view all possible attributes of an objectClass for LDAP
Solution 1:
You're looking for the subschemaSubentry. RFC 2252, Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions, 5.1.5. subschemaSubentry:
The value of this attribute is the name of a subschema entry (or subentry if the server is based on X.500(93)) in which the server makes available attributes specifying the schema.
( 2.5.18.10 NAME 'subschemaSubentry' EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION SINGLE-VALUE USAGE directoryOperation )
You can find it like so:
$ ldapsearch -s base -b '' subschemaSubentry
dn:
subschemaSubentry: cn=Subschema
$ ldapsearch -s base -b cn=Subschema objectClasses
As a one line:
ldapsearch -s base -b $(ldapsearch -s base -b '' subschemaSubentry | sed '/dn:/d;/^$/d;s/subschemaSubentry: //' ) objectClasses
If you're scripting in bash and your version of ldapsearch supports it, -o ldif-wrap=no will mean that you don't have to parse ldif line wrapping.
cn=schema,cn=config, while handy, is usually unavailable under OpenLDAP due to access controls inherited from cn=config.
Solution 2:
This is what I use to show the schema of a specific objectClass, such as organizationalRole:
$ ldapsearch -s base -b cn=Subschema objectClasses -LLL -o ldif-wrap=no |\
sed -nr '/organizationalRole/ p' | sed -r 's/[$()]+/\n /g'
Solution 3:
It has been a lot of time since I was working with LDAP, but I think that each LDAP server may expose the schema in a certain suffix.
I think in OpenLDAP you can search in base "cn=schema,cn=config" to find the current schema.
Try something like ldapsearch -x -s sub -b "cn=schema,cn=config" '(objectclass=*)' to see what you get. (Haven't tested this command line, but you get the point...)
From a developer's perspective, I would expect that the correct schema is there, and handle the exception of objectclass violation as if it was any kind of error.
I think that altering the schema is not something that should be handled by the application that adds/deletes data but by the installation procedure of the software.