Skip to Content

Converting OpenLDAP Schemas to LDIF

Posted on 2 mins read

I’ve been writing software to work against an OpenLDAP instance, with a highly customized schema. The operators of the existing system only had the schema files and searching around found several elaborate ways to convert the files which I tried with mixed success. After doing the research to figure this out, it became clear I could probably have used slapcat and have dumped the active schema directly to LDIF.

As a sample of how I converted these, I’ll use the rfc2307bis.schema file which didn’t seem to come with a matching LDIF file in the source distribution. You’ll need to identify the dependencies of the schema, which I’ve tended to just do with trial and error. If a dependency is missing you’ll receive an error like the following:

5ab6f5a6 /etc/openldap/schema/cosine.schema: line 1084 objectclass: ObjectClass not found: "person"

You can identify the requisite schema file by grep’ing for the missing object in the other schema files and adding it to the config. The rfc2307.schema file depends on the core.schema and cosine.schema files. With this in mind you can use the following script to convert the LDIF file:

SCHEMA_CONV_DIR="$(mktemp -d)"

cat << EOF > ${SCHEMA_CONV_DIR}/convert.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/rfc2307bis.schema
EOF

slapcat -f ${SCHEMA_CONV_DIR}/convert.conf -F ${SCHEMA_CONV_DIR} -n 0 \
  -s "cn={2}rfc2307bis,cn=schema,cn=config" | sed -re 's/\{[0-9]+\}//' \
  -e '/^structuralObjectClass: /d' -e '/^entryUUID: /d' -e '/^creatorsName: /d' \
  -e '/^createTimestamp: /d' -e '/^entryCSN: /d' -e '/^modifiersName: /d' \
  -e '/^modifyTimestamp: /d' -e '/^$/d' > /etc/openldap/schema/rfc2307bis.ldif

rm -rf ${SCHEMA_CONV_DIR}

One important thing to note is the schema identifier in the slapcat command cn={2}rfc2307bis,cn=schema,cn=config. The ‘{2}’ there will be the line number from the convert.conf file counting from 0 and will likely be different for the schemas you’re converting, and the name will be defined by the contents of the schema file.

You’ll also want to pay attention to the file names and make sure the inputs and outputs match your expectations.