
Re: Invalid Structural Object Class Chain (account/person)



Paul Thomas writes:
> ldap_add: Object class violation (65)
> additional info: invalid structural object class chain (account/person)

You can join the bottom of the two object class chains like this:

  objectclass ( <oid> NAME 'ANCpersonWithAccount'
                SUP ( inetOrgPerson $ account ) STRUCTURAL )

See <http://www.openldap.org/faq/data/cache/391.html> about getting an
OID, if your organization does not already have one.

Or if your applications don't need the 'account' object class to be
present, you can drop it.  posixAccount and shadowAccount will still be
allowed since they are auxiliary classes.  The only attribute in account
which your other object classes do not allow is 'host', which you don't
seem to use anyway.
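To see why the original entry is rejected and why either fix above works, here is a small model of the structural object class chain rule (RFC 4512 section 2.4.2). It is an added example, not code from the original mail or from OpenLDAP: every entry must have exactly one most specific STRUCTURAL class, and every other STRUCTURAL class it lists must be a superclass of that one. The schema table is a constructed subset whose kinds and SUP values follow the standard core, cosine and nis definitions; 'ANCpersonWithAccount' is the joining class from the mail, with a placeholder OID since it has none.

```python
"""
Simplified check of the structural object class chain rule (RFC 4512, 2.4.2):
an entry has exactly one most-specific STRUCTURAL class, and every other
STRUCTURAL class it lists must be a (transitive) superclass of that one.
AUXILIARY classes are unconstrained; ABSTRACT classes only appear as ancestors.

This is a constructed, minimal schema subset for illustration: kinds and SUP
lists follow the standard core/cosine/nis definitions. 'ANCpersonWithAccount'
is the hypothetical joining class from the mail.
"""
from typing import Dict, List, Optional, Set, Tuple

# object class name -> (kind, superior classes)
SCHEMA: Dict[str, Tuple[str, List[str]]] = {
    "top": ("ABSTRACT", []),
    "person": ("STRUCTURAL", ["top"]),
    "organizationalPerson": ("STRUCTURAL", ["person"]),
    "inetOrgPerson": ("STRUCTURAL", ["organizationalPerson"]),
    "account": ("STRUCTURAL", ["top"]),
    "posixAccount": ("AUXILIARY", ["top"]),
    "shadowAccount": ("AUXILIARY", ["top"]),
    # Joining class with two superiors, so that both chains end in one
    # most-specific STRUCTURAL class.
    "ANCpersonWithAccount": ("STRUCTURAL", ["inetOrgPerson", "account"]),
}


def superiors(name: str, schema: Dict[str, Tuple[str, List[str]]] = SCHEMA) -> Set[str]:
    """Transitive closure of SUP for a class, excluding the class itself."""
    seen: Set[str] = set()
    stack = list(schema[name][1])
    while stack:
        sup = stack.pop()
        if sup not in seen:
            seen.add(sup)
            stack.extend(schema[sup][1])
    return seen


def structural_class(object_classes: List[str],
                     schema: Dict[str, Tuple[str, List[str]]] = SCHEMA) -> Optional[str]:
    """Return the entry's structuralObjectClass, or None when the STRUCTURAL
    classes listed do not form a single superior chain (the server would then
    reject the add with an object class violation)."""
    unknown = [oc for oc in object_classes if oc not in schema]
    if unknown:
        raise ValueError(f"unknown object class(es): {unknown}")
    structural = {oc for oc in object_classes if schema[oc][0] == "STRUCTURAL"}
    if not structural:
        return None
    for candidate in structural:
        # Every other structural class must be an ancestor of the candidate.
        if structural - {candidate} <= superiors(candidate, schema):
            return candidate
    return None


def chain_conflicts(object_classes: List[str],
                    schema: Dict[str, Tuple[str, List[str]]] = SCHEMA) -> List[Tuple[str, str]]:
    """Pairs of STRUCTURAL classes where neither is an ancestor of the other.
    Any such pair breaks the chain; a server reports one of them in its error
    text, e.g. 'invalid structural object class chain (account/person)'."""
    structural = sorted(oc for oc in object_classes if schema[oc][0] == "STRUCTURAL")
    conflicts = []
    for i, a in enumerate(structural):
        for b in structural[i + 1:]:
            if a not in superiors(b, schema) and b not in superiors(a, schema):
                conflicts.append((a, b))
    return conflicts


if __name__ == "__main__":
    # Constructed object class lists mirroring the three cases in the mail.
    rejected = ["top", "person", "organizationalPerson", "inetOrgPerson",
                "account", "posixAccount", "shadowAccount"]
    joined = rejected + ["ANCpersonWithAccount"]
    dropped = [oc for oc in rejected if oc != "account"]
    for label, ocs in (("original", rejected), ("joined", joined), ("dropped", dropped)):
        print(label, structural_class(ocs), chain_conflicts(ocs))
```

The original entry fails because 'account' and the person chain are unrelated STRUCTURAL classes; adding 'ANCpersonWithAccount' makes it the single most specific class, and dropping 'account' leaves 'inetOrgPerson' at the bottom of the chain while the AUXILIARY posixAccount and shadowAccount remain allowed.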

> I don't think modifying the account or person objectclass in their
> schema is ideal in this case

Modifying the existing schema is a bad idea in any case.  Your LDAP
becomes incompatible with other LDAP installations that expect the
correct object classes, and you'll have to maintain the change when you
upgrade.

> as I'm sure they are defined that way for a reason.

An entry in the directory is supposed to represent one real-world object.
A person may have an account, but that does not mean an account is a
person.

-- 
Hallvard