[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Problems with slapcat/slapadd in upgrade from 2.2.23 to 2.3.11

On  20 Oct 2005, at 14:24, Pierangelo Masarati wrote:

On Thu, 2005-10-20 at 13:29 -0700, Charles Stephens wrote:

Is there a reference on ACI syntax?  What is wrong with this specific

There is no formal specification (yet); values that used to be legal are
still legal, and few extensions have been added in HEAD. Of course,
ACIs need to be explicitly enabled by using --enable-aci at configure.

I read aci.c in 2.3.11 and I am more comfortable with the syntax, but it is still scary that there isn't anything even roughly documented.

I don't see anything strange at a first glance.  Maybe enabling enough
debugging when slapadd'ing that specific value may enlight a bit.

If your intention is to use a custom group objectClass "dnGroup", I
think the trailing "/dnGroup" should be put after "group" instead, i.e.

OpenLDAPaci: 1#entry#grant;w;
[all]#group/ dnGroup#cn=sysops,ou=application,ou=groups,dc=cowlabs,dc=com

and of course you need to make sure that the objectClass "dnGroup" is

Yes, that seems to be where it went wrong. We automatically generate ACI attributes and it looks like the script had the syntax wrong. We adjusted our script and we are test loading the LDIF now to see if it is happy.

Thanks for your help.