Re: objectclass question


On Friday 03 October 2003 12:14, Michal Gubik wrote:
> My question is regarding object class. I have made already several users
> on ldap but I need to add host attribute that is in account objectclass
> but when I try to add account objectclass to that user I get error
> saying ldap_modify: Cannot modify object class (69)
>         additional info: Structural object class modification from
> 'InetOrgPerson' to 'account' not allowed
> my ldif looks like this:
> dn: uid=mgubik, ou=people, o=coprosys,dc=cd
> changetype: add
> objectclass: account
> add: host
> host: hostname
> and  I try to add it by ldapmodify.  Thanks for any help.

It is a restriction of OpenLDAP starting from 2.1.x not to allow changing the 
STRUCTURAL objectclass of an entry.
IIRC the reasons for this restriction were that the LDAP data model requires 

To change the STRUCTURAL objectclasses of an object you need to delete and 
re-add it to the directory.
Please consider the fact that OpenLDAP enforces the "one objectclass chain"
rule. You may need to create a private objectclass that has the account 
objectclass and your user's objectclass as SUPerior objectclasses.

IMHO forbidding the change of the structural objectclass completely is too 
rigid. I can understand that it is a bad idea to delete a STRUCTURAL 
objectclass, but I cannot see why adding an objectclass that has the
current structural objectclass as SUPerior might hurt anything.


Peter Marschall
eMail: peter@adpm.de
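
The "one objectclass chain" rule and the modify restriction described in the reply above, as an added example that is not part of the original message and not OpenLDAP's code. It is a simplified model; the private class name `xPersonAccount` is hypothetical, and the other class definitions follow the standard core, cosine and inetorgperson schemas.

```python
# Simplified model of the structural objectclass chain check (added example).
# name -> (kind, direct SUPerior classes)
SCHEMA = {
    "top": ("ABSTRACT", []),
    "person": ("STRUCTURAL", ["top"]),
    "organizationalPerson": ("STRUCTURAL", ["person"]),
    "inetOrgPerson": ("STRUCTURAL", ["organizationalPerson"]),
    "account": ("STRUCTURAL", ["top"]),
    # Hypothetical private class with both classes as SUPerior,
    # following the suggestion in the reply.
    "xPersonAccount": ("STRUCTURAL", ["inetOrgPerson", "account"]),
}


def ancestors(name, schema=SCHEMA):
    """Return the class itself plus every class reachable through SUP."""
    seen, stack = set(), [name]
    while stack:
        cur = stack.pop()
        if cur not in seen:
            seen.add(cur)
            stack.extend(schema[cur][1])
    return seen


def structural_class(object_classes, schema=SCHEMA):
    """Return the most specific structural class of an entry, or None when
    the entry's structural classes do not all lie under one of them."""
    structural = [oc for oc in object_classes if schema[oc][0] == "STRUCTURAL"]
    for candidate in structural:
        if all(oc in ancestors(candidate, schema) for oc in structural):
            return candidate
    return None


def modification_allowed(before, after, schema=SCHEMA):
    """Model the restriction from the reply: a modify is refused when the
    chain would be broken or the structural class would change."""
    old = structural_class(before, schema)
    new = structural_class(after, schema)
    return new is not None and old == new
```

In this model, adding `account` to an `inetOrgPerson` entry breaks the chain, and adding the private class as well still changes the structural class, so the entry has to be deleted and re-added with the full objectclass list.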