Hi Michael
I added it using ldapadd.
I removed the account ObjectClass and now only use applicationProcess:
# preset, Service Accounts, blah
dn: uid=preset,ou=Service Accounts,dc=blah
objectClass: top
objectClass: extensibleObject
objectClass: applicationProcess
uid: preset
cn: preset
sn: preset
givenName: preset
title: Password Reset Account
description: Service Account For Resetting Passwords
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu
O: 212-746-6305
F: 212-746-8690
On Mon, Jan 8, 2018 at 4:49 PM, Michael Ströder michael@stroeder.com wrote:
Douglas Duckworth wrote:
adding new entry "uid=preset,ou=Service Accounts,dc=blah
ldap_add: Object class violation (65)
        additional info: invalid structural object class chain (account/applicationProcess)
A directory entry must have a *single* structural object class. While there are usually multiple structural object classes listed only one of them is *the* structural object class. The others are parent object classes of the structural object class.
Since 'account' and 'applicationProcess' both directly SUP abstract object class 'top' they count as two distinct structural object classes.
Though this does work as it's now in the LDAP server:
dn: uid=preset,ou=Service Accounts,dc=blah
objectClass: top
objectClass: account
objectClass: applicationProcess
objectClass: simpleSecurityObject
It's invalid and you might run into issues modifying this entry later. You should choose either 'account' or 'applicationProcess'.
BTW: It should normally not be possible to add such an entry. How did you add it? With slapadd or by using Relax Rules Control?
Ciao, Michael.
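
The single-structural-chain rule discussed in this thread, as an added example that is not part of the original messages and is not slapd's own code. The SCHEMA table is a constructed excerpt of the standard object class definitions, and the function names are hypothetical.

```python
# Constructed schema excerpt: lowercased name -> (kind, SUP).
# Kinds and superiors follow the standard definitions of these classes.
SCHEMA = {
    "top": ("ABSTRACT", None),
    "account": ("STRUCTURAL", "top"),
    "applicationprocess": ("STRUCTURAL", "top"),
    "person": ("STRUCTURAL", "top"),
    "organizationalperson": ("STRUCTURAL", "person"),
    "inetorgperson": ("STRUCTURAL", "organizationalperson"),
    "simplesecurityobject": ("AUXILIARY", "top"),
    "extensibleobject": ("AUXILIARY", "top"),
}


def superiors(name):
    """Return the set holding `name` and every class on its SUP chain."""
    chain = set()
    while name is not None:
        chain.add(name)
        name = SCHEMA[name][1]
    return chain


def structural_class(object_classes):
    """Return the entry's single structural object class.

    Raises ValueError when the listed structural classes do not all lie
    on one SUP chain, the condition reported as error 65 in the thread.
    """
    names = [oc.lower() for oc in object_classes]
    unknown = [n for n in names if n not in SCHEMA]
    if unknown:
        raise ValueError("unknown object class: " + ", ".join(unknown))
    structural = [n for n in names if SCHEMA[n][0] == "STRUCTURAL"]
    if not structural:
        raise ValueError("no structural object class")
    # The most specific class is the one with the longest SUP chain.
    leaf = max(structural, key=lambda n: len(superiors(n)))
    # Any structural class that is not an ancestor of the leaf starts a
    # second chain, which makes the entry invalid.
    stray = [n for n in structural if n not in superiors(leaf)]
    if stray:
        raise ValueError("invalid structural object class chain (%s)"
                         % "/".join(sorted(set(stray + [leaf]))))
    return leaf
```

Auxiliary classes such as extensibleObject and simpleSecurityObject are ignored by the check, which is why the corrected entry with applicationProcess alone passes.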