Database Schema Best Practices
Date: 11-04-2022, Updated 3/6/2024 Ryan Conover
Do not modify standard schemas
The standard schema files in /opt/symas/etc/openldap/schema are overwritten during upgrades of OpenLDAP, and any changes made to them will be lost. Instead, all changes should be made in custom .schema files.
Separate custom schemas from standard schemas
Custom schemas should be stored in a separate folder from the standard schema files. Separating schemas will ensure the custom ones aren't deleted/overwritten during OpenLDAP upgrades. We recommend storing custom schemas in the following path:
Unix/Linux: /opt/symas/etc/openldap/local-schema
Symas OpenLDAP 2.5+ ppolicy
The ppolicy schema does not have to be loaded in slapd.conf, as the definitions are now built into the module.
slapadd: Schema Checking and Value Checking
When utilizing slapadd to load data, it is a good practice to turn schema checking and value checking on. This takes longer than just using the -q flag for slapadd, but it will save you a headache in the long run if it finds any errors in your data.
Usage:
slapadd -f slapd.conf -b dc=example,dc=com -l /path/to/example.ldif -o schema-check=yes -o value-check=yes
Schema management
It is essential to maintain consistency to ensure that all directory entries are structured in a uniform manner. Ensure that each LDAP server instance is running the same schema definitions. It is also important to limit the number of administrators who have permission to modify schemas.
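One way to verify that every server instance really serves the same schema definitions, as an added example rather than anything from the Symas documentation: a POSIX shell script that reads each server's cn=Subschema entry with ldapsearch, normalizes the LDIF (unfolds continuation lines, drops operational attributes, sorts) and compares SHA-256 fingerprints, flagging any replica that differs from the first. The LDAP URIs and the sample subschema dumps are constructed placeholders.

```shell
#!/bin/sh
# Added example (not Symas' own tooling): fingerprint the schema a slapd serves, to compare replicas.

# Normalize an LDIF dump of cn=Subschema read on stdin: unfold continuation lines
# (a leading space marks one), keep only the schema-bearing attributes (drops the DN
# and operational attributes such as modifyTimestamp), and sort so that definition
# order, which varies between servers, does not affect the result.
normalize_subschema() {
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    grep -E '^(attributeTypes|objectClasses|ldapSyntaxes|matchingRules|matchingRuleUse|dITContentRules|nameForms|dITStructureRules): ' |
    LC_ALL=C sort
}

# Fingerprint = SHA-256 of the normalized dump (shasum is the fallback where sha256sum is absent).
schema_fingerprint() {
    normalize_subschema | { command -v sha256sum >/dev/null 2>&1 && sha256sum || shasum -a 256; } | cut -d' ' -f1
}

# Fingerprint the live subschema of one server; $1 is an LDAP URI such as ldap://ldap1.example.com.
fingerprint_server() {
    ldapsearch -LLL -x -H "$1" -b cn=Subschema -s base '(objectClass=subschema)' \
        attributeTypes objectClasses ldapSyntaxes matchingRules matchingRuleUse \
        dITContentRules nameForms dITStructureRules | schema_fingerprint
}

# Compare every server given as an argument against the first; non-zero exit on drift.
check_schema_consistency() {
    ref=""
    for uri in "$@"; do
        fp=$(fingerprint_server "$uri") || return 1
        printf '%s %s\n' "$uri" "$fp"
        [ -n "$ref" ] || ref="$fp"
        [ "$fp" = "$ref" ] || { echo "schema mismatch on $uri" >&2; return 1; }
    done
}

# Constructed sample dumps (not captured from a real server): the same two definitions in
# different order and folding, plus an operational attribute, so both must fingerprint alike.
sample_a() {
    printf '%s\n' 'dn: cn=Subschema' 'objectClass: subschema' \
        "attributeTypes: ( 2.5.4.4 NAME 'sn' SUP name )" \
        "objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn \$ cn ) )"
}
sample_b() {
    printf '%s\n' 'dn: cn=Subschema' 'objectClass: subschema' 'modifyTimestamp: 20240306000000Z' \
        "objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn \$ c" \
        " n ) )" "attributeTypes: ( 2.5.4.4 NAME 'sn' SUP name )"
}
```

Against real replicas, run check_schema_consistency with one ldap:// or ldaps:// URI per server; a non-zero exit means at least one server's schema has drifted from the first.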