Re: (ITS#7605) Configuration entries (under cn=config) does not allow 'objectclass' attribute modification to include full object classes hierarchy

pa(a)marcelot.net wrote: > It looks like it's not possible to modify the 'objectClass' attribute of > configuration entries. > > I have some code generating entries for OpenLDAP configuration from a UI utility > and updating existing configuration entries in DIT. > This code generates entries with the 'objectClass' attribute containing the full > object class hierarchy (all the way to 'top') and not only the highest > structural object class (which is the case of default OpenLDAP configuration). > > When updating the configuration in the DIT, the code then tries to complete the > 'objectClass' attribute with the full list of object classes. > That operations ends with "error code 53- UnwillingToPerform". > > > Here's an example on the "cn=config" entry: > #!RESULT ERROR > #!CONNECTION ldap://10.211.55.13:389 > #!DATE 2013-05-22T14:56:03.039 > #!ERROR [LDAP: error code 53 - UnwillingToPerform] > dn: cn=config > changetype: modify > replace: objectClass > objectClass: olcConfig > objectClass: olcGlobal > objectClass: top It's not necessarily a bug. I think LDAP clients should not act too "smart" and therefore should not automagically add object classes from the structural object class chain if they are not already present. You will run into issues with various LDAP server implementations - at least according to experiences I made with conducting interop testing with web2ldap and several server implementations.

A schema-aware client could auto-complete structural object class chain if adding a new entry though. But again: Don't be too smart.

May I ask which UI utility you're using?

Ciao, Michael.