@@ -1242,6 +1242,8 @@ nsdb_update_fsl_s(nsdb_t host, const char *nce, const char *fsl_uuid,
dn: o=fedfs
changeType: add
objectClass: organization
+ objectClass: fedfsNsdbContainerEntry
+ objectClass: top
o: fedfs
@endverbatim
*/
@@ -1249,7 +1251,7 @@ static FedFsStatus
nsdb_create_nce_add_top_entry(LDAP *ld, char **dn,
unsigned int *ldap_err)
{
- char *ocvals[2], *ouvals[2];
+ char *ocvals[4], *ouvals[2];
LDAPMod *attrs[3];
LDAPMod attr[2];
size_t len;
@@ -1262,6 +1264,9 @@ nsdb_create_nce_add_top_entry(LDAP *ld, char **dn,
nsdb_init_add_attribute(attrs[i++],
"objectClass", ocvals, "organization");
+ ocvals[1] = "fedfsNsdbContainerEntry";
+ ocvals[2] = "top";
+ ocvals[3] = NULL;
nsdb_init_add_attribute(attrs[i++],
"o", ouvals, "fedfs");
attrs[i] = NULL;
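Review bot: The three `ocvals[1..3]` assignments added after the `nsdb_init_add_attribute` call overwrite whatever that helper stored at `ocvals[1]` (presumably the NULL terminator for the single value it was given), so the multi-valued objectClass now depends on the helper writing only indices 0 and 1 and on `mod_values` pointing at `ocvals` itself rather than a copy; the same construction is repeated in the `nsdb_create_nce_add_entry` hunk below. That coupling is invisible at the call site, so a one-line comment should record it: `/* nsdb_init_add_attribute() filled ocvals[0] and terminated at [1]; the auxiliary classes are appended after it */`. If the helper is ever changed to copy its value array the appended classes will silently be lost, which would be worth a note on the helper as well. The body of nsdb_create_nce_add_top_entry continues outside the hunk.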
@@ -1307,6 +1312,8 @@ nsdb_create_nce_add_top_entry(LDAP *ld, char **dn,
dn: ou=fedfs,"parent"
changeType: add
objectClass: organizationalUnit
+ objectClass: fedfsNsdbContainerEntry
+ objectClass: top
ou: fedfs
@endverbatim
*/
@@ -1314,7 +1321,7 @@ static FedFsStatus
nsdb_create_nce_add_entry(LDAP *ld, const char *parent, char **dn,
unsigned int *ldap_err)
{
- char *ocvals[2], *ouvals[2];
+ char *ocvals[4], *ouvals[2];
LDAPMod *attrs[3];
LDAPMod attr[2];
size_t len;
@@ -1327,6 +1334,9 @@ nsdb_create_nce_add_entry(LDAP *ld, const char *parent, char **dn,
nsdb_init_add_attribute(attrs[i++],
"objectClass", ocvals, "organizationalUnit");
+ ocvals[1] = "fedfsNsdbContainerEntry";
+ ocvals[2] = "top";
+ ocvals[3] = NULL;
nsdb_init_add_attribute(attrs[i++],
"ou", ouvals, "fedfs");
attrs[i] = NULL;
@@ -1486,6 +1496,45 @@ nsdb_update_nci_s(nsdb_t host, const char *nce, unsigned int *ldap_err)
}
/**
+ * Remove fedfsNsdbContainerEntry from NCE object
+ *
+ * @param ld an initialized LDAP server descriptor
+ * @param nce a NUL-terminated C string containing DN of an NCE
+ * @param ldap_err OUT: possibly an LDAP error code
+ * @return a FedFsStatus code
+ *
+ * LDIF equivalent:
+ *
+ * @verbatim
+
+ dn: "nce"
+ changeType: modify
+ delete: objectClass
+ objectClass: fedfsNsdbContainerEntry
+ @endverbatim
+ */
+static FedFsStatus
+nsdb_remove_nce_objectclass_s(LDAP *ld, const char *nce,
+ unsigned int *ldap_err)
+{
+ LDAPMod *mods[3];
+ char *ocvals[2];
+ LDAPMod mod[2];
+ int i;
+
+ for (i = 0; i < 2; i++)
+ mods[i] = &mod[i];
+ i = 0;
+
+ nsdb_init_del_attribute(mods[i++],
+ "objectClass", ocvals,
+ "fedfsNsdbContainerEntry");
+ mods[i] = NULL;
+
+ return nsdb_modify_nsdb_s(ld, nce, mods, ldap_err);
+}
+
+/**
* Remove NSDB Container Info from a namingContext object
*
* @param ld an initialized LDAP server descriptor
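Review bot: `nsdb_remove_nce_objectclass_s` builds exactly one modification yet declares `LDAPMod *mods[3]` and `LDAPMod mod[2]` and runs a two-iteration setup loop, so one `mod` slot and one `mods` slot are never used. Sizing the arrays to what is built, `LDAPMod *mods[2]; LDAPMod mod[1];` with a plain `mods[0] = &mod[0];`, reads as a single delete rather than as a trimmed copy of the two-attribute helpers elsewhere in the file. If the over-sizing is deliberate so every helper follows the same shape, a short comment saying so would stop the next reader from tidying it. The doc block should also say that the delete is rejected by the server when the NCE does not carry the auxiliary class, since that is what the caller below has to cope with.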
@@ -1555,8 +1604,13 @@ nsdb_remove_nci_s(nsdb_t host, const char *nce, unsigned int *ldap_err)
if (retval != FEDFS_OK)
return retval;
+ retval = nsdb_remove_nce_objectclass_s(host->fn_ldap, nce, ldap_err);
+ if (retval != FEDFS_OK)
+ goto out;
+
retval = nsdb_remove_nci_attributes_s(host->fn_ldap, context, ldap_err);
+out:
free(context);
return retval;
}
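Review bot: Aborting `nsdb_remove_nci_s` when the added `nsdb_remove_nce_objectclass_s` call fails means an NCE created before this change, which never carried `fedfsNsdbContainerEntry`, can no longer have its NSDB Container Info removed: an LDAP server answers a delete of an absent objectClass value with `LDAP_NO_SUCH_ATTRIBUTE`, and the new `goto out` then skips `nsdb_remove_nci_attributes_s` entirely. The commit text still describes old-style NCEs as the current form, so the caller should tolerate that one result, e.g. `if (retval != FEDFS_OK && *ldap_err != LDAP_NO_SUCH_ATTRIBUTE) goto out;` — assuming nsdb_modify_nsdb_s stores the LDAP result in `*ldap_err` on failure, which this hunk does not show. The ordering also deserves a comment, because dropping the auxiliary class before the attributes means a failure in the second step leaves an entry that still holds NCI attributes but is no longer found by the new-style subtree search; `/* strip the discovery marker first so a half-removed NCE is not returned to new-style clients */` would record whether that is the intent. The start of nsdb_remove_nci_s is outside the hunk.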
When constructing an NSDB, part of the process currently involves adding a fedfsNceDN attribute to one or more root suffix entries in an LDAP server's rootDSE. Simo Sorce (FreeIPA) points out it may be difficult or impossible for some LDAP server implementations to allow modification of their root DSE. Or it could be a problem for some deployments to allow root DSE modification. For this reason, LDAP applications typically use an approach that does not require root DSE modification. My own experience with OpenLDAP and 389-ds is that rootDSE modification is quite awkward. Long-term, we'd like to replace fedfsNsdbContainerInfo and fedfsNceDN with a form of NCE discovery that is simpler to configure. Old-style NCE discovery works like this: For each of the server's naming contexts, an NSDB client performs this query: ldapsearch -b "naming_context" -s base (objectClass=*) fedfsNceDN The fedfsNceDN attribute contains the full distinguished name of the NCE residing under that naming context (root suffix). New-style NCE discovery works like this: An NCE contains an auxiliary object class called fedfsNsdbContainerEntry. For each of the server's naming contexts, an NSDB client performs this query: ldapsearch -b "naming_context" -s subtree \ (objectClass=fedfsNsdbContainerEntry) The response carries the distinguished name of the NCE residing under that naming context, or NO_SUCH_OBJECT. When creating new-style NCEs, insert the fedfsNsdbContainerEntry object class. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> --- src/libnsdb/administrator.c | 58 ++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 56 insertions(+), 2 deletions(-)