1

I have set up OpenLDAP 2.4.50 on Alpine 3.12.1 and fed cosine, inetorgperson and nis LDIF schemas to it using ldapadd. Now I wanted to add a custom object class. I added an entry cn=mystuff,cn=schema,cn=config, objectclass olcSchemaConfig which worked fine. Now I wanted to add a new objectClass that would provide me some kind of account class with extra information. The idea is simple: create an objectClass that inherits from person as well as posixAccount. Here goes my LDIF...

```
dn: cn={4}mystuff,cn=schema,cn=config
changetype: modify
add: olcObjectClasses
olcObjectClasses: ( 1.3.6.1.4.1.999999.1.2.3 NAME 'myAccount' DESC 'A full acc
 ount as I want it.' SUP ( person $ posixAccount ) STRUCTURAL )
```

The problem is that OpenLDAP wouldn't let me. It states `olcObjectClasses: user-defined ObjectClass has inappropriate SUPerior: "posixAccount"`

I suppose multiple inheritance is not allowed in LDAP the way I'm trying to use it but I couldn't find any reference telling me why.

To make a long story short: how can I create an objectClass that comprises both person and posixAccount? And if it's not possible, please tell me exactly why.

Timor

2 Answers

3

I found the solution myself reading through https://www.rfc-editor.org/rfc/rfc4512 . The objectClass I am trying to create is STRUCTURAL whereas one of the super classes (posixAccount) is AUXILIARY. Following the RFC this is not allowed:

section 2.4.2 states

"Structural object classes cannot subclass auxiliary object classes."

and furthermore section 2.4.3 states

"Auxiliary object classes cannot subclass structural object classes."

In the end this means that multiple inheritance of an object class never works if your super classes are mixed regarding STRUCTURAL and AUXILIARY. I cannot see a good reason for this but nevertheless it's simply not possible by specification.

Timor
  • Great that you were able to solve it. But it seems like you accidentally created a second account. You should [have your accounts merged](https://serverfault.com/help/merging-accounts), so you can accept your answer. Otherwise the question will stay as "unanswered" in the system. – Gerald Schneider Nov 11 '20 at 11:30
  • I realized that something's amiss here account-wise and have e-mailed support already. Once the merge is complete, I will. Thanks for pointing me to it! – Timor Nov 11 '20 at 22:16
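
The two RFC 4512 rules quoted in the answer above can be checked mechanically before a definition is fed to ldapadd. The following is an added example, not part of the original posts or of OpenLDAP; the function names, the small `KNOWN_KINDS` table and the two variant definitions are assumptions made for illustration.

```python
import re

# Kinds of the classes involved: person is STRUCTURAL (core schema),
# posixAccount is AUXILIARY (nis schema). Extend for other superiors.
KNOWN_KINDS = {"top": "ABSTRACT", "person": "STRUCTURAL", "posixAccount": "AUXILIARY"}

# Rule table from RFC 4512: (kind of new class, kind of superior) -> section
FORBIDDEN = {("STRUCTURAL", "AUXILIARY"): "2.4.2", ("AUXILIARY", "STRUCTURAL"): "2.4.3"}

def parse_objectclass(definition):
    """Return (name, superiors, kind) from an unfolded olcObjectClasses value."""
    text = " ".join(definition.split())
    name = re.search(r"NAME\s+\(?\s*'([^']+)'", text).group(1)
    bare = re.sub(r"'[^']*'", "", text)  # drop quoted strings such as DESC
    sup = re.search(r"\bSUP\s+(?:\(([^)]*)\)|(\S+))", bare)
    superiors = []
    if sup:
        superiors = [s.strip() for s in (sup.group(1) or sup.group(2)).split("$")]
    kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", bare)
    # The kind defaults to STRUCTURAL when the definition omits it
    return name, superiors, kind.group(1) if kind else "STRUCTURAL"

def check_superiors(definition, kinds=KNOWN_KINDS):
    """List every superior whose kind the RFC forbids for this class."""
    name, superiors, kind = parse_objectclass(definition)
    problems = []
    for sup in superiors:
        sup_kind = kinds.get(sup)
        if sup_kind is None:
            problems.append(f"{name}: kind of superior {sup} is unknown")
        elif (kind, sup_kind) in FORBIDDEN:
            problems.append(f"{name}: {kind} class cannot subclass {sup_kind} "
                            f"{sup} (RFC 4512 section {FORBIDDEN[(kind, sup_kind)]})")
    return problems

# The definition from the question, unfolded onto one line.
ASKED = ("( 1.3.6.1.4.1.999999.1.2.3 NAME 'myAccount' DESC 'A full account as "
         "I want it.' SUP ( person $ posixAccount ) STRUCTURAL )")
# Constructed variants (not from the page) for comparison.
AS_AUXILIARY = ASKED.replace("STRUCTURAL )", "AUXILIARY )")
PERSON_ONLY = ASKED.replace("SUP ( person $ posixAccount )", "SUP person")

if __name__ == "__main__":
    for label, d in [("asked", ASKED), ("auxiliary", AS_AUXILIARY), ("person only", PERSON_ONLY)]:
        print(label, "->", check_superiors(d) or "ok")
```

The definition from the question fails on posixAccount, the auxiliary variant fails on person, and only the single-superior variant passes; with that variant, posixAccount would be listed as an additional objectClass value on each entry rather than as a superior.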
1

I think you’re running into this limitation https://www.rfc-editor.org/rfc/rfc4512#section-2.4.2

“An object or alias entry is characterised by precisely one structural object class superclass chain which has a single structural object class as the most subordinate object class.”

Bob
  • Thank you for your answer @HermanB. I'm afraid this is not about object or alias entries, but about object classes. I very much appreciate your efforts tho. – Timor Nov 16 '20 at 23:59