I needed to integrate Cisco ISE (Identity Services Engine) and OpenLDAP. It was an easy task, but after a couple of weeks I realized that I needed more fields. I didn't find suitable fields in ISE for SGT and some other uses, so I decided to create my own LDAP schema.
There is a lot of discussion out there about how to generate your own schema, but only a couple of the approaches worked for me. In this blog post I pull that information together so you don't need to do so much googling, ducking, binging etc.
First, install Apache Directory Studio. You can find it here: https://directory.apache.org/studio/
After Directory Studio has started, open the Apache Directory Studio Schema Editor.

Choose File > New.

Select Schema Editor > New Schema Project and click Next.

Give the project a name and click Next.

Choose Server Type OpenLDAP and click Finish. You have now created a new project in which you can add your own OpenLDAP schema.

Choose File > New.

Select Schema Editor > New Schema and click Next.

Give the schema a name and click Finish.

Under your new schema (here Cisco) > Object Classes, choose New > New Object Class.

Give it a new OID. Instructions for obtaining your own private enterprise number (PEN) are here https://pen.iana.org/pen/PenApplication.page and the currently assigned numbers are here https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers. Also give the object class a new unique name in the Aliases field and a description. After this click Next.

Choose the Class type Auxiliary and click Finish.

Under Cisco > Attribute Types, choose New > New Attribute Type.

Give it a new OID (see the IANA links above for obtaining a PEN: https://pen.iana.org/pen/PenApplication.page and https://www.iana.org/assignments/enterprise-numbers/enterprise-numbers). Also give the attribute a new unique name and a description. After this click Next.

Choose the syntax, length and properties.

Choose the matching rules and click Finish.

Open the object class CiscoSchemaExtension and look at Optional attributes. Choose Add…

Find your attribute and click Choose.

Choose File > Save.
You have now created your own OpenLDAP schema extension.

Now choose Cisco > Export > Schemas as OpenLDAP files.

Choose what to export and click Finish.

Log in to your Linux server and create a working directory.

Copy your exported schema file (cisco.schema) to the directory /etc/ldap/schema.
Create a file called ldap.conf.

Now generate the LDIF files that you will import into your OpenLDAP server. Run the command slaptest -f ldap.conf -F .

As you can see, there is now a new directory in /tmp/ldapschema.

Go to the directory cn=config/cn=schema.

Edit the file called cn={0}cisco.ldif.
Remove the bottom lines.

Edit the top lines.


Now you can add your new schema to your OpenLDAP server with the command ldapadd -Y EXTERNAL -H ldapi:/// -f cn\=\{0\}cisco.ldif
If everything goes well you will see "adding new entry" followed by the DN.

Now restart slapd (service slapd restart) and start using your new schema.
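The server-side half of the procedure above (the ldap.conf for slaptest, the "remove the bottom lines / edit the top lines" clean-up of the generated cn={0}cisco.ldif, and a sanity check before ldapadd) as an added, scripted example. This is not the post's own ldap.conf or LDIF; it assumes the schema is named cisco, that slaptest only needs core, cosine and inetorgperson plus cisco.schema (Debian/Ubuntu paths), and the OID arc in the constructed sample is a placeholder, not a registered PEN. The clean-up rule is the general one for any schema slaptest converts: re-root the DN under cn=schema,cn=config, drop the {N} index, and strip the operational attributes slapd will not accept on an add.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: schema name "cisco",
# Debian/Ubuntu schema paths, placeholder OID arc in the constructed sample.

# Minimal slapd.conf-style file for slaptest (assumed content, see lead-in).
write_slaptest_conf() {            # $1 = output path
  cat > "$1" <<'EOF'
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/cisco.schema
EOF
}

# slaptest writes cn={N}<name>.ldif with a relative DN and the operational
# attributes of a live entry; an ldapadd of that file fails on both. Rewrite
# the dn/cn to live under cn=schema,cn=config and delete the operational lines.
clean_schema_ldif() {              # $1 = input ldif, $2 = schema name, $3 = output path
  sed -e "s/^dn: cn={[0-9]*}$2\$/dn: cn=$2,cn=schema,cn=config/" \
      -e "s/^cn: {[0-9]*}$2\$/cn: $2/" \
      -e '/^structuralObjectClass:/d' \
      -e '/^entryUUID:/d' \
      -e '/^creatorsName:/d' \
      -e '/^createTimestamp:/d' \
      -e '/^entryCSN:/d' \
      -e '/^modifiersName:/d' \
      -e '/^modifyTimestamp:/d' \
      "$1" > "$3"
}

# Sanity check before touching the server: exactly one dn, rooted under
# cn=schema,cn=config, and no operational attribute left. Returns 0 when safe.
check_schema_ldif() {              # $1 = cleaned ldif
  [ "$(grep -c '^dn: ' "$1")" -eq 1 ] || return 1
  grep -q '^dn: cn=[A-Za-z0-9]*,cn=schema,cn=config$' "$1" || return 1
  ! grep -Eq '^(structuralObjectClass|entryUUID|creatorsName|createTimestamp|entryCSN|modifiersName|modifyTimestamp):' "$1"
}

# Constructed sample of what slaptest emits for a one-attribute, one-class
# schema (PEN-PLACEHOLDER stands in for a real enterprise number).
write_sample_slaptest_ldif() {     # $1 = output path
  cat > "$1" <<'EOF'
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 00000000
dn: cn={0}cisco
objectClass: olcSchemaConfig
cn: {0}cisco
olcAttributeTypes: {0}( 1.3.6.1.4.1.PEN-PLACEHOLDER.1.1 NAME 'ciscoExampleAttr' DESC 'constructed example attribute' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.PEN-PLACEHOLDER.2.1 NAME 'CiscoSchemaExtension' DESC 'constructed example class' AUXILIARY MAY ciscoExampleAttr )
structuralObjectClass: olcSchemaConfig
entryUUID: 00000000-0000-0000-0000-000000000000
creatorsName: cn=config
createTimestamp: 20200101000000Z
entryCSN: 20200101000000.000000Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20200101000000Z
EOF
}

# Demo on the constructed sample; no slapd needed. Against a real server you
# would run slaptest first, then: ldapadd -Y EXTERNAL -H ldapi:/// -f cisco.ldif
work=$(mktemp -d)
write_slaptest_conf "$work/ldap.conf"
write_sample_slaptest_ldif "$work/cn={0}cisco.ldif"
clean_schema_ldif "$work/cn={0}cisco.ldif" cisco "$work/cisco.ldif"
if check_schema_ldif "$work/cisco.ldif"; then
  echo "cleaned LDIF ready for ldapadd:"
  cat "$work/cisco.ldif"
else
  echo "clean-up failed; inspect $work/cisco.ldif" >&2
fi
```

Run the ldapadd step as root so the SASL EXTERNAL identity over ldapi:/// maps to the cn=config administrator; the check function is there so a half-edited file is caught before slapd rejects it, which is the usual cause of the "no such object" or "no user modification allowed" errors at this step.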