Re: Problems with slapcat/slapadd in upgrade from 2.2.23 to 2.3.11

[Charles Stephens <cfs@cowlabs.com>]

On  20 Oct 2005, at 14:24, Pierangelo Masarati wrote:

> On Thu, 2005-10-20 at 13:29 -0700, Charles Stephens wrote:
>
> > Is there a reference on ACI syntax?  What is wrong with this specific
> > entry?
>
> There is no formal specification (yet); values that used to be  
> legal are
> still legal, and few extensions have been added in HEAD.  Of course,
> ACIs need to be explicitly enabled by using --enable-aci at configure.

I read aci.c in 2.3.11 and I am more comfortable with the syntax, but  
it is still scary that there isn't anything even roughly documented.

> I don't see anything strange at a first glance.  Maybe enabling enough
> debugging when slapadd'ing that specific value may enlight a bit.
>
> If your intention is to use a custom group objectClass "dnGroup", I
> think the trailing "/dnGroup" should be put after "group" instead,  
> i.e.
>
> OpenLDAPaci: 1#entry#grant;w;
> [all]#group/ 
> dnGroup#cn=sysops,ou=application,ou=groups,dc=cowlabs,dc=com
>
> and of course you need to make sure that the objectClass "dnGroup" is
> defined.

Yes, that seems to be where it went wrong.  We automatically generate  
ACI attributes and it looks like the script had the syntax wrong.  We  
adjusted our script and we are test loading the LDIF now to see if it  
is happy.

Thanks for your help.

cfs