
Adding an LDAP schema



~Gh05t~
27.10.11, 16:44
Hello,

Every time I think I have finally understood LDAP, I am taught otherwise shortly afterwards. My problem: I want to replace my dbmail with dovecot.
As a first step I tried to rebuild my LDAP:


% cat > dovecot.schema.ldif << EOF
dn: cn=dovecot,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: dovecot
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.1.1.1 NAME 'dcMailMessageStore' DESC 'Path to the maildir/mbox on the mail system' EQUALITY caseExactIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.1.1.2 NAME 'dcMailAlias' DESC 'Secondary (alias) mailaddresses for a user' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.2.1.1 NAME 'dcSubMailAddress' DESC 'A users secondary e-mail address for which mail from on another Mailserver has to be fetched' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.2.1.2 NAME 'dcAccountStatus' DESC 'The status of a user account: active, noaccess, disabled, deleted' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.2.1.3 NAME 'dcSMTPServer' DESC 'Outgoing mails should be delivered to this Mailserver via SMTP.' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.2.1.4 NAME 'dcSMTPLogin' DESC 'Login credential to send Mail with the SMTP server' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.2.1.5 NAME 'dcSMTPPassword' DESC 'A separate text that stores the SMTP account password in clear text' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.2.1.6 NAME 'dcRetrieveType' DESC 'Tells getmail what mail account to retrieve mail from, and how to access that account, e.g. SimplePOP3Retriever and BrokenUIDLPOP3SSLRetriever' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.2.1.7 NAME 'dcRetrieveServer' DESC 'Incoming mails have to be downloaded from this server' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.2.1.8 NAME 'dcRetrieveLogin' DESC 'Login credential to receive Mail from the server' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.2.1.9 NAME 'dcRetrievePassword' DESC 'Password for mail retrieval in clear text' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.2.1.10 NAME 'dcMailQuota' DESC 'The size of space the user can have until further messages get bounced.' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.2.1.11 NAME 'dcMailSizeMax' DESC 'The maximum size of a single messages the user accepts.' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.2.1.12 NAME 'dcMailAlternateAddress' DESC 'Secondary (alias) mailaddresses for an external Mail Account' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.3.1.1 NAME 'dcPosixOwnerURL' DESC 'Identifies an URL associated with the posixOwner of the entry. Any type of labeled URL can be used.' SUP labeledURI )
olcObjectClasses: ( 1.3.6.1.4.1.32589.1.1.2.1 NAME 'dcMailUser' DESC 'Dovecot-LDAP User' SUP top AUXILIARY MUST dcMailMessageStore MAY dcMailAlias )
olcObjectClasses: ( 1.3.6.1.4.1.32589.1.2.2.1 NAME 'dcExternalMailAccount' DESC 'Dovecot-LDAP external mail account' SUP top STRUCTURAL MUST ( dcSubMailAddress $ dcAccountStatus ) MAY ( dcSMTPServer $ dcSMTPLogin $ dcSMTPPassword $ dcRetrieveType $ dcRetrieveServer $ dcRetrieveLogin $ dcRetrievePassword $ dcMailQuota $ dcMailSizeMax $ dcMailAlternateAddress ) )
olcObjectClasses: ( 1.3.6.1.4.1.32589.1.3.2.1 NAME 'dcPosixSubAccount' DESC 'LDAP-URL for retrieving the respective posixAccount of an entry' SUP top AUXILIARY MAY dcPosixOwnerURL )
EOF
% ldapadd -D "cn=admin,cn=config" -x -W -f dovecot.schema.ldif

Then I wanted to add the new objectClass to my users, and I used webmin for that. Unfortunately that failed, because I cannot add the new objectClass and the required attribute dcMailMessageStore at the same time, so both fail. So I tested it with various other LDAP browsers (jxplorer, apache directory studio).
These gave me the error message "Schema location missing" (or similar wording).

Searching Google showed that apparently the attribute subschemaSubentry is not set or is set incorrectly. And this is where I get lost. What is it, why is it missing and how can I fix it?
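The reason the webmin approach fails is the schema check slapd runs after a modify: an objectClass whose MUST attribute is absent is a violation, and an attribute no objectClass of the entry permits is also a violation, so the objectClass and the attribute have to arrive in the same modify operation. As an added example (not from the thread or from dovecot), the Python below parses the olcAttributeTypes/olcObjectClasses definitions from the posted LDIF (a constructed subset with the same OIDs and names), reproduces that check on a constructed user entry, and renders the combined change as a single changetype: modify record. The user DN and the maildir path are made up for the example.

```python
import re

# Constructed schema sample: a subset of the olcAttributeTypes/olcObjectClasses
# lines from the dovecot.schema.ldif posted above (same OIDs and names).
SCHEMA_LDIF = """\
dn: cn=dovecot,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: dovecot
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.1.1.1 NAME 'dcMailMessageStore' DESC 'Path to the maildir/mbox on the mail system' EQUALITY caseExactIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} SINGLE-VALUE )
olcAttributeTypes: ( 1.3.6.1.4.1.32589.1.1.1.2 NAME 'dcMailAlias' DESC 'Secondary (alias) mailaddresses for a user' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcObjectClasses: ( 1.3.6.1.4.1.32589.1.1.2.1 NAME 'dcMailUser' DESC 'Dovecot-LDAP User' SUP top AUXILIARY MUST dcMailMessageStore MAY dcMailAlias )
olcObjectClasses: ( 1.3.6.1.4.1.32589.1.2.2.1 NAME 'dcExternalMailAccount' DESC 'Dovecot-LDAP external mail account' SUP top STRUCTURAL MUST ( dcSubMailAddress $ dcAccountStatus ) MAY ( dcSMTPServer $ dcSMTPLogin ) )
"""


def _name_list(defn, keyword):
    """Names after MUST/MAY: either a single name or a '( a $ b )' list."""
    m = re.search(rf"\b{keyword}\s+(?:\(\s*([^)]*?)\s*\)|(\S+))", defn)
    if not m:
        return []
    body = m.group(1) if m.group(1) is not None else m.group(2)
    return [t.strip() for t in body.split("$") if t.strip()]


def parse_schema(ldif):
    """Parse olcAttributeTypes/olcObjectClasses lines into dicts keyed by lower-case name."""
    attrs, classes = {}, {}
    for line in ldif.splitlines():
        key, _, defn = line.partition(":")
        defn = re.sub(r"DESC '[^']*'", "", defn)  # DESC text may contain parentheses
        name = re.search(r"NAME '([^']+)'", defn)
        if not name:
            continue
        if key == "olcAttributeTypes":
            attrs[name.group(1).lower()] = {"name": name.group(1), "single": "SINGLE-VALUE" in defn}
        elif key == "olcObjectClasses":
            kind = re.search(r"\b(STRUCTURAL|AUXILIARY|ABSTRACT)\b", defn)
            classes[name.group(1).lower()] = {
                "name": name.group(1),
                "kind": kind.group(1) if kind else "STRUCTURAL",
                "must": _name_list(defn, "MUST"),
                "may": _name_list(defn, "MAY"),
            }
    return attrs, classes


def schema_violations(attrs, classes, entry):
    """Check an entry (dict attr -> list of values) the way slapd does after a modify:
    every MUST of every objectClass must be present, and every attribute must be
    permitted by some objectClass of the entry. The 'not allowed' check is limited to
    attributes defined in the parsed schema, because the entry's other classes
    (posixAccount etc.) are not part of this sample."""
    problems = []
    present = {k.lower() for k, v in entry.items() if v}
    allowed = set()
    for oc in entry.get("objectClass", []):
        spec = classes.get(oc.lower())
        if spec is None:
            continue
        allowed.update(a.lower() for a in spec["must"] + spec["may"])
        for a in spec["must"]:
            if a.lower() not in present:
                problems.append(f"objectClass {spec['name']} requires missing attribute {a}")
    for a in sorted(present):
        if a in attrs and a not in allowed:
            problems.append(f"attribute {attrs[a]['name']} not allowed by any objectClass of the entry")
    return problems


def apply_add(entry, adds):
    """Copy of entry with the given values added (an LDAP 'add' modification)."""
    new = {k: list(v) for k, v in entry.items()}
    for k, vals in adds.items():
        new.setdefault(k, []).extend(vals)
    return new


def modify_ldif(dn, adds):
    """Render all adds as ONE changetype: modify record; slapd applies the record as a
    unit and checks the schema once, after all changes, so MUST and objectClass can
    arrive together."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for k, vals in adds.items():
        lines.append(f"add: {k}")
        lines.extend(f"{k}: {v}" for v in vals)
        lines.append("-")
    return "\n".join(lines) + "\n"


ATTRS, CLASSES = parse_schema(SCHEMA_LDIF)
# Constructed existing user entry; the DN and values are made up for the example.
USER_DN = "uid=alice,ou=people,dc=example,dc=com"
USER = {"objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]}
BOTH = {"objectClass": ["dcMailUser"], "dcMailMessageStore": ["/var/mail/alice/Maildir"]}

if __name__ == "__main__":
    for label, adds in (("objectClass only", {"objectClass": ["dcMailUser"]}),
                        ("attribute only", {"dcMailMessageStore": ["/var/mail/alice/Maildir"]}),
                        ("both in one modify", BOTH)):
        print(label, "->", schema_violations(ATTRS, CLASSES, apply_add(USER, adds)) or "ok")
    print(modify_ldif(USER_DN, BOTH))
```

The rendered record is what you would feed to `ldapmodify -x -D <admin DN> -W -f` instead of adding the objectClass and the attribute in two separate GUI steps; because dcMailUser is AUXILIARY it can be attached to an existing posixAccount/inetOrgPerson entry without changing its structural class.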

~Gh05t~
27.10.11, 19:03
Strangely, I can query these attributes with ldapsearch:


# ldapsearch -b cn=subschema -H ldap://localhost -x -s base subschemasubentry | egrep -v '^#|^$'
dn: cn=Subschema
subschemaSubentry: cn=Subschema
search: 2
result: 0 Success

# ldapsearch -b cn=subschema -H ldap://localhost -x -s base objectclass=subschema + | grep objectClass | tail -n 5
objectClasses: ( 1.3.6.1.4.1.2312.4.2.2 NAME 'automountMap' DESC 'An group of
objectClasses: ( 2.16.840.1.113730.3.1.97 NAME 'myPerson' DESC 'Additional Per
objectClasses: ( 1.3.6.1.4.1.32589.1.1.2.1 NAME 'dcMailUser' DESC 'Dovecot-LDA
objectClasses: ( 1.3.6.1.4.1.32589.1.2.2.1 NAME 'dcExternalMailAccount' DESC '
objectClasses: ( 1.3.6.1.4.1.32589.1.3.2.1 NAME 'dcPosixSubAccount' DESC 'LDAP


Here is a log (level 255) of the schema query from Apache Directory Studio:


Oct 27 18:55:08 hyperion slapd[8350]: daemon: activity on 1 descriptor
Oct 27 18:55:08 hyperion slapd[8350]: daemon: activity on:
Oct 27 18:55:08 hyperion slapd[8350]: 15r
Oct 27 18:55:08 hyperion slapd[8350]:
Oct 27 18:55:08 hyperion slapd[8350]: daemon: read active on 15
Oct 27 18:55:08 hyperion slapd[8350]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 27 18:55:08 hyperion slapd[8350]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 27 18:55:08 hyperion slapd[8350]: connection_get(15)
Oct 27 18:55:08 hyperion slapd[8350]: connection_get(15): got connid=1000
Oct 27 18:55:08 hyperion slapd[8350]: connection_read(15): checking for input on id=1000
Oct 27 18:55:08 hyperion slapd[8350]: op tag 0x63, time 1319734508
Oct 27 18:55:08 hyperion slapd[8350]: conn=1000 op=4 do_search
Oct 27 18:55:08 hyperion slapd[8350]: daemon: activity on 1 descriptor
Oct 27 18:55:08 hyperion slapd[8350]: daemon: activity on:
Oct 27 18:55:08 hyperion slapd[8350]:
Oct 27 18:55:08 hyperion slapd[8350]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 27 18:55:08 hyperion slapd[8350]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 27 18:55:08 hyperion slapd[8350]: >>> dnPrettyNormal: <>
Oct 27 18:55:08 hyperion slapd[8350]: <<< dnPrettyNormal: <>, <>
Oct 27 18:55:08 hyperion slapd[8350]: SRCH "" 0 3
Oct 27 18:55:08 hyperion slapd[8350]: 0 0 0
Oct 27 18:55:08 hyperion slapd[8350]: begin get_filter
Oct 27 18:55:08 hyperion slapd[8350]: PRESENT
Oct 27 18:55:08 hyperion slapd[8350]: end get_filter 0
Oct 27 18:55:08 hyperion slapd[8350]: filter: (objectClass=*)
Oct 27 18:55:08 hyperion slapd[8350]: attrs:
Oct 27 18:55:08 hyperion slapd[8350]: subschemaSubentry
Oct 27 18:55:08 hyperion slapd[8350]:
Oct 27 18:55:08 hyperion slapd[8350]: => test_filter
Oct 27 18:55:08 hyperion slapd[8350]: PRESENT
Oct 27 18:55:08 hyperion slapd[8350]: => access_allowed: search access to "" "objectClass" requested
Oct 27 18:55:08 hyperion slapd[8350]: => acl_get: [1] attr objectClass
Oct 27 18:55:08 hyperion slapd[8350]: => acl_mask: access to entry "", attr "objectClass" requested
Oct 27 18:55:08 hyperion slapd[8350]: => acl_mask: to all values by "cn=admin,dc=weiss,dc=homelinux,dc=com", (=0)
Oct 27 18:55:08 hyperion slapd[8350]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Oct 27 18:55:08 hyperion slapd[8350]: <= check a_dn_pat: *
Oct 27 18:55:08 hyperion slapd[8350]: <= acl_mask: [2] applying +0 (break)
Oct 27 18:55:08 hyperion slapd[8350]: <= acl_mask: [2] mask: =0
Oct 27 18:55:08 hyperion slapd[8350]: => dn: [2] cn=subschema
Oct 27 18:55:08 hyperion slapd[8350]: <= acl_get: done.
Oct 27 18:55:08 hyperion slapd[8350]: => slap_access_allowed: no more rules
Oct 27 18:55:08 hyperion slapd[8350]: => access_allowed: no more rules
Oct 27 18:55:08 hyperion slapd[8350]: <= test_filter 50
Oct 27 18:55:08 hyperion slapd[8350]: send_ldap_result: conn=1000 op=4 p=3
Oct 27 18:55:08 hyperion slapd[8350]: send_ldap_result: err=0 matched="" text=""
Oct 27 18:55:08 hyperion slapd[8350]: send_ldap_response: msgid=5 tag=101 err=0

Where is the problem?
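A loglevel 255 trace is hard to read by eye, but the lines that matter for one search operation are few: the do_search header, the SRCH base/scope, the filter and requested attributes, the bound DN from acl_mask, the ACL mask slapd computed, the return code of test_filter, and the err= in send_ldap_result. As an added example (not from the thread), the Python below parses exactly those lines out of slapd debug output and summarises each search. It is run over the relevant lines of the log posted above. test_filter logs an LDAP result code: 6 is compareTrue, 5 is compareFalse, and 50 is insufficientAccessRights, the code returned when the ACL does not grant search access to the attribute named in the filter; the client is still answered with err=0, just with no entry, which is why an LDAP browser reading the root DSE for subschemaSubentry sees an empty but "successful" answer.

```python
import re

# Lines taken from the slapd debug log (loglevel 255) posted above, trimmed to
# the ones the parser needs; the rest of the posted trace is not used here.
LOG = """\
Oct 27 18:55:08 hyperion slapd[8350]: conn=1000 op=4 do_search
Oct 27 18:55:08 hyperion slapd[8350]: SRCH "" 0 3
Oct 27 18:55:08 hyperion slapd[8350]: filter: (objectClass=*)
Oct 27 18:55:08 hyperion slapd[8350]: attrs:
Oct 27 18:55:08 hyperion slapd[8350]: subschemaSubentry
Oct 27 18:55:08 hyperion slapd[8350]:
Oct 27 18:55:08 hyperion slapd[8350]: => test_filter
Oct 27 18:55:08 hyperion slapd[8350]: => access_allowed: search access to "" "objectClass" requested
Oct 27 18:55:08 hyperion slapd[8350]: => acl_mask: to all values by "cn=admin,dc=weiss,dc=homelinux,dc=com", (=0)
Oct 27 18:55:08 hyperion slapd[8350]: <= acl_mask: [2] mask: =0
Oct 27 18:55:08 hyperion slapd[8350]: <= test_filter 50
Oct 27 18:55:08 hyperion slapd[8350]: send_ldap_result: err=0 matched="" text=""
"""

# LDAP search scopes as numbered in the SRCH line, and LDAP result codes that
# test_filter reports for the evaluation of the filter against one entry.
SCOPES = {0: "base", 1: "one", 2: "sub"}
TEST_FILTER_CODES = {
    6: "compareTrue: entry matched the filter and will be sent",
    5: "compareFalse: entry did not match the filter",
    50: "insufficientAccessRights: ACL denied search access to the filter attribute; entry silently omitted",
}


def _payload(line):
    """Strip the syslog prefix up to 'slapd[pid]: '; None if the line is not from slapd."""
    m = re.search(r"slapd\[\d+\]: ?(.*)$", line)
    return m.group(1).strip() if m else None


def parse_search_ops(log):
    """Collect one dict per do_search operation found in the trace."""
    ops, cur, reading_attrs = [], None, False
    for raw in log.splitlines():
        text = _payload(raw)
        if text is None:
            continue
        if reading_attrs:  # attribute names follow 'attrs:' one per line, ended by an empty line
            if text == "":
                reading_attrs = False
            else:
                cur["attrs"].append(text)
            continue
        m = re.match(r"conn=(\d+) op=(\d+) do_search", text)
        if m:
            cur = {"conn": int(m.group(1)), "op": int(m.group(2)), "attrs": [], "acl_masks": []}
            ops.append(cur)
            continue
        if cur is None:
            continue
        if m := re.match(r'SRCH "(.*)" (\d+) (\d+)', text):
            cur["base"] = m.group(1)
            cur["scope"] = SCOPES.get(int(m.group(2)), m.group(2))
        elif m := re.match(r"filter: (.*)", text):
            cur["filter"] = m.group(1)
        elif text == "attrs:":
            reading_attrs = True
        elif m := re.match(r'=> acl_mask: to all values by "([^"]*)"', text):
            cur["bound_dn"] = m.group(1)
        elif m := re.match(r"<= acl_mask: \[\d+\] mask: (\S+)", text):
            cur["acl_masks"].append(m.group(1))
        elif m := re.match(r"<= test_filter (\d+)", text):
            cur["test_filter"] = int(m.group(1))
        elif m := re.match(r"send_ldap_result: err=(\d+)", text):
            cur["err"] = int(m.group(1))
    return ops


def diagnose(op):
    """Human-readable summary of one parsed search operation."""
    code = op.get("test_filter")
    notes = [f"{op.get('scope', '?')} search on base '{op.get('base', '?')}' for "
             f"{op['attrs']} with filter {op.get('filter', '?')} by {op.get('bound_dn', '?')}"]
    notes.append(TEST_FILTER_CODES.get(code, f"test_filter returned {code}"))
    if code == 50 and op.get("err") == 0:
        notes.append(f"ACL mask {op['acl_masks']} on the entry; result err=0 with no entry, "
                     "so the client sees success but an empty answer")
    return notes


if __name__ == "__main__":
    for op in parse_search_ops(LOG):
        print(f"conn={op['conn']} op={op['op']}")
        for n in diagnose(op):
            print("  ", n)
```

Reading the posted trace this way: the browser did a base search on the root DSE ("") asking only for subschemaSubentry, the ACL mask computed for the bound DN on that entry was =0 (no access), test_filter returned 50, and the server still replied err=0. Checking the olcAccess rules that apply to the root DSE for that bound DN is therefore the next step, rather than the schema entry under cn=subschema, which ldapsearch already shows is readable.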