The general procedure to read the (sub)schema controlling a particular entry requires two LDAP search operations: one to read the name of the (sub)entry holding the controlling (sub)schema, and one to read the desired schema information from the named (sub)entry. Note that this procedure is necessary as each entry of interest may be controlled by a different (sub)schema.
To read the name of the (sub)entry holding the controlling (sub)schema from an entry, say dc=example,dc=com, one could issue the following command:
ldapsearch -x -LLL -b dc=example,dc=com -s base subschemaSubentry
This will return something like (assuming the named object exists and is anonymously readable):
dn: dc=Example,dc=COM
subschemaSubentry: cn=Subschema
The value of the subschemaSubentry attribute is the name of the (sub)entry holding the controlling (sub)schema. Note that on current versions of slapd(8), the server supports only a single schema and it is always named cn=Subschema; however, future versions of slapd(8) might support multiple subschema subentries. Well-behaved clients should not shortcut this procedure.
Armed with the name of the (sub)entry holding the (sub)schema, one can then read the desired attributes from this (sub)entry. For instance, one might issue:
ldapsearch -x -LLL -b cn=Subschema -s base '(objectClass=subschema)' attributeTypes dITStructureRules objectClasses nameForms dITContentRules matchingRules ldapSyntaxes matchingRuleUse
On servers which support RFC 3673, you can use a short form:
ldapsearch -x -LLL -b cn=Subschema -s base '(objectClass=subschema)' +
This command will generally produce pages of output, hence it is often appropriate to request, by name, only those attributes of interest.
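The two-step procedure above as a small shell helper. This is an added example, not part of the original FAQ; the function names extract_subschema_dn and read_controlling_schema are hypothetical, and it assumes the OpenLDAP ldapsearch client and a base64 utility are on the PATH. The parser handles the folded and base64-encoded values that LDIF output may contain, so the subentry name is taken from the server's answer rather than hard-coded.

```shell
#!/bin/sh
# Added example: discover the controlling subschema subentry of an entry,
# then read schema attributes from it (two base-scope searches).

# Print the subschemaSubentry value found in LDIF read from stdin.
# Returns 1 if the attribute is absent (entry missing or not readable).
extract_subschema_dn() {
    # Step 1: undo LDIF folding (continuation lines begin with one space).
    line=$(awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    ' | grep -i '^subschemaSubentry:' | head -n 1)
    [ -n "$line" ] || return 1

    # Step 2: "attr: value" is plain text, "attr:: value" is base64.
    rest=${line#*:}
    case "$rest" in
        :*) printf '%s' "${rest#:}" | tr -d ' ' | base64 -d; echo ;;
        *)  printf '%s\n' "$rest" | sed 's/^ *//' ;;
    esac
}

# Usage: read_controlling_schema <entry-dn> [attribute ...]
# e.g.   read_controlling_schema dc=example,dc=com objectClasses attributeTypes
read_controlling_schema() {
    entry=$1
    shift
    # First search: ask the entry which (sub)entry holds its (sub)schema.
    sub=$(ldapsearch -x -LLL -b "$entry" -s base subschemaSubentry |
          extract_subschema_dn) || {
        echo "no readable subschemaSubentry on $entry" >&2
        return 1
    }
    # With no attributes named, fall back to "+" (RFC 3673 short form).
    [ $# -gt 0 ] || set -- +
    # Second search: read the schema attributes from the named (sub)entry.
    ldapsearch -x -LLL -b "$sub" -s base '(objectClass=subschema)' "$@"
}
```

Naming only the attributes of interest as extra arguments keeps the second search from returning pages of output.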