Is there any plan to do the openldap schema extensible?

Michael Ströder michael at
Tue Aug 25 08:14:29 MDT 2009

Andrew Bartlett wrote:
> On Mon, 2009-08-24 at 23:42 +0200, Alejandro wrote:
>> I'm testing samba4 with openldap backend. I want to develop a plugin for the
>> GOsa (, this project is a manager based on the openldap
>> tree.
>> One of the first things I see is that provision generates a single file for the
>> schema, making it hard for me to integrate with other schemas...
> Indeed.  Microsoft's AD schema is hard to integrate into other schemas,
> and Samba4 uses the AD schema. 
>> Is there any plan to make the openldap schema extensible and let it be used
>> in a deployed server?
> There are ways this can be done, but it's a lot of work.  For every area
> where Samba4 wants to move away from what AD does, we have to implement
> a mapping.  For the moment I'm encouraging those interested in admin
> tools to make them work with the AD schema.  

It's not only about the plain schema. Even when just thinking about an LDAP
client tool, some use cases are different:

1.1 Admin resets user's password via LDAP (MOD_REPLACE unicodePwd).
1.2 User sets new password via LDAP (MOD_DEL/MOD_ADD unicodePwd).
(This distinction is enforced by MS AD!)

2.1 Search tombstone entries (extended control 1.2.840.113556.1.4.417).
2.2 Restore tombstone entries (extended control 1.2.840.113556.1.4.417).

3. Temporarily deactivate user entry and manipulate other flags in

4. Various configuration stuff.

Sure there are more cases.

Upcoming web2ldap 1.1.0 handles the different use cases 1.1 and 1.2 for
setting unicodePwd and supports 2.1 by letting you search for tombstone
entries. 3. is done with a plugin class for userAccountControl for
manipulating flags in integer values. There are also some plugin classes which
allow tweaking configuration stuff (4.).

web2ldap now honours operational attribute 'allowedAttributesEffective' to
determine which attributes are editable for a bound user and
'allowedChildClasses' to determine which STRUCTURAL object classes can be used
for a new entry. Not sure whether Samba 4 already supports it. There was an
overlay added to OpenLDAP's HEAD CVS repository recently (see ITS#4730) which
implements this functionality for 'allowedAttributesEffective' and
'allowedAttributes'. Maybe this could also be helpful for Samba4.

This is all tested with MS AD but I'm not sure whether Samba4 now supports
reading the subschema subentry:

Ciao, Michael.

More information about the samba-technical mailing list
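The AD-specific client behaviour Michael lists (use cases 1.1, 1.2, 2.1 and 3 above) can be made concrete without a live directory. The following is an added example, not code from the post, from web2ldap or from Samba: it builds the modify lists and the search request a client would send, independent of any LDAP library. The operation codes are the RFC 4511 values, the userAccountControl bits and the show-deleted control OID are the well-known Microsoft values, and the DN and passwords are constructed sample input.

```python
"""Build the AD-specific LDAP requests discussed in the thread (added example)."""
from typing import Dict, List, Tuple

# ModifyRequest operation codes from RFC 4511.
MOD_ADD = 0
MOD_DELETE = 1
MOD_REPLACE = 2

# userAccountControl bit flags (well-known MS-ADTS values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000

# LDAP_SERVER_SHOW_DELETED_OID, the control named in the post for tombstones.
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"

# (operation, attribute type, values) as a client library would serialise it.
Modification = Tuple[int, str, List[bytes]]


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts unicodePwd only as the password wrapped in ASCII double
    quotes and encoded UTF-16-LE; any other encoding is rejected."""
    return f'"{password}"'.encode("utf-16-le")


def admin_reset_modlist(new_password: str) -> List[Modification]:
    """Use case 1.1: privileged reset. One MOD_REPLACE; the caller needs the
    'Reset Password' right and the old password is not required."""
    return [(MOD_REPLACE, "unicodePwd", [encode_unicode_pwd(new_password)])]


def user_change_modlist(old_password: str, new_password: str) -> List[Modification]:
    """Use case 1.2: self-service change. MOD_DELETE of the old value and
    MOD_ADD of the new one in a single ModifyRequest; AD checks that the
    deleted value matches the current password and applies password policy."""
    return [
        (MOD_DELETE, "unicodePwd", [encode_unicode_pwd(old_password)]),
        (MOD_ADD, "unicodePwd", [encode_unicode_pwd(new_password)]),
    ]


def set_uac_flags(current: int, set_mask: int = 0, clear_mask: int = 0) -> int:
    """Use case 3: flip individual bits of an integer flag attribute."""
    return (current | set_mask) & ~clear_mask


def disable_account_modlist(current_uac: int) -> List[Modification]:
    """Deactivate an account by setting UF_ACCOUNTDISABLE. The current value
    must be read first: userAccountControl is a single integer, so a blind
    MOD_REPLACE would clobber every other flag in it."""
    new_uac = set_uac_flags(current_uac, set_mask=UF_ACCOUNTDISABLE)
    return [(MOD_REPLACE, "userAccountControl", [str(new_uac).encode("ascii")])]


def tombstone_search_request(base_dn: str) -> Dict[str, object]:
    """Use case 2.1: without the show-deleted control, tombstones are
    invisible to a normal search even with an (isDeleted=TRUE) filter."""
    return {
        "base": base_dn,
        "scope": "subtree",
        "filter": "(isDeleted=TRUE)",
        # (OID, criticality, value); the control carries no value.
        "controls": [(SHOW_DELETED_OID, True, None)],
    }


if __name__ == "__main__":
    # Constructed sample input; no directory is contacted.
    print(admin_reset_modlist("N3w-Secret"))
    print(user_change_modlist("Old-Secret", "N3w-Secret"))
    print(disable_account_modlist(UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD))
    print(tombstone_search_request("dc=example,dc=com"))
```

Two practitioner caveats that the modlists do not show: AD refuses unicodePwd modifications over an unprotected connection, so either form must be sent over LDAPS/StartTLS or a sealed SASL bind, and the self-service form fails with a constraint violation when the supplied old value does not match, which is exactly the distinction between 1.1 and 1.2 that the post says a client tool has to expose.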