[389-users] Reg aci field missing

Rich Megginson rmeggins at redhat.com
Mon Apr 22 13:42:23 UTC 2013


On 04/22/2013 04:43 AM, s.varadha rajan wrote:
> Hi Team,
>
> We have implemented 389-ds in Ubuntu 12.04 LTS. Everything is working 
> fine. We have created an ou called "groups", such as 
> ou=groups,dc=xxx,dc=com. The same 389-ds (1.2.1-0ubuntu2) is implemented in 
> Ubuntu Linux 10.04 LTS and we can see the "aci" attributes in 
> the groups OU. The same aci is not available in "1.2.10.4-0ubuntu3.1".
>
> For example, if I connect to my *older LDAP server* through 
> phpldapadmin and select any group from "ou=groups,dc=xxx,dc=com", I 
> can see the below fields from the aci attribute,
>
> (targetattr="*") 
> (target="ldap:///cn=*,ou=services,ou=groups,dc=xxx,dc=com") (version 
> 3.0;acl "<group name>"; allow (write)(userdn="ldap:///uid=<user 
> name>,ou=people,dc=xxx,dc=com");)
> (targetattr="*") 
> (target="ldap:///cn=*,ou=services,ou=groups,dc=xxx,dc=com") (version 
> 3.0;acl "<group name>"; allow (write)(userdn="ldap:///uid=<user 
> name>,ou=people,dc=xxx,dc=com");)
> (targetattr="*") 
> (target="ldap:///cn=*,ou=services,ou=groups,dc=xxx,dc=com") (version 
> 3.0;acl "<group name>"; allow (write)(userdn="ldap:///uid=<user 
> name>,ou=people,dc=xxx,dc=com");)
>
> To get the same details, if I connect to my new LDAP server 
> through phpldapadmin, the "aci" attribute itself is not displayed.
>
> Is the attribute related to samba?

The aci attribute?  No.

> I referred to some blogs on the net. If I search through ldapsearch,
>
> ldapsearch -x -h localhost -p <port no>  -s base -b "cn=schema" 
> "objectclass=*" | grep -i samba -> output is displayed on the old 
> server with some values. If I apply the same command on the new server, there is no output.

For schema, 389 is now compliant with the LDAPv3 RFCs.  These state that 
the schema attributes such as attributeTypes, objectClasses, etc. are 
OPERATIONAL attributes and must be explicitly requested by the search 
command.  So

ldapsearch -x -h localhost -p <port no>  -s base -b "cn=schema" 
"objectclass=*" attributeTypes objectClasses | grep -i samba

The other thing about cn=schema is that the ldapsearch LDIF output is 
wrapped at 78 characters which makes grep difficult.  See 
http://richmegginson.livejournal.com/18726.html

For "aci", it too is an operational attribute - in order to see it:

ldapsearch -x -h localhost -p <port no> -b "dc=xxx,dc=com" "aci=*" aci

>
> My question may be silly, please don't mistake. What could be the reason?
>
> Regards,
> Varad
>
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
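
The LDIF wrapping problem mentioned in the reply above, shown as an added example that is not part of the original message or the 389 project's code: a small filter that unfolds wrapped LDIF lines so that grep sees each schema value on one line. The function names, the OIDs and the attribute name in the sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample (not real server output): cn=schema LDIF as ldapsearch
# prints it, folded so that the word "samba" is split across two lines.
# The OIDs and the attribute/class names are made up for illustration.
sample_schema_ldif() {
cat <<'EOF'
dn: cn=schema
attributeTypes: ( 9.9.9.1 NAME 'sam
 baExampleAttr' DESC 'constructed value' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
  SINGLE-VALUE )
objectClasses: ( 9.9.9.2 NAME 'exampleClass' SUP top AUXILIARY )
EOF
}

# Undo LDIF folding: a line starting with one space continues the previous
# line; that single space is the fold marker and is dropped.
ldif_unfold() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        { if (NR > 1) print buf; buf = $0 }
        END { if (NR > 0) print buf }
    '
}

# Count input lines matching $1 (case-insensitive); prints 0 when none match.
count_matching_lines() {
    grep -ci -- "$1" || true
}

# Against a live server, using the search from the reply above:
#   ldapsearch -x -h localhost -p <port no> -s base -b "cn=schema" \
#     "objectclass=*" attributeTypes objectClasses | ldif_unfold | grep -i samba

echo "raw matches:      $(sample_schema_ldif | count_matching_lines samba)"
echo "unfolded matches: $(sample_schema_ldif | ldif_unfold | count_matching_lines samba)"
```

The same filter helps when reviewing the output of the "aci=*" search, since long ACI values are folded in the same way.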
