[Fedora-directory-users] How is access control done?

Jeff Clowser jclowser at unitedmessaging.com
Wed Oct 19 13:34:42 UTC 2005


speedy zinc wrote:

>Let's say, my apps have some specific needs for data,
>which is not covered by existing standard schema. So,
>I create extended schema. Let's say I have 3 apps
>right now, and I can't foresee what future apps will
>need in terms of schema definition.
>
>And let's say I've been using the FDS for 2 years, and
>have 20K users. Then I want to add new apps, which
>require to extend schema again. Assuming that I don't
>have to change any existing schema, do I have to
>rebuild the whole ldap directory, or can I just add
>the new schema, and tell the server that the new
>attributes are now allowed in
>inetOrgPerson/Person/posixAccount/etc?
If you are _extending_ your schema, you can add the new schema elements, 
then populate new and existing entries with the new fields and such.  
You do not have to rebuild your directory.  If you change the schema 
such that you remove some attributes, or change their type, etc, things 
get a little trickier, but in general, you shouldn't need to do this to 
add support for new apps.

I would recommend strongly against modifying existing objectclasses, 
especially standardized ones.  Instead, create a new objectclass that is 
inherited from the one you want to extend (or from objectclass top if 
it's something truly new).

>The important thing is, I don't want to rebuild
>anything, not to interrupt any service.
If you make the changes via console, they should take effect without 
even having to restart the server.  If you edit the schema files by hand, 
you have to restart the server for it to take effect.  Note that if your 
schema files are not just right, the server may not start.

>I see there are quite a few of Netscape schema, for
>specific apps, such as Collabra Server, etc. How do I
>add app-specific schema like that without rebuilding
>the directory? Or do I have to rebuild it every time a
>new schema is added?
If you add things via console, it adds to 99user.ldif.  But...  if you 
want to organize things a bit better, you can create separate files 
(say, 99appx.ldif for appx specific schema, etc).  You can craft these 
by hand, but it might be easier to create the schema in console on a 
test server, then copy/paste the appropriate definitions into a new file 
and drop that onto your production server.  You'll need a restart for 
this to take effect.

Somewhere along the line, schema in 99user.ldif started being replicated 
to replicas to keep the schema in sync.  Not sure if this happened 
before or after the Sun/Netscape split of the server.  Any custom files 
you create, plus the 99user.ldif (if it's not replicated) will have to 
be copied to replica servers.

>Please bear with me, I have no real life experience
>with LDAP, just learning here, and throw in the
>questions that I can't figure out from googling :)
Sure - everyone has to start somewhere :)

 - Jeff
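As an added illustration of the approach Jeff describes (not part of the original thread), here is what a separate per-app schema file such as 99appx.ldif looks like for Fedora Directory Server, followed by an LDIF modify that populates an existing inetOrgPerson entry with the new auxiliary class. The attribute and class names, the example DN and the OID arc 1.3.6.1.4.1.99999 are constructed placeholders; a real deployment uses an OID arc assigned to your organization.

```ldif
# --- 99appx.ldif (drop into the server's schema directory, then restart) ---
# Schema in FDS lives under cn=schema. The standard classes are left
# untouched; app-specific fields go into a new AUXILIARY class that
# inherits from top, so it can be attached to any existing entry.
dn: cn=schema
# 1.3.6.1.4.1.99999.* is a placeholder arc for this example only.
attributeTypes: ( 1.3.6.1.4.1.99999.1.1.1 NAME 'appxBadgeNumber'
  DESC 'constructed example: badge id used by appx'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  SINGLE-VALUE X-ORIGIN 'user defined' )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1.2 NAME 'appxRole'
  DESC 'constructed example: role names appx grants to this user'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
  X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.99999.1.2.1 NAME 'appxUser'
  DESC 'constructed example: appx-specific attributes'
  SUP top AUXILIARY
  MAY ( appxBadgeNumber $ appxRole )
  X-ORIGIN 'user defined' )

# --- populate an existing entry (ldapmodify input, not a schema file) ---
# No rebuild needed: the entry keeps its inetOrgPerson class and gains
# the auxiliary class plus the new values in one modify operation.
dn: uid=jdoe,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: appxUser
-
add: appxBadgeNumber
appxBadgeNumber: 4711
-
add: appxRole
appxRole: reader
```

Because the server refuses to start on a malformed schema file, validate the file on a test instance (or by loading the same definitions through the console there) before copying it to production and to each replica.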
