
Re: OpenLDAPaci not allowed in user-defined object classes

The problem is quite simple.  OpenLDAPaci is an operational
attribute and hence is controlled by the "system" schema,
not the "user" schema.

In some cases, object classes are used to control system schema.
For example, 'ref' is allowed by 'referral' when used to create
a subordinate reference.  Here, 'referral' can be viewed as an
operational object class... that is, an object class which is
part of the system schema.

However, there are other cases, where there is no associated
objectclass(es) with the operational attribute.  For example,
subschemaSubentry can be present in any entry regardless
of whether object classes allow it or not.  OpenLDAPaci is
treated in the same fashion.

In general, system schema is built in... an integral part of
the data model requiring code to implement.

System schema (e.g., operational schema) is under the control
of the system, not the user.  The slapd(8) will prevent the
user from stating rules which control system schema.  The
primary reason for doing this is not to keep users from
shooting themselves in the foot, but to make sure that
oddly defined schema rules don't lead to behaviors which
would be incredibly difficult to diagnose as being caused
by the oddly defined schema rules.   If folks really want
to shoot themselves in the foot, they can easily enough
change slapd(8) to allow such rules to be defined.

At 07:49 AM 2002-08-27, Michael Weiser wrote:
>Using FAQs, mailing-list-archives and the web I found out that this is due
>to the USAGE definition enforcement in openldap-2.1 and tried to redesign
>the schema but I don't seem to get it right and I can't find any
>documentation on it. Therefore I'm sorry to bother you with such an
>FAQ-like question, but how do I add OpenLDAPacis to user-defined object
>classes if the former are operational and therefore not allowed in the
>Thanks very much in advance,
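
The USAGE rule discussed in this thread can be checked before a schema file is handed to slapd(8). The following is an added example, not part of the original message and not OpenLDAP code: it reports user-defined object classes whose MUST/MAY lists name an attribute with an operational USAGE. The sample schema, its placeholder OIDs, and the names `aciHolder`, `deptEntry`, `deptCode` and `operational_refs` are assumptions made for illustration, and each definition is assumed to sit on one line.

```python
import re

# USAGE values other than userApplications mark an attribute as operational (RFC 4512).
OPERATIONAL = {"directoryOperation", "distributedOperation", "dSAOperation"}

# Constructed sample in slapd.conf schema syntax; OIDs and all names except
# OpenLDAPaci are placeholders, and each definition sits on one line.
SAMPLE_SCHEMA = """
attributetype ( 1.1.2.1.1 NAME 'OpenLDAPaci' DESC 'constructed stand-in' USAGE directoryOperation )
attributetype ( 1.1.2.1.2 NAME ( 'deptCode' 'departmentCode' ) DESC 'constructed user attribute' )
objectclass ( 1.1.2.2.1 NAME 'aciHolder' SUP top AUXILIARY MAY ( OpenLDAPaci $ deptCode ) )
objectclass ( 1.1.2.2.2 NAME 'deptEntry' SUP top STRUCTURAL MUST departmentCode )
"""

def _names(body, keyword):
    """Names after keyword: a single token, or a ( a $ b ) / ( 'a' 'b' ) list."""
    m = re.search(rf"\b{keyword}\s+(\(([^)]*)\)|[^\s()]+)", body)
    if not m:
        return []
    raw = m.group(2) if m.group(2) is not None else m.group(1)
    return [t.strip("'") for t in re.split(r"[\s$]+", raw.strip()) if t]

def operational_refs(schema_text):
    """Return (objectclass, keyword, attribute, usage) for every MUST/MAY
    entry that names an attribute defined with an operational USAGE."""
    usage, classes = {}, []  # attribute names are compared case-insensitively
    pattern = r"(?im)^(attributetype|objectclass)\s+\((.*)\)\s*$"
    for kind, body in re.findall(pattern, schema_text):
        body = re.sub(r"DESC\s+'[^']*'", "", body)  # keywords inside DESC are not schema
        if kind.lower() == "attributetype":
            m = re.search(r"\bUSAGE\s+(\w+)", body)
            for name in _names(body, "NAME"):
                usage[name.lower()] = m.group(1) if m else "userApplications"
        else:
            classes.append(body)
    findings = []
    for body in classes:
        oc = (_names(body, "NAME") or ["<unnamed>"])[0]
        for kw in ("MUST", "MAY"):
            for attr in _names(body, kw):
                # Attributes not defined in this text are treated as user attributes.
                use = usage.get(attr.lower(), "userApplications")
                if use in OPERATIONAL:
                    findings.append((oc, kw, attr, use))
    return findings

if __name__ == "__main__":
    for oc, kw, attr, use in operational_refs(SAMPLE_SCHEMA):
        print(f"objectclass {oc}: {kw} {attr} has USAGE {use}")
```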