How to list Attributes not in an ObjectClass

How would I list all of the attributes that are not in an object class?

We are having problems in our DEV environment where some attributes are not in an object class. The most likely reason is that we have imported a schema from production where the production schema did not have some of the same attributes in the DEV environment. As such, some policies which worked before are now getting an "illegal attribute" error because an attribute or two on the userID have an attribute that is associated to an object class.
Knowledge Partner

> How would I list all of the attributes that are not in an object class?

To be specific, I think you are asking how to list all attributes
available to the User (inetOrgPerson via LDAP) class, presumably excluding
auxiliary classes, and then figure out how to find which attributes are in
one tree's objectClass list of attributes vs. another tree's.

I'd do this via LDAP; from one box in each tree, try running this:


ldapsearch -x -o ldif-wrap=no -b cn=schema -s base > /tmp/treename.ldif


Get your two treename.ldif files on one box and compare them using
whatever you like; vimdiff, Meld, etc.

> We are having problems in our DEV environment where some attributes are
> not in an object class. the most likely reason is that we have imported
> a schema from production where the production schema did not have some
> of the same attributes in the DEV environment. As such, some policies
> which worked before are now getting an "illegal attribute" error because
> an attribute or two on the userID have an attribute that is associated
> to an object class.


Going beyond your technical request, there is a business case alluded to
in here, something about adding attributes in policies, so maybe Identity
Manager (IDM) related.

If I were you, I would probably look more into that side of things to be
sure you are going down the correct path based on the symptoms. A couple
reasons for this include:

1. It is nearly impossible to have eDirectory remove an attribute from a
class, or entirely from schema, when it is in use on any object in the tree
of that class (or any class if removing from schema). That you imported
from here to there or there to here is interesting, but if that actually
did something to negatively impact schema, that implies the attribute(s)
involved were not actually in use, and that seems contrary to your
description.

2. IDM traces will show you exactly which attributes are being tried when
the error occurs, maybe even giving you the one attribute in question.
You can query hundreds of possible attributes, but if you can have IDM (or
LDAP, or something else) point you directly to the one that matters, the
technical question becomes irrelevant and you can move on to fixing.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Knowledge Partner

friedman16 wrote:

> How would I list all of the attributes that are not in an object class?


# Dump the NAME of every attributeType (first name only when an attribute has aliases).
ldapsearch -xD cn=admin,ou=sa,o=system -W -b cn=schema -s base -o ldif-wrap=no attributeTypes | grep NAME | cut -d \' -f 2 > attributeTypes.txt

# Dump every objectClass definition, one per line (ldif-wrap=no keeps MUST/MAY lists unbroken).
ldapsearch -xD cn=admin,ou=sa,o=system -W -b cn=schema -s base -o ldif-wrap=no objectClasses | grep NAME > objectClasses.txt

# Print each attribute that no objectClass line mentions; -w matches whole names so that
# e.g. "cn" is not counted as present because of "dcn", and ':0$' keeps only a count of zero.
while read attr ; do echo -n "$attr:$(grep -hcw "$attr" objectClasses.txt)" | grep ':0$' ; done < attributeTypes.txt

--
http://www.is4it.de/en/solution/identity-access-management/

(If you find this post helpful, please click on the star below.)
______________________________________________
https://www.is4it.de/identity-access-management
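A worked example, added here and not part of either reply: a Python script that parses the cn=schema output both replies collect (attributeTypes and objectClasses), lists the attributes no objectClass references (the `grep :0` step, but matching whole names and aliases), compares two trees' schema structurally (the vimdiff step of the first reply), and goes one step beyond the thread by checking a single entry against its objectClass chain, which is where an "illegal attribute" error comes from. The two schema dumps, the sample entry and the OIDs under 1.3.6.1.4.1.99999 are constructed, and inetOrgPerson's SUP chain is shortened to keep the sample small; the parser expects unwrapped LDIF, as produced with -o ldif-wrap=no.

```python
import re

# Constructed, abbreviated schema dumps for two trees (not real eDirectory output), in the
# shape "ldapsearch -x -o ldif-wrap=no -b cn=schema -s base attributeTypes objectClasses"
# returns. OIDs under 1.3.6.1.4.1.99999 are placeholders for site-specific attributes and
# inetOrgPerson's SUP chain is shortened to keep the sample small.
PROD_SCHEMA = """\
dn: cn=schema
attributeTypes: ( 2.5.4.3 NAME 'cn' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 2.5.4.4 NAME 'sn' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 2.5.4.42 NAME 'givenName' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' ) SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.99999.1 NAME 'costCenter' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 1.3.6.1.4.1.99999.2 NAME 'badgeID' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY userPassword )
objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP person STRUCTURAL MAY ( userid $ givenName $ costCenter $ badgeID ) )
"""
# DEV (constructed): same classes, but inetOrgPerson lost badgeID and one extra attribute exists.
DEV_SCHEMA = PROD_SCHEMA.replace(" $ badgeID )", " )") + (
    "attributeTypes: ( 1.3.6.1.4.1.99999.3 NAME 'devOnlyAttr' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )\n")
# Constructed entry as it might look on a user object in either tree.
SAMPLE_ENTRY = {"objectClass": ["inetOrgPerson"], "cn": ["jdoe"], "sn": ["Doe"],
                "uid": ["jdoe"], "badgeID": ["12345"]}

NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(((?:\s*'[^']+')+)\s*\))")
LIST_RE = re.compile(r"\b(MUST|MAY|SUP)\s+(?:\(([^)]*)\)|'?([\w-]+)'?)")


def parse_schema(ldif):
    """attrs: primary attribute name -> set of lowercase aliases;
    classes: class name -> {'must', 'may', 'sup'} sets of lowercase names."""
    attrs, classes = {}, {}
    for line in ldif.splitlines():  # assumes unwrapped LDIF (ldif-wrap=no)
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if not sep or key not in ("attributetypes", "objectclasses"):
            continue
        m = NAME_RE.search(value)
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
        if key == "attributetypes":
            attrs[names[0]] = {n.lower() for n in names}
        else:
            spec = {"must": set(), "may": set(), "sup": set()}
            for kw, group, single in LIST_RE.findall(value):
                spec[kw.lower()] |= ({single.lower()} if single else
                                     {x.strip().lower() for x in group.split("$") if x.strip()})
            classes[names[0]] = spec
    return attrs, classes


def unreferenced_attributes(attrs, classes):
    """Attributes no objectClass lists as MUST or MAY (the 'grep :0' step, whole names only)."""
    referenced = set()
    for spec in classes.values():
        referenced |= spec["must"] | spec["may"]
    return sorted(name for name, aliases in attrs.items() if not aliases & referenced)


def allowed_attributes(classes, object_classes):
    """Attributes permitted on an entry with these objectClass values, following SUP links."""
    by_lower = {k.lower(): v for k, v in classes.items()}
    allowed, seen, todo = set(), set(), [oc.lower() for oc in object_classes]
    while todo:
        oc = todo.pop()
        if oc in seen or oc not in by_lower:  # 'top' is not in the sample and is skipped
            continue
        seen.add(oc)
        allowed |= by_lower[oc]["must"] | by_lower[oc]["may"]
        todo.extend(by_lower[oc]["sup"])
    return allowed


def illegal_attributes(attrs, classes, entry):
    """Entry attributes its objectClass chain does not permit (what the server rejects as an
    illegal attribute); aliases such as userid/uid are resolved to one primary name first."""
    to_primary = {a: p.lower() for p, aliases in attrs.items() for a in aliases}
    allowed = {to_primary.get(n, n) for n in allowed_attributes(classes, entry.get("objectClass", []))}
    return sorted(a for a in entry if a.lower() != "objectclass"
                  and to_primary.get(a.lower(), a.lower()) not in allowed)


def compare_trees(schema_a, schema_b):
    """Structural version of diffing two trees' schema dumps: attributes defined in only one
    tree, and classes whose MUST/MAY lists differ (reported as lowercase names)."""
    attrs_a, cls_a = parse_schema(schema_a)
    attrs_b, cls_b = parse_schema(schema_b)
    diffs = {}
    for name in set(cls_a) & set(cls_b):
        a = cls_a[name]["must"] | cls_a[name]["may"]
        b = cls_b[name]["must"] | cls_b[name]["may"]
        if a != b:
            diffs[name] = (sorted(a - b), sorted(b - a))
    return {"attributes_only_in_a": sorted(set(attrs_a) - set(attrs_b)),
            "attributes_only_in_b": sorted(set(attrs_b) - set(attrs_a)),
            "class_attribute_differences": diffs}


if __name__ == "__main__":
    attrs, classes = parse_schema(DEV_SCHEMA)
    print("DEV attributes in no objectClass:", unreferenced_attributes(attrs, classes))
    print("Illegal on the DEV entry:", illegal_attributes(attrs, classes, SAMPLE_ENTRY))
    print("PROD vs DEV:", compare_trees(PROD_SCHEMA, DEV_SCHEMA))
```

Feed it real dumps by reading the two treename.ldif files into PROD_SCHEMA and DEV_SCHEMA. On the constructed data the DEV tree reports badgeID and devOnlyAttr as belonging to no class, the sample entry's badgeID is flagged as illegal only against the DEV schema, and the tree comparison pins the difference on inetOrgPerson's MAY list, which is the kind of pointer the second bullet of the first reply recommends getting from IDM traces instead of scanning hundreds of attributes.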