[midPoint] Does Midpoint support ApacheDS?

Deepak Natarajan dnataraj at gmail.com
Wed Oct 2 10:50:08 CEST 2013


Hi -

First of all, thank you very much for helping out whenever/where you can.

If I can get my instance of Midpoint 2.2 running w/ resources from ApacheDS I will gladly share what I had to do to get it all to play together.

A quick question:

Regarding this aci attribute (defined on ou=People,dc=example,dc=com from your example.ldif) 

aci: (targetattr="*||ds-pwp-account-disabled")(version 3.0; acl "IDM Access"; allow (all) userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)

When is this required? I understand this is to allow access to that subtree for the idm LDAP account - so will I need this attribute on all our organizational subtrees (if they are part of our midpoint resource schemas)?

Thanks.

Rgds/Deepak

On 02/10/2013, at 10.02, Radovan Semancik <radovan.semancik at evolveum.com> wrote:

> Hi,
> 
> As far as I know we have not tested Apache DS yet. But if you are going to test it and are willing to share the important pieces of the final configuration we will gladly help.
> 
> As Apache DS is an LDAP server it should work quite OK with midPoint. In theory. There are a lot of things that LDAP standards do not specify and that are implemented differently by each directory server. MidPoint can adapt to most of them and I can surely help you with the configuration on the midPoint side. But you need to find a way to properly configure Apache DS first.
> 
> The ACI syntax is not part of the LDAP standard. Therefore each directory server implements it in quite a different fashion. A quick look at the Apache DS documentation (http://directory.apache.org/apacheds/basic-ug/3.2-basic-authorization.html) reveals that the OpenDS/OpenDJ ACI syntax that we used in the sample and the Apache DS ACI syntax are very different. You will need to find the equivalent of the ACIs we use in the ApacheDS dialect and use those. If you do not understand the OpenDS/OpenDJ ACI dialect I can help you by explaining what its purpose is in the sample files. The basic idea is that the user that midPoint connects with needs to have appropriate read/write access to the objects midPoint is supposed to manage. We use user uid=idm,ou=Administrators,dc=example,dc=com in our samples, but you can change that. It should also have access to the changelog if you plan to use live sync.
> 
> When it comes to the changelog the situation is even more confusing. The OpenDS/OpenDJ changelog (which they call "external changelog") was inspired by the Sun/Oracle DSEE changelog (which they call "retro changelog"), which in turn is just a relic of the old Netscape/iPlanet synchronization mechanism (hence the "retro" in the name) which somehow hasn't died for all these years because it was so useful. It is kind of a de facto standard in the directory servers that originated from Netscape DS (iPlanet, Sun/Oracle DSEE and RedHat 389) and OpenDS/OpenDJ. It was also partially adopted by OpenLDAP as far as I know. But it is no formal standard. And I have no idea whether Apache DS provides this mechanism or not. A quick Google search reveals nothing relevant. The best way to explore this may be to send a question to the Apache DS mailing list regarding their support for the Netscape/iPlanet/Sun/Oracle-style LDAP changelog. Or any equivalent mechanism. Once you have the answer we can have a look at how we can support it.
> 
> -- 
> 
>                                           Radovan Semancik
>                                          Software Architect
>                                             evolveum.com
> 
> 
> 
> On 10/02/2013 09:16 AM, Deepak Natarajan wrote:
>> #!ERROR [LDAP: error code 16 - NO_SUCH_ATTRIBUTE: failed for MessageType : ADD_REQUEST Message ID : 13     Add Request : Entry     dn[n]: ou=People, dc=example,dc=com     objectclass: top     objectclass: organizationalunit     ou: People     aci: (targetattr="*||ds-pwp-account-disabled")(version 3.0; acl "IDM Access"; allow (all) userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";) : ERR_04269 ATTRIBUTE_TYPE for OID aci does not exist!]
>> dn: ou=People, dc=example,dc=com
>> ........
>> 
>> I have enabled ACI and the attribute does seem to exist - I'm still trying to work this through - has anyone tried this before?
>> 
>> 2. I can't see an external change log subtree (cn=changelog) and cannot find anything on the ApacheDS documents...can anyone please help?
>> 
> 
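As an added illustration (not code from this thread, from midPoint or from either directory server), a small Python decoder for the OpenDS/OpenDJ ACI dialect quoted above. It splits the rule into its target, rights and bind rule and flags the combination of a wildcard attribute scope with write-class rights, which is the least-privilege question worth settling before translating the rule into the ApacheDS dialect. The expansion of "all" to every right except proxy is an assumption taken from the OpenDJ documentation.

```python
import re

# Constructed sample: the ACI quoted in this thread (OpenDS/OpenDJ dialect).
SAMPLE_ACI = (
    '(targetattr="*||ds-pwp-account-disabled")'
    '(version 3.0; acl "IDM Access"; allow (all) '
    'userdn="ldap:///uid=idm,ou=Administrators,dc=example,dc=com";)'
)

# Assumption: "all" means every right except proxy, per the OpenDJ/DSEE documentation.
ALL_RIGHTS = frozenset({"read", "search", "compare", "write", "add", "delete", "selfwrite"})

_TARGET_RE = re.compile(r'\((target\w*)\s*(!?=)\s*"([^"]*)"\)')
_BODY_RE = re.compile(
    r'\(version\s+(?P<version>[\d.]+)\s*;\s*acl\s+"(?P<acl>[^"]*)"\s*;\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind_kw>\w+)\s*(?P<bind_op>!?=)\s*"(?P<bind_val>[^"]*)"\s*;\s*\)'
)


def parse_aci(aci: str) -> dict:
    """Decode one OpenDS/OpenDJ-style ACI into its target clauses, rights and bind rule."""
    body = _BODY_RE.search(aci)
    if body is None:
        raise ValueError("not an OpenDS/OpenDJ ACI: " + aci)
    targets = {}
    # Target clauses precede the version/acl body; targetattr lists are "||"-separated.
    for keyword, op, value in _TARGET_RE.findall(aci[:body.start()]):
        targets[keyword] = (op, value.split("||") if keyword == "targetattr" else value)
    rights = {r.strip().lower() for r in body.group("rights").split(",") if r.strip()}
    if "all" in rights:
        rights = (rights - {"all"}) | ALL_RIGHTS
    return {
        "targets": targets,
        "version": body.group("version"),
        "acl": body.group("acl"),
        "effect": body.group("effect"),
        "rights": rights,
        "bind_rule": (body.group("bind_kw"), body.group("bind_op"), body.group("bind_val")),
    }


def review_aci(parsed: dict) -> list:
    """Least-privilege findings: wildcard attribute scope with write rights, proxy, anonymous bind."""
    findings = []
    if parsed["effect"] != "allow":
        return findings
    op, attrs = parsed["targets"].get("targetattr", ("=", []))
    if op == "=" and "*" in attrs and parsed["rights"] & {"write", "add", "delete"}:
        findings.append("write/add/delete on every attribute; restrict targetattr to what the connector manages")
    if "proxy" in parsed["rights"]:
        findings.append("grants proxy authorization")
    if parsed["bind_rule"][0] == "userdn" and parsed["bind_rule"][2].endswith("anyone"):
        findings.append("bind rule matches anyone")
    return findings
```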
