Symantec Access Management

 View Only
  • 1.  change schema of a Symantec Directoy

    Posted Nov 26, 2021 11:19 AM
    Some year ago I customized schema for a Symantec Directory that I use as User Store for Siteminder and for a IGA environment.
    I had addes some attribute like this

    schema set attribute im-UU-attr:45 = {
    name = imCodiceSO
    ldap-names = imCodiceSO
    equality = caseExactMatch
    syntax = directoryString


    schema set object-class im-UU-oc:1 = {
      name = imUser 
      subclass-of inetorgperson

    Now I have to extend schema again adding new attribute.
    I also realized that other attributes planned in development years ago were never used.
    I am sure that no object in the DSA uses these attributes.

    1) Can I safely remove them from the schema ?
    2) Can I safely extend schema (stopping all DSA, modify the schema file and then restart all istances ? )
    3) Can I add for some attributes another ldap-names or change the "name" of existent Attribute  ?

    Thanks in avance

  • 2.  RE: change schema of a Symantec Directoy

    Broadcom Employee
    Posted Nov 28, 2021 11:09 AM
    Hi Marco,

    In the old days when the underneath store was Ingres RMDB, you could not just change your schemas arbitrarily as there were RMDB tables used to store the schema definitions. The usual procedure was to dump the data into LDIF file and restore it into DSA that use the modified schema. For that matter, the schema file name could be different, e.g. you may have schemav1.dxc and schemav2.dxc, as the file names were actually insignificant.

    With the current version, I really have not had tried. Just want to share the thoughts so that you can at least try it.


  • 3.  RE: change schema of a Symantec Directoy

    Broadcom Employee
    Posted Nov 29, 2021 01:14 AM
    Hello Marco,

    Extending a schema is always safe.
    As for removing anything from existing schema, even unused attributes, - it's not advisable. And what would you achieve by doing that? Really unnecessary work.
    You can add extra ldap-names for attributes or for object classes. Changing "name" is, again, not advisable.
    As Tommy pointed out it's possible to dump LDIF file from a DSA, modify it as required by schema changes, and load it back into a DSA. It doesn't matter if the data is held in Ingress, as it was long ago, or in dxgrid as it is now, the approach is the same. But why would you want to do that? Can't really see any reason...


  • 4.  RE: change schema of a Symantec Directoy

    Posted Nov 29, 2021 02:45 AM

    Thanks Dmytro and Tommy,

    At the moment I just need to extend the scheme. But I had seen that I have about ten unused attributes (never or only once, then emptied from all objects). I checked that they were not used by any object and I was wondering if, since I had to modify the scheme, to do a bit of "cleaning" by removing attributes that will never be used.

    The procedure of "exporting to LDIF", modifying the schema, and then "importing from LDIF" is **** (I would have to stop the DSA anyway - there are 3 nodes in sync - for a while),
    but I could actually just ignore unused attributes.