The LDAP server in UCS, like Active Directory on a Windows server, stores information about all the resources in your domain, from hardware to employees, as objects in a structured and well-defined manner. Every object has a set of defined attributes, each of a particular type. Common attributes of a user object are, for example, the user’s surname, password and other valuable information about the user. Part of the LDAP is the LDAP schema, which gives the administrator a clear overview of all objects by describing which types of attributes exist within the LDAP and which attributes each object has.

So, if you want to include additional attributes or create entirely new object types, extending the schema might be the way to go.

When a schema extension is needed

Univention Corporate Server contains many attributes in its default schemas. The Univention Directory Manager (UDM) uses many of them and makes them available. However, some are not used by default because they only apply to a limited list of use cases. Thus, checking the schema directories on the master might reveal the attributes you need.

These directories are:

/etc/ldap/schema/
/usr/share/univention-ldap/schema/
/var/lib/univention-ldap/local-schema/

Furthermore, UCS contains multiple attributes that can be used by the end user. These free attributes are named “univentionFreeAttribute1” to “univentionFreeAttribute20”. These free attributes are strings.

Thus, for small extensions or when the default schema already contains the matching attributes, you can just make use of the ones already present.

Schema extension using the UDM

The Univention Management Console offers the possibility to upload the new schema to all servers and it will execute the needed steps to activate it within the domain. To include a new schema, open the management console, navigate to “Domain” and select “LDAP Navigator”.

Screenshot of the Univention Management Console

Then traverse the LDAP tree to the folders “univention” and “ldapschema”.

Screenshot of the LDAP tree in UCS

Click on the folder and then on the add button. Select “Settings: LDAP Schema Extension” as the object to create. Give your schema a name and enter its filename. In the data field, paste the schema, compressed with bzip2 and encoded in base64. Save your entry and the master will start to process the schema.
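Added example (not from the original article or from Univention): shell functions that produce the bzip2-compressed, base64-encoded value for the data field and verify it by decoding it again before you paste it. The function names are assumptions; only the standard bzip2, base64, tr and cmp tools are used.

```shell
#!/bin/sh
# Added example: prepare the value for the "data" field of a
# "Settings: LDAP Schema Extension" object (bzip2-compressed, then base64).

# encode_schema FILE
# Prints the schema as a single line of base64 over the bzip2 stream.
encode_schema() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # tr strips the line wrapping that base64 adds, so the value pastes cleanly.
    bzip2 -c -- "$1" | base64 | tr -d '\n'
}

# decode_schema
# Reads an encoded value on stdin and prints the original schema text.
decode_schema() {
    base64 -d | bzip2 -dc
}

# verify_encoding FILE
# Encodes FILE, decodes the result and compares it byte for byte with the
# original, so a wrong compression or encoding step is caught before upload.
verify_encoding() {
    encode_schema "$1" | decode_schema | cmp -s - "$1"
}

# Usage (the file name is a placeholder):
#   verify_encoding my-extension.schema && encode_schema my-extension.schema
```

A correctly encoded value starts with "Qlpo", the base64 form of the bzip2 stream header, which is a quick sanity check on anything pasted into the data field.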

Manually including a schema

If you decide that you need a schema extension or have a schema extension from a third party software, you can easily include it in UCS 4.2 or newer.

On the UCS Master, copy your schema file into the directory /var/lib/univention-ldap/local-schema/.

Afterwards, recreate the SLAPD configuration using the Univention Configuration Registry and then restart the LDAP Server.

/usr/sbin/univention-config-registry commit /etc/ldap/slapd.conf
/etc/init.d/slapd crestart

It is recommended to put the schema extension into the /var/lib/univention-ldap/local-schema/ directory on any UCS backup. If you are forced to do a backup2master and the schema is not present, the LDAP server will not start.

Schema replication by the slaves

In the previous part, we talked about adding the schema to the master and backup. So you might be wondering about the UCS slaves.

The UCS slaves and backups replicate the currently working schema from the UCS master. Thus, the schema will be active once the LDAP server on the master is restarted.

UCS replicates changes in the order of their occurrence, and the schema needs to be present on the master before you can add an object. This ensures that all LDAP servers will function properly. This replication also makes it more important to place the schema files on all UCS backups: if you are forced to promote a backup, no LDAP server will be working, as they will all replicate the incomplete schema from the new master.

However, it makes installing the schema on the UCS backups less time sensitive.
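Added example (not from the original article or from Univention): a check for the failure described above, where a promoted backup lacks a schema file that the master has. It compares the master's /var/lib/univention-ldap/local-schema/ with a copy of a backup's directory; the function name and the assumption that the backup's directory was copied over beforehand are mine.

```shell
#!/bin/sh
# Added example: report files in the master's local-schema directory that
# are missing from, or differ in, a copy of a UCS backup's directory.
# Assumption: the backup's /var/lib/univention-ldap/local-schema/ has been
# copied to a local directory first (for example with scp or rsync).

# schema_drift MASTER_DIR BACKUP_DIR
# Prints one line per problem: "MISSING <file>" or "DIFFERS <file>".
# Returns 0 if the backup matches, 1 if drift was found, 2 on bad input.
schema_drift() {
    master_dir=$1
    backup_dir=$2
    [ -d "$master_dir" ] && [ -d "$backup_dir" ] || return 2
    drift=0
    for f in "$master_dir"/*; do
        [ -f "$f" ] || continue              # skip subdirectories, empty glob
        name=$(basename "$f")
        if [ ! -f "$backup_dir/$name" ]; then
            echo "MISSING $name"             # a promoted backup would lack it
            drift=1
        elif ! cmp -s "$f" "$backup_dir/$name"; then
            echo "DIFFERS $name"             # stale or modified copy
            drift=1
        fi
    done
    return "$drift"
}

# Usage (the second path is a placeholder for the fetched copy):
#   schema_drift /var/lib/univention-ldap/local-schema/ /tmp/backup-schema/
```

A non-zero return makes the function usable in a cron job or monitoring check that alerts before a backup2master is ever needed.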

Packaging schema files and the UCS App Center

UCS contains many software products from third party vendors. Many of these add configuration options to the UMC and include a schema extension to model these options in the LDAP.

Therefore, we have well-defined instructions in the Developer References that describe how to package and install schema extensions. They also describe, in case you use the App Center, how to configure your apps so that the schema will be installed correctly on the master and every backup within the domain.

Extended attributes made within the UMC

Extending the LDAP schema is not necessarily useful by itself. The schema is only put to good use if the attributes are filled with meaningful content. In UCS the primary management interface is the UMC. Our management console comes with a built-in function to extend itself: extended attributes and extended options.

There are multiple ways to extend the UMC, and our documentation provides an overview of the possible combinations.

Conclusion

Schema extensions can customize your LDAP to match your needs. However, each extension enlarges the LDAP, and the content needs to be managed by an administrator. Therefore, the first question should always be: do I need it, or is there an existing attribute that already fulfils my requirements?

But if you do need to extend the schema, UCS features and its domain concept make installing the extension incredibly easy.

We hope you enjoyed this article and find it useful. For further questions please comment below or visit our forum to get help.

Thank you!


Kevin Dominik Korte

Kevin Dominik Korte studied computer science at the Jacobs University in Bremen. He graduated as a Master of Science in 2011. Afterwards, he worked in the Professional Services Team at Univention for two years. Since 2013 he has been President of Univention North America Inc. and responsible for the business development in the USA.
