masarati@aero.polimi.it wrote:
Henrik Dige Semark wrote:
slapd[28381]: entry failed schema check: structural object class modification from 'account' to 'inetOrgPerson' not allowed [..] What do I have to do to allow structural object changes?
It's forbidden by LDAPv3 specs. An LDAP client which is implemented to modify the structural object class is seriously broken.
The "normal" procedure would be to delete an object and recreate it with the required structural modifications.
Strictly speaking it's not the same entry anymore even though it has the same DN. But the entryUUID attribute has changed then. Since this might be used for robust syncing of user entries with other user databases in case of name changes you might lose the link.
OpenLDAP allows you to do something equivalent atomically using the "relax" control (<draft-zeilenga-ldap-relax>, a work in progress) on top of a modify operation that modifies the entry by deleting the now inappropriate attrs and adding the now appropriate ones within a single modification that leaves the object in a consistent state. The user needs to have "manage" access privileges on all the data that's modified.
web2ldap 1.1.x now has even better support for that.
As it is a work in progress, its functionality may change a little bit across versions. For example, in earlier versions, the modify operation had to explicitly deal with changing the (operational) attribute structuralObjectClass. Recent versions do not allow this, but rather recompute it according to the final values of the objectClass attribute, provided they result in a consistent inheritance relationship.
Hmm, so the input field for structuralObjectClass should not be enabled which is another special case for the UI if this control is in effect...
You can play with the demo: http://demo.web2ldap.de:1760/web2ldap/ldapparams?ldap:///dc=uninett,dc=no
Ciao, Michael.
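As an added illustration of the single relaxed modify operation described in this thread (this is example code written for this page, not code from the thread, from web2ldap or from OpenLDAP): given a small, hand-written subset of the standard schema and a constructed sample entry, it computes the one modify that deletes the attributes no longer permitted, adds the ones the new classes require, swaps the objectClass values, and recomputes the structural object class from the final objectClass set the way recent slapd versions do, refusing sets whose structural classes are not on one inheritance chain. The schema dictionary is deliberately abbreviated, the entry and its values are constructed, and the only real identifier is the OpenLDAP Relax Rules control OID 1.3.6.1.4.1.4203.666.4.12. No server is contacted; the function returns LDIF you could feed to ldapmodify.

```python
"""Plan a structural object class change as one relaxed modify (added example)."""

# Hand-written, abbreviated subset of core.schema / inetorgperson.schema.
# Attribute lists are trimmed on purpose; a real slapd loads the full schema.
SCHEMA = {
    "top": dict(kind="ABSTRACT", sup=None, must={"objectClass"}, may=set()),
    "account": dict(kind="STRUCTURAL", sup="top", must={"uid"},
                    may={"description", "seeAlso", "l", "o", "ou", "host"}),
    "person": dict(kind="STRUCTURAL", sup="top", must={"sn", "cn"},
                   may={"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organizationalPerson": dict(kind="STRUCTURAL", sup="person", must=set(),
                                 may={"title", "ou", "l", "postalAddress"}),
    "inetOrgPerson": dict(kind="STRUCTURAL", sup="organizationalPerson", must=set(),
                          may={"uid", "mail", "givenName", "displayName"}),
    "simpleSecurityObject": dict(kind="AUXILIARY", sup="top",
                                 must={"userPassword"}, may=set()),
}

RELAX_RULES_OID = "1.3.6.1.4.1.4203.666.4.12"  # OpenLDAP Relax Rules control


def chain(oc):
    """Object class followed by all its superclasses up to top."""
    out = []
    while oc is not None:
        out.append(oc)
        oc = SCHEMA[oc]["sup"]
    return out


def structural_object_class(ocs):
    """Most-derived STRUCTURAL class of a final objectClass set, i.e. what the
    server recomputes for structuralObjectClass. Raises if the structural
    classes present do not sit on a single inheritance chain."""
    structural = [oc for oc in ocs if SCHEMA[oc]["kind"] == "STRUCTURAL"]
    if not structural:
        raise ValueError("no structural object class in %s" % sorted(ocs))
    for cand in structural:
        if all(other in chain(cand) for other in structural):
            return cand
    raise ValueError("structural classes %s are not on one chain" % sorted(structural))


def allowed_attributes(ocs):
    """MUST and MAY attribute sets implied by an objectClass set."""
    must, may = set(), set()
    for oc in ocs:
        for c in chain(oc):
            must |= SCHEMA[c]["must"]
            may |= SCHEMA[c]["may"]
    return must, may


def plan_relaxed_modify(entry, new_ocs, supplied):
    """Return (structural class, deletes, adds) for ONE modify operation that
    moves `entry` to `new_ocs`. `supplied` holds values for newly required
    attributes. Attributes the new classes do not permit are deleted."""
    new_structural = structural_object_class(new_ocs)
    must, may = allowed_attributes(new_ocs)
    permitted = must | may
    delete, add = {}, {}
    for attr, values in entry.items():
        if attr != "objectClass" and attr not in permitted:
            delete[attr] = list(values)
    for attr in sorted(must - {"objectClass"}):
        if attr not in entry:
            if attr not in supplied:
                raise ValueError("%s requires %s; no value supplied" % (new_structural, attr))
            add[attr] = list(supplied[attr])
    old_ocs = set(entry["objectClass"])
    if old_ocs - new_ocs:
        delete["objectClass"] = sorted(old_ocs - new_ocs)
    if new_ocs - old_ocs:
        add["objectClass"] = sorted(new_ocs - old_ocs)
    return new_structural, delete, add


def to_ldif(dn, delete, add):
    """LDIF for ldapmodify; the control line requests the Relax Rules control."""
    lines = ["dn: %s" % dn, "control: %s true" % RELAX_RULES_OID, "changetype: modify"]
    for op, mods in (("delete", delete), ("add", add)):
        for attr, values in mods.items():
            lines.append("%s: %s" % (op, attr))
            lines.extend("%s: %s" % (attr, v) for v in values)
            lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed sample entry: a plain 'account' that should become an inetOrgPerson.
SAMPLE_DN = "uid=jdoe,ou=people,dc=example,dc=com"
SAMPLE_ENTRY = {
    "objectClass": ["top", "account", "simpleSecurityObject"],
    "uid": ["jdoe"],
    "userPassword": ["{SSHA}constructed-not-a-real-hash"],
    "host": ["shell1.example.com"],
    "description": ["shell account"],
}


def demo():
    structural, delete, add = plan_relaxed_modify(
        SAMPLE_ENTRY, {"top", "inetOrgPerson", "simpleSecurityObject"},
        {"cn": ["Jane Doe"], "sn": ["Doe"]})
    return structural, delete, add, to_ldif(SAMPLE_DN, delete, add)


if __name__ == "__main__":
    print(demo()[3])
```

The `control:` line is equivalent to running `ldapmodify -e relax`; either way the bound identity needs `manage` access to every attribute the modify touches, as noted above, and the server still rejects the operation if the final objectClass values do not form one structural chain (try `{"top", "account", "inetOrgPerson"}` against `structural_object_class` to see that case).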