Henrik Dige Semark wrote:
slapd[28381]: entry failed schema check: structural object class modification from 'account' to 'inetOrgPerson' not allowed [..] What do I have to do to allow structural object changes?
It's forbidden by LDAPv3 specs. An LDAP client which is implemented to modify the structural object class is seriously broken.
Michael is correctly stating that you can't change the structural objectClass of an object using an LDAP operation as per the protocol specification. The "normal" procedure would be to delete an object and recreate it with the required structural modifications.
OpenLDAP allows you to do something equivalent atomically using the "relax" control (<draft-zeilenga-ldap-relax>, a work in progress) on top of a modify operation that modifies the entry by deleting the now inappropriate attrs and adding the now appropriate ones within a single modification that leaves the object in a consistent state. The user needs to have "manage" access privileges on all the data that's modified.
As it is a work in progress, its functionality may change a little bit across versions. For example, in earlier versions, the modify operation had to explicitly deal with changing the (operational) attribute structuralObjectClass. Recent versions do not allow this, but rather recompute it according to the final values of the objectClass attribute, provided they result in a consistent inheritance relationship.
p.
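The single consistent modification described above, written out as an added example that is not part of the original thread. The DN, bind DN, file name and attribute values are constructed. It assumes a recent OpenLDAP that recomputes structuralObjectClass itself, an `ldapmodify` that accepts `-e relax`, and a bind identity with "manage" access to every attribute touched.

```ldif
# Constructed starting entry (assumption):
#   dn: uid=jdoe,ou=people,dc=example,dc=com
#   objectClass: account
#   uid: jdoe
#   host: mail.example.com
#
# Apply with the relax control marked critical ('!'), so a server that
# does not support it rejects the request instead of ignoring the control:
#   ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -e '!relax' -f retype.ldif
#
# Every change below belongs to one modify operation. The entry is only
# schema-checked in its final state, so that state must be consistent.
# structuralObjectClass is deliberately not touched: per the thread,
# recent versions recompute it from the final objectClass values.
dn: uid=jdoe,ou=people,dc=example,dc=com
changetype: modify
# 'host' is allowed by 'account' but not by 'inetOrgPerson': remove it.
delete: host
-
# Swap the structural chain; 'uid' stays, inetOrgPerson allows it.
replace: objectClass
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
-
# 'cn' and 'sn' are mandatory for 'person' and were absent on 'account'.
add: cn
cn: John Doe
-
add: sn
sn: Doe
```

Without the control, the same LDIF fails with the schema-check error quoted at the top of the thread. Grant "manage" in the ACLs only to the identity that performs such repairs.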