Writing to cn=Subschema


If I've got it right, I can change schema as of OpenLDAP 2.3 directly
by accessing values below cn=Subschema. (E.g. add new objectClasses or
attributeTypes. And maybe also change or delete existing ones?)

I first tried it with an "ordinary" database Manager account like
cn=Manager,o=Example, which resulted in an "invalid per syntax" error.
I then added a "database config" section with "cn=Manager,dc=config."
and tried to write with this BindDN with the same upshot.

ACL slapd.conf equivalent in slapd.d:

access to dn="cn=Subschema"
       by dn="cn=Manager,dc=fuckner,dc=net" write

Simple ldif I wanted to write:

$ ldapmodify -x -D "cn=Manager,o=Example" -w secret
dn: cn=Subschema
add: objectClasses
objectClasses: ( NAME 'fooObjectClass'
DESC 'Boo' SUP top STRUCTURAL MUST ( cn $ objectclass ) )

ldapmodify answered:

modifying entry "cn=Subschema"
ldap_modify: Invalid syntax (21)
       additional info: objectClasses: value #0 invalid per syntax

I think there is no error in my class definition. So, where did I make my mistake? But please: Don't tell me that it's not possible (yet). :-)