[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP structural object class problems

> Henrik Dige Semark wrote:
>> slapd[28381]: entry failed schema check: structural object class
>> modification from 'account' to 'inetOrgPerson' not allowed
>> [..]
>> What do I have to do to allow structural object changes ?
> It's forbidden by LDAPv3 specs. An LDAP client which is implemented to
> modify
> the structural object class is seriously broken.

Michael is correctly stating that you can't change the structural
objectClass of an object using an LDAP operation as per the protocol
specification.  The "normal" procedure would be to delete an object and
recreate it with the required structural modifications.

OpenLDAP allows you to do something equivalent atomically using the
"relax" control (<draft-zeilenga-ldap-relax>, a work in progress) on top
of a modify operation that modifies the entry by deleting the now
inappropriate attrs and adding the now appropriate ones within a single
modification that leaves the object in a consistent state.  The user needs
to have "manage" access privileges on all the data that's modified.

As it is a work in progress, its functionality may change a little bit
across versions.  For example, in earlier versions, the modify operation
had to explicitly deal with changing the (operational) attribute
structuralObjectClass.  Recent versions do not allow this, but rather
recompute it according to the final values of the objectClass attribute,
provided they result in a consistent inheritance relationship.