[midPoint] Does Midpoint support ApacheDS?
Radovan Semancik
radovan.semancik at evolveum.com
Wed Oct 2 10:02:35 CEST 2013
Hi,
As far as I know we have not tested Apache DS yet. But if you are going
to test it and are willing to share the important pieces of the final
configuration we will gladly help.
As Apache DS is an LDAP server it should work quite OK with midPoint. In
theory. There are a lot of things that LDAP standards do not specify and
that are implemented differently by each directory server. MidPoint can
adapt to most of them and I can surely help you with the configuration on
the midPoint side. But you need to find a way to properly configure
Apache DS first.
The ACI syntax is not part of the LDAP standard. Therefore each directory
server implements it in quite a different fashion. A quick look at the
Apache DS documentation
(http://directory.apache.org/apacheds/basic-ug/3.2-basic-authorization.html)
reveals that the OpenDS/OpenDJ ACI syntax that we used in the sample and
the Apache DS ACI syntax are very different. You will need to find the
equivalent of the ACIs we use in the ApacheDS dialect and use those. If
you do not understand the OpenDS/OpenDJ ACI dialect I can help by
explaining what its purpose is in the sample files. The basic idea is
that the user that midPoint connects with needs to have appropriate
read/write access to the objects midPoint is supposed to manage. We use
the user uid=idm,ou=Administrators,dc=example,dc=com in our samples, but
you can change that. It should also have access to the changelog if you
plan to use live sync.
When it comes to the changelog the situation is even more confusing.
The OpenDS/OpenDJ changelog (which they call "external changelog") was
inspired by the Sun/Oracle DSEE changelog (which they call "retro
changelog") which in turn is just a relic of the old Netscape/iPlanet
synchronization mechanism (hence the "retro" in the name) which somehow
hasn't died for all these years because it was so useful. It is a kind of
de facto standard in the directory servers that originated from Netscape
DS (iPlanet, Sun/Oracle DSEE and RedHat 389) and OpenDS/OpenDJ. It was
also partially adopted by OpenLDAP as far as I know. But it is no formal
standard. And I have no idea whether Apache DS provides this mechanism
or not. A quick Google search reveals nothing relevant. The best way to
explore this may be to send a question to the Apache DS mailing list
regarding their support for a Netscape/iPlanet/Sun/Oracle-style LDAP
changelog, or any equivalent mechanism. Once you have the answer we can
have a look at how we can support it.
--
Radovan Semancik
Software Architect
evolveum.com
On 10/02/2013 09:16 AM, Deepak Natarajan wrote:
> #!ERROR [LDAP: error code 16 - NO_SUCH_ATTRIBUTE: failed for MessageType : ADD_REQUEST Message ID : 13 Add Request : Entry dn[n]: ou=People, dc=example,dc=com objectclass: top objectclass: organizationalunit ou: People aci: (targetattr="*||ds-pwp-account-disabled")(version 3.0; acl "IDM Access"; allow (all) userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";) : ERR_04269 ATTRIBUTE_TYPE for OID aci does not exist!]
> dn: ou=People, dc=example,dc=com
> ........
>
> I have enabled ACI and the attribute does seem to exist - I'm still trying to work this through - has anyone tried this before?
>
> 2. I can't see an external change log subtree (cn=changelog) and cannot find anything on the ApacheDS documents...can anyone please help?
>
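To make the purpose of the OpenDS/OpenDJ ACI from the quoted error concrete, here is an added Python example (not from this thread, midPoint or any directory server) that parses that ACI dialect into its target, name and rules and answers whether a given bind DN is granted a right on an attribute. The expansion of "all" and the DN normalisation are simplifying assumptions, and the ApacheDS dialect is deliberately not parsed.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the OpenDS/OpenDJ-dialect ACI quoted in the thread's error message.
SAMPLE_ACI = ('(targetattr="*||ds-pwp-account-disabled")(version 3.0; acl "IDM Access"; '
              'allow (all) userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)')

# Assumption: "all" expands to every right except proxy (DSEE/OpenDJ convention).
ALL_RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite"}

_TARGET = re.compile(r'\((target\w*)="([^"]*)"\)')             # (targetattr="a||b")
_HEADER = re.compile(r'\(version\s+([\d.]+);\s*acl\s+"([^"]*)";\s*(.*)\)\s*$', re.S)
_RULE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(\w+)\s*=\s*"([^"]*)"\s*;')

@dataclass
class Aci:
    name: str
    version: str
    targets: dict                              # e.g. {"targetattr": ["*", "ds-pwp-account-disabled"]}
    rules: list = field(default_factory=list)  # (effect, rights, bind_keyword, bind_value)

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))  # 'ou=People, dc=x' == 'ou=people,dc=x'

def parse_aci(text):
    targets = {k: v.split("||") for k, v in _TARGET.findall(text)}
    head = _HEADER.search(text)
    if not head:
        raise ValueError("not an OpenDS/OpenDJ-style ACI: missing (version ...; acl ...; ...) body")
    version, name, body = head.groups()
    rules = []
    for effect, rights, keyword, value in _RULE.findall(body):
        rights = {r.strip().lower() for r in rights.split(",")}
        rules.append((effect, ALL_RIGHTS if "all" in rights else rights, keyword, value))
    return Aci(name, version, targets, rules)

def grants(aci, bind_dn, right, attr):
    """True if the ACI lets bind_dn exercise `right` on `attr`; an explicit deny wins."""
    if not any(t == "*" or t.lower() == attr.lower() for t in aci.targets.get("targetattr", [])):
        return False  # attribute is outside the ACI's target, so the ACI says nothing about it
    decision = False
    for effect, rights, keyword, value in aci.rules:
        if keyword != "userdn" or right not in rights:
            continue  # only userdn bind rules are modelled here (no groupdn/roledn/ip)
        anyone = value in ("ldap:///anyone", "ldap:///all")  # anonymous or any authenticated user
        if anyone or norm_dn(value[len("ldap:///"):]) == norm_dn(bind_dn):
            if effect == "deny":
                return False
            decision = True
    return decision
```

Running `grants(parse_aci(SAMPLE_ACI), "uid=idm,ou=Administrators,dc=example,dc=com", "write", "ds-pwp-account-disabled")` shows why the sample expects that account to exist under ou=Administrators: the grant is bound to that exact DN.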