Hi, I have compiled and configured OpenLDAP 2.4.39 with ACI.
I am trying to integrate one application with LDAP. I have entered all settings. Authentication is working fine. Only thing when it tries to add some entries to ldap, it says that "err=17 text=aci: attribute type undefined"
Can you please provide schema for aci attribute?
Regards Neelesh
Am Thu, 15 May 2014 20:45:04 +0530 schrieb neel neel.hjs@gmail.com:
Hi, I have compiled and configured OpenLDAP 2.4.39 with ACI.
I am trying to integrate one application with LDAP. I have entered all settings. Authentication is working fine. Only thing when it tries to add some entries to ldap, it says that "err=17 text=aci: attribute type undefined"
Can you please provide schema for aci attribute?
The attribute type is openLDAPaci. The model is based on http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
-Dieter
Am Thu, 15 May 2014 17:48:37 +0200 schrieb Dieter Klünter dieter@dkluenter.de:
Am Thu, 15 May 2014 20:45:04 +0530 schrieb neel neel.hjs@gmail.com:
Hi, I have compiled and configured OpenLDAP 2.4.39 with ACI.
I am trying to integrate one application with LDAP. I have entered all settings. Authentication is working fine. Only thing when it tries to add some entries to ldap, it says that "err=17 text=aci: attribute type undefined"
Can you please provide schema for aci attribute?
The attribute type is openLDAPaci. The model is based on http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
you may as well read http://www.openldap.org/faq/data/cache/634.html
-Dieter
Yes, I read that article. By reading that I compiled OpenLDAP with --enable-aci option. However I was still getting same error. When I was trying to integrate my application with LDAP.
Thats why I need schema file for aci attribute.
Regards
On Thu, May 15, 2014 at 9:55 PM, Dieter Klünter dieter@dkluenter.de wrote:
Am Thu, 15 May 2014 17:48:37 +0200 schrieb Dieter Klünter dieter@dkluenter.de:
Am Thu, 15 May 2014 20:45:04 +0530 schrieb neel neel.hjs@gmail.com:
Hi, I have compiled and configured OpenLDAP 2.4.39 with ACI.
I am trying to integrate one application with LDAP. I have entered all settings. Authentication is working fine. Only thing when it tries to add some entries to ldap, it says that "err=17 text=aci: attribute type undefined"
Can you please provide schema for aci attribute?
The attribute type is openLDAPaci. The model is based on http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
you may as well read http://www.openldap.org/faq/data/cache/634.html
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
On 05/15/2014 06:58 PM, neel wrote:
Yes, I read that article. By reading that I compiled OpenLDAP with --enable-aci option. However I was still getting same error. When I was trying to integrate my application with LDAP.
Thats why I need schema file for aci attribute.
The schema is hardcoded. You need to
--enable-dynacl=yes --enable-aci=yes
p.
Regards
On Thu, May 15, 2014 at 9:55 PM, Dieter Klünter <dieter@dkluenter.de mailto:dieter@dkluenter.de> wrote:
Am Thu, 15 May 2014 17:48:37 +0200 schrieb Dieter Klünter <dieter@dkluenter.de <mailto:dieter@dkluenter.de>>: > Am Thu, 15 May 2014 20:45:04 +0530 > schrieb neel <neel.hjs@gmail.com <mailto:neel.hjs@gmail.com>>: > > > Hi, > > I have compiled and configured OpenLDAP 2.4.39 with ACI. > > > > I am trying to integrate one application with LDAP. I have entered > > all settings. Authentication is working fine. Only thing when it > > tries to add some entries to ldap, it says that "err=17 text=aci: > > attribute type undefined" > > > > Can you please provide schema for aci attribute? > > The attribute type is openLDAPaci. The model is based on > http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08 you may as well read http://www.openldap.org/faq/data/cache/634.html -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Hi Thanks for this step. I compiled OpenLDAP with both options. However I am still getting error. err=17 text=aci: attribute type undefined.
When I connect Jxplorer client. In available Attributes I can not see aci or openLDAPaci or dynacl there.
Regards
Regards
On Thu, May 15, 2014 at 11:02 PM, Pierangelo Masarati < pierangelo.masarati@polimi.it> wrote:
On 05/15/2014 06:58 PM, neel wrote:
Yes, I read that article. By reading that I compiled OpenLDAP with --enable-aci option. However I was still getting same error. When I was trying to integrate my application with LDAP.
Thats why I need schema file for aci attribute.
The schema is hardcoded. You need to
--enable-dynacl=yes --enable-aci=yes
p.
Regards
On Thu, May 15, 2014 at 9:55 PM, Dieter Klünter <dieter@dkluenter.de mailto:dieter@dkluenter.de> wrote:
Am Thu, 15 May 2014 17:48:37 +0200 schrieb Dieter Klünter <dieter@dkluenter.de <mailto:dieter@dkluenter.de>>: > Am Thu, 15 May 2014 20:45:04 +0530 > schrieb neel <neel.hjs@gmail.com <mailto:neel.hjs@gmail.com>>: > > > Hi, > > I have compiled and configured OpenLDAP 2.4.39 with ACI. > > > > I am trying to integrate one application with LDAP. I haveentered > > all settings. Authentication is working fine. Only thing when it > > tries to add some entries to ldap, it says that "err=17 text=aci: > > attribute type undefined" > > > > Can you please provide schema for aci attribute? > > The attribute type is openLDAPaci. The model is based on > http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
you may as well read http://www.openldap.org/faq/data/cache/634.html -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E-- Pierangelo Masarati Associate Professor Dipartimento di Scienze e Tecnologie Aerospaziali Politecnico di Milano
On 05/15/2014 08:19 PM, neel wrote:
Hi Thanks for this step. I compiled OpenLDAP with both options. However I am still getting error. err=17 text=aci: attribute type undefined.
When I connect Jxplorer client. In available Attributes I can not see aci or openLDAPaci or dynacl there.
After build completes:
cd tests/ ./run test041
does it pass?
Note that "aci" is not a valid attribute name; OpenLDAPaci is the right name.
p.
Regards
Regards
On Thu, May 15, 2014 at 11:02 PM, Pierangelo Masarati <pierangelo.masarati@polimi.it mailto:pierangelo.masarati@polimi.it> wrote:
On 05/15/2014 06:58 PM, neel wrote: Yes, I read that article. By reading that I compiled OpenLDAP with --enable-aci option. However I was still getting same error. When I was trying to integrate my application with LDAP. Thats why I need schema file for aci attribute. The schema is hardcoded. You need to --enable-dynacl=yes --enable-aci=yes p. Regards On Thu, May 15, 2014 at 9:55 PM, Dieter Klünter <dieter@dkluenter.de <mailto:dieter@dkluenter.de> <mailto:dieter@dkluenter.de <mailto:dieter@dkluenter.de>>> wrote: Am Thu, 15 May 2014 17:48:37 +0200 schrieb Dieter Klünter <dieter@dkluenter.de <mailto:dieter@dkluenter.de> <mailto:dieter@dkluenter.de <mailto:dieter@dkluenter.de>>>: > Am Thu, 15 May 2014 20:45:04 +0530 > schrieb neel <neel.hjs@gmail.com <mailto:neel.hjs@gmail.com> <mailto:neel.hjs@gmail.com <mailto:neel.hjs@gmail.com>>>: > > > Hi, > > I have compiled and configured OpenLDAP 2.4.39 with ACI. > > > > I am trying to integrate one application with LDAP. I have entered > > all settings. Authentication is working fine. Only thing when it > > tries to add some entries to ldap, it says that "err=17 text=aci: > > attribute type undefined" > > > > Can you please provide schema for aci attribute? > > The attribute type is openLDAPaci. The model is based on > http://tools.ietf.org/html/__draft-ietf-ldapext-acl-model-__08 <http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08> you may as well read http://www.openldap.org/faq/__data/cache/634.html <http://www.openldap.org/faq/data/cache/634.html> -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E -- Pierangelo Masarati Associate Professor Dipartimento di Scienze e Tecnologie Aerospaziali Politecnico di Milano
Hi Dieter Thanks for reply. However, Where can I get schema file for this attribute? Or How can I add this attribute to any schema ?
Regards Neelesh
On Thu, May 15, 2014 at 9:18 PM, Dieter Klünter dieter@dkluenter.de wrote:
Am Thu, 15 May 2014 20:45:04 +0530 schrieb neel neel.hjs@gmail.com:
Hi, I have compiled and configured OpenLDAP 2.4.39 with ACI.
I am trying to integrate one application with LDAP. I have entered all settings. Authentication is working fine. Only thing when it tries to add some entries to ldap, it says that "err=17 text=aci: attribute type undefined"
Can you please provide schema for aci attribute?
The attribute type is openLDAPaci. The model is based on http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Am Thu, 15 May 2014 22:00:03 +0530 schrieb neel neel.hjs@gmail.com:
Hi Dieter Thanks for reply. However, Where can I get schema file for this attribute? Or How can I add this attribute to any schema ?
it is all in the source, openldap/servers/slapd/aci.c so no schema file required.
-Dieter
On Thu, May 15, 2014 at 9:18 PM, Dieter Klünter dieter@dkluenter.de wrote:
Am Thu, 15 May 2014 20:45:04 +0530 schrieb neel neel.hjs@gmail.com:
Hi, I have compiled and configured OpenLDAP 2.4.39 with ACI.
I am trying to integrate one application with LDAP. I have entered all settings. Authentication is working fine. Only thing when it tries to add some entries to ldap, it says that "err=17 text=aci: attribute type undefined"
Can you please provide schema for aci attribute?
The attribute type is openLDAPaci. The model is based on http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Quoting Dieter Klünter dieter@dkluenter.de:
The attribute type is openLDAPaci. The model is based on http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
Does this FAQ-O-Matic still represent the current situation regarding the semantics and not recommended for general use?
http://www.openldap.org/faq/data/cache/758.html
-mike
Am Thu, 15 May 2014 19:31:33 +0300 schrieb Mike Jackson mj@netauth.com:
Quoting Dieter Klünter dieter@dkluenter.de:
The attribute type is openLDAPaci. The model is based on http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
Does this FAQ-O-Matic still represent the current situation regarding the semantics and not recommended for general use?
As, to my knowledge, the source code aci.c hasn't changed lately, yes it still is experimental.
-Dieter
Mike Jackson wrote:
Quoting Dieter Klünter dieter@dkluenter.de:
The attribute type is openLDAPaci. The model is based on http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
Does this FAQ-O-Matic still represent the current situation regarding the semantics and not recommended for general use?
Yes.
http://www.openldap.org/faq/data/cache/758.html
-mike
Quoting Howard Chu hyc@symas.com:
Mike Jackson wrote:
Quoting Dieter Klünter dieter@dkluenter.de:
The attribute type is openLDAPaci. The model is based on http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
Does this FAQ-O-Matic still represent the current situation regarding the semantics and not recommended for general use?
Yes.
OK, thanks for clarification from both you, Howard, and Dieter. I like in-tree ACIs for the reason that they are replicated without too much concern. OTOH, the olcAccess semantics are very powerful compared to the SUN/Netscape semantics.
The key thing I desire, I suppose, is replicated schema and ACI, but not some/most of the other parts of cn=config. I, like the previous poster today, would like to be able to dynamically adjust logging levels on a per-server basis while replicating other matters of policy. I think it just means a bit more work on the syncrepl access control. Small price to pay for such power, and don't require much touching after initial config anyway, IMO.
-mike
Mike Jackson wrote:
would like to be able to dynamically adjust logging levels on a per-server basis
If you use back-monitor this particular functionality could also be achieved by tweaking attribute 'managedInfo' in entry cn=Log,cn=Monitor.
The admin guide is not really clear on this because it mentions attribute 'description' instead of 'managedInfo':
http://www.openldap.org/devel/admin/monitoringslapd.html#Log
Ciao, Michael.
Quoting Michael Ströder michael@stroeder.com:
Mike Jackson wrote:
would like to be able to dynamically adjust logging levels on a per-server basis
If you use back-monitor this particular functionality could also be achieved by tweaking attribute 'managedInfo' in entry cn=Log,cn=Monitor.
The admin guide is not really clear on this because it mentions attribute 'description' instead of 'managedInfo':
http://www.openldap.org/devel/admin/monitoringslapd.html#Log
Ciao, Michael.
Yes, I'm running back-monitor. Thanks for the tip. I didn't try it yet, but I only run slapd in the foreground with -d 256 with runit and am not interested in any syslog facilities - I only want all of my slapd logs to go to stderr (with the exception of auditlog). So, the question is that do you know if back-monitor managedInfo sends output to slapd's active logging mechanism or will it go to syslog despite my wishes?
-mike
Mike Jackson wrote:
Quoting Michael Ströder michael@stroeder.com:
Mike Jackson wrote:
would like to be able to dynamically adjust logging levels on a per-server basis
If you use back-monitor this particular functionality could also be achieved by tweaking attribute 'managedInfo' in entry cn=Log,cn=Monitor.
The admin guide is not really clear on this because it mentions attribute 'description' instead of 'managedInfo':
http://www.openldap.org/devel/admin/monitoringslapd.html#Log
Yes, I'm running back-monitor. Thanks for the tip. I didn't try it yet, but I only run slapd in the foreground with -d 256 with runit and am not interested in any syslog facilities - I only want all of my slapd logs to go to stderr (with the exception of auditlog). So, the question is that do you know if back-monitor managedInfo sends output to slapd's active logging mechanism or will it go to syslog despite my wishes?
Did not try my self. I'd expect it to go to syslog.
slapd -d is most times used for debugging only.
Ciao, Michael.
Mike Jackson mj@netauth.com schrieb am 15.05.2014 um 20:35 in Nachricht
20140515213556.Horde.wkpVZ5iF1hLX6CSzSDPdMQ3@mail.netauth.com:
Quoting Howard Chu hyc@symas.com:
Mike Jackson wrote:
Quoting Dieter Klünter dieter@dkluenter.de:
The attribute type is openLDAPaci. The model is based on http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
Does this FAQ-O-Matic still represent the current situation regarding the semantics and not recommended for general use?
Yes.
OK, thanks for clarification from both you, Howard, and Dieter. I like in-tree ACIs for the reason that they are replicated without too much concern. OTOH, the olcAccess semantics are very powerful compared to the SUN/Netscape semantics.
The key thing I desire, I suppose, is replicated schema and ACI, but not some/most of the other parts of cn=config. I, like the previous poster today, would like to be able to dynamically adjust logging levels on a per-server basis while replicating other matters of policy. I think it just means a bit more work on the syncrepl access control. Small price to pay for such power, and don't require much touching after initial config anyway, IMO.
A spontaneous idea would be to extend the logging level in cn=config, maybe by adding the Server ID to make it specific to a server (connection)
-mike
Howard Chu wrote:
Mike Jackson wrote:
Quoting Dieter Klünter dieter@dkluenter.de:
The attribute type is openLDAPaci. The model is based on http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
Does this FAQ-O-Matic still represent the current situation regarding the semantics and not recommended for general use?
Yes.
Given the power of OpenLDAP ACLs in the normal configuration I also do not see any real need for in-directory ACLs anymore. set-based ACLs could be a bit faster though (see my other posting). :-)
Ciao, Michael.
Hi I am using HPCC and I am integrating it with openldap. In that when I start one component I.e. mydali server. It throws this error.
Regards Neelesh
On Friday, May 16, 2014, Michael Ströder michael@stroeder.com wrote:
Howard Chu wrote:
Mike Jackson wrote:
Quoting Dieter Klünter <dieter@dkluenter.de javascript:;>:
The attribute type is openLDAPaci. The model is based on http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
Does this FAQ-O-Matic still represent the current situation regarding the semantics and not recommended for general use?
Yes.
Given the power of OpenLDAP ACLs in the normal configuration I also do not see any real need for in-directory ACLs anymore. set-based ACLs could be a bit faster though (see my other posting). :-)
Ciao, Michael.
neel wrote:
I am using HPCC and I am integrating it with openldap. In that when I start one component I.e. mydali server. It throws this error.
I don't know HPCC. Is it this one?
https://track.hpccsystems.com/browse/HPCC-7999
Ciao, Michael.
neel wrote:
I am trying to integrate one application with LDAP. I have entered all settings. Authentication is working fine. Only thing when it tries to add some entries to ldap, it says that "err=17 text=aci: attribute type undefined"
Could you please elaborate on this particular client application and why you believe that you really need in-directory ACLs?
I suspect your application assumes to talk to a SunONE/Oracle directory server and tries to set their proprietary attributes.
Ciao, Michael.
openldap-technical@openldap.org
-
Dieter Klünter -
Howard Chu -
Michael Ströder -
Mike Jackson -
neel -
Pierangelo Masarati -
Ulrich Windl