Re: OpenLDAP structural object class problems

masarati@aero.polimi.it wrote:
>> Henrik Dige Semark wrote:
>>> slapd[28381]: entry failed schema check: structural object class
>>> modification from 'account' to 'inetOrgPerson' not allowed
>>> [..]
>>> What do I have to do to allow structural object changes ?
>> It's forbidden by LDAPv3 specs. An LDAP client which is implemented to
>> modify
>> the structural object class is seriously broken.
> The "normal" procedure would be to delete an object and
> recreate it with the required structural modifications.

Strictly speaking it's not the same entry anymore even though it has the same
DN. But the entryUUID attribute has changed then. Since this might be used for
robust syncing of user entries with other user databases in case of name
changes you might lose the link.

> OpenLDAP allows you to do something equivalent atomically using the
> "relax" control (<draft-zeilenga-ldap-relax>, a work in progress) on top
> of a modify operation that modifies the entry by deleting the now
> inappropriate attrs and adding the now appropriate ones within a single
> modification that leaves the object in a consistent state.  The user needs
> to have "manage" access privileges on all the data that's modified.

web2ldap 1.1.x now has even better support for that.

> As it is a work in progress, its functionality may change a little bit
> across versions.  For example, in earlier versions, the modify operation
> had to explicitly deal with changing the (operational) attribute
> structuralObjectClass.  Recent versions do not allow this, but rather
> recompute it according to the final values of the objectClass attribute,
> provided they result in a consistent inheritance relationship.

Hmm, so the input field for structuralObjectClass should not be enabled which
is another special case for the UI if this control is in effect...

You can play with the demo:

Ciao, Michael.
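The atomic alternative to delete-and-recreate that the quoted reply describes, as an added example that is not part of the thread or of web2ldap: one modify request carried under the relax control (ldapmodify's `-e relax`) that swaps an 'account' entry to 'inetOrgPerson' in a single step, so the entry keeps its entryUUID. The DN, cn/sn values, the presence of a 'host' attribute and the LDAPURI/BINDDN variables are assumptions; the bind identity needs "manage" access to every attribute touched.

```shell
#!/bin/sh
# Added example, not code from the thread. Converts an 'account' entry to
# 'inetOrgPerson' with ONE modify operation under the relax control, instead
# of deleting and re-adding the entry (which would change its entryUUID).
# Assumptions: DN, cn, sn and the 'host' attribute are constructed sample
# data; LDAPURI and BINDDN are environment variables set by the caller.

# Emit the LDIF for DN $1, giving the new person entry cn $2 and sn $3.
# - objectClass is replaced wholesale with the new structural chain.
# - 'host' is allowed by account but not by inetOrgPerson, so it is removed
#   in the same modify; the entry is consistent when the operation ends.
# - cn and sn are MUST attributes of person, so they are added here.
# - structuralObjectClass is deliberately not touched: recent OpenLDAP
#   recomputes it from the final objectClass values.
relax_modify_ldif() {
    printf '%s\n' \
        "dn: $1" \
        "changetype: modify" \
        "replace: objectClass" \
        "objectClass: top" \
        "objectClass: person" \
        "objectClass: organizationalPerson" \
        "objectClass: inetOrgPerson" \
        "-" \
        "delete: host" \
        "-" \
        "add: cn" \
        "cn: $2" \
        "-" \
        "add: sn" \
        "sn: $3" \
        "-"
}

# Send the LDIF to the server; -e relax attaches the relax control so the
# server accepts the structural object class change within this modify.
apply_relax_modify() {
    relax_modify_ldif "$1" "$2" "$3" |
        ldapmodify -H "$LDAPURI" -D "$BINDDN" -W -e relax
}

# Usage: ./relax-convert.sh 'uid=jdoe,ou=people,dc=example,dc=com' 'John Doe' Doe
if [ "$#" -eq 3 ]; then
    apply_relax_modify "$1" "$2" "$3"
fi
```

If the entry carries no 'host' value the `delete: host` change fails with noSuchAttribute and the whole modify is rejected, so drop that change (or list the exact values to delete) to match the entry's actual attributes.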