How do I install a new schema for OpenLDAP on Debian 5 with dynamic config=cn backend?

I'm answering my own question because I wanted to know how to solve the problem while using the new slapd.d/dynamic/cn=config backend and I didn't want to go back to the slapd.conf method. (Almost nobody is doing this, AFAICT.)

When I tried to add the new schema using `ldapadd`, I always got the following error:

ldapadd -H ldap://whatever.test.com -D "cn=admin,dc=whatever,dc=test,dc=com" -x -W -f mozillaabpersonalpha.ldif
ldap_add: Insufficient access (50)

So the BindDN I was using does not have those privileges. I would need to set up an ACL or use the rootDN for that operation.

I don't know why, but when configuring the slapd debian package, it allowed me to create an admin account for my own DIT, but it mentioned nothing about the rootDN. After some browsing, I found this blog that explains how to set the password of the rootDN while using the cn=config schema.

So I edited the file /etc/ldap/slapd.d/cn=config/olcDatabase\=\{0\}config.ldif and added the following:

olcRootDN: cn=admin,cn=config
olcRootPW: mypassword

I had to restart slapd for the changes to take effect (it shouldn't be necessary, but ...). In order to test it, I ran the following command:

ldapwhoami -H ldap://whatever.test.com -D "cn=admin,cn=config" -x -w mypassword

And it worked! The next step was to load the mozillaAbPersonAlpha schema in ldif format using ldapadd:

ldapadd -H ldap://whatever.test.com -D "cn=admin,cn=config" -x -w mypassword -f mozillaabpersonalpha.ldif

The response was successful:

adding new entry "cn=mozillaabpersonalpha,cn=schema,cn=config"

Finally, adding one user that depends on the mozillaABPersonAlpha schema is now possible. For example, the file newuser.ldif has this:

dn: uid=somedude,cn=Whatever,dc=test,dc=com
sn: Some Dude
givenName: Dude
mail: [email protected]
mozillaCustom1: Engineering
l: Somewhere
objectClass: inetOrgPerson
objectClass: top
objectClass: person
objectClass: mozillaAbPersonAlpha
uid: somedude
cn: Some Dude

And adding it to the new directory (not using the rootDN account) works now:

ldapadd -H ldap://whatever.test.com -D "cn=admin,dc=whatever,dc=test,dc=com" -x -W -f usertest.ldif 
Enter LDAP Password: 
adding new entry "uid=somedude,cn=SomeGroup,cn=whatever,dc=test,dc=com"