On 23 May 2013, at 16:31, Howard Chu hyc@symas.com wrote:
pa@marcelot.net wrote:
Full_Name: Pierre-Arnaud Marcelot
Version: 2.4.35
OS: Linux Mint
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (78.226.4.211)
Hi,
It looks like it's not possible to modify the 'objectClass' attribute of configuration entries.
Correct. The config DIT has very rigid schema and layout rules.
Indeed.
I have some code generating entries for OpenLDAP configuration from a UI utility and updating existing configuration entries in DIT. This code generates entries with the 'objectClass' attribute containing the full object class hierarchy (all the way to 'top') and not only the highest structural object class (which is the case of default OpenLDAP configuration).
When updating the configuration in the DIT, the code then tries to complete the 'objectClass' attribute with the full list of object classes. That operation ends with "error code 53- UnwillingToPerform".
Don't do that.
Sure, that's why I have a *bad* workaround to not update the 'objectClass' attribute even if the original and my generated one don't match. Still, looking at LDAP standards, that doesn't seem to be a naughty operation at all and nothing is really wrong with the resulting entry.
Regards, Pierre-Arnaud
Here's an example on the "cn=config" entry:

#!RESULT ERROR
#!CONNECTION ldap://10.211.55.13:389
#!DATE 2013-05-22T14:56:03.039
#!ERROR [LDAP: error code 53 - UnwillingToPerform]
dn: cn=config
changetype: modify
replace: objectClass
objectClass: olcConfig
objectClass: olcGlobal
objectClass: top
--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/
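
Added example, not part of the thread and not OpenLDAP or client code: one way a tool that generates full objectClass chains can plan a cn=config update without sending the rejected objectClass replace, by comparing objectClass values only after expanding superclasses. The SUPERIOR map, the function names and the sample entries are assumptions constructed for illustration; a real client would read the hierarchy from the server's subschema.

```python
# Constructed superclass map for the classes named in the thread
# (assumption: a real client loads this from the subschema entry).
SUPERIOR = {"olcglobal": "olcconfig", "olcconfig": "top", "top": None}


def closure(object_classes, superior=SUPERIOR):
    """Expand each objectClass value up its SUP chain, case-insensitively."""
    seen = set()
    for oc in object_classes:
        name = oc.lower()
        if name not in superior:
            raise KeyError(f"unknown objectClass: {oc}")
        while name is not None and name not in seen:
            seen.add(name)
            name = superior[name]
    return seen


def plan_modify(dn, current, generated):
    """Return a list of (attribute, new_values) replace operations.

    objectClass is never emitted: if both sides expand to the same set of
    classes it is skipped, otherwise the difference is real and is reported
    instead of being sent to a server that will answer error code 53.
    """
    cur = {k.lower(): v for k, v in current.items()}
    gen = {k.lower(): v for k, v in generated.items()}
    ops = []
    for attr in sorted(set(cur) | set(gen)):
        old, new = cur.get(attr, []), gen.get(attr, [])
        if attr == "objectclass":
            if closure(old) != closure(new):
                raise ValueError(f"{dn}: objectClass differs beyond the SUP chain")
            continue  # same classes, only the listing of superclasses differs
        if sorted(old) != sorted(new):
            ops.append((attr, new))  # an empty list means "remove attribute"
    return ops


if __name__ == "__main__":
    # Constructed entries: the server lists only the structural class,
    # the generator lists the whole chain up to 'top'.
    on_server = {"objectClass": ["olcGlobal"], "olcLogLevel": ["none"]}
    from_ui = {"objectClass": ["olcConfig", "olcGlobal", "top"],
               "olcLogLevel": ["stats"]}
    print(plan_modify("cn=config", on_server, from_ui))
```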