Michael Ströder wrote:
> HI!
>
> Why is it not allowed to use
> NO-USER-MODIFICATION USAGE dSAOperation
> in an attribute type declaration?

Because such an operational attribute requires server-side code to actually implement it, and you haven't got any means to provide that code. Custom operational attributes must be defined using code loaded in a module.

> For OATH-LDAP I'd like to define a "virtual" attribute (actually to be processed by back-sock listener) without having to write a slapd overlay.
>
> attributetype ( oath-ldap-at:16
>   NAME 'oathOTPValue'
>   DESC 'OATH-LDAP: currently valid OTP value of a token'
>   X-ORIGIN 'OATH-LDAP'
>   SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
>   EQUALITY integerMatch
>   SINGLE-VALUE
>   NO-USER-MODIFICATION
>   USAGE dSAOperation )
>
> But slapd refuses to start:
>
> 5a00641b /home/michael/Proj/oath-ldap/oath-ldap.schema: line 241 (attributetype ( oath-ldap-at:16 NAME 'oathOTPValue' DESC 'OATH-LDAP: currently valid OTP value of a token or associated user entry (not directly used)' X-ORIGIN 'OATH-LDAP' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 EQUALITY integerMatch SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation ))
> 5a00641b /home/michael/Proj/oath-ldap/oath-ldap.schema: line 241 attributetype: "oath-ldap-at:16" is operational
>
> Ciao, Michael.

Howard Chu wrote:
> Michael Ströder wrote:
>> HI!
>>
>> Why is it not allowed to use
>> NO-USER-MODIFICATION USAGE dSAOperation
>> in an attribute type declaration?
>
> Because such an operational attribute requires server-side code to actually implement it, and you haven't got any means to provide that code. Custom operational attributes must be defined using code loaded in a module.

You could use the dsaschema contrib module to help with this.

Howard Chu wrote:
> Howard Chu wrote:
>> Michael Ströder wrote:
>>> HI!
>>>
>>> Why is it not allowed to use
>>> NO-USER-MODIFICATION USAGE dSAOperation
>>> in an attribute type declaration?
>>
>> Because such an operational attribute requires server-side code to actually implement it, and you haven't got any means to provide that code. Custom operational attributes must be defined using code loaded in a module.
>
> You could use the dsaschema contrib module to help with this.

Thanks for the information but it does not work for me.

https://www.openldap.org/its/index.cgi?findid=8770

Will provide backtrace soon.

Ciao, Michael.

Howard Chu wrote:
> Michael Ströder wrote:
>> Why is it not allowed to use
>> NO-USER-MODIFICATION USAGE dSAOperation
>> in an attribute type declaration?
>
> Because such an operational attribute requires server-side code to actually implement it, and you haven't got any means to provide that code. Custom operational attributes must be defined using code loaded in a module.
>
>> For OATH-LDAP I'd like to define a "virtual" attribute (actually to be processed by back-sock listener) without having to write a slapd overlay.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This *is* the server-side code!

It somewhat defeats the idea of back-sock or similar if I still have to implement an overlay to simply define appropriate schema (in my case for OATH-LDAP).

IMO it does not do any harm to allow .schema files to contain such an attribute type description.

Ciao, Michael.
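
A pre-flight check for the startup failure discussed in this thread, as an added example (not code from the thread or from OpenLDAP): it scans schema text for attributetype declarations whose USAGE is operational and reports them by OID, as the slapd log line does. The function names and the `example-at:1` declaration are constructed for illustration, and it assumes the rejection shown in the log is tied to a USAGE other than userApplications.

```python
import re

# USAGE values defined in RFC 4512; all but userApplications are operational.
OPERATIONAL_USAGES = {"directoryOperation", "distributedOperation", "dSAOperation"}
# A token is a quoted string, a parenthesis, or a bare word.
TOKEN = re.compile(r"'[^']*'|[()]|[^\s()']+")

def attributetypes(schema_text):
    """Yield (line_number, tokens) for each balanced attributetype ( ... )."""
    for m in re.finditer(r"(?im)^attributetype\s*\(", schema_text):
        depth, tokens = 1, []
        for tok in TOKEN.finditer(schema_text, m.end()):
            # Parentheses inside a quoted DESC string are part of one token,
            # so they never change the nesting depth.
            depth += {"(": 1, ")": -1}.get(tok.group(), 0)
            if depth == 0:
                break
            tokens.append(tok.group())
        else:
            continue  # unbalanced declaration: leave it to slapd's parser
        yield schema_text.count("\n", 0, m.start()) + 1, tokens

def find_operational(schema_text):
    """Return (line, oid, usage, no_user_mod) for operational declarations."""
    findings = []
    for line_no, tokens in attributetypes(schema_text):
        usage = "userApplications"  # default when USAGE is absent
        if "USAGE" in tokens[:-1]:
            usage = tokens[tokens.index("USAGE") + 1]
        if usage in OPERATIONAL_USAGES:
            findings.append((line_no, tokens[0], usage,
                             "NO-USER-MODIFICATION" in tokens))
    return findings

SAMPLE = """\
# constructed sample; the second declaration is the one quoted in the thread
attributetype ( example-at:1 NAME 'exampleCounter'
  DESC 'constructed user attribute (USAGE dSAOperation appears only in DESC)'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 EQUALITY integerMatch SINGLE-VALUE )

attributetype ( oath-ldap-at:16 NAME 'oathOTPValue'
  DESC 'OATH-LDAP: currently valid OTP value of a token or associated user entry (not directly used)'
  X-ORIGIN 'OATH-LDAP'
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 EQUALITY integerMatch SINGLE-VALUE
  NO-USER-MODIFICATION USAGE dSAOperation )
"""

if __name__ == "__main__":
    for line_no, oid, usage, no_mod in find_operational(SAMPLE):
        print(f'line {line_no}: "{oid}" is operational (USAGE {usage})')
```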
openldap-technical@openldap.org