The directory server provides a schema-checking mechanism that verifies whether newly-written or added entries conform to the directory server's schema. This mechanism ensures that data imported using import-ldif, or added using ldapmodify, meets the syntax rules of the schema.
The schema checking configuration is part of the advanced global configuration, and can be displayed with the following command:
$ dsconfig -D "cn=directory manager" -w password -n --advanced \
  get-global-configuration-prop
Property                               : Value(s)
---------------------------------------:---------------------------------------
...
check-schema                           : true
...
invalid-attribute-syntax-behavior      : reject
...
single-structural-objectclass-behavior : reject
...
The following configuration properties control schema-checking:
check-schema. Possible values: true (default), false. This property controls whether the directory server performs schema checking on newly imported or added entries. By default, the property is set to true. If you need to tune the server for maximum performance and you are certain that your clients will never make a change that causes a schema violation, you can set the property to false. The performance benefit is small compared to the potential risk to your directory.
invalid-attribute-syntax-behavior. Possible values: reject (default), accept, and warn. This property controls how the server behaves if an attempt is made to use an attribute value that violates the associated syntax. By default, the server rejects any request to use attribute values that violate the schema. If this property is set to accept, the server silently accepts attribute violations. If this property is set to warn, the server accepts violations, but writes a message to the error log. If the check-schema property is set to false, invalid attribute syntax checking is not enforced.
single-structural-objectclass-behavior. Possible values: reject (default), accept, and warn. This property controls how the server behaves if an attempt is made to create or alter an entry that does not have exactly one structural object class. This means that entries with no structural object class, or with more than one, are rejected by default. If this property is set to accept, entries with no structural object classes are allowed. If this property is set to warn, entries with no structural object classes (or more than one) are allowed, but a message is written to the error log. If the check-schema property is set to false, single structural object class checking is not enforced.
Caution - Changing the value of these properties from the default puts the integrity of the schema at risk, so in general do not alter these values.
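One way to check a server against the defaults described above, as an added example that is not part of the original documentation: the function reads the output of the get-global-configuration-prop command on stdin and reports any of the three properties that is missing or differs from its default. The function names and both sample outputs are constructed for illustration.

```shell
# Added example: audit the three schema-checking properties.
# Reads get-global-configuration-prop output on stdin, prints one finding
# per line, and returns 1 if a property is missing or off-default.
audit_schema_checking() {
  awk -F':' '
    BEGIN {
      want["check-schema"] = "true"
      want["invalid-attribute-syntax-behavior"] = "reject"
      want["single-structural-objectclass-behavior"] = "reject"
    }
    {
      key = $1; val = $2
      gsub(/^[ \t]+|[ \t\r]+$/, "", key)   # trim column padding
      gsub(/^[ \t]+|[ \t\r]+$/, "", val)
      if (key in want) seen[key] = val
    }
    END {
      bad = 0
      for (k in want) {
        if (!(k in seen)) {
          printf "MISSING %s (run dsconfig with --advanced)\n", k; bad = 1
        } else if (seen[k] != want[k]) {
          printf "DEVIATION %s=%s (default %s)\n", k, seen[k], want[k]; bad = 1
        }
      }
      # With check-schema=false the other two settings have no effect.
      if (seen["check-schema"] == "false")
        print "NOTE check-schema=false: syntax and structural checks not enforced"
      exit bad
    }'
}

# Constructed sample: the default values shown on this page.
sample_default() {
  printf '%s\n' \
    'Property                               : Value(s)' \
    '---------------------------------------:---------' \
    'check-schema                           : true' \
    'invalid-attribute-syntax-behavior      : reject' \
    'single-structural-objectclass-behavior : reject'
}

# Constructed sample: a server tuned away from the defaults.
sample_weakened() {
  sample_default | sed -e '/^check-schema/s/true/false/' \
                       -e '/^invalid-attribute/s/reject/accept/'
}

sample_weakened | audit_schema_checking || true
```

To audit a live server, pipe the output of the dsconfig command shown earlier into audit_schema_checking and act on a non-zero exit status.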