2016-09-19 7:20 GMT-04:00 Nikos Voutsinas <nvout...@gunet.gr>:
> Dear all,

Hello Nikos,

>
> The symptom:
>
> An ldap user object in the source DIT is built around the Structural
> ObjectClass: inetOrgPerson.
>
> When the user leaves the organisation then the deprovisioning process
> requires her/his ldap object to change to a new form which is now built
> around a new Structural ObjectClass (account) and keeps a minimal set of
> attributes.
>
> However when LSC tries to convey this transformation to the destination LDAP
> the operation fails with the Error: LDAP: error code 69 - structural object
> class modification from 'inetOrgPerson' to 'account' not allowed. The
> destination LDAP is an OpenLDAP 2.4.
>
> The cause:
>
> The structural object class of an object is determined at creation (based
> upon values of objectClass) and cannot be changed. The only way to alter the
> structural object class is to delete and re-create the object.
>
> The (suggested) solution:
> OpenLDAP, at least, supports a control (OID: 1.3.6.1.4.1.4203.666.5.12) that
> can be used to relax restrictions like this one. OpenLDAP's implementation
> follows a mechanism described by an expired IETF Draft (The LDAP Relax Rules
> Control) that can be found here:
> https://tools.ietf.org/id/draft-zeilenga-ldap-relax-03.txt.
>
> The question:
> Is there a way to handle this situation via LSC, and activate this control
> when required, or in any way control the controls used by LSC operations?
>


Sadly it is not yet possible. There is a feature request for this:
http://tools.lsc-project.org/issues/318

The other solution for the moment is to use the executable plugin that
will launch ldapmodify commands to update the entries. See
http://lsc-project.org/wiki/documentation/plugins/executable


Clément.
_______________________________________________________________
Ldap Synchronization Connector (LSC) - http://lsc-project.org

lsc-users mailing list
lsc-users@lists.lsc-project.org
http://lists.lsc-project.org/listinfo/lsc-users
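
The ldapmodify workaround suggested in the reply, sketched as an added example that is not part of the original thread or of LSC's own code: a script that builds the objectClass change as LDIF and sends it with the Relax Rules control through the OpenLDAP client option `-e relax`. The calling convention (DN as first argument, attributes to drop after it), the `LDAP_URI`, `BIND_DN` and `BIND_PW_FILE` variables and the sample DN are assumptions, and the bind identity is assumed to have whatever access the server requires to use the control.

```shell
#!/bin/sh
# Added example: wrapper an LSC executable-plugin hook could call (not LSC code).
# LDAP_URI, BIND_DN and BIND_PW_FILE are hypothetical environment settings.

NL='
'

# Print LDIF that turns entry $1 into a minimal 'account' entry.
# Remaining arguments: attribute names to drop (site-specific, assumed).
build_deprovision_ldif() {
    dn=$1
    shift
    # Reject DNs that would need base64 LDIF encoding or could inject
    # extra LDIF lines (embedded newline, control or non-ASCII bytes).
    case $dn in
        ''|' '*|':'*|'<'*|*' '|*"$NL"*) return 2 ;;
    esac
    if printf '%s\n' "$dn" | LC_ALL=C grep -q '[^ -~]'; then
        return 2
    fi
    # Attribute names must be plain descriptors: letter, then letters/digits/hyphen.
    for attr in "$@"; do
        case $attr in
            ''|[!A-Za-z]*|*[!A-Za-z0-9-]*) return 2 ;;
        esac
    done
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    printf 'replace: objectClass\nobjectClass: account\n'
    # "replace" with no values removes the attribute if present and is
    # a no-op otherwise, so the same list works for every entry.
    for attr in "$@"; do
        printf '%s\nreplace: %s\n' '-' "$attr"
    done
}

# Send the change with the Relax Rules control marked critical ('!'), so a
# server that does not honour the control rejects the request outright.
apply_deprovision() {
    ldif=$(build_deprovision_ldif "$@") || return 2
    # -y reads the bind password from a file (keeps it out of the process
    # list); the whole file content is used, so no trailing newline.
    printf '%s\n' "$ldif" |
        ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -y "$BIND_PW_FILE" -e '!relax'
}

# Usage: deprovision.sh <dn> [attribute-to-drop ...]
[ "$#" -eq 0 ] || apply_deprovision "$@"
```

Attributes that the `account` class does not allow (for an `inetOrgPerson` entry typically `sn` and `cn`, unless one of them is the RDN) have to be listed for removal in the same modify operation.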
