ITS#8826 Allow minimal dsaschema configuration in cn=config

contrib/ConfigOIDs

@@ -10,3 +10,4 @@ OLcfgCt{Oc|At}:7	rbac
 OLcfgCt{Oc|At}:8	datamorph
 OLcfgCt{Oc|At}:9	variant
 OLcfgCt{Oc|At}:10	alias
+OLcfgCt{Oc|At}:11	dsaschema

contrib/slapd-modules/dsaschema/README

@@ -1,23 +0,0 @@
-Copyright 2004-2022 The OpenLDAP Foundation. All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted only as authorized by the OpenLDAP
-Public License.
-
-This directory contains a native slapd plugin, dsaschema, that permits the
-loading of DSA-specific schema from configuration files (including operational
-attributes).
-
-To use the plugin, add:
-
-moduleload dsaschema.so
-	/etc/openldap/schema/foo1.schema
-	...etc...
-	/etc/openldap/schema/fooN.schema
-
-to your slapd configuration file.
-
-Use Makefile to compile this plugin or use a command line similar to:
-
-gcc -shared -I../../../include -Wall -g -o dsaschema.so dsaschema.c
-

contrib/slapd-modules/dsaschema/dsaschema.c

@@ -57,6 +57,64 @@ static char *strtok_quote_ptr;
 
 int init_module(int argc, char *argv[]);
 
+static ConfigDriver dsaschema_config_attribute;
+
+static ConfigTable dsaschemacfg[] = {
+	/* Only attribute loading is currently restricted in slapd, rest can be
+	 * delegated to default */
+	{ "", "attribute", 2, 0, 0,
+		ARG_PAREN|ARG_MAGIC,
+		&dsaschema_config_attribute,
+		"( OLcfgGlAt:4 NAME 'olcAttributeTypes' "
+			"DESC 'OpenLDAP attributeTypes' "
+			"EQUALITY caseIgnoreMatch "
+			"SUBSTR caseIgnoreSubstringsMatch "
+			"SYNTAX OMsDirectoryString X-ORDERED 'VALUES' )",
+				NULL, NULL },
+	{ NULL, NULL, 0, 0, 0, ARG_IGNORED }
+};
+
+static ConfigLDAPadd dsaschema_ldadd;
+
+static ConfigOCs dsaschemaocs[] = {
+	{ "( OLcfgOvOc:11.1 "
+	  "NAME 'olcDSASchemaConfig' "
+	  "DESC 'DSA schema object' "
+	  "SUP olcSchemaConfig STRUCTURAL )",
+	  Cft_Schema, dsaschemacfg,
+	  dsaschema_ldadd,
+	},
+	{ NULL, 0, NULL }
+};
+
+static int
+dsaschema_config_attribute( ConfigArgs *c )
+{
+	if ( c->op == SLAP_CONFIG_EMIT ) {
+		return 1;
+	} else if ( c->op == LDAP_MOD_DELETE ) {
+		return 1;
+	}
+
+	if ( register_at( c->line, NULL, 0 ) ) {
+		snprintf( c->cr_msg, sizeof( c->cr_msg ),
+				"<%s> attribute definition invalid",
+				c->argv[0] );
+		Debug( LDAP_DEBUG_ANY, "%s: %s\n", c->log, c->cr_msg );
+		return 1;
+	}
+}
+
+static int
+dsaschema_ldadd( CfEntryInfo *p, Entry *e, ConfigArgs *ca )
+{
+	if ( p->ce_type != Cft_Schema )
+		return LDAP_CONSTRAINT_VIOLATION;
+
+	return LDAP_SUCCESS;
+}
+
+
 static int dsaschema_parse_cr(const char *fname, int lineno, char *line, char **argv)
 {
 	struct config_args_s c = { .line = line };
@@ -203,11 +261,11 @@ int init_module(int argc, char *argv[])
 	for (i = 0; i < argc; i++) {
 		rc = dsaschema_read_config(argv[i], 0);
 		if (rc != 0) {
-			break;
+			return rc;
 		}
 	}
 
-	return rc;
+	return config_register_schema( dsaschemacfg, dsaschemaocs );
 }
 
 

contrib/slapd-modules/dsaschema/slapd-dsaschema.5

@@ -0,0 +1,55 @@
+.TH SLAPD-DSASCHEMA 5 "RELEASEDATE" "OpenLDAP LDVERSION"
+.\" Copyright 2008-2022 The OpenLDAP Foundation. All rights reserved.
+.\" $OpenLDAP$
+.SH NAME
+slapd-dsaschema \- Define DSA-specific schema
+.SH SYNOPSIS
+ETCDIR/slapd.conf
+.SH DESCRIPTION
+OpenLDAP restricts admin-provided schemas to regular attributes, operational
+attributes cannot be added by normal means. This module allows one to bypass
+this restriction.
+
+.SH CONFIGURATION
+To use the plugin, add the following to your slapd configuration file (similar
+with
+.BR olcModuleLoad ):
+
+.RS
+.nf
+moduleload dsaschema.so [<path-to-schema-file> ...]
+.fi
+.RE
+
+
+With
+.B cn=config
+you can also use the
+.B olcDSASchemaConfig
+objectclass in entries under
+.BR cn=schema,cn=config
+to lift the restriction on defining operational attributes.
+
+.SH EXAMPLES
+.LP
+.RS
+.nf
+moduleload dsaschema.so
+	/etc/openldap/schema/foo1.schema
+	...etc...
+	/etc/openldap/schema/fooN.schema
+.fi
+.RE
+.SH FILES
+.TP
+ETCDIR/slapd.conf
+default slapd configuration file
+.TP
+ETCDIR/slapd.d
+default slapd configuration directory
+.SH SEE ALSO
+.BR slapd-config (5),
+.BR slapd.conf (5).
+.SH ACKNOWLEDGEMENTS
+This module was written in 2008 by Emmanuel Dreyfus.
+.so ../Project