[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: still unclear on error 69



On Monday 11 August 2003 20:20, Jon Roberts wrote:
> I'm only using top, person, organizationalperson, and inetorgperson.
> What's missing? I understood your point about conflicts in strucutural
> objectclasses, but it doesn't apply.
>
> The 69 error occurs when I attempt a modify operation on the
> objectclass attribute to go from a [top, person] entry to a [top,
> person, organizationalperson] or [top, person, organizationalperson,
> inetorgperson] entry.

As of OpenLDAP 2.1 changing the structural objectclass of an entry is not 
allowed anymore. You need to delete and re-create the object.

I am not sure about the reasons sicne extending an object (as you do in your 
example above) is harmless compared to changing the objectclass completey
(e.g. to [top, groupOfNames] in your example ,-).
The latter one my be disastrous.
Maybe it is an issue of having to check the objectclass tree. If you do not 
check whether the new combination ob objectclasses is a legal one (only one 
structural objectclass chain, ...), you better forbid changing the structural 
objectclass at all.

I haven't tested if is still allowed to add a superior objectclass of the 
structural objectclass.
i.e. adding [person, organizationperson] to an object created with
[top, inetOrgperson]

Of course adding auxiliary objectclasses is still possible.

Peter

-- 
Peter Marschall
eMail: peter@adpm.de