finally clear on error 69

[Jon Roberts <jon@mentata.com>]

This is off-list, but I wanted to get back to you. Actually, I'm not 
receiving openldap-software mailing list messages anymore and you may 
have noticed my last few posts didn't make the list either. It may be 
because of a routing failure my provider blessed me with last week which 
caused a lot of my mail to bounce back to senders. I just hope it's not 
because I'm no longer welcome; I haven't been able to re-subscribe.

Back to the question: is there any way to add valid structural 
objectclasses to an existing entry that already has a strucutural 
objectclass through the protocol? Regardless of how I got it, I now feel 
like I have an answer I can rest with: "No".

Tony Earnshaw wrote:
> O.k. ldapmodify is telling you that you cannot change a person to an 
> organizationalPerson. But you can add an organizationalPerson to a 
> person. Those are the rules. I didn't make them up, but Openldap 2.1 is 
> pretty strict about them. 2.0 wasn't.

Actually, from what I read in the RFC's, this is left to the 
implementation, so it isn't a hard/fast rule per LDAP. There really is 
no reason such an operation can't be accomplished through the protocol, 
but I'm sure there's a very good software reason why it's not allowed in 
OpenLDAP.

> Try *adding* the following 'ldapadd' ldif entry:
...
> Don't say it doesn't work, I just did it for you.
> "Oh, but that's not what I want." says Jon. "I want to modify." 
> Nevertheless, that's what you are going to have to work around. 

If it were a matter of getting the data straight, I wouldn't hesitate to 
LDIF in and out. The problem for me is that I have a function in my 
software offering (my extend servlet) that now has a new limitation. At 
least now I know it doesn't apply to all objectclasses and can give an 
appropriate error message if somebody tries to extend with structural ones.

> Remember 
> the hierarchy I described? Your Internet site is all about hierarchy, so 
> you should be able to understand.

Actually, my site is more about the oligarchy ;)

> What you can do, is on your old 2.0.x machine
...

That machine has long been rebuilt. I haven't seen 2.0 for many months 
now, and shall not again.

>  You can do vi's 
> ':g/whatihad/s//whatiwant/gc' can't you? If not, now's a good time to 
> learn :) Don't forget what ^ and $ mean in vi. 

Are you kidding me? vim is my IDE!

> I just had to do it for a 
> high school in Amsterdam - all the students, all the lecturers, all the 
> machines etc. etc. Took me a morning to do.

I'm sorry for your drudgery, but I'm glad to hear OpenLDAP makes the 
educational market in Europe. I actually plan to transition to teaching 
high school in a few years (and maybe even emigrate to Europe myself 
someday); all this LDAP knowledge is absolutely coming with me.

> If you're using a gtk Unix/Linux, consider compiling and installing GQ 
> 0.7.0b2. It'll teach you a lot. That's how I learned.

You talk about this tool so much, if I didn't know better I'd think they 
were passing you some sort of kickback :)

As I said repeatedly, the schema constraints weren't the mystery for me, 
it was the particular error response. I understand now how the issue 
relates to structural objectclasses, but hopefully you understand now 
that the oc hierarchy and required attributes are irrelevant. You can't 
add a structural objectclass to an entry through a modify in OpenLDAP 
2.1, period.

Thanks for the attention though. It makes me happy to know that there is 
another joker in the deck, and I can report I've learned things from 
several of your other posts. Even if it isn't mutual, you have my respect.

Best,

Jon

<aside>
You know it's a small, surreal world when a country band from the 
Netherlands name themselves after my grandfather's warplane:

http://www.thespokanechiefs.com/
</aside>