Re: (ITS#7605) Configuration entries (under cn=config) does not allow 'objectclass' attribute modification to include full object classes hierarchy
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#7605) Configuration entries (under cn=config) does not allow 'objectclass' attribute modification to include full object classes hierarchy
- From: firstname.lastname@example.org
- Date: Fri, 24 May 2013 11:47:03 GMT
- Auto-submitted: auto-generated (OpenLDAP-ITS)
On 23 mai 2013, at 19:26, Michael Ströder <email@example.com> wrote:
> firstname.lastname@example.org wrote:
>> It looks like it's not possible to modify the 'objectClass' attribute of
>> configuration entries.
>> I have some code generating entries for OpenLDAP configuration from a UI utility
>> and updating existing configuration entries in DIT.
>> This code generates entries with the 'objectClass' attribute containing the full
>> object class hierarchy (all the way to 'top') and not only the highest
>> structural object class (which is the case of default OpenLDAP configuration).
>> When updating the configuration in the DIT, the code then tries to complete the
>> 'objectClass' attribute with the full list of object classes.
>> That operation ends with "error code 53 - UnwillingToPerform".
>> Here's an example on the "cn=config" entry:
>> #!RESULT ERROR
>> #!CONNECTION ldap://10.211.55.13:389
>> #!DATE 2013-05-22T14:56:03.039
>> #!ERROR [LDAP: error code 53 - UnwillingToPerform]
>> dn: cn=config
>> changetype: modify
>> replace: objectClass
>> objectClass: olcConfig
>> objectClass: olcGlobal
>> objectClass: top
> It's not necessarily a bug.
> I think LDAP clients should not act too "smart" and therefore should not
> automagically add object classes from the structural object class chain if
> they are not already present. You will run into issues with various LDAP
> server implementations - at least according to experiences I made with
> conducting interop testing with web2ldap and several server implementations.
Right, it's just that this kind of modification is perfectly valid.
I mean, I'm not breaking any LDAP rule or concept and if I add the same entry (as a new entry) with the full object class hierarchy, the server is allowing it without a hitch.
I still think it should be possible to modify the objectclass but I'll take into account that the implementation does not allow it (yet? ;-)).
> A schema-aware client could auto-complete structural object class chain if
> adding a new entry though. But again: Don't be too smart.
Exactly, that's what I updated my code to do.
Let's be dumb, sometimes...
> May I ask which UI utility you're using?
Sure, that's an internal application we wrote to edit some parts of the OpenLDAP configuration.
> Ciao, Michael.
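
The approach discussed in this thread, as an added example that is not part of the original message or of OpenLDAP: a client-side check that leaves objectClass out of a modify request when the desired value only spells out superiors of classes already present. The SUP map, the sample entries and the function names are constructed for illustration.

```python
# Constructed SUP map for the classes named in the message (assumption:
# olcGlobal SUP olcConfig and olcConfig SUP top, as in the cn=config schema).
SUP = {"top": None, "olcconfig": "top", "olcglobal": "olcconfig"}


def closure(classes, sup=SUP):
    """Expand object class names to include every superior up to 'top'."""
    seen = set()
    for name in classes:
        cur = name.lower()  # object class names are case-insensitive
        while cur is not None and cur not in seen:
            seen.add(cur)
            cur = sup.get(cur)  # classes missing from the map add only themselves
    return seen


def plan_modify(current, desired, sup=SUP):
    """Return a list of (op, attr, values) tuples for a modify request.

    objectClass is skipped when current and desired describe the same class
    chain, so the client never sends a replace that only adds superiors.
    """
    mods = []
    for attr, values in desired.items():
        have = current.get(attr, [])
        if attr.lower() == "objectclass":
            if closure(have, sup) == closure(values, sup):
                continue
        elif sorted(have) == sorted(values):
            continue
        mods.append(("replace", attr, list(values)))
    return mods


# Constructed sample: entry as stored by the server vs. entry generated by the UI.
CURRENT = {"objectClass": ["olcGlobal"], "olcLogLevel": ["none"]}
DESIRED = {"objectClass": ["olcConfig", "olcGlobal", "top"],
           "olcLogLevel": ["stats"]}

if __name__ == "__main__":
    for op, attr, values in plan_modify(CURRENT, DESIRED):
        print(op, attr, values)
```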