Micro Focus Expert

LDAP search of "cn=schema" is missing classes and attributes

I'm on eDir 9.1.2 on SLES12SP3. When I do an LDAP search of cn=schema using OpenLDAP's ldapsearch util or perl's Net::LDAP library, I don't receive all of the classes and attributes. I'm connected as admin.

One class is "App:Application"--I thought the issue might be the ":" but I see that other classes with the colon make it through.

I also thought it might be the lack of an ASN.1 id, but eDir simply substitutes a text id like "myclass-oid" for other classes in that case.

Any suggestions or ideas?

Thanks,
Sam
Knowledge Partner

Re: LDAP search of "cn=schema" is missing classes and attributes

Rights should not matter, as schema is (per LDAP RFC) meant to be publicly
reachable.

Colons in schema names (classes or attributes) are not allowed in LDAP,
but by default eDirectory just removes those from the name when returning
them, and shows the full name in the NDS-NAME portion of the definition.
The OID bits you have already noted too. Still, I suppose something could
be wrong with that auto-conversion in your custom case.

I think a more-likely option is that the LDAP Group object for this server
has a custom mapping, e.g. App:Application could be mapped to
geeWhizClass, though you should still see it out there. Alternatively,
maybe duplicate mappings are hiding one of the two, e.g. if
App:Application and Bap:Baplication are both mapped to geeWhiz it may only
show one of them. I'm not even sure this is possible, but there you go.

Does this happen for all eDirectory servers, or just for an old one, or a
new one, or a Prod one, or a Test one?

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Micro Focus Expert

Re: LDAP search of "cn=schema" is missing classes and attrib

There aren't any custom LDAP Group mappings--I tried to add one to see if it would recognize the class but that didn't work.

The tree is production but quite old and originated on NetWare I believe.

A comparison between NDS schema from iManager and an LDAP search of cn=schema reveals these missing classes:
App:Application
Cheyenne:Fax Queue
Cheyenne:Fax Server
Unknown
* an aux class whose name clashes with another class - a known issue

We don't have any "Cheyenne..." objects, but there are 4 App:Application objects--updated in 2018 but created in 1997! Perhaps before the tree supported LDAP? We are going to see if we can just remove those objects.

I'm going to chalk it up to old age at this point.

Thanks,
Sam
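
The comparison described in the post above (NDS class names against what an LDAP search of cn=schema returns), as an added example that is not code from anyone in the thread. It assumes eDirectory spells the extension keyword `X-NDS_NAME` and that a class without it uses its LDAP name as its NDS name; the LDIF text, the OIDs and the NDS class list are constructed sample data.

```python
import re

# Constructed sample of `ldapsearch -b cn=schema -s base objectClasses` output.
# LDIF folds long values: a continuation line starts with one extra space.
SAMPLE_LDIF = """\
dn: cn=schema
objectClasses: ( 1.3.6.1.4.1.99999.1.1 NAME 'aliasObject' SUP top STRUCTURAL
  MUST aliasedObjectName X-NDS_NAME 'Alias' )
objectClasses: ( geewhizclass-oid NAME 'geeWhizClass' SUP top STRUCTURAL X-ND
 S_NAME 'Gee:Whiz Class' )
objectClasses: ( 2.5.6.6 NAME ( 'person' 'Person' ) SUP top STRUCTURAL MUST cn )
"""

# Constructed stand-in for the class list read from iManager.
NDS_CLASSES = ["Alias", "App:Application", "Gee:Whiz Class", "Person"]


def unfold(ldif):
    """Join folded LDIF lines (newline followed by a single space)."""
    return re.sub(r"\r?\n ", "", ldif)


def parse_classes(ldif):
    """Return {NDS name: [LDAP names]} for every objectClasses value."""
    classes = {}
    for line in unfold(ldif).splitlines():
        if not line.lower().startswith("objectclasses:"):
            continue
        value = line.split(":", 1)[1].strip()
        # NAME is either one quoted string or a parenthesised list of them.
        m = re.search(r"(?<![\w-])NAME\s+(?:'([^']+)'|\(([^)]*)\))", value)
        if not m:
            continue
        ldap_names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
        nds = re.search(r"X-NDS_NAME\s+'([^']+)'", value)
        # Assumption: no X-NDS_NAME means the NDS name equals the LDAP name.
        classes[nds.group(1) if nds else ldap_names[0]] = ldap_names
    return classes


def missing_from_ldap(nds_names, ldif):
    """NDS class names that appear under neither name in the LDAP subschema."""
    known = set()
    for nds_name, ldap_names in parse_classes(ldif).items():
        known.update(n.lower() for n in [nds_name, *ldap_names])
    return [n for n in nds_names if n.lower() not in known]


if __name__ == "__main__":
    print(missing_from_ldap(NDS_CLASSES, SAMPLE_LDIF))
```

Matching on both the NDS name and every LDAP name keeps a class that was renamed on its way to LDAP from being reported as missing.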
Knowledge Partner

Re: LDAP search of "cn=schema" is missing classes and attributes

Just another silly thought is that it could be schema inconsistency, e.g.
the Master knows about things, but the other replicas may not. This is
really rare these days, at least in my experience, but the LDAP service
never walks the tree for schema, so it may be worth using iMonitor to
compare schema among boxes or at least verify which boxes know about those
things (in case not all do). Still, very weird. Thanks for the follow-up.

--
Good luck.