja\/","url_meta":{"origin":354,"position":1},"title":"Konfiguracja OpenDJ","author":"drfugazi","date":"Monday July 11th, 2011","format":false,"excerpt":"Po rozpakowaniu i instalacji OpenDJ jest wst\u0119pnie skonfigurowany. W moim przypadku posiada te\u017c wpis bazowy (base entry), tutaj niech to b\u0119dzie dc=domain,dc=tld. Je\u015bli kto\u015b dopiero buduje drzewo LDAP, to pewnie teraz doda sobie standardowe ou=People i tam b\u0119dzie umieszcza\u0142 u\u017cytkownik\u00f3w za pomoc\u0105 narz\u0119dzi do zarz\u0105dzania katalogiem LDAP. Zwykle jednak jest\u2026","rel":"","context":"In &quot;LDAP&quot;","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":284,"url":"https:\/\/drfugazi.eu.org\/en\/instalacja\/","url_meta":{"origin":354,"position":2},"title":"Instalacja OpenDJ","author":"drfugazi","date":"Monday July 11th, 2011","format":false,"excerpt":"Pobieramy i rozpakowujemy najnowsz\u0105 wersj\u0119 OpenDJ ze strony ForgeRock.com. 
Po rozpakowaniu znajdziemy katalog OpenDJ-ver, gdzie jest numerem wersji oczywi\u015bcie, ja u\u017cyj\u0119 najnowszej na chwil\u0119 obecn\u0105 czyli 2.4.3 # cd \/data\/var # unzip OpenDJ-2.4.3.zip # cd OpenDJ-2.4.3 Uruchamiamy instalacj\u0119:","rel":"","context":"In &quot;LDAP&quot;","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":341,"url":"https:\/\/drfugazi.eu.org\/en\/unique-attributes-opendj\/","url_meta":{"origin":354,"position":3},"title":"Unique attributes in OpenDJ","author":"drfugazi","date":"Monday July 25th, 2011","format":false,"excerpt":"Sometimes you need to set some attributes as unique, for example: if LDAP contains system users, then uid attribute shouldn't repeat in whole system. OpenDJ is equipped with proper plugin, but it's not enabled by default. In case of mail system, attribute mail should be unique. Here we don't have\u2026","rel":"","context":"In &quot;LDAP&quot;","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":283,"url":"https:\/\/drfugazi.eu.org\/en\/opendj\/","url_meta":{"origin":354,"position":4},"title":"OpenDJ","author":"drfugazi","date":"Monday July 11th, 2011","format":false,"excerpt":"OpenDJ jest nowy serwerem us\u0142ug katalogowych zgodnym z LDAPv3, rozwijanym na platformie Java, dostarczaj\u0105cym wysoko wydajnego, niezawodnego i bezpiecznego magazynu to\u017csamo\u015bci. \u0141atwy proces instalacyjny w po\u0142\u0105czeniu z si\u0142\u0105 platformy Java powoduje, \u017ce OpenDJ jest jednym z najprostszych do zarz\u0105dzania i najszybszych do uruchomienia serwerem us\u0142ug katalogowych. 
OpenDJ jest rozszerzeniem projektu\u2026","rel":"","context":"In &quot;LDAP&quot;","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":299,"url":"https:\/\/drfugazi.eu.org\/en\/ldap-meta-directory\/","url_meta":{"origin":354,"position":5},"title":"LDAP meta directory","author":"drfugazi","date":"Thursday August  4th, 2011","format":false,"excerpt":"Sometimes you need to combine two or more LDAP directories with same suffixes to one directory or you just need to have a proxy. My first attempts to combine two OpenLDAP directories was to make replication from two different sources. This solution however has some disadvantages. First of all: to\u2026","rel":"","context":"In &quot;LDAP&quot;","block_context":{"text":"LDAP","link":"https:\/\/drfugazi.eu.org\/en\/category\/ldap\/"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/354"}],"collection":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/comments?post=354"}],"version-history":[{"count":3,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/354\/revisions"}],"predecessor-version":[{"id":563,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/posts\/354\/revisions\/563"}],"wp:attachment":[{"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/media?parent=354"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/categories?post=354"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/drfugazi.eu.org\/en\/wp-json\/wp\/v2\/tags?post=354"}],"curies":[{"name
":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}