Hi Michael

I added it using ldapadd.

I removed the account ObjectClass and now only use applicationProcess:

# preset, Service Accounts, blah
dn: uid=preset,ou=Service Accounts,dc=blah
objectClass: top
objectClass: extensibleObject
objectClass: applicationProcess
uid: preset
cn: preset
sn: preset
givenName: preset
title: Password Reset Account
description: Service Account For Resetting Passwords




Thanks,

Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug@med.cornell.edu
O: 212-746-6305
F: 212-746-8690

On Mon, Jan 8, 2018 at 4:49 PM, Michael Ströder <michael@stroeder.com> wrote:
Douglas Duckworth wrote:
> adding new entry "uid=preset,ou=Service Accounts,dc=blah
> ldap_add: Object class violation (65)
>         additional info: invalid structural object class chain
> (account/applicationProcess)

A directory entry must have a *single* structural object class. While
there are usually multiple structural object classes listed, only one of
them is *the* structural object class. The others are parent object
classes of the structural object class.

Since 'account' and 'applicationProcess' both directly SUP abstract
object class 'top' they count as two distinct structural object classes.

> Though this does work as it's now in the LDAP server:
>
> dn: uid=preset,ou=Service Accounts,dc=blah
> objectClass: top
> objectClass: account
> objectClass: applicationProcess
> objectClass: simpleSecurityObject

It's invalid and you might run into issues modifying this entry later.
You should choose either 'account' or 'applicationProcess'.

BTW: It should normally not be possible to add such an entry.
How did you add it? With slapadd or by using Relax Rules Control?

Ciao, Michael.
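
The single-structural-chain rule explained above, as an added example that is not part of the original messages and is not OpenLDAP code. The SCHEMA table is a hand-copied subset of the standard definitions, and all function names are assumptions made for the illustration.

```python
# Added illustration, not OpenLDAP code: models the single-structural-chain rule.
# SCHEMA is a hand-copied subset of standard definitions (RFC 4512, 4519, 4524,
# 2798); a real check would read the server's subschema entry instead.
SCHEMA = {  # lowercased name: (kind, direct superior)
    "top": ("ABSTRACT", None),
    "account": ("STRUCTURAL", "top"),
    "applicationprocess": ("STRUCTURAL", "top"),
    "person": ("STRUCTURAL", "top"),
    "organizationalperson": ("STRUCTURAL", "person"),
    "inetorgperson": ("STRUCTURAL", "organizationalperson"),
    "simplesecurityobject": ("AUXILIARY", "top"),
    "extensibleobject": ("AUXILIARY", "top"),
}


def superiors(name):
    """Return all direct and indirect superiors of an object class."""
    seen = set()
    sup = SCHEMA[name][1]
    while sup is not None:
        seen.add(sup)
        sup = SCHEMA[sup][1]
    return seen


def structural_leaves(object_classes):
    """Return the most specific structural classes listed in an entry."""
    listed = {oc.lower() for oc in object_classes}
    unknown = listed - set(SCHEMA)
    if unknown:
        raise ValueError(f"not in schema subset: {sorted(unknown)}")
    structural = {oc for oc in listed if SCHEMA[oc][0] == "STRUCTURAL"}
    covered = set()  # structural classes that are superiors of another listed one
    for oc in structural:
        covered |= superiors(oc)
    return sorted(structural - covered)


def check_entry(object_classes):
    """Return (ok, message); ok is True only for exactly one structural chain."""
    leaves = structural_leaves(object_classes)
    if len(leaves) == 1:
        return True, f"structural object class: {leaves[0]}"
    if not leaves:
        return False, "no structural object class"
    return False, "invalid structural object class chain (" + "/".join(leaves) + ")"
```

Auxiliary classes such as simpleSecurityObject and extensibleObject are ignored by the check, which is why the entry with only applicationProcess passes while the one listing both account and applicationProcess does not.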