[Date Prev][Date Next]
Re: Attribute type is operational
Jonathan Clarke wrote:
On Mon, 12 Jul 2010 08:10:56 +0000, Stuart Cherrington
I'm running Openldap 2.4 on Rhel5. I've got the basics working, user
accounts etc, but have tried adding some new schemas which I'm getting
problems with. I followed a VERY helpful Blog at
which allowed me to install some Oracle OID schema's so we can move away
from Oracle OID.
This Blog is a little out of date and I have some attributetypes which I
need to add-in to the schema. I've added the following 2 lines:
attributetypes ( 2.16.840.1.1138184.108.40.206 NAME 'orclGuid' EQUALITY
caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
'220.127.116.11.4.1.1418.104.22.168.15' SINGLE-VALUE NO-USER-MODIFICATION USAGE
attributetypes ( 2.16.840.1.113822.214.171.1240 NAME 'orclnormdn' EQUALITY
distinguishedNameMatch SYNTAX '126.96.36.199.4.1.14188.8.131.52.12'
NO-USER-MODIFICATION USAGE directoryOperation )
I took these from the current 10.2.0 OID installation so wasn't 100% sure
they were correct but they are similar in construct the others found on
When I restart ldap2.4 I get error:
service ldap2.4 restart
Checking config file /etc/openldap2.4/slapd.conf: [FAILED]
/etc/openldap2.4/schema/oidbase.schema: line 27 attributetypes:
"2.16.840.1.1138184.108.40.206" is operational
slaptest2.4: bad configuration file!
This error message is complaining that the attributetype declared is an
operational attribute ("USAGE directoryOperation").
Reading through the code, I see the following comment: "operational
attributes should be defined internally". I therefore presume that you
cannot define operational attributes by way of schema files.
Correct. Operational attributes are, by definition, used internally by a
directory server. They have no meaning unless you provide code that implements
These attributes won't be "operational" anyway in the sense that they will
not be automatically managed by the OpenLDAP server, since it knows nothing
about them. If you just need them for compatibility with OID, I suggest you
change the declaration to make them non-operational. You'll probably want
to remove the "NO-USER-MODIFICATION" flag too, if you want to be able to
modify them with user accounts.
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/