Previous topic |
Next topic |
Contents |
Contact z/OS |
Library |
PDF
Updating the schema z/OS IBM Tivoli Directory Server Administration and Use for z/OS SC23-6788-00 |
|
Attention Updating the schema, if not done properly, can result in being unable to access data. Read this section thoroughly to avoid this situation. When the z/OS® LDAP server is first started, the server supplies an initial schema. This initial schema is sufficient for usage of the SDBM (without RACF® custom fields), CDBM (with configuration related entries), and GDBM backends, but must be updated for usage of LDBM, TDBM, SDBM with RACF custom fields, and CDBM with user-defined entries. The schema files shipped with the LDAP server, schema.user.ldif and schema.IBM.ldif, might be sufficient for your usage of LDBM, CDBM, or TDBM. See Setting up the schema for LDBM, TDBM, and CDBM for more information about adding these files to the schema. If they are not sufficient, you can change the schema as needed. The schema entry is required and cannot be deleted. When in a sysplex, changes to the schema made at one LDAP server are broadcast to all the LDAP servers in the group. When deleting an attribute type or object class definition, you must provide just the object identifier enclosed in parentheses. Any additional fields that are specified are checked for appropriate syntax but are not used. The operations supported include adding, modifying, or deleting any object class, attribute type, or IBM® attribute type that is not part of the initial schema definition required by the LDAP server. Changes to the initial schema are restricted. See Changing the initial schema for more information. The modifications (additions, changes, and deletions) specified by the LDAP modify function are applied to the schema entry. The resulting schema entry becomes the active schema and is used by all backends to verify that directory changes adhere to it. Updates to the schema must be performed such that the schema fully resolves. This includes:
Modifications to the schema are rejected if they would possibly
make existing entries no longer valid. If there is an entry in a TDBM, CDBM, or LDBM backend that is using an attribute or object class:
Changing the initial schemaThe initial schema contains the ldapSyntaxes, matchingRules, attributeTypes, IBMAttributeTypes, and objectClasses needed by the LDAP server. See Initial LDAP server schema for the contents of the initial schema. The syntaxes, matching rules, attribute types, and IBM attribute types in the initial schema cannot
be deleted or modified. The object classes in the initial schema cannot
be deleted or modified, with the following exceptions:
These object classes allow the following fields to be modified:
Any part of a schema modification that attempts to add LDAP syntaxes or matching rules to the schema or to modify the initial schema except as described above is ignored, with no message issued to indicate this. The rest of the schema modification is performed and the result of those changes is returned to the client. Replacing individual schema valuesIt is often necessary to apply an updated schema file to an existing schema. Optimally, this would replace changed values in the existing schema with their updated values from the file and add new values from the file to the existing schema, leaving all other values in the existing schema unchanged. However, this is not the way the RFC 2251: Lightweight Directory Access Protocol (v3) definition for such a modify with replace operation works: the RFC requires that ALL the existing values in the schema be replaced by the values specified in the schema file. Therefore, the schema file must contain all the unchanged values from the schema in addition to the updated and new values so that no unchanged existing values are lost. To address this problem, the LDAP server supports two different
behaviors when using a modify with replace operation on the schema
entry:
In all cases, the values of the attribute that are in the initial LDAP server schema cannot be deleted and can only be modified in limited ways as described in Changing the initial schema. The behavior used by the LDAP server is selected in one of two
ways:
If neither the schemaReplaceByValue configuration option or the IBMschemaReplaceByValueControl control is specified, the default behavior is schema-replace-by-value. Example: assume that the objectclasses attribute for cn=schema contains the following values:
This
is to replace 'oldObjectclass1' and add a value for 'newObjectclass4'.This is the update file for the modify operation:
After the modify operation with schema-replace-by-value behavior,
the objectclasses attribute in the schema would have the following
values:
If the modify operation with traditional RFC behavior is performed
instead, the objectclasses attribute in the schema would end up with
the following values:
IBM attribute types are extensions to the attribute type definition. The IBM attribute type is deleted when the corresponding attribute type is deleted. IBM attribute types are always replaced by value even when schemaReplaceByValue off is specified in the LDAP server configuration file. This ensures that access class protection is not inadvertently removed from an existing attribute type. Updating a numeric object identifier (NOID)It might become necessary to update the numeric object identifier (NOID) of an attribute type or object class in the schema. This NOID change can be accomplished by a special modify operation. The modify operation must consist only of a value to delete followed by a value to add. The value to delete must specify the current NOID of the attribute type or object class whose NOID is to be changed; the value to add must specify the new NOID for the attribute type or object class, along with all the other parts of the attribute type or object class definition. For an attribute type, the NAME, SUP, EQUALITY, ORDERING, SUBSTR, and SYNTAX must be identical in the existing definition and the value to add. SINGLE-VALUE can be removed but not added. For an object class, NAME, SUP, MUST, MAY, and type (ABSTRACT, STRUCTURAL, or AUXILIARY) must be identical in the existing definition and the value to add. The entire attribute type or object class definition is replaced by the contents of the add. Note the object identifier assigned to an attribute type or object class cannot be changed if there are any directory entries using the attribute type or object class. Also, the object identifier of an attribute type or object class in the initial LDAP schema cannot be changed. As an example for changing the NOID of the xyz attribute
type from 1.3.5.7 to 2.4.6.8, the
update file for the modify operation is as follows:
Changing a NOID should not need to be done as part of normal LDAP server operations. It is intended to be used as an error recovery device for when an incorrect NOID has been added to the schema. Analyzing schema errorsFollowing is some information about the possible cause of some schema errors that might be encountered when updating schema:
|
Copyright IBM Corporation 1990, 2014
|