On 23 May 2013, at 19:26, Michael Ströder <[email protected]> wrote:
> [email protected] wrote:
>> It looks like it's not possible to modify the 'objectClass' attribute of
>> configuration entries.
>>
>> I have some code generating entries for OpenLDAP configuration from a UI
>> utility and updating existing configuration entries in DIT.
>> This code generates entries with the 'objectClass' attribute containing the
>> full object class hierarchy (all the way to 'top') and not only the highest
>> structural object class (which is the case of default OpenLDAP
>> configuration).
>>
>> When updating the configuration in the DIT, the code then tries to complete
>> the 'objectClass' attribute with the full list of object classes.
>> That operation ends with "error code 53- UnwillingToPerform".
>>
>>
>> Here's an example on the "cn=config" entry:
>> #!RESULT ERROR
>> #!CONNECTION ldap://10.211.55.13:389
>> #!DATE 2013-05-22T14:56:03.039
>> #!ERROR [LDAP: error code 53 - UnwillingToPerform]
>> dn: cn=config
>> changetype: modify
>> replace: objectClass
>> objectClass: olcConfig
>> objectClass: olcGlobal
>> objectClass: top
>
> It's not necessarily a bug.
>
> I think LDAP clients should not act too "smart" and therefore should not
> automagically add object classes from the structural object class chain if
> they are not already present. You will run into issues with various LDAP
> server implementations - at least according to experiences I made with
> conducting interop testing with web2ldap and several server implementations.

Right, it's just that this kind of modification is perfectly valid.
I mean, I'm not breaking any LDAP rule or concept and if I add the same entry (as a new entry) with the full object class hierarchy, the server is allowing it without a hitch.

I still think it should be possible to modify the objectclass but I'll take into account that the implementation does not allow it (yet? ;-)).

> A schema-aware client could auto-complete structural object class chain if
> adding a new entry though.
> But again: Don't be too smart.

Exactly, that's what I updated my code to do.
Let's be dumb, sometimes...

> May I ask which UI utility you're using?

Sure, that's an internal application we wrote to edit some parts of the OpenLDAP configuration.

> Ciao, Michael.

Regards,
Pierre-Arnaud
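
One way a client can avoid sending the rejected `replace: objectClass` when the only difference is superclasses already implied by the stored classes; this is an added example, not code from the thread or from the poster's application. The `SUPERIOR` map, the function names and the `olcLogLevel` sample values are constructed for illustration.

```python
# Constructed superclass map for the classes named in the thread; a real
# client would load this from the server's subschema (assumption).
SUPERIOR = {"olcglobal": "olcconfig", "olcconfig": "top", "top": None}


def chain_closure(classes):
    """Return the lower-cased classes plus every superclass they imply."""
    seen = set()
    for oc in classes:
        oc = oc.lower()
        while oc is not None and oc not in seen:
            seen.add(oc)
            oc = SUPERIOR.get(oc)  # unknown classes simply end the walk
    return seen


def build_modify(dn, current, desired):
    """Build LDIF modify lines that turn `current` into `desired`.

    objectClass is left out when both value lists expand to the same
    class chain, so the server never sees a replace it may refuse.
    """
    mods = []
    for attr, values in sorted(desired.items()):
        old = current.get(attr, [])
        if attr.lower() == "objectclass":
            if chain_closure(old) == chain_closure(values):
                continue  # same chain, only implied superclasses differ
        elif sorted(old) == sorted(values):
            continue  # attribute unchanged
        mods.append([f"replace: {attr}"] + [f"{attr}: {v}" for v in values])
    if not mods:
        return []  # nothing to send
    lines = [f"dn: {dn}", "changetype: modify"]
    for mod in mods:
        lines += mod + ["-"]  # each modification ends with a "-" line
    return lines


if __name__ == "__main__":
    # Constructed sample: stored entry versus the entry generated by the UI.
    stored = {"objectClass": ["olcGlobal"], "olcLogLevel": ["none"]}
    generated = {"objectClass": ["olcConfig", "olcGlobal", "top"],
                 "olcLogLevel": ["stats"]}
    print("\n".join(build_modify("cn=config", stored, generated)))
```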
