20110106 when schema rules attack - plembo/onemoretech GitHub Wiki

title: When schema rules attack
link: https://onemoretech.wordpress.com/2011/01/06/when-schema-rules-attack/
author: lembobro
description:
post_id: 87
created: 2011/01/06 10:33:59
created_gmt: 2011/01/06 10:33:59
comment_status: open
post_name: when-schema-rules-attack
status: publish
post_type: post

When schema rules attack

Was loading up an OpenLDAP directory with SunOne data and kept getting “ldap add: invalid structural object class chain” when trying to add an entry that was both a groupofuniquenames (static group) and groupofurls (dynamic group) object.

Turns out Sun’s rules for implementing the LDAP schema are a bit more lax than the standard that OpenLDAP follows.

There’s an FAQ entry on this.

This particular error refers to the rule about STRUCTURAL objectclasses, which states that an object is of one STRUCTURAL class, the structural class of the object. The object is said to belong to this class, zero or more auxiliary classes, and their superclasses. While all of these classes are commonly listed in the objectClass attribute of the entry, one of these classes is the structural object class of the entry.

Basically the only option for me here is to modify the dyngroups.schema file to replace “top” with “groupOfUniqueNames” in the SUP directive for groupofURLs. Not a big change, but one that will probably come back to bite me down the road. The resulting change would look like this:

objectClass ( NetscapeLDAPobjectClass:33
    NAME 'groupOfURLs'
    SUP groupOfUniqueNames STRUCTURAL
    MUST cn
    MAY ( memberURL $ businessCategory $ description $ o $ ou $
        owner $ seeAlso ) )
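A pre-import check for the same rule, as an added example that is not part of the original post: it flags LDIF entries that list two structural classes from different chains, and shows that the SUP change above makes the sample entry pass. The schema tables, function names and sample entry are assumptions constructed for illustration; the parser does not handle folded lines or base64 values.

```python
# Hand-built schema subset (assumption): class name -> (kind, superior).
STOCK = {
    "top": ("ABSTRACT", None),
    "groupofuniquenames": ("STRUCTURAL", "top"),
    "groupofurls": ("STRUCTURAL", "top"),  # SUP top, before the edit
}
# Same subset after the SUP change described in the post.
PATCHED = dict(STOCK, groupofurls=("STRUCTURAL", "groupofuniquenames"))

# Constructed sample entry, not real directory data.
SAMPLE_LDIF = """\
dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
objectClass: groupOfURLs
cn: staff
memberURL: ldap:///ou=people,dc=example,dc=com??sub?(ou=staff)
"""

def parse_entries(ldif):
    """Yield (dn, [lowercased objectClass values]) per blank-line-separated entry."""
    for block in ldif.strip().split("\n\n"):
        dn, classes = None, []
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if attr.lower() == "dn":
                dn = value.strip()
            elif attr.lower() == "objectclass":
                classes.append(value.strip().lower())
        if dn:
            yield dn, classes

def superiors(name, schema):
    """Return every superclass of a class by walking its SUP links."""
    found, sup = set(), schema[name][1]
    while sup is not None:
        found.add(sup)
        sup = schema[sup][1]
    return found

def chain_leaves(classes, schema):
    """Listed structural classes that no other listed structural class derives from."""
    structural = {c for c in classes if schema[c][0] == "STRUCTURAL"}
    inherited = set().union(*(superiors(c, schema) for c in structural))
    return sorted(structural - inherited)

def violations(ldif, schema):
    """Return {dn: leaves} for entries with more than one structural chain."""
    leaves = {dn: chain_leaves(cls, schema) for dn, cls in parse_entries(ldif)}
    return {dn: found for dn, found in leaves.items() if len(found) > 1}
```
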

Copyright 2004-2019 Phil Lembo