Dear all,

The symptom:

An ldap user object in the source DIT is built around the Structural ObjectClass :inetOrgPerson.

When the user leaves the organisation then the deprovisioning process requires her/his ldap object to change to a new form which is now built around a new Structural ObjectClass (account) and keeps a minimal set of attributes.

However when LSC tries to convey this transformation to the destination LDAP the operation fails with the Error: LDAP: error code 69 - structural object class modification from 'inetOrgPerson' to 'account' not allowed. The destination LDAP is an OpenLdap 2.4

The cause:

The structural object class of an object is determined at creation (based upon values of objectClass) and cannot be changed. The only way to alter the structural object class is to delete and re-create the object.

The (suggested) solution:
At least OpenLdap, supports a control (OID: 1.3.6.1.4.1.4203.666.5.12) that can be used to relax restrictions like this one. OpenLdap's implementation follows a mechanism described by an expired IETF Draft (The LDAP Relax Rules Control) that can be found here: https://tools.ietf.org/id/draft-zeilenga-ldap-relax-03.txt.

The question:
Is there a way to handle this situation via LSC, and activate this control when required or in anyway control the controls used by LSC operations?

Thank you in advance
Nikos

_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
lsc-users@lists.lsc-project.org
http://lists.lsc-project.org/listinfo/lsc-users

Reply via email to