ldapschema(1)
NAME
ldapschema - determines the status of an LDAP schema on the LDAP directory
server and extends the LDAP directory server schema with new
attribute types and object classes.
SYNOPSIS
[options]
[options]
DESCRIPTION
The utility allows schema developers to define LDAP schemas using a
universal XML syntax, greatly simplifying the ability to support dif‐
ferent directory server variations. It can be used to query the cur‐
rent status of the LDAP schema on the LDAP directory server, as well as
extend the LDAP directory server schema with new attribute types and
object classes. The utility was designed to support directory servers
from several vendors and is currently supported with Netscape Directory
Server/Red Hat Directory Server and Microsoft Windows Active Directory
Server.
supports two modes of operation:
1. determines the current status of the LDAP schema on the LDAP direc‐
tory server. checks if any attribute types and object classes of
the LDAP schema are already installed on the LDAP server. Also, it
determines if definitions installed on the LDAP server match defini‐
tions specified in the schema definition file being queried.
2. adds definitions of attribute types and object classes that are not
yet installed on the LDAP server to that LDAP server's schema. Only
new valid attribute types and object classes can be added to the
LDAP server schema. To execute the utility in the most LDAP direc‐
tory servers require specifying the distinguished name and password
of an administrator who has permissions to modify the schema on that
server.
uses the following XML files:
· LDAP schema definition files (see the section below).
· Files containing matching rules and syntaxes supported on the LDAP
server in case the LDAP server does not provide them directly (see
the section below).
· Mapping rules for unsupported matching rules and syntaxes file (see
the section below).
This manpage describes the use of including the command line, environ‐
ment variables and the XML files format.
Required Command Options
requires these options:
Queries schema status on the LDAP directory server without applying any
changes to the LDAP directory server. Schema definition is
obtained from the specified schema file. See the section
for details.
Extends the LDAP directory server schema with attribute types and object
classes defined in the specified schema. Schema definition
is obtained from the schema file. See the section for
details. On most LDAP directory servers this option
requires specifying the option and either the or the option
to specify the credentials of an administrator who has
permissions to modify the schema on the directory server.
Specifies the type of LDAP directory server.
The following types of LDAP directory servers are fully
supported by
Type of Directory Server        ds_type
Active Directory Server         ads
Red Hat Directory Server        rhds
The utility may work with other types of LDAPv3 directory
servers, although its behavior has not been verified.
The names of the following LDAPv3 directory servers are
reserved for future support:
Type of Directory Server        ds_type
Oracle Internet Directory       oracle
Novell e-Directory              eDirectory
IBM Tivoli Directory Server     ibm
MAC OS X Directory Server       mac
Computer Associates DS          ca
Sun ONE Directory Server        sun
iPlanet Directory Server        iPlanet
Specifies the version of LDAP directory server.
The function compares the version specified by this option
and the version defined in the XML files the utility pro‐
cesses.
For example, the schema definition file contains the fol‐
lowing object class definition:
<objectClassDefinition>
<oid>1.2.345.6.789</oid>
<name>sampleObject</name>
<must>sampleAttributeA</must>
<must only="rhds" versionGreaterOrEqual="6.2">sampleAttributeB</must>
</objectClassDefinition>
If the utility is called with ds_version set to 6.2.1 the
sampleObject definition has two mandatory attributes, sam‐
pleAttributeA and sampleAttributeB. The returns a positive
integer, so sampleAttributeB is included in the definition
of the object class sampleObject.
On the other hand, if the utility is called with ds_version
set to 6.02.1 the sampleObject definition has only one
mandatory attribute, sampleAttributeA. The returns a nega‐
tive integer, so sampleAttributeB is not included in the
definition of the object class sampleObject.
The utility ignores ds_version if the LDAP directory server
version-specific attributes and are not used in the XML
files being processed (i.e., the schema definition files,
the LDAP directory server definition file and the mapping
rules file). If the XML files include any definitions with
attribute set, must return zero or a positive integer to
include directory-specific information in the LDAP schema
definition. If the XML files include any definitions with
attribute set, must return a negative integer to include
directory-specific information in the LDAP schema defini‐
tion. Also, and can be used simultaneously to define a
range of versions of the LDAP directory server. See the
section for details.
Additional Options (Optional)
support these additional options:
Specifies the LDAP directory server hostname or IP address.
Default: localhost
Specifies the LDAP directory server TCP port number.
Default: 389 for regular connections, 636 for SSL connec‐
tions.
Specifies the distinguished name of an administrator who has permissions
to read and modify LDAP directory server schema.
Reads administrator's password from the specified file
(for simple authentication).
Reads the administrator's password from the prompt
(for simple authentication).
Establishes an SSL-encrypted connection.
Starts TLS request.
Enforces start of TLS request (requires successful server response).
Specifies path to SSL certificate database containing cert8.db and
key3.db files.
Default:
Verifies hostnames in SSL certificates.
Disables syntax substitution in attribute types.
Normally, if an attribute type uses an LDAP syntax not sup‐
ported on the LDAP directory server, it is mapped to use a
higher-level (more inclusive) syntax supported by that
server. If this option is specified, any attribute types
that use unsupported LDAP syntax will not be added to the
LDAP directory server schema. See the section for more
details.
Disables matching rule substitution in attribute types.
Normally, if an attribute type uses a matching rule not
supported on the LDAP directory server, it is mapped to use
a higher-level (less specific) matching rule supported by
that server. If this option is specified, any attribute
types that use unsupported matching rules will not be added
to the LDAP directory server schema. See the section for
more details.
Stores schema extension instructions in the specified file.
File format depends on the vendor and version of the LDAP
directory server (usually LDIF). When this option is spec‐
ified, will not apply any changes to the LDAP directory
server or its schema.
This option requires specifying the option. If filename is
set to a dash the output is redirected to standard output;
otherwise, it is stored in the specified filename.
Forces installation of schema even if it contains any invalid attribute
type or object class definitions, or the LDAP directory
server already has some of its components installed and
their definitions are different from those specified in the
schema file.
Displays verbose information to standard output.
To extend schema on the LDAP server, HP recommends the following
process:
1. Execute in query mode (use the option) first to determine the over‐
all status of the schema.
2. Correct any invalid attribute type or object class definitions, if
present.
3. Execute in extend mode (use the option) to install new schema ele‐
ments on the LDAP server.
Extending schema containing invalid or incompatible attribute types or
object classes is not recommended. To install elements defined in a
schema file containing invalid or incompatible definitions requires
specifying the force option
SECURITY
For security reasons, the LDAP administrator password may not be speci‐
fied on the command line. It can be specified at the prompt (using the
option), in a file (using or using the environmental variable described
in the section below.
CONFIGURATION VARIABLES
The utility tool recognizes the following shell environmental vari‐
ables.
Distinguished name of an administrator who has permissions to read and
modify LDAP directory server schema.
The password for the above privileged LDAP user.
The host name of the LDAP directory server.
uses the following format:
If port is not specified, the default port number is 389
for regular connections, or 636 for SSL connections.
Options specified on the command line override the environmental vari‐
ables. For example, if is specified on the command line, and environ‐
mental variable is set, the password of the LDAP directory server
administrator is obtained from file name
SCHEMA DEFINITION FILE
The utility queries and extends the LDAP directory server based on the
XML schema definition file. The schema argument used with the or
option must correspond to the XML file containing the appropriate
schema definition.
Each schema definition file must adhere to the Document Type Definition
(DTD) template specified in the file. So every XML file used by must
include as its DTD. See line 2 in the example below.
WARNING: Every XML file used with the utility must include file
as its DTD template. Do not modify this file, or create your
own DTD template file. File is created to validate attribute
type and object class definitions before they can be added to
the LDAP directory server schema. Altering this file will cause
to fail.
The schema definition, enclosed by the tags, specifies the schema name,
schema description and schema source, followed by any number of
attribute type and object class definitions.
There are no restrictions on the schema name, description and source
XML tag. See lines 6-8 in the example below. These tags are optional.
Schema source is used to specify the field of extended attribute types
and object classes, if used.
After general schema information is specified, attribute types, if any,
must be specified followed by any object class definitions. The exam‐
ple below defines two attribute types, printer-name (lines 10-19) and
printer-aliases (lines 21-29), followed by one object class printerLPR
(lines 31-38) as specified in RFC 3712.
Line 1: <?xml version="1.0" encoding="UTF-8"?>
Line 2: <!DOCTYPE schemaDefinition SYSTEM "/etc/opt/ldapux/schema/schema.dtd">
Line 3:
Line 4: <schemaDefinition>
Line 5:
Line 6: <schemaName>rfc3712</schemaName>
Line 7: <schemaDescription>Printer Services Schema</schemaDescription>
Line 8: <schemaSource>RFC 3712</schemaSource>
Line 9:
Line 10: <attributeTypeDefinition>
Line 11: <oid>1.3.18.0.2.4.1135</oid>
Line 12: <name>printer-name</name>
Line 13: <desc>A site-specific administrative name of this printer</desc>
Line 14: <equality>caseIgnoreMatch</equality>
Line 15: <substr>caseIgnoreSubstringsMatch</substr>
Line 16: <syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
Line 17: <length>127</length>
Line 18: <singleValued/>
Line 19: </attributeTypeDefinition>
Line 20:
Line 21: <attributeTypeDefinition>
Line 22: <oid>1.3.18.0.2.4.1108</oid>
Line 23: <name>printer-aliases</name>
Line 24: <desc>Names in addition to the printer-name value</desc>
Line 25: <equality>caseIgnoreMatch</equality>
Line 26: <substr>caseIgnoreSubstringsMatch</substr>
Line 27: <syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
Line 28: <length>127</length>
Line 29: </attributeTypeDefinition>
Line 30:
Line 31: <objectClassDefinition>
Line 32: <oid>1.3.18.0.2.6.253</oid>
Line 33: <name>printerLPR</name>
Line 34: <desc>LPR information</desc>
Line 35: <type>AUXILIARY</type>
Line 36: <must>printer-name</must>
Line 37: <may>printer-aliases</may>
Line 38: </objectClassDefinition>
Line 39:
Line 40: </schemaDefinition>
Lines 1-2 are required in every schema definition file. Attribute type
and object class definitions closely follow the format specified in RFC
2252. Values specified for all XML tags, except the fields must not be
quoted. Only the description field (enclosed by tags) can contain spa‐
ces.
Defining Attribute Types
Each can contain the following case-sensitive tags, in the order speci‐
fied:
Required. Exactly one numeric id must be specified. value must
adhere to RFC 2252 format specification.
Required. At least one attribute type name must be specified. Do
not use quotes around the name values. value must
adhere to RFC 2252 format specification.
Optional. At most one display name can be specified. This tag
specifies a display name of the attribute type used by
LDAP clients and administrative tools. Currently,
applies only to Active Directory Server (ADS) to specify
lDAPDisplayName and adminDisplayName if different from
the value.
Optional. At most one description can be specified. Do not use
quotes around the description value.
Optional, use only if applicable.
Obsolete attribute types cannot be used in definitions
of any other attribute types or object classes. At most
one obsolete flag can be specified.
Optional, use if an attribute type has a super-type.
At most one super-type can be specified. The specified
super-type must already exist on the LDAP directory
server, or its definition must be specified in the same
schema definition file.
Optional. At most one equality rule can be specified.
Optional. At most one ordering rule can be specified.
Optional. At most one substrings rule can be specified.
Required if an attribute type has no super-type.
At most one LDAP syntax can be specified.
Optional. Indicates the maximum length of a value of this
attribute. RFC 2252 specifies this value in curly
braces following the attribute type's syntax. For
instance, can be expressed using the following tags:
<syntax>1.3.6.4.1.1466.0</syntax>
<length>64</length>
At most one attribute length can be specified. must
contain a positive integer value.
Optional, use if the
flag is set. At most one flag can be specified.
Optional, use if the
flag is set. At most one collective flag can be speci‐
fied.
Optional, use if the
flag is set. At most one flag can be specified.
Optional, must contain one of the following possible values:
or At most one value can be specified.
Optional, use if an attribute type requires indexing.
At most one flag can be set.
Optional, use to specify any directory-specific information about the
attribute type. See the section for details.
Each attribute type definition must meet the following conditions in
order to be added to the LDAP directory server schema:
· The attribute type has a numeric OID which adheres to RFC 2252 for‐
mat specification.
· The attribute type has at least one name. Each name must adhere to
RFC 2252 format specification.
· No other attribute types in the schema definition file or on the
LDAP directory server have the same OID or any of its name values.
· The super-type used by this attribute type is defined.
· The attribute type specifies either an LDAP syntax value or a super-
type. Some directory servers, for example ADS, do not support
attribute type inheritance. For such directory servers, the LDAP
syntax for the sub-type attribute is obtained from the super-type
definition and the super-type/sub-type relationship is ignored.
· The matching rules and syntaxes used by this attribute type are sup‐
ported by the LDAP directory server. See the section for details.
· The inheritance hierarchy has no cycles (no circular dependencies
exist in the super-class/sub-class relationships).
· If the attribute type has a super-type, they both have the same
value.
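Added example (not part of the original manpage and not the utility's own code): a Python pre-flight check that applies the OID, name, uniqueness, super-type, syntax and cycle conditions listed above to definitions before they are submitted in extend mode. It assumes the definitions are already parsed into dictionaries; the key names (oid, names, sup, syntax), the function names and the 1.2.3.x entries are constructed for this example.

```python
import re

# Dotted-decimal numeric OID such as 1.3.18.0.2.4.1135 (simplified format check).
NUMERIC_OID = re.compile(r"^[0-9]+(\.[0-9]+)+$")

DIRECTORY_STRING = "1.3.6.1.4.1.1466.115.121.1.15"

# The first two entries come from the rfc3712 example; the rest are constructed.
SAMPLE_DEFINITIONS = [
    {"oid": "1.3.18.0.2.4.1135", "names": ["printer-name"], "syntax": DIRECTORY_STRING},
    {"oid": "1.3.18.0.2.4.1108", "names": ["printer-aliases"], "syntax": DIRECTORY_STRING},
    {"oid": "1.3.18.0.2.4.1135", "names": ["dupOid"], "syntax": DIRECTORY_STRING},
    {"oid": "printer.oid", "names": ["badOid"], "syntax": DIRECTORY_STRING},
    {"oid": "1.2.3.1", "names": ["loopA"], "sup": "loopB"},
    {"oid": "1.2.3.2", "names": ["loopB"], "sup": "loopA"},
    {"oid": "1.2.3.3", "names": ["orphan"], "sup": "missingType"},
    {"oid": "1.2.3.4", "names": ["bare"]},
    {"oid": "1.2.3.5", "names": ["cn"], "syntax": DIRECTORY_STRING},
]


def _in_cycle(definition, by_name):
    """Follow the super-type chain inside the file; True if it revisits an entry."""
    visited = set()
    current = definition
    while current is not None and current.get("sup"):
        if id(current) in visited:
            return True
        visited.add(id(current))
        current = by_name.get(current["sup"].lower())
    return False


def validate_attribute_types(definitions, server_oids=(), server_names=()):
    """Return {name: [problems]} for every definition that fails a condition."""
    server_lower = {n.lower() for n in server_names}  # LDAP names are case-insensitive
    by_name = {}
    for d in definitions:
        for name in d.get("names", []):
            by_name.setdefault(name.lower(), d)
    seen_oids = set(server_oids)
    seen_names = set(server_lower)
    problems = {}
    for d in definitions:
        errors = []
        oid = d.get("oid", "")
        names = d.get("names", [])
        if not NUMERIC_OID.match(oid):
            errors.append("OID is not numeric")
        elif oid in seen_oids:
            errors.append("OID already in use")
        seen_oids.add(oid)
        if not names:
            errors.append("no name")
        for name in names:
            if name.lower() in seen_names:
                errors.append("name already in use: " + name)
            seen_names.add(name.lower())
        sup = d.get("sup")
        if sup is None:
            if not d.get("syntax"):
                errors.append("neither syntax nor super-type")
        elif sup.lower() not in by_name and sup.lower() not in server_lower:
            errors.append("super-type not defined: " + sup)
        elif _in_cycle(d, by_name):
            errors.append("super-type cycle")
        if errors:
            problems[names[0] if names else oid] = errors
    return problems
```

Pass the OIDs and names already present on the server (for example from a schema search) as server_oids and server_names so collisions with installed definitions are reported as well.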
Defining Object Classes
Each can contain the following case-sensitive tags, in the order speci‐
fied:
Required. Exactly one numeric id must be specified. value must
adhere to RFC 2252 format specification.
Required. At least one object class name must be specified. Do
not use quotes around the name values. value must
adhere to RFC 2252 format specification.
Optional. At most one display name can be specified. This tag
specifies a display name of the object class used by
LDAP clients and administrative tools. Currently,
applies only to Active Directory Server (ADS) to specify
lDAPDisplayName and adminDisplayName if different from
the value.
Optional. At most one description can be specified. Do not use
quotes around the description value.
Optional, use only if applicable.
Obsolete object classes cannot be used in definitions of
any other object classes. At most one obsolete flag can
be specified.
Optional, use if an object class has super-classes.
The specified super-class must already exist on the LDAP
directory server, or its definition must be specified
in the same schema definition file.
Optional, must contain one of the following possible values:
At most one type value can be specified.
Optional, use if an object class has mandatory attributes.
The specified attributes must already exist on the LDAP
directory server, or their definitions must be specified
in the same schema definition file.
Optional, use if an object class has optional attributes.
The specified attributes must already exist on the LDAP
directory server, or their definitions must be specified
in the same schema definition file.
Optional. Defines the recommended attribute to use for the Rela‐
tive Distinguished Name (RDN) for new entries created
with this object class. Currently, applies only to
Active Directory Server (ADS). At most one RDN can be
specified.
Optional, applies to
object classes only. This tag is used to extend an
object class already defined in the LDAP server schema
with this new AUXILIARY object class. Currently,
applies only to Active Directory Server (ADS) to include
the new AUXILIARY class as an in the definition of
another object class already defined in the LDAP server
schema.
Optional, use to specify any directory-specific information about the
attribute type. See the section for details.
Each object class definition must meet the following conditions in
order to be added to the LDAP directory server schema:
· The object class has a numeric OID which adheres to RFC 2252 format
specification.
· The object class has at least one name. Each name must adhere to
RFC 2252 format specification.
· No other object classes in the schema definition file or on the LDAP
directory server have the same OID or any of its name values.
· The super-class(es) used by this object class are defined.
· The attribute(s) used by this object class are defined.
· The inheritance hierarchy has no cycles (no circular dependencies
exist in the super-class/sub-class relationships).
· An object class can specify only object class(es) as its super-
class(es).
· An object class can specify or object class(es) as its super-
class(es).
· A object class can specify or object class(es) as its super-
class(es).
Predefined Schema Definition Files
The following LDAP schema definition files are delivered with the LDAP-
UX product:
· /etc/opt/ldapux/schema/rfc2256.xml
· /etc/opt/ldapux/schema/rfc2307.xml
· /etc/opt/ldapux/schema/rfc2307-bis.xml
· /etc/opt/ldapux/schema/rfc2926.xml
· /etc/opt/ldapux/schema/rfc3712.xml
These files are provided as examples to demonstrate how to define new
LDAP schema definition files to use with the utility. Since these
files define attribute types and object classes that come pre-installed
on most LDAP directory servers they are not intended for extending the
LDAP directory server schema. Instead, these files are provided for
reference when creating the new schema definition files to query and
extend the LDAP directory server schema with the new attribute type and
object class definitions.
SPECIFYING DIRECTORY-SPECIFIC INFORMATION
Attribute type and object class definitions can be extended with direc‐
tory-specific information using the tag. This is useful to maintain a
single schema definition file for different types and versions of LDAP
directory servers. The following example illustrates how a single
attribute type definition can be altered to support Red Hat Directory
Server and Active Directory Server directory server specific defini‐
tions simultaneously.
Line 1: <attributeTypeDefinition>
Line 2: <oid>1.23.456.7.89101112.1.314.1.51.6</oid>
Line 3: <name>sampleAttribute</name>
Line 4: <displayName only="ads"
Line 5: versionGreaterOrEqual="2003">my-sample-attribute</displayName>
Line 6: <equality>caseIgnoreMatch</equality>
Line 7: <syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
Line 8: <dsSpecific vendor="rhds" versionGreaterOrEqual="6.2"
Line 9: versionLessThan="7.1">
Line 10: <field attr="X-ORIGIN">'Custom Schema'</field>
Line 11: </dsSpecific>
Line 12: <dsSpecific vendor="ads" versionLessThan="2003">
Line 13: <field attr="systemOnly">TRUE</field>
Line 14: <field attr="rangeLower">256</field>
Line 15: </dsSpecific>
Line 16: <dsSpecific vendor="ads" versionGreaterOrEqual="2003">
Line 17: <field attr="rangeLower">512</field>
Line 18: </dsSpecific>
Line 19: </attributeTypeDefinition>
On Red Hat Directory Server 6.2 through 7.0, the flag for the sampleAt‐
tribute will be set to as specified in the field. On Red Hat Directory
Server 6.1 and earlier, or 7.1 and later, the flag for sampleAttribute
will be set to the value specified in the tag.
On Active Directory Server 2000, the sampleAttribute is added using the
same display name as specified by the value, with attribute set to and
attribute set to
On Active Directory Server 2003, the sampleAttribute is added using my-
sample-attribute display name, with attribute set to and attribute set
to which is the default value.
Also, since syntax is not supported on the ADS, it is mapped to the
corresponding Directory String syntax supported on ADS, which is See
the section for details.
Directory specific information can also be specified in the object
class definitions.
Line 1: <objectClassDefinition>
Line 2: <oid>1.23.456.7.89101112.1.314.1.51.7</oid>
Line 3: <name>sampleObject</name>
Line 4: <must only="ads">serverRole</must>
Line 5: <must not="ads">userPassword</must>
Line 6: <may>sampleAttribute</may>
Line 7: <dsSpecific vendor="ads">
Line 8: <field attr="systemOnly">TRUE</field>
Line 9: </dsSpecific>
Line 10: </objectClassDefinition>
On Active Directory Server, this object class has a mandatory attribute
type serverRole and an optional attribute sampleAttribute. On all
other types of directory servers, this object class has a mandatory
attribute type userPassword and an optional attribute sampleAttribute.
Also, on Active Directory Server this object class has the attribute
set to
WARNING: Directory-specific attributes and values specified using
fields are not validated. Make sure the values specified in these
fields are legitimate and adhere to the LDAP directory server rules.
The field value must be specified exactly as it is to appear in the
attribute type or object class definition, using single and double
quotes as applicable. attributes and values override the default
attribute type and object class configurations. For instance, on
Active Directory Server the setting by default is set to However, spec‐
ifying
<dsSpecific vendor="ads">
<field attr="isDefunct">TRUE</field>
</dsSpecific>
will override this default setting and will result in the element being
defunct (i.e. obsolete).
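Added example (not part of the original manpage and not the utility's own code): a Python sketch of how the only, not, vendor, versionGreaterOrEqual and versionLessThan attributes select elements for one server type and version, run over the two sample definitions from this section. It assumes versions are compared as plain strings, which is consistent with the 6.2.1 and 6.02.1 cases described for the version option; all function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed from the two definitions shown in this section ("Line N:" prefixes removed).
SAMPLE = """<schemaDefinition>
<attributeTypeDefinition>
  <oid>1.23.456.7.89101112.1.314.1.51.6</oid>
  <name>sampleAttribute</name>
  <displayName only="ads" versionGreaterOrEqual="2003">my-sample-attribute</displayName>
  <equality>caseIgnoreMatch</equality>
  <syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
  <dsSpecific vendor="rhds" versionGreaterOrEqual="6.2" versionLessThan="7.1">
    <field attr="X-ORIGIN">'Custom Schema'</field>
  </dsSpecific>
  <dsSpecific vendor="ads" versionLessThan="2003">
    <field attr="systemOnly">TRUE</field>
    <field attr="rangeLower">256</field>
  </dsSpecific>
  <dsSpecific vendor="ads" versionGreaterOrEqual="2003">
    <field attr="rangeLower">512</field>
  </dsSpecific>
</attributeTypeDefinition>
<objectClassDefinition>
  <oid>1.23.456.7.89101112.1.314.1.51.7</oid>
  <name>sampleObject</name>
  <must only="ads">serverRole</must>
  <must not="ads">userPassword</must>
  <may>sampleAttribute</may>
  <dsSpecific vendor="ads">
    <field attr="systemOnly">TRUE</field>
  </dsSpecific>
</objectClassDefinition>
</schemaDefinition>"""


def compare_versions(a, b):
    """Assumed semantics: character-by-character string comparison.

    Returns a positive, zero or negative integer. "6.02.1" sorts before "6.2",
    and "10.0" sorts before "9.0", so version strings must use one format.
    """
    return (a > b) - (a < b)


def applies(elem, ds_type, ds_version):
    """True if the element is meant for this server type and version."""
    only = elem.get("only") or elem.get("vendor")
    if only is not None and only != ds_type:
        return False
    if elem.get("not") == ds_type:
        return False
    lower = elem.get("versionGreaterOrEqual")
    if lower is not None and compare_versions(ds_version, lower) < 0:
        return False
    upper = elem.get("versionLessThan")
    if upper is not None and compare_versions(ds_version, upper) >= 0:
        return False
    return True


def resolve(definition, ds_type, ds_version):
    """Collapse one definition to the tags and dsSpecific fields that apply."""
    result = {"fields": {}}
    for child in definition:
        if not applies(child, ds_type, ds_version):
            continue
        if child.tag == "dsSpecific":
            for field in child.findall("field"):
                result["fields"][field.get("attr")] = field.text
        else:
            result.setdefault(child.tag, []).append((child.text or "").strip())
    return result


def resolve_by_name(xml_text, name, ds_type, ds_version):
    """Find the definition called `name` and resolve it for the given server."""
    for definition in ET.fromstring(xml_text):
        if definition.findtext("name") == name:
            return resolve(definition, ds_type, ds_version)
    raise KeyError(name)
```

Resolving the same file for each target server before running extend mode shows exactly which unvalidated dsSpecific fields, such as systemOnly, would be sent to that server.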
LDAP DIRECTORY SERVER DEFINITION FILE
In order to properly install new attribute types on the LDAP directory
server schema, the utility needs to determine whether the LDAP server
supports the matching rules and LDAP syntaxes used by the new attribute
type definitions. The utility performs an LDAP search for supported
matching rules and syntaxes on the LDAP server. However, some types of
directory servers do not provide this information as part of the
search. Perform the following command to determine if your directory
server returns information about supported matching rules and LDAP syn‐
taxes:
First, determine the
Then, obtain the list of supported matching rules and LDAP syntaxes:
If the latter search does not return a complete listing of sup‐
ported matching rules and LDAP syntaxes, they need to be speci‐
fied in the file, where ds_type corresponds to the same value
specified with the option on the command line when executing the
utility.
The LDAP directory server definition, enclosed by the tags, may
specify the schema description, followed by any number of sup‐
ported matching rules and LDAP syntax definitions.
Using Active Directory Server as an example, run with the
option, so the corresponding directory server definition is
obtained from file provided with the utility.
After general schema information is specified, supported match‐
ing rules, if any, must be specified followed by any supported
LDAP syntaxes definitions. The example below defines two syn‐
taxes supported on ADS (lines 8-12 and 14-18).
Line 1: <?xml version="1.0" encoding="UTF-8"?>
Line 2: <!DOCTYPE dsSchemaDefinition SYSTEM "/etc/opt/ldapux/schema/schema.dtd">
Line 3:
Line 4: <dsSchemaDefinition>
Line 5:
Line 6: <schemaDescription>ADS Syntaxes</schemaDescription>
Line 7:
Line 8: <syntaxDefinition>
Line 9: <oid>2.5.5.1</oid>
Line 10: <desc>Distinguished Name</desc>
Line 11: <oMSyntax>127</oMSyntax>
Line 12: </syntaxDefinition>
Line 13:
Line 14: <syntaxDefinition>
Line 15: <oid>2.5.5.2</oid>
Line 16: <desc>Object Identifier</desc>
Line 17: <oMSyntax>6</oMSyntax>
Line 18: </syntaxDefinition>
Line 19:
Line 20: </dsSchemaDefinition>
Lines 1-2 are required in every LDAP directory server definition
file. LDAP syntax and matching rules definitions closely follow
the format specified in RFC 2252. Values specified for all XML
tags must not be quoted. Only the description field (enclosed
by tags) can contain spaces.
Defining LDAP Syntaxes
Each can contain the following case-sensitive tags, in the order speci‐
fied:
Required. Exactly one numeric id must be specified.
Optional. At most one description can be specified.
Required on ADS only, ignored on other types of LDAP directory servers.
Defining Matching Rules
Each can contain the following case-sensitive tags, in the order speci‐
fied:
Required. Exactly one numeric id must be specified.
Required. At least one matching rule type name must be specified.
Do not use quotes around the name values.
Optional. At most one description can be specified.
Optional, use only if applicable.
Obsolete matching rules cannot be used in definitions of
any other attribute types. At most one obsolete flag
can be specified.
Required. Specified LDAP syntax must also be supported on the LDAP
directory server. At most one LDAP syntax can be speci‐
fied per matching rule definition.
Only syntaxes and matching rules fully supported by the LDAP directory
server can be specified in this file. Attributes and can be used to
specify directory-specific information.
See for an example of LDAP directory server definition files.
MAPPING UNSUPPORTED MATCHING RULES AND LDAP SYNTAXES
If matching rules and/or LDAP syntaxes used in attribute type defini‐
tions in the schema definition file are not supported on the LDAP
directory server, they need to be mapped to use alternate matching
rules and syntaxes the LDAP server does support.
The matching rules are specified in or tags in the attribute type defi‐
nition. The LDAP syntax is specified in the tag. The mapping rules
that determine how the matching rules and syntaxes are replaced are
specified in file. If cannot successfully map the attribute's matching
rules and syntax, will not be able to add the attribute type to the
LDAP directory server schema.
The purpose of the mapping rules file is to allow an LDAP schema to be
installed on an LDAP directory server even if some of the matching rules
and LDAP syntaxes used in the definition of that schema are not sup‐
ported by the directory server. File uses the following mapping rules
guideline:
· map more restrictive syntaxes to less restrictive syntaxes
· map more specific matching rules to less specific matching rules
For example, the Integer syntax contains a subset of characters of the
IA5 string syntax. Therefore, it is acceptable to map the Integer syn‐
tax to the IA5 string syntax, since the IA5 string syntax is a superset
of the Integer syntax.
The following example illustrates a sample file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE mappingPolicies SYSTEM "schema.dtd">
<mappingPolicies>
<defaultMatchingRulesReplacements>
<defaultMatchingRule>
<matchingRule>caseIgnoreMatch</matchingRule>
</defaultMatchingRule>
</defaultMatchingRulesReplacements>
<defaultSyntaxesReplacements>
<defaultSyntax only="ads">
<syntax>2.5.5.12</syntax>
<desc>Active Directory String syntax.</desc>
<oMSyntax>64</oMSyntax>
</defaultSyntax>
<defaultSyntax not="ads">
<syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
<desc>Directory String syntax.</desc>
</defaultSyntax>
</defaultSyntaxesReplacements>
<matchingRulesReplacements>
<matchingRules>
<matchingRule>integerMatch</matchingRule>
<subRule>
<matchingRule>numericStringMatch</matchingRule>
</subRule>
</matchingRules>
</matchingRulesReplacements>
<syntaxesReplacements>
<syntaxes>
<syntax>1.3.6.1.4.1.1466.115.121.1.26</syntax>
<desc>IA5 String syntax.</desc>
<equivSyntax>
<syntax>2.5.5.5</syntax>
<desc>Active Directory IA5 String LDAP Syntax.</desc>
<oMSyntax>22</oMSyntax>
</equivSyntax>
<subSyntax>
<syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
<desc>Directory String syntax.</desc>
</subSyntax>
</syntaxes>
</syntaxesReplacements>
</mappingPolicies>
If any mapping rules or the syntax used by an attribute type are not
supported on the LDAP server, the utility checks if the appropriate
substitution rule is specified in the file. If it is specified,
locates the first available matching rule or syntax supported on the
LDAP server, and uses it in the attribute type definition instead. If
the substitution rule is not specified, or if the substitution matching
rules or syntaxes are not supported on the LDAP server, checks if the
default substitution can be used.
Attributes and can be used to specify directory-specific information
stored in and tags. If the default substitution is supported on the
LDAP server, it is used in the attribute type definition instead. If
even the default substitution is not supported on the LDAP server, the
attribute type cannot be added to the LDAP directory server schema.
For example, an attribute type with IA5String syntax is being installed
on ADS, where this syntax oid is not supported. will try using the
first equivalent or substitution syntax supported by the target LDAP
server as specified in file. The specified equivalent syntax with
value of is supported on ADS and will be used in place of the original
syntax value when installing this attribute type definition on ADS.
As another example, an attribute type with a equality matching
rule is being installed on the LDAP server where this matching rule
is not supported. Since no substitution policy is specified for this
matching rule in the example above, the default substitution matching
rule, would be used instead, if the LDAP server supports it. If the
LDAP server does not support that attribute type cannot be installed on
the LDAP server, unless its definition is modified to use another sup‐
ported equality matching rule.
If the option is specified, syntax substitution in attribute types is
disabled. Any attribute types with unsupported LDAP syntaxes will not
be added to the LDAP directory server schema. The option disables
matching rule substitution. Any attribute types with unsupported
matching rules will not be added to the LDAP directory server schema.
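Added example (not part of the original manpage and not the utility's own code): a Python sketch of the substitution order described in this section, run against the sample mapping file above: use the item as is if the server supports it, otherwise the first supported alternative from an explicit rule, otherwise a supported default. The sets of supported syntaxes and matching rules passed in, the function names and the allow_substitution parameter (standing in for the two disable options) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# The sample mapping file from this section, without the XML prolog and DOCTYPE.
POLICIES = ET.fromstring("""<mappingPolicies>
<defaultMatchingRulesReplacements>
<defaultMatchingRule>
<matchingRule>caseIgnoreMatch</matchingRule>
</defaultMatchingRule>
</defaultMatchingRulesReplacements>
<defaultSyntaxesReplacements>
<defaultSyntax only="ads">
<syntax>2.5.5.12</syntax>
<desc>Active Directory String syntax.</desc>
<oMSyntax>64</oMSyntax>
</defaultSyntax>
<defaultSyntax not="ads">
<syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
<desc>Directory String syntax.</desc>
</defaultSyntax>
</defaultSyntaxesReplacements>
<matchingRulesReplacements>
<matchingRules>
<matchingRule>integerMatch</matchingRule>
<subRule>
<matchingRule>numericStringMatch</matchingRule>
</subRule>
</matchingRules>
</matchingRulesReplacements>
<syntaxesReplacements>
<syntaxes>
<syntax>1.3.6.1.4.1.1466.115.121.1.26</syntax>
<desc>IA5 String syntax.</desc>
<equivSyntax>
<syntax>2.5.5.5</syntax>
<desc>Active Directory IA5 String LDAP Syntax.</desc>
<oMSyntax>22</oMSyntax>
</equivSyntax>
<subSyntax>
<syntax>1.3.6.1.4.1.1466.115.121.1.15</syntax>
<desc>Directory String syntax.</desc>
</subSyntax>
</syntaxes>
</syntaxesReplacements>
</mappingPolicies>""")

# Where explicit rules and defaults live for each kind of item.
PATHS = {
    "syntax": ("syntaxesReplacements/syntaxes",
               "defaultSyntaxesReplacements/defaultSyntax"),
    "matchingRule": ("matchingRulesReplacements/matchingRules",
                     "defaultMatchingRulesReplacements/defaultMatchingRule"),
}


def _for_server(elem, ds_type):
    """Honour the only/not attributes on a candidate element."""
    only, excluded = elem.get("only"), elem.get("not")
    return (only is None or only == ds_type) and excluded != ds_type


def substitute(kind, value, supported, ds_type, allow_substitution=True):
    """Return (value_to_install, how) or None if the attribute cannot be added.

    kind is "syntax" or "matchingRule"; how is "native", "substitution"
    or "default", so widened definitions can be reviewed before installing.
    """
    if value in supported:
        return value, "native"
    if not allow_substitution:
        return None
    rules_path, default_path = PATHS[kind]
    for rule in POLICIES.findall(rules_path):
        if rule.findtext(kind) != value:
            continue
        # Alternatives are tried in file order; the first supported one wins.
        for alt in rule:
            candidate = alt.findtext(kind)
            if candidate in supported and _for_server(alt, ds_type):
                return candidate, "substitution"
    for default in POLICIES.findall(default_path):
        candidate = default.findtext(kind)
        if candidate in supported and _for_server(default, ds_type):
            return candidate, "default"
    return None
```

Because every substitution moves to a less restrictive syntax or a less specific matching rule, any result other than "native" means the server will accept values the original definition would have rejected.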
EXAMPLES
To query the status of RFC 3712 schema on the Red Hat Directory Server
7.1, execute the following command:
Note that LDAP directory server version number bears no effect unless
also specified in the XML files being processed. Version specification
must follow the same format as version specification used in the and
files.
To extend Windows 2000 Active Directory Server with custom schema, fol‐
low the following procedure:
1. Create schema definition file containing attribute type and object
class definitions for schema (i.e.
2. Recommended: Query the current status of schema on the server:
3. Based on the results produced by Step 2, correct any invalid defini‐
tions.
4. Extend the Active Directory Server schema with new schema elements
by executing the following command:
Note that LDAP directory server version number bears no effect unless
also specified in the XML files being processed. Version specification
must follow the same format as version specification used in the and
files.
RETURN VALUES
The utility returns the following values:
0 Successful completion.
1 Failure.
In addition, prints to STDOUT the overall status of the schema being
queried or extended. Based on the schema status, any combination of
the following messages is displayed. Detailed explanations of each
message are specified in the square brackets following the message body
text.
Schema Status Messages
file "<schema>" contains attribute types and object
classes that are not defined in the LDAP server
schema.
[The message indicates all attribute types and object classes defined
in the <schema> file are new to the LDAP directory server. The message
indicates none of the specified definitions are currently installed in
the LDAP server schema.]
----------------------------------------------------------------------
All attribute types and object classes defined in file
"<schema>" are already part of the LDAP server
schema.
[The message indicates the schema specified in the <schema> file is
already installed on the LDAP directory server. All attribute types
and object classes defined in the <schema> file are already part of the
schema on the LDAP directory server. Only attribute types and object
classes with new and unique numeric oids and names can be added to the
LDAP server schema. Check the messages containing and described below
for details. Since the definitions specified in the <schema> file are
already installed in the LDAP server schema, the utility will make no
changes to the LDAP directory server schema.]
----------------------------------------------------------------------
subset of attribute types and/or object classes defined in file
"<schema>" are already part of the LDAP server
schema.
[The message indicates one or more attribute type or object class defi‐
nitions specified in the <schema> file are already installed in the
LDAP server schema. Such elements will be excluded from being extended
on the LDAP server. Only attribute types and object classes with new
and unique numeric oids and names can be added to the LDAP server
schema. Check the messages containing and described below for details.
The utility may install any remaining new elements that are not already
defined in the LDAP server schema if both of the following two condi‐
tions are met.
1. The LDAP schema defined in the <schema> file is compatible with the
LDAP server schema. The two schemas are compatible if the defini‐
tions of any elements found in the LDAP server schema match their
definitions specified in the <schema> file.
If the message is displayed, the two schemas are not compatible.
This means one or more elements installed on the LDAP server have
definitions different from those specified in the <schema> file.
Installation of any remaining new elements is not recommended. See
definition of the message below.
If the message is not displayed, the two schemas are compatible.
The schema specified in the <schema> file partially exists on the
LDAP server schema, and can be extended with any remaining new valid
attribute type and object class definitions.
2. The LDAP schema defined in the <schema> file is valid.
If the message is displayed, one or more definitions specified in
the <schema> file are invalid and cannot be added to the LDAP server
schema. Such definitions need to be corrected before the new schema
elements can be extended on the LDAP server.
If the message is not displayed, the schema definition in the
<schema> file is valid. It partially exists on the LDAP server
schema, and can be extended with any remaining new valid attribute
type and object class definitions.]
----------------------------------------------------------------------
file "<schema>" contains one or more attribute types or
object classes already installed in the LDAP server
schema with incompatible (i.e. mismatching) defini‐
tions. Review the messages above and verify defi‐
nitions of any mismatching schema elements. If any
remaining valid schema elements defined in the
"<schema>" file exist, use the force flag ("-F"
option) to add them to the LDAP server schema.
[The message indicates one or more attribute types or object classes
defined in the <schema> file are already installed on the LDAP direc‐
tory server, however, their definitions do not match. This means that
some attribute type or object class definitions specified in the
<schema> file do not match the LDAP server schema definitions of the
elements with the same numeric oids or names. Check the messages con‐
taining and described below for the exact instances of attribute types
and object classes, respectively, causing the schema mismatch.
The mismatch is caused by any differences in element definitions, such
as equality matching rule, single-valued setting, attribute syntax,
object class type, attribute types an object class includes, etc. For
example, if an attribute type 'sampleAttributeA' installed on the LDAP
directory server specifies IA5 String syntax, but the definition of
'sampleAttributeA' in the <schema> file specifies Unicode String syn‐
tax, the two attribute types are mismatching. HP does not recommend
installing schemas containing mismatching definitions. If the <schema>
file defines any new valid attribute types or object classes that are
not present in the LDAP directory server schema and you would like to
install them anyway, use the force flag (the option) to add them to the
LDAP server schema.]
----------------------------------------------------------------------
all attribute types and object classes defined in
"<schema>" file are valid.
[The message indicates the definitions of attribute types and object
classes specified in the <schema> file have valid XML format and con‐
form to the DTD template and the LDAP directory server schema policies.
This message also indicates no mismatching/incompatible definitions
specified in the <schema> file are installed on the LDAP server.]
----------------------------------------------------------------------
file "<schema>" contains one or more invalid definitions
of attribute types and/or object classes. Review
the messages above and correct any errors in the
schema definition file.
[The message indicates some of the attribute types and/or object
classes specified in the <schema> file have invalid definitions. This
condition occurs if the definition does not conform to the LDAP direc‐
tory server schema policies or the DTD template. Review the and sec‐
tions for details. Also, check the messages containing and described
below for details.
Any invalid elements and any elements that depend on them will be
excluded from being extended on the LDAP server. For example, if an
attribute type 'sampleAttributeA' has an invalid value, and an object
class 'sampleObjectO' includes 'sampleAttributeA' as a mandatory or an
optional attribute, neither 'sampleAttributeA' nor 'sampleObjectO' can
be added to the LDAP server schema until the value is corrected. Run‐
ning the utility in verbose mode (the option) can provide additional
information about invalid attribute type and object class definitions.
HP recommends correcting any invalid definitions before extending the
LDAP directory server schema with any remaining new valid definitions.]
----------------------------------------------------------------------
file "<schema>" contains no valid attribute type or
object class definitions that can be added to the
LDAP server schema. It defines elements already
installed in the LDAP server schema, or contains
invalid definitions that hence cannot be installed.
Review the messages above and correct any errors in
the schema definition file.
[The message indicates no attribute type or object class definitions
specified in the <schema> file meet the requirement of being both new
and valid, and, therefore, cannot be added to the LDAP server schema.
Any invalid definitions need to be corrected before they can be added
to the LDAP directory server schema.
Check the messages containing and for details on which attribute type
and object class definitions prevent the schema from being installed.
If the <schema> file contains any mismatching or invalid definitions,
HP does not recommend installing the schema on the LDAP server.]
----------------------------------------------------------------------
Attribute Type Status Messages
attribute type definition is missing a numericoid.
Edit the schema definition file to specify one
<oid> tag and its value for every <attributeType‐
Definition> definition.
[This message indicates the tag and its value need to be specified in
the definition in the <schema> file.]
----------------------------------------------------------------------
attribute type definition is missing a name.
Edit the schema definition file to specify at least
one <name> tag and its value for every <attribute‐
TypeDefinition> definition.
[This message indicates the tag and its value need to be specified in
the definition in the <schema> file.]
----------------------------------------------------------------------
attribute type "<attribute name>" specifies an unrecognized
<usage> value. Supported values are: directoryOp‐
eration, distributedOperation, dSAOperation or
userApplications.
[This message indicates the tag value needs to be corrected in the def‐
inition in the <schema> file. Possible attribute type usage values are
or Any other usage values are rejected. If the tag is not specified in
the definition, the default attribute type usage value is See RFC 2252
for details.]
----------------------------------------------------------------------
attribute type "<attribute name>" has an invalid numericoid. Edit
the schema definition file to specify an RFC 2252
compliant <oid> value for this attribute type.
Valid numericoid must consist of digits (0-9) that
can be separated by a period (.). Leading zeroes
are not allowed. See RFC 2252 for details.
[This message indicates the tag value needs to be corrected in the def‐
inition in the <schema> file. The value must be compliant with RFC
2252. See RFC 2252 for details.]
----------------------------------------------------------------------
attribute type "<attribute name>" has an invalid name. Edit the
schema definition file to specify an RFC 2252 com‐
pliant <name> value for this attribute type. Valid
name characters include letters (A-z), digits
(0-9), semicolons (;) and dashes (-). Valid name
must begin with an alphabet letter (A-z). See RFC
2252 for details.
[This message indicates the tag value needs to be corrected in the def‐
inition in the file. The attribute type name value must be compliant
with RFC 2252. See RFC 2252 for details.]
----------------------------------------------------------------------
attribute type "<attribute name>" must have the same usage
(<usage> tag) value as its supertype. Edit the
schema definition file to correct the usage value
for this attribute or its supertype.
[If the attribute type specifies a supertype, both this attribute type
and its supertype must have the same tag value. This message indicates
the tag value of the specified attribute type and the tag value of its
supertype do not match. Edit the <schema> file to correct the discrep‐
ancy.]
----------------------------------------------------------------------
attribute type "<attribute name>" is missing a syntax value. Edit
the schema definition file to specify a syntax
(<syntax> tag) value, or a valid supertype (<sub‐
TypeOf> tag) value.
[Most LDAP directory servers require attribute type definitions to
specify either the syntax value or a supertype value. This message
indicates that the specified attribute type definition in the file does
not specify either of these values. Edit the <schema> file to specify
either the tag and its value, or a tag and its value in the specified
attribute type definition.]
----------------------------------------------------------------------
attribute type "<attribute name>" cannot be labeled as obsolete
(<obsolete> tag) if any other attribute types or
object classes depend on it. Edit the schema defi‐
nition file to remove the <obsolete> tag from this
attribute type definition in order for it to be
added to the LDAP server schema.
[Obsolete attribute types cannot be added to the LDAP directory server
schema if any other attribute types or object classes depend on them.
This message indicates the given attribute type cannot specify the tag
in its definition if it is used as a supertype in any other attribute
types, or if it is used as a mandatory or optional attribute in any
object classes. Edit the <schema> file to correct this discrepancy.]
----------------------------------------------------------------------
super-type used in "<attribute name>" attribute type definition is not
defined in any LDAP schema.
[This message indicates the supertype specified with the tag in the
given attribute type definition is undefined. Edit the <schema> file
to correct the name of the supertype in the attribute type definition.
The supertype used in the attribute type definition must be defined
either in the LDAP directory server schema or in the <schema> file
before this attribute type can be installed.]
----------------------------------------------------------------------
matching rule "<matching rule name>" used in "<attribute name>"
attribute type definition cannot be mapped because
"-m -" option is specified. This matching rule is
not supported on the LDAP server.
[This message indicates the matching rule specified with the or tag in
the given attribute type definition is not supported on the LDAP direc‐
tory server. Option disables matching rule substitution in attribute
types. Edit the <schema> file to specify an alternate matching rule
supported on the LDAP server, or execute the utility without the option
to substitute this matching rule with an alternative matching rule sup‐
ported on the LDAP server.]
----------------------------------------------------------------------
matching rule "<matching rule name>" used in "<attribute name>"
attribute type definition cannot be mapped. This
matching rule is not supported on the LDAP server.
[This message indicates the matching rule specified with the or tag in
the given attribute type definition is not supported on the LDAP direc‐
tory server. The default substitution matching rule specified in the
file is not supported on the LDAP directory server either. Edit the
<schema> file to specify an alternate matching rule supported on the
LDAP server, or edit the file to specify a default substitution match‐
ing rule supported on the LDAP server.]
----------------------------------------------------------------------
LDAP syntax "<syntax oid>" used in "<attribute name>" attribute
type definition cannot be mapped because "-s -"
option is specified. This LDAP syntax is not sup‐
ported on the LDAP server.
[This message indicates the LDAP syntax specified with the tag in the
given attribute type definition is not supported on the LDAP directory
server. Option disables syntax substitution in attribute types. Edit
the <schema> file to specify an alternate syntax supported on the LDAP
server, or execute the utility without the option to substitute this
syntax with an alternative syntax supported on the LDAP server.]
----------------------------------------------------------------------
LDAP syntax "<syntax oid>" used in "<attribute name>" attribute
type definition cannot be mapped. This LDAP syntax
is not supported on the LDAP server.
[This message indicates the LDAP syntax specified with the tag in the
given attribute type definition is not supported on the LDAP directory
server. The default substitution syntax specified in the file is not
supported on the LDAP directory server either. Edit the <schema> file
to specify an alternate syntax supported on the LDAP server, or edit
the file to specify a default substitution syntax supported on the LDAP
server.]
----------------------------------------------------------------------
attribute type "<attribute name>" is already installed in the LDAP
server schema.
[This message indicates the LDAP directory server schema already
includes a definition of an attribute type with the same
numeric oid or name. If the utility is executed in the extend mode,
the given attribute type will not be added to the LDAP directory server
schema. This message is displayed in verbose mode only. Also, the
following message will appear:]
----------------------------------------------------------------------
attribute type "<attribute name>" will not be added to the LDAP
server schema because it is already part of the
LDAP schema.
[This message indicates the LDAP directory server schema already
includes a definition of an attribute type with the same
numeric oid or name.]
----------------------------------------------------------------------
attribute type "<attribute name>" will not be added to the LDAP
server schema because its definition is invalid.
[This message indicates the definition of the specified attribute type is
invalid. If the utility is executed in the extend mode, the given
attribute type will not be added to the LDAP directory server schema.
Check the messages containing for details.]
----------------------------------------------------------------------
definition of attribute type
"<attribute name>" is incompatible with the defini‐
tion already installed in the LDAP server schema.
[The message indicates the attribute type is already installed on the
LDAP directory server, however, its definition does not match the LDAP
server schema definition of the attribute type with the same numeric
oid or name. The mismatch can be caused by any differences in the
attribute type definition. For example, if an attribute type 'sam‐
pleAttributeB' installed on the LDAP directory server is multi-valued,
but the definition of 'sampleAttributeB' in the <schema> file specifies
the tag, the two attribute types are mismatching. HP does not recom‐
mend installing a schema containing mismatching definitions. If the
<schema> file defines any new valid attribute types or object classes
that are not present in the LDAP directory server schema and you would
like to install them anyway, use the force flag (the option) to add
them to the LDAP server schema.]
----------------------------------------------------------------------
Object Class Status Messages
object class definition is missing a numericoid.
Edit the schema definition file to specify one
<oid> tag and its value for every <objectClassDefi‐
nition> definition.
[This message indicates the tag and its value need to be specified in
the definition in the <schema> file.]
----------------------------------------------------------------------
object class definition is missing a name.
Edit the schema definition file to specify at least
one <name> tag and its value for every <object‐
ClassDefinition> definition.
[This message indicates the tag and its value need to be specified in
the definition in the <schema> file.]
----------------------------------------------------------------------
object class "<object name>" has an invalid numericoid. Edit
the schema definition file to specify an RFC 2252
compliant <oid> value for this object class. Valid
numericoid must consist of digits (0-9) that can be
separated by a period (.). Leading zeroes are not
allowed. See RFC 2252 for details.
[This message indicates the tag value needs to be corrected in the def‐
inition in the <schema> file. The value must be compliant with RFC
2252. See RFC 2252 for details.]
----------------------------------------------------------------------
object class "<object name>" has an invalid name. Edit the
schema definition file to specify an RFC 2252 com‐
pliant <name> value for this object class. Valid
name characters include letters (A-z), digits
(0-9), semicolons (;) and dashes (-). Valid name
must begin with an alphabet letter (A-z). See RFC
2252 for details.
[This message indicates the tag value needs to be corrected in the def‐
inition in the <schema> file. The object class name value must be com‐
pliant with RFC 2252. See RFC 2252 for details.]
----------------------------------------------------------------------
object class "<object name>" specifies an invalid object type
value. Edit the schema definition file to modify
the value specified with the <type> tag, which can
be one of the following: STRUCTURAL, AUXILIARY,
ABSTRACT.
[This message indicates the tag value needs to be corrected in the def‐
inition in the <schema> file. Possible object class type values are or
Any other type values are rejected. If the tag is not specified in the
definition, the default object class type value is See RFC 2252 for
details.]
----------------------------------------------------------------------
object class "<object name>" cannot be labeled as obsolete
(<obsolete> tag) if any other object classes depend
on it.
[Obsolete object classes cannot be added to the LDAP directory server
schema if any other object classes depend on them. This message
indicates the given object class cannot specify the tag in its definition
if it is used as a superclass in any other object classes. Edit the
<schema> file to correct this discrepancy.]
----------------------------------------------------------------------
abstract object class
"<object name>" cannot have a non-abstract super‐
class "<superclass object name>".
[Abstract object classes can specify only abstract superclasses. This
message indicates the specified abstract object class specifies a
superclass (using a tag) that is not abstract. Edit the <schema> file
to correct this discrepancy.]
----------------------------------------------------------------------
structural object class
"<object name>" cannot have an auxiliary superclass
"<superclass object name>".
[Structural object classes can specify only abstract or structural
superclasses. Structural object classes cannot specify auxiliary
superclasses. This message indicates the specified structural object
class specifies a superclass (using a tag) that is auxiliary. Edit the
<schema> file to correct this discrepancy.]
----------------------------------------------------------------------
auxiliary object class
"<object name>" cannot have a structural superclass
"<superclass object name>".
[Auxiliary object classes can specify only abstract or auxiliary super‐
classes. Auxiliary object classes cannot specify structural super‐
classes. This message indicates the specified auxiliary object class
specifies a superclass (using a tag) that is structural. Edit the
<schema> file to correct this discrepancy.]
----------------------------------------------------------------------
super-class used in "<object name>" object class definition is not
defined in any LDAP schema.
[This message indicates the superclass specified with the tag in the
given object class definition is undefined. Edit the <schema> file to
correct the name of the superclass in the object class definition. The
superclass used in the object class definition must be defined either
in the LDAP directory server schema or in the <schema> file before this
object class can be installed.]
----------------------------------------------------------------------
mandatory attribute used in
"<object name>" object class definition is not
defined in any LDAP schema.
[This message indicates the mandatory attribute type specified with the
tag in the given object class definition is undefined. Edit the
<schema> file to correct the name of the mandatory attribute in the
object class definition. The mandatory attribute used in the object
class definition must be defined either in the LDAP directory server
schema or in the <schema> file before this object class can be
installed.]
----------------------------------------------------------------------
optional attribute used in
"<object name>" object class definition is not
defined in any LDAP schema.
[This message indicates the optional attribute type specified with the
tag in the given object class definition is undefined. Edit the
<schema> file to correct the name of the optional attribute in the
object class definition. The optional attribute used in the object
class definition must be defined either in the LDAP directory server
schema or in the <schema> file before this object class can be
installed.]
----------------------------------------------------------------------
object class "<object name>" is already installed in the LDAP
server schema.
[This message indicates the LDAP directory server schema already
includes a definition of an object class with the same
numeric oid or name. If the utility is executed in the extend mode,
the given object class will not be added to the LDAP directory server
schema. This message is displayed in verbose mode only. Also, the
following message will appear:]
----------------------------------------------------------------------
object class "<object name>" will not be added to the LDAP
server schema because it is already part of the
LDAP schema.
[This message indicates the LDAP directory server schema already
includes a definition of an object class with the same
numeric oid or name.]
----------------------------------------------------------------------
object class "<object name>" will not be added to the LDAP
server schema because its definition is invalid.
[This message indicates the definition of the specified object class is
invalid. If the utility is executed in the extend mode, the given
object class will not be added to the LDAP directory server schema.
Check the messages containing for details.]
----------------------------------------------------------------------
definition of object class
"<object name>" is incompatible with the definition
already installed in the LDAP server schema.
[The message indicates the object class is already installed on the
LDAP directory server, however, its definition does not match the LDAP
server schema definition of the object class with the same numeric oid
or name. The mismatch can be caused by any differences in the object
class definition. For example, if an object class 'sampleObjectB'
installed on the LDAP directory server has two optional attributes
('sampleAttributeA' and 'sampleAttributeB'), but the definition of
'sampleObjectB' in the <schema> file specifies three optional
attributes ('sampleAttributeA', 'sampleAttributeB' and
'sampleAttributeC'), the two object classes are mismatching. HP does not
recommend installing a schema containing mismatching definitions. If the
<schema> file defines any new valid attribute types or object classes
that are not present in the LDAP directory server schema and you would
like to install them anyway, use the force flag (the option) to add
them to the LDAP server schema.]
----------------------------------------------------------------------
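The attribute type and object class checks listed in the messages above can be reproduced on a schema before it is sent to a server. The following is an added example, not the utility's own code: the dictionary layout, the key names (`subClassOf`, `must`, `may`), the function names and the sample data are assumptions, and the default usage and object class type are the RFC 2252 defaults. Element names are assumed to be unique within the file.

```python
import re

# Rules transcribed from the status messages above.
NUMERICOID = re.compile(r"(0|[1-9][0-9]*)(\.(0|[1-9][0-9]*))*")  # no leading zeroes
NAME = re.compile(r"[A-Za-z][A-Za-z0-9;-]*")                     # must start with a letter
USAGES = {"directoryOperation", "distributedOperation",
          "dSAOperation", "userApplications"}
ALLOWED_SUPER = {"ABSTRACT": {"ABSTRACT"},                        # type -> allowed superclass types
                 "STRUCTURAL": {"ABSTRACT", "STRUCTURAL"},
                 "AUXILIARY": {"ABSTRACT", "AUXILIARY"}}


def _basic(kind, el):
    """numericoid and name checks shared by attribute types and object classes."""
    errs = []
    if not el.get("oid"):
        errs.append(f"{kind} definition is missing a numericoid")
    elif not NUMERICOID.fullmatch(el["oid"]):
        errs.append(f"{kind} has an invalid numericoid")
    if not el.get("name"):
        errs.append(f"{kind} definition is missing a name")
    elif not NAME.fullmatch(el["name"]):
        errs.append(f"{kind} has an invalid name")
    return errs


def check_schema(attrs, classes, server_attrs=(), server_classes=()):
    """Return (errors, installable). errors maps each element to its own
    problems; installable omits invalid elements and everything depending on them."""
    attr_by = {a["name"]: a for a in [*server_attrs, *attrs] if a.get("name")}
    cls_by = {c["name"]: c for c in [*server_classes, *classes] if c.get("name")}
    errors, deps = {}, {}
    for a in attrs:
        key = a.get("name") or a.get("oid") or "<unnamed>"
        errs = _basic("attribute type", a)
        usage = a.get("usage", "userApplications")
        if usage not in USAGES:
            errs.append("unrecognized <usage> value")
        sup = a.get("subTypeOf")
        if sup and sup not in attr_by:
            errs.append("super-type is not defined in any LDAP schema")
        elif sup and attr_by[sup].get("usage", "userApplications") != usage:
            errs.append("usage differs from its supertype")
        elif not sup and not a.get("syntax"):
            errs.append("missing a syntax value")
        errors[key], deps[key] = errs, ({sup} if sup else set())
    for c in classes:
        key = c.get("name") or c.get("oid") or "<unnamed>"
        errs = _basic("object class", c)
        ctype, sup = c.get("type", "STRUCTURAL"), c.get("subClassOf")
        if ctype not in ALLOWED_SUPER:
            errs.append("invalid object type value")
        elif sup and sup in cls_by:
            stype = cls_by[sup].get("type", "STRUCTURAL")
            if stype not in ALLOWED_SUPER[ctype]:
                errs.append(f"{ctype.lower()} object class cannot have "
                            f"{stype.lower()} superclass")
        if sup and sup not in cls_by:
            errs.append("super-class is not defined in any LDAP schema")
        used = [*c.get("must", ()), *c.get("may", ())]
        errs += [f'attribute "{n}" is not defined in any LDAP schema'
                 for n in used if n not in attr_by]
        errors[key], deps[key] = errs, set(used) | ({sup} if sup else set())
    for el in [*attrs, *classes]:           # obsolete elements may not be depended upon
        key = el.get("name")
        if el.get("obsolete") and any(key in d for k, d in deps.items() if k != key):
            errors[key].append("cannot be labeled as obsolete: other elements depend on it")
    invalid = {k for k, e in errors.items() if e}
    changed = True
    while changed:                          # exclude everything that depends on an invalid element
        hit = {k for k, d in deps.items() if k not in invalid and d & invalid}
        invalid |= hit
        changed = bool(hit)
    return errors, [k for k in errors if k not in invalid]


# Constructed sample: OIDs under arc 99999 are placeholders, not registered values.
DS = "1.3.6.1.4.1.1466.115.121.1.15"
SERVER_CLASSES = [{"oid": "2.5.6.0", "name": "top", "type": "ABSTRACT"}]
SAMPLE_ATTRS = [
    {"oid": "1.3.6.1.4.1.99999.1.01", "name": "sampleAttributeA", "syntax": DS},
    {"oid": "1.3.6.1.4.1.99999.1.2", "name": "sampleAttributeB", "syntax": DS},
    {"oid": "1.3.6.1.4.1.99999.1.3", "name": "sampleAttributeC",
     "subTypeOf": "sampleAttributeB", "usage": "directoryOperation"},
]
SAMPLE_CLASSES = [
    {"oid": "1.3.6.1.4.1.99999.2.1", "name": "sampleObjectO", "type": "STRUCTURAL",
     "subClassOf": "top", "must": ["sampleAttributeA"]},
    {"oid": "1.3.6.1.4.1.99999.2.2", "name": "sampleObjectP", "type": "AUXILIARY",
     "subClassOf": "sampleObjectO"},
    {"oid": "1.3.6.1.4.1.99999.2.3", "name": "sampleObjectQ", "type": "STRUCTURAL",
     "subClassOf": "top", "may": ["sampleAttributeB"]},
]

if __name__ == "__main__":
    errs, ok = check_schema(SAMPLE_ATTRS, SAMPLE_CLASSES, (), SERVER_CLASSES)
    print(errs, ok, sep="\n")
```

In the sample, 'sampleObjectO' has no errors of its own but is excluded because its mandatory attribute 'sampleAttributeA' has an invalid numericoid, which is the dependency case the invalid-definition message describes.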
Matching Rule Status Messages
matching rule is missing a numericoid.
Edit the schema definition file to specify one
<oid> tag and its value for every <matchingRuleDef‐
inition> definition.
[This message indicates the tag and its value need to be specified in
the definition in the file, where ds_type corresponds to the same value
specified with the option on the command line when executing the util‐
ity.]
----------------------------------------------------------------------
matching rule is missing a name.
Edit the schema definition file to specify at least
one <name> tag and its value for every <matchin‐
gRuleDefinition> definition.
[This message indicates the tag and its value need to be specified in
the definition in the file, where ds_type corresponds to the same value
specified with the option on the command line when executing the util‐
ity.]
----------------------------------------------------------------------
matching rule is missing an LDAP syntax.
Edit the schema definition file to specify one
<syntax> tag and its value for every <matchin‐
gRuleDefinition> definition.
[This message indicates the tag and its value need to be specified in
the definition in the file, where ds_type corresponds to the same value
specified with the option on the command line when executing the util‐
ity.]
----------------------------------------------------------------------
matching rule "<matching rule name>" used in "<attribute name>"
attribute type definition is not supported on the
LDAP server. Matching rule "<substitute matching
rule name>" will be used instead.
[This message indicates the specified matching rule <matching rule
name> is not supported on the LDAP directory server. However, it was
successfully mapped with a higher level (less specific) matching rule
supported by that server, <substitute matching rule name>, as specified
in the file. The attribute types that use this matching rule
with the or tags will be queried or extended on the LDAP directory
server using the
----------------------------------------------------------------------
LDAP Syntax Status Messages
LDAP syntax is missing a numericoid.
Edit the schema definition file to specify one
<oid> tag and its value for every <syntaxDefini‐
tion> definition.
[This message indicates the tag and its value need to be specified in
the definition in the file, where ds_type corresponds to the same value
specified with the option on the command line when executing the util‐
ity.]
----------------------------------------------------------------------
LDAP syntax is missing an oMSyntax value.
Edit the schema definition file to specify one
<oMSyntax> tag and its value for every <syntaxDefi‐
nition> definition.
[This message indicates the tag and its value need to be specified in
the definition in the file, where ds_type corresponds to the same value
specified with the option on the command line when executing the util‐
ity. The tag is required for LDAP syntax definitions supported by the
Active Directory Server.]
----------------------------------------------------------------------
LDAP syntax "<syntax oid>" used in "<attribute name>" attribute
type definition is not supported on the LDAP
server. LDAP syntax "<substitute syntax oid>" will
be used instead.
[This message indicates the specified syntax is not supported on the
LDAP directory server. However, it was successfully mapped with a
higher level (more inclusive) syntax supported by that server, as
specified in the file. The attribute types that use this syntax with the
tag will be queried or extended on the LDAP directory server using
the
----------------------------------------------------------------------
Extending schema containing invalid or incompatible attribute types or
object classes is not recommended. To install elements defined in a
schema file containing invalid or incompatible definitions requires
specifying the force option
FILES
SEE ALSO
ldapux(1).
LDAPv3 RFC 2251
LDAPv3 Attribute Syntax Definitions RFC 2252
LDIF RFC 2849