2016-09-19 7:20 GMT-04:00 Nikos Voutsinas <[email protected]>:
> Dear all,

Hello Nikos,

>
> The symptom:
>
> An LDAP user object in the source DIT is built around the Structural
> ObjectClass: inetOrgPerson.
>
> When the user leaves the organisation then the deprovisioning process
> requires her/his LDAP object to change to a new form which is now built
> around a new Structural ObjectClass (account) and keeps a minimal set of
> attributes.
>
> However when LSC tries to convey this transformation to the destination LDAP
> the operation fails with the Error: LDAP: error code 69 - structural object
> class modification from 'inetOrgPerson' to 'account' not allowed. The
> destination LDAP is an OpenLDAP 2.4.
>
> The cause:
>
> The structural object class of an object is determined at creation (based
> upon values of objectClass) and cannot be changed. The only way to alter the
> structural object class is to delete and re-create the object.
>
> The (suggested) solution:
> At least OpenLDAP supports a control (OID: 1.3.6.1.4.1.4203.666.5.12) that
> can be used to relax restrictions like this one. OpenLDAP's implementation
> follows a mechanism described by an expired IETF Draft (The LDAP Relax Rules
> Control) that can be found here:
> https://tools.ietf.org/id/draft-zeilenga-ldap-relax-03.txt.
>
> The question:
> Is there a way to handle this situation via LSC, and activate this control
> when required or in any way control the controls used by LSC operations?
>

Sadly it is not yet possible. There is a feature request for this:
http://tools.lsc-project.org/issues/318

The other solution for the moment is to use the executable plugin that
will launch ldapmodify commands to update the entries. See
http://lsc-project.org/wiki/documentation/plugins/executable

Clément.
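
The ldapmodify workaround mentioned in the reply, written out as an added example (not code from the thread or from the LSC project). The function names, the `LDAP_URI`, `LDAP_BIND_DN` and `LDAP_PW_FILE` variables and the sample DN are hypothetical; it assumes the entry's RDN is `uid=...`, the DN is plain ASCII, and the server's ACLs authorise the bind DN to use the Relax Rules control.

```shell
#!/bin/sh
# Added example: hypothetical helper that a script run by the LSC executable
# plugin could call. Nothing here is taken from the LSC code base.

# Print an LDIF modify record that swaps the structural class to 'account'
# and deletes the attributes the caller no longer wants on the entry.
#   $1      = DN of the entry (assumed ASCII, so no base64 encoding is needed)
#   $2..$n  = attribute names to delete (e.g. the inetOrgPerson-only ones)
build_deprovision_ldif() {
    dn=$1
    shift
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'replace: objectClass\nobjectClass: top\nobjectClass: account\n-\n'
    for attr in "$@"; do
        printf 'delete: %s\n-\n' "$attr"
    done
}

# Send the record with the Relax Rules control. The '!' marks the control as
# critical, so a server that does not support it refuses the whole operation
# instead of ignoring the control and returning error 69 again.
apply_deprovision() {
    build_deprovision_ldif "$@" |
        ldapmodify -x -H "$LDAP_URI" -D "$LDAP_BIND_DN" -y "$LDAP_PW_FILE" \
            -e '!relax'
}

# Dry run by default: print the LDIF for review. Pass --apply to send it.
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_deprovision "$@"
elif [ "$#" -gt 0 ]; then
    build_deprovision_ldif "$@"
fi
```

Because the control bypasses a schema safeguard, the bind DN used here is best kept separate from the regular LSC synchronisation account and limited to the deprovisioning subtree.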

