view all possible attributes of an objectClass for LDAP

ldap openldap

Solution 1:

You're looking for the subschemaSubentry.
RFC 2252 Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions

5.1.5. subschemaSubentry

The value of this attribute is the name of a subschema entry (or subentry if the server is based on X.500(93)) in which the server makes available attributes specifying the schema.

( 2.5.18.10 NAME 'subschemaSubentry'
  EQUALITY distinguishedNameMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION
  SINGLE-VALUE USAGE directoryOperation )

You can find it like so:

$ ldapsearch -s base -b '' subschemaSubentry
dn:
subschemaSubentry: cn=Subschema

$ ldapsearch -s base -b cn=Subschema objectClasses

As a one line:

ldapsearch -s base -b $(ldapsearch -s base -b '' subschemaSubentry | sed '/dn:/d;/^$/d;s/subschemaSubentry: //' ) objectClasses

If you're scripting in bash and your version of ldapsearch supports it, -o ldif-wrap=no will mean that you don't have to parse ldif line wrapping.

cn=schema,cn=config, while handy, is usually unavailable under OpenLDAP due to access controls inheritted from cn=config.

Solution 2:

This is what I use to show the schema of a specific objectClass, such as organizationalRole

$ ldapsearch -s base -b cn=Subschema objectClasses -LLL -o ldif-wrap=no |\
  sed -nr '/organizationalRole/ p' | sed -r 's/[$()]+/\n /g'

Solution 3:

It has been a lot of time since I was working with LDAP, but I think that each LDAP server may expose the schema in a certain suffix.

I think in Openldap you can search in base "cn=schema, cn=config" to find the current schema. Try something like ldapsearch -x -s sub -b "cn=schema,cn=config" '(objectclass=*)' to see what you get. (Haven't tested this command line, but you get the point...).

From a developer's perspective, I would expect that the correct schema is there, and handle the exception of objectclass violation as if it was any kind of error.

I think that altering the schema is not something that should be handled by the application that adds/deletes data but by the installation procedure of the software.

Related

Can't install nginx using epel repo on Centos 7 (64bit)
HAProxy error: Some configuration options require full privileges, so global.uid cannot be changed
Disable windows file shares without losing share config
Forward one IP to a docker container
How do I include subclasses in Swagger API documentation/ OpenAPI specification using Swashbuckle?
Regex for multiple sshd Received disconnect from ... [preauth]
SQL Server 2014 SP1 installation failure - bug in SSIS_hotfix_install.sql
SSH: su root or sudo? [duplicate]
How to install lynx on an AWS redhat machine that can't find the package?
Can AWS Certificate Manager (ACM) Certificates be used on Elastic Load Balancer Instances in Regions other than us-east-1?
Making a phone call in an iOS application
How to cd to a folder with two dots in the path