Issue using Embedded LDAP server (ApacheDS 1.5.5) with Custom Schema
    I am using Spring Security 3.1.0 and Apache Directory Server 1.5.5.

    Was able to setup integration with a remote OpenLDAP server with a schema just fine, and am now trying to switch to using the <ldap-server> tag so that our development team can use embedded server and be able to work offline.

    In the OpenLDAP setup, I have multiple files and load the custom schema .ldif first, then the base OU, Groups and Users last.

    In the ApacheDS setup, we can only use 1 .ldif file for reasons seen here: https://jira.springsource.org/browse/SEC-1732

    I have concatenated all of my .ldif files into a single file, in the order in which they should be loaded. The org, ou, groups and users all load fine, except that the users don't have the custom attribute (why it does not fail as expected, like OpenLDAP does, may be another issue...)

    Also, I had to convert my custom schema Attribute and ObjectClass from the OpenLDAP format - here is the original custom schema section:

    Code:
    dn: cn=myproject,cn=schema,cn=config
    objectClass: olcSchemaConfig
    cn: myproject
    olcAttributeTypes: {0}( 1.3.6.1.4.1.XXXX.2.3.101 NAME 'myCustomAttribute' DESC 'My Description' EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
    olcObjectClasses: {0}( 1.3.6.1.4.1.XXXX.2.4.101 NAME 'myCustomPerson' DESC 'A custom person object' SUP inetOrgPerson MUST myCustomAttribute )
    Opened up in Apache Directory Studio and converted to this format:

    Code:
    dn: cn=myproject, ou=schema
    objectclass: metaSchema
    objectclass: top
    cn: myproject
    m-dependencies: inetorgperson
    
    dn: ou=attributeTypes, cn=myproject, ou=schema
    objectclass: organizationalUnit
    objectclass: top
    ou: attributetypes
    
    dn: m-oid=1.3.6.1.4.1.XXXX.2.3.101, ou=attributeTypes, cn=myproject, ou=schema
    objectclass: metaAttributeType
    objectclass: metaTop
    objectclass: top
    m-oid: 1.3.6.1.4.1.XXXX.2.3.101
    m-name: myCustomAttribute
    m-description: My Description
    m-equality: integerMatch
    m-ordering: integerOrderingMatch
    m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
    m-length: 0
    
    dn: ou=comparators, cn=myproject, ou=schema
    objectclass: organizationalUnit
    objectclass: top
    ou: comparators
    
    dn: ou=ditContentRules, cn=myproject, ou=schema
    objectclass: organizationalUnit
    objectclass: top
    ou: ditcontentrules
    
    dn: ou=ditStructureRules, cn=myproject, ou=schema
    objectclass: organizationalUnit
    objectclass: top
    ou: ditstructurerules
    
    dn: ou=matchingRules, cn=myproject, ou=schema
    objectclass: organizationalUnit
    objectclass: top
    ou: matchingrules
    
    dn: ou=matchingRuleUse, cn=myproject, ou=schema
    objectclass: organizationalUnit
    objectclass: top
    ou: matchingruleuse
    
    dn: ou=nameForms, cn=myproject, ou=schema
    objectclass: organizationalUnit
    objectclass: top
    ou: nameforms
    
    dn: ou=normalizers, cn=myproject, ou=schema
    objectclass: organizationalUnit
    objectclass: top
    ou: normalizers
    
    dn: ou=objectClasses, cn=myproject, ou=schema
    objectclass: organizationalUnit
    objectclass: top
    ou: objectClasses
    
    dn: m-oid=1.3.6.1.4.1.XXXX.2.4.101, ou=objectClasses, cn=myproject, ou=schema
    objectclass: metaObjectClass
    objectclass: metaTop
    objectclass: top
    m-oid: 1.3.6.1.4.1.XXXX.2.4.101
    m-name: myCustomPerson
    m-description: A custom person object 
    m-supObjectClass: inetOrgPerson
    m-must: myCustomAttribute
    
    dn: ou=syntaxCheckers, cn=myproject, ou=schema
    objectclass: organizationalUnit
    objectclass: top
    ou: syntaxcheckers
    
    dn: ou=syntaxes, cn=myproject, ou=schema
    objectclass: organizationalUnit
    objectclass: top
    ou: syntaxes

    The above loads and the server starts, but gives 3 warnings when it gets to the 'myCustomPerson' object section:

    Code:
    6069 [2011-12-14 15:17:50,751] WARN  org.apache.directory.server.core.entry.ServerStringValue  - Cannot normalize the value :Encountered name based id of myCustomAttribute which was not found in the OID registry
    6070 [2011-12-14 15:17:50,752] WARN  org.apache.directory.server.core.entry.ServerStringValue  - Cannot normalize the value :Encountered name based id of myCustomAttribute which was not found in the OID registry
    6070 [2011-12-14 15:17:50,752] WARN  org.apache.directory.server.core.entry.ServerStringValue  - Cannot normalize the value :Encountered name based id of myCustomAttribute which was not found in the OID registry
    Then later in the script, when I try to add some myCustomPerson entries, like this:

    Code:
    dn: uid=myuser,ou=people,dc=mydomain,dc=com
    uid: myuser
    cn: Name
    sn: Surname
    objectClass: myCustomPerson
    userPassword: {SSHA}yr6SnddPW8WJWjHwrAi5HINn4XP1S6OK
    myCustomAttribute: 12345
    
    ... (lots of these)
    I get this warning for each user listed:

    Code:
    6140 [2011-12-14 15:17:50,822] WARN  org.apache.directory.server.schema.registries.DefaultOidRegistry  - OID for name 'myCustomAttribute' was not found within the OID registry
    6140 [2011-12-14 15:17:50,822] WARN  org.apache.directory.server.core.entry.DefaultServerEntry  - The attribute 'myCustomAttribute' cannot be stored
    The end result is that the people all get loaded into the embedded LDAP server, but the 'myCustomAttribute' is not included (even though it is defined as a 'must' attribute, and the ObjectClass shows as 'myCustomPerson'.)

    So it looks like:
    1) The defined custom attribute is not getting registered in Apache DS OID registry
    2) Apache DS does not enforce schema/objectClass integrity

    Has anyone been able to get a custom schema loaded in the embedded server and be able to share their process?
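
The schema-integrity gap described above, as an added example that is not part of the original thread and not code from ApacheDS or Spring Security: a small Python check that parses the ApacheDS meta-schema LDIF format (m-name / m-must) together with the user entries, then reports any MUST attribute that has no attributeType definition and any entry that lacks a required attribute, so the problem is caught before the file is fed to the embedded server. The LDIF samples are constructed; 'XXXX' is the thread's own OID placeholder.

```python
"""Added example (not from the thread, ApacheDS or Spring Security): offline
check that LDIF entries carry every MUST attribute their objectClass requires."""

# Constructed samples in the format used above; 'XXXX' is the thread's own OID placeholder.
SCHEMA_LDIF = """\
dn: m-oid=1.3.6.1.4.1.XXXX.2.3.101, ou=attributeTypes, cn=myproject, ou=schema
objectclass: metaAttributeType
m-name: myCustomAttribute

dn: m-oid=1.3.6.1.4.1.XXXX.2.4.101, ou=objectClasses, cn=myproject, ou=schema
objectclass: metaObjectClass
m-name: myCustomPerson
m-must: myCustomAttribute
"""
ENTRIES_LDIF = """\
dn: uid=bob,ou=people,dc=example,dc=com
objectClass: myCustomPerson
"""

def parse_ldif(text):
    """Split LDIF into entries of {attribute (lowercased): [values]}."""
    entries = []
    for block in text.strip().split("\n\n"):       # blank line separates entries
        entries.append(entry := {})
        for k, _, v in (ln.partition(":") for ln in block.splitlines()):
            entry.setdefault(k.strip().lower(), []).append(v.strip())
    return entries

def load_schema(schema_text):
    """Return (defined attributeType names, {objectClass: set of MUST attrs})."""
    attrs, musts = set(), {}
    for e in parse_ldif(schema_text):
        kinds = {v.lower() for v in e.get("objectclass", [])}
        if "metaattributetype" in kinds:
            attrs.add(e["m-name"][0].lower())
        elif "metaobjectclass" in kinds:
            musts[e["m-name"][0].lower()] = {m.lower() for m in e.get("m-must", [])}
    return attrs, musts

def find_violations(schema_text, entries_text):
    """(name, problem) pairs: MUST attrs lacking a definition, entries lacking one."""
    attrs, musts = load_schema(schema_text)
    problems = [(oc, f"MUST attribute {m} has no attributeType definition")
                for oc, ms in musts.items() for m in ms if m not in attrs]
    for e in parse_ldif(entries_text):
        needed = set().union(*(musts.get(oc.lower(), set()) for oc in e.get("objectclass", [])))
        problems += [(e["dn"][0], f"missing MUST attribute {m}") for m in sorted(needed - set(e))]
    return problems
```

Running it on the sample reports the bob entry, which is exactly the silent omission the thread's warnings describe; an entry that carries myCustomAttribute produces no report.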

  • #2
    I'm encountering the exact same situation. Has anybody (perhaps out-of-band) solved this?



    • #3
      Embedded Server

      We did not end up finding a spring-based solution to fit our requirements of both using a custom schema and adding users in the same project. Instead, we now have a side project which embeds ApacheDS into a web application, similar to this:

      http://directory.apache.org/apacheds...plication.html

      Now this extra war gets deployed along with our real project but only on developer machines. We have the .ldif resources synced between the dev-ldap webapp and OpenLDAP script locations by using an SVN externals link, so we are confident the LDAP users on our development hosts always match those of the CI/Test/Demo servers.
