2016-09-19 7:20 GMT-04:00 Nikos Voutsinas <nvout...@gunet.gr>:
> Dear all,

Hello Nikos,

> The symptom:
> An ldap user object in the source DIT is built around the Structural
> ObjectClass :inetOrgPerson.
> When the user leaves the organisation then the deprovisioning process
> requires her/his ldap object to change to a new form which is now built
> around a new Structural ObjectClass (account) and keeps a minimal set of
> attributes.
> However when LSC tries to convey this transformation to the destination LDAP
> the operation fails with the Error: LDAP: error code 69 - structural object
> class modification from 'inetOrgPerson' to 'account' not allowed. The
> destination LDAP is an OpenLdap 2.4.
> The cause:
> The structural object class of an object is determined at creation (based
> upon values of objectClass) and cannot be changed. The only way to alter the
> structural object class is to delete and re-create the object.
> The (suggested) solution:
> At least OpenLdap supports a control (OID: that
> can be used to relax restrictions like this one. OpenLdap's implementation
> follows a mechanism described by an expired IETF Draft (The LDAP Relax Rules
> Control) that can be found here:
> https://tools.ietf.org/id/draft-zeilenga-ldap-relax-03.txt.
> The question:
> Is there a way to handle this situation via LSC, and activate this control
> when required or in any way control the controls used by LSC operations?

Sadly it is not yet possible. There is a feature request for this:

The other solution for the moment is to use the executable plugin that
will launch ldapmodify commands to update the entries. See

Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
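
The ldapmodify workaround discussed in this thread, sketched as an added example (not code from the thread or from the LSC project). It builds the modify LDIF that turns an inetOrgPerson entry into an account entry and sends it with the client's Relax Rules extension. Assumptions: the function names, the `LDAP_URI`, `BIND_DN` and `BIND_PW_FILE` variables and the way the attribute list is passed in are hypothetical, the bind identity is permitted by the server to use the control, and how LSC's executable plugin would call such a script is not shown.

```shell
#!/bin/sh
# Added example: deprovisioning LDIF for an inetOrgPerson -> account change.

# Attributes the 'account' class (RFC 4524) allows: MUST uid; MAY the others.
# Lower-case short names only; aliases such as 'userid' are not handled here.
ACCOUNT_ATTRS="uid description seealso l o ou host"

# build_deprovision_ldif DN ATTR...
# DN:   entry to convert (printed as-is, so it must be LDIF-safe ASCII).
# ATTR: user attribute names currently present on the entry.
# Writes one LDIF modify record: replace the object classes with 'account',
# then delete every attribute that 'account' does not permit.
build_deprovision_ldif() {
    dn=$1; shift
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'replace: objectClass\nobjectClass: account\n-\n'
    for attr in "$@"; do
        lc=$(printf '%s' "$attr" | tr 'A-Z' 'a-z')
        [ "$lc" = objectclass ] && continue
        case " $ACCOUNT_ATTRS " in *" $lc "*) continue ;; esac
        printf 'delete: %s\n-\n' "$attr"
    done
}

# apply_deprovision DN ATTR...
# Sends the record with OpenLDAP's ldapmodify. '-e !relax' attaches the
# Relax Rules control and marks it critical, so a server that does not
# support the control rejects the request instead of ignoring it.
apply_deprovision() {
    : "${LDAP_URI:?}" "${BIND_DN:?}" "${BIND_PW_FILE:?}"   # assumed variables
    dn=$1; shift
    build_deprovision_ldif "$dn" "$@" |
        ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" -e '!relax'
}

# Constructed sample call (not run here):
#   apply_deprovision 'uid=jdoe,ou=people,dc=example,dc=org' \
#       objectClass uid cn sn mail userPassword description
```

Because the objectClass replace and the attribute deletions travel in one modify record, the entry is schema-checked once, in its final shape.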
