
Re: schema check on => Object class violation

At 03:19 PM 7/16/99 -0400, Jeff Clowser wrote:
>ramana.ramachandran@wcom.com wrote:
>> I have schema check on. When I try to modify the userpassword attr I
>> get.. [ schema violation ]

>What does the entire record look like?
Does the record you are modifying violate schema?

>> When I turn schema check off it's working fine.
It likely does.

>Most likely the problem is that you are trying to
>put an attribute into a record or edit a record
>that violates schema - If your record has objectclass
>"account", and you try to write a cn to it, and it
>does not have another objectclass that allows cn,
>you get an objectclass violation.

>Even though you're changing the password, maybe the script
>updates other attributes that don't really need it

ldappasswd(1) (included in the distribution) only attempts
to modify userPassword.

>or maybe the LDAP server won't make changes to
>a record (even if the changing attribute is within the
>schema) if the record contains schema violations
>elsewhere - dunno, but worth a look.

Exactly.  If the resulting ENTRY violates schema, an
error is returned.

>Best to make sure you don't have objectclass violations
>anywhere :-)

Enabling schema checks and using ldap operations (i.e., not
ldif2ldbm or other ldbm tools) to modify your directory
is the best way to ensure schema is maintained.

>>ldapsearch doesn't support -W option. I have default access set to none.

-W support needs to be added to ldapsearch (it's implemented in -devel).
Feel free to submit an ITS (preferably with a patch)...
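
The schema-check behaviour discussed in this message (the whole resulting entry is validated, so a userPassword change fails when the entry already carries a disallowed attribute), as an added example that is not part of the original message or of the OpenLDAP code. The schema table, the `violations` and `modify` helpers, and the sample entries are constructed and simplified assumptions, not real schema definitions.

```python
# Constructed, simplified schema for illustration; not real OpenLDAP definitions.
SCHEMA = {
    "account": {"must": {"uid"}, "may": {"userpassword", "description"}},
    "person": {"must": {"cn", "sn"}, "may": {"userpassword"}},
}

def violations(entry):
    """Return schema problems for a whole entry (dict: attribute -> list of values)."""
    attrs = {name.lower(): values for name, values in entry.items()}
    allowed, problems = {"objectclass"}, []
    if not attrs.get("objectclass"):
        problems.append("entry has no objectclass")
    for oc in (c.lower() for c in attrs.get("objectclass", [])):
        if oc not in SCHEMA:
            problems.append(f"unknown objectclass '{oc}'")
            continue
        allowed |= SCHEMA[oc]["must"] | SCHEMA[oc]["may"]
        for required in sorted(SCHEMA[oc]["must"]):
            if not attrs.get(required):
                problems.append(f"'{oc}' requires '{required}'")
    for name in sorted(attrs):
        if name not in allowed:
            problems.append(f"'{name}' not allowed by any objectclass")
    return problems

def modify(entry, replacements, schema_check=True):
    """Replace attributes, then validate the RESULTING entry, not just the change."""
    result = {name.lower(): list(values) for name, values in entry.items()}
    result.update({name.lower(): list(v) for name, v in replacements.items()})
    if schema_check:
        problems = violations(result)
        if problems:
            raise ValueError("object class violation: " + "; ".join(problems))
    return result

# Constructed entries. BAD carries a cn that 'account' does not allow, as if it
# had been loaded by an offline tool that bypasses schema checks.
GOOD = {"objectclass": ["account"], "uid": ["jdoe"]}
BAD = {"objectclass": ["account"], "uid": ["jdoe"], "cn": ["John Doe"]}
NEW_PW = {"userPassword": ["{SHA}placeholder"]}  # placeholder value

if __name__ == "__main__":
    print(modify(GOOD, NEW_PW))                      # accepted
    try:
        modify(BAD, NEW_PW)                          # rejected: cn is the problem
    except ValueError as err:
        print(err)
    print(modify(BAD, NEW_PW, schema_check=False))   # accepted, violation persists
```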