On 23 May 2013, at 19:26, Michael Ströder michael@stroeder.com wrote:
pa@marcelot.net wrote:
It looks like it's not possible to modify the 'objectClass' attribute of configuration entries.
I have some code generating entries for OpenLDAP configuration from a UI utility and updating existing configuration entries in DIT. This code generates entries with the 'objectClass' attribute containing the full object class hierarchy (all the way to 'top') and not only the highest structural object class (which is the case of default OpenLDAP configuration).
When updating the configuration in the DIT, the code then tries to complete the 'objectClass' attribute with the full list of object classes. That operation ends with "error code 53- UnwillingToPerform".
Here's an example on the "cn=config" entry:

    #!RESULT ERROR
    #!CONNECTION ldap://10.211.55.13:389
    #!DATE 2013-05-22T14:56:03.039
    #!ERROR [LDAP: error code 53 - UnwillingToPerform]
    dn: cn=config
    changetype: modify
    replace: objectClass
    objectClass: olcConfig
    objectClass: olcGlobal
    objectClass: top
It's not necessarily a bug.
I think LDAP clients should not act too "smart" and therefore should not automagically add object classes from the structural object class chain if they are not already present. You will run into issues with various LDAP server implementations - at least according to experiences I made with conducting interop testing with web2ldap and several server implementations.
Right, it's just that this kind of modification is perfectly valid. I mean, I'm not breaking any LDAP rule or concept and if I add the same entry (as a new entry) with the full object class hierarchy, the server is allowing it without a hitch. I still think it should be possible to modify the objectclass but I'll take into account that the implementation does not allow it (yet? ;-)).
A schema-aware client could auto-complete structural object class chain if adding a new entry though. But again: Don't be too smart.
Exactly, that's what I updated my code to do. Let's be dumb, sometimes...
May I ask which UI utility you're using?
Sure, that's an internal application we wrote to edit some parts of the OpenLDAP configuration.
Ciao, Michael.
Regards, Pierre-Arnaud
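
The approach the thread settles on, as an added example that is not code from either poster or from OpenLDAP: when updating an existing entry, leave 'objectClass' untouched if the desired value differs only by implied superior classes, and complete the chain only for new entries. The SUPERIOR map is a constructed subset covering just the classes in the cn=config example; the function names and the sample entries are hypothetical.

```python
# Constructed subset of the schema: only the classes from the thread's
# cn=config example, each mapped to its superior class (assumption).
SUPERIOR = {"olcGlobal": "olcConfig", "olcConfig": "top", "top": None}
CANON = {name.lower(): name for name in SUPERIOR}


def chain(oc):
    """Return oc and all its superior classes, most specific first."""
    name = CANON[oc.lower()]  # KeyError for a class outside the sample schema
    out = []
    while name is not None:
        out.append(name)
        name = SUPERIOR[name]
    return out


def expand(ocs):
    """Set of classes an objectClass value list implies, superiors included."""
    return {c for oc in ocs for c in chain(oc)}


def complete_for_add(ocs):
    """Full class list for a NEW entry (hypothetical helper)."""
    seen = []
    for oc in ocs:
        for c in chain(oc):
            if c not in seen:
                seen.append(c)
    return seen


def plan_modify(current, desired):
    """Return (op, attr, values) tuples for an EXISTING entry."""
    ops = []
    for attr, want in desired.items():
        have = current.get(attr, [])
        if attr.lower() == "objectclass":
            if expand(have) == expand(want):
                continue  # only implied superiors differ: leave it alone
        elif sorted(have) == sorted(want):
            continue  # same values, nothing to send
        ops.append(("replace", attr, list(want)))
    return ops


if __name__ == "__main__":
    # Constructed entries: server copy vs. what the UI tool generated.
    server = {"objectClass": ["olcGlobal"], "olcLogLevel": ["none"]}
    wanted = {"objectClass": ["olcConfig", "olcGlobal", "top"], "olcLogLevel": ["stats"]}
    print(plan_modify(server, wanted))
```
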