[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: still unclear on error 69

To: "'Jon Roberts'" <jon@mentata.com>, Tony Earnshaw <tonni@billy.demon.nl>, OpenLDAP-software@OpenLDAP.org
Subject: RE: still unclear on error 69
From: "Smits.Dolf" <dolf.smits@siemens.com>
Date: Wed, 13 Aug 2003 11:46:00 +0200

Hi,

The problem is not that you try to modify the objectClass attribute (which
is allowed!)

The problem is that you're trying to convert the object to a different sort
of object.
As organizationalPerson is defined as a (structural) subclass of person,
your're trying to "upgrade" an object to a different structural objectClass,
and that is forbidden.

The object is defined by the last "entry"  in the chain of structural
objectClasses.
You can always add any kind of auxiliary objectClass, adding inetorgperson
will work.

Greetings,

Dolf Smits
Siemens DirX directory consultant
Siemens Netherlands

-----Original Message-----
From: Jon Roberts [mailto:jon@mentata.com]
Sent: Monday, August 11, 2003 20:21
To: Tony Earnshaw; OpenLDAP-software@OpenLDAP.org
Subject: Re: still unclear on error 69

Tony Earnshaw wrote:
> Jon Roberts wrote:
>> If the server were down, the authentication failed, the user didn't 
>> have privileges to the data, etc.... there would've been a different 
>> error code telling me so. I think the 69 error is telling me something 
>> new and more specific, and I'd like to get to the bottom of it.
> 
> What it is telling you is, you have to have *all* the objectclasses 
> necessary in the hierarchy before it can add what you want. See my last 
> answer.

I read your post. Did you read mine?

I'm only using top, person, organizationalperson, and inetorgperson.
What's missing? I understood your point about conflicts in strucutural 
objectclasses, but it doesn't apply.

The 69 error occurs when I attempt a modify operation on the
objectclass attribute to go from a [top, person] entry to a [top,
person, organizationalperson] or [top, person, organizationalperson, 
inetorgperson] entry.

> Again the eternal premise: "If it works for 1,000 others, why doesn't 
it work for me?"

The only testimony I've heard for doing such an operation is from
another person who got the exact same error.

http://www.openldap.org/lists/openldap-software/200307/msg00644.html

Try it yourself. Assume and entry:

dn: cn=Mama, ou=People, o=family.org
objectclass: top
objectclass: person
cn: Mama
sn: Jones

Then try to implement the LDIF:

dn: cn=Mama, ou=People, o=family.org
changetype: modify
add: objectclass
objectclass: organizationalperson

And with ldapmodify you will get:

modifying entry "cn=Mama, ou=People, o=family.org"
ldapmodify: update failed: cn=Mama, ou=People, o=family.org
ldap_modify: Cannot modify object class (69)
         additional info: structural object class modification from 
'person' to 'organizationalperson' not allowed

Looks like Mama has to stay in the kitchen :(

I tried this on an OpenLDAP 2.1.22 server with a BDB backend I built and 
installed this morning. My question (rephrased) still stands: is there 
any way to add valid structural objectclasses to an existing entry that 
already has a strucutural objectclass through the protocol?

Jon Roberts
www.mentata.com

Follow-Ups:
- Re: still unclear on error 69
  - From: Tony Earnshaw <tonni@billy.demon.nl>
- Re: still unclear on error 69
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: Different TLSVerifyClient possible?
Next by Date: Re: Different TLSVerifyClient possible?
Index(es):
- Chronological
- Thread