I am getting the following error when I attempt to add the account objectclass to an existing LDAP account:
invalid structural object class chain (inetOrgPerson/account)
I read an explanation of which the cliffnote version was "a person is a person, not an account, so the two objectclasses can't be on the same entry".
While that logic makes sense, I have many accounts on a Sun Directory instance that have both objectclasses. I am trying to migrate entries from Sun to an existing OpenLDAP instance, but because of this error I am unable to implement this objectclass. Ultimately, the functionality I am trying to implement is Linux Authentication. I have successfully added posixAccount and shadowAccount objectclasses, but am unable to add account.
Any thoughts? Thanks much!!!,
Andy Carlson
Moody Bible Institute
Identity Administrator | Information Systems 312-329-4385
www.moody.edu
--On Friday, February 10, 2012 3:18 PM -0600 Andy Carlson andy.carlson@moody.edu wrote:
While that logic makes sense, I have many accounts on a Sun Directory instance that have both objectclasses. I am trying to migrate entries from Sun to an existing OpenLDAP instance, but because of this error I am unable to implement this objectclass. Ultimately, the functionality I am trying to implement is Linux Authentication. I have successfully added posixAccount and shadowAccount objectclasses, but am unable to add account.
This is why one shouldn't use Sun One Directory. It allows you to do completely invalid things. You will need to separate out your people & accounts into unique entries, as should have been done originally.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
On Fri, Feb 10, 2012, at 03:18 PM, Andy Carlson wrote:
I am getting the following error when I attempt to add the account objectclass to an existing LDAP account:
invalid structural object class chain (inetOrgPerson/account)
I read an explanation of which the cliffnote version was “a person is a person, not an account, so the two objectclasses can’t be on the same entry”.
While that logic makes sense, I have many accounts on a Sun Directory instance that have both objectclasses. I am trying to migrate entries from Sun to an existing OpenLDAP instance, but because of this error I am unable to implement this objectclass. Ultimately, the functionality I am trying to implement is Linux Authentication. I have successfully added posixAccount and shadowAccount objectclasses, but am unable to add account.
Any thoughts? Thanks much!!!,
Andy Carlson
Moody Bible Institute
Identity Administrator | Information Systems 312-329-4385
www.moody.edu
I had a similar situation when I tried to upgrade a very old LDAP installation that did not enforce strict schema checking. It used the account objectclass with another structural objectclass. I used some sed scripts to modify the LDIF by replacing the account objectclass with hostobject since I needed the host attribute. There were some other violations that needed to be worked through, but eventually got it sorted out.
References
openldap-technical@openldap.org
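
The LDIF rewrite described in the last reply, sketched as an added example that is not code from any poster in this thread: it replaces `account` with `hostObject` only in entries that also carry `inetOrgPerson`, and leaves stand-alone `account` entries alone. It assumes `hostObject` is the auxiliary class from the ldapns schema (which must be loaded on the target server); the function names, DNs and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reads LDIF on stdin, writes LDIF on stdout.
# Entries holding both inetOrgPerson and account get "account" swapped for the
# auxiliary class hostObject (ldapns schema; assumed loaded on the target).
# Assumes objectClass lines are plain text (no base64 "::") and not folded.
fix_account_class() {
    awk '
    BEGIN { RS = ""; FS = "\n" }            # paragraph mode: one record per entry
    {
        person = 0; hostobj = 0
        for (i = 1; i <= NF; i++) {         # pass 1: which classes are present?
            l = tolower($i); sub(/[ \t\r]+$/, "", l)
            if (l ~ /^objectclass:[ \t]*inetorgperson$/) person = 1
            if (l ~ /^objectclass:[ \t]*hostobject$/) hostobj = 1
        }
        out = ""
        for (i = 1; i <= NF; i++) {         # pass 2: copy lines, rewriting account
            line = $i; l = tolower(line); sub(/[ \t\r]+$/, "", l)
            if (person && l ~ /^objectclass:[ \t]*account$/) {
                if (hostobj) continue       # hostObject already there: drop account
                line = "objectClass: hostObject"; hostobj = 1
            }
            out = out line "\n"
        }
        printf "%s%s", (NR > 1 ? "\n" : ""), out
    }'
}

# Constructed sample: one person entry with both classes, one pure account entry.
sample_ldif() {
    cat <<'EOF'
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: account
uid: jdoe
cn: John Doe
sn: Doe
host: shell1.example.com

dn: uid=backup,ou=Services,dc=example,dc=com
objectclass: account
uid: backup
host: backup1.example.com
EOF
}

sample_ldif | fix_account_class   # prints the rewritten LDIF
```

Run it over a copy of the export and load the result into a test instance first, since other schema violations in the data will only surface when the server checks each entry.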