Bug 35775 - Some object classes in extended attributes raise "invalid structural object class chain"
Product: UCS
Classification: Unclassified
Component: UDM - Extended Attributes
Version: UCS 3.2
Hardware: All Linux
Importance: P5 normal
Target Milestone: UCS 4.0-0-errata
Assigned To: Florian Best
QA Contact: Arvid Requate
Reported: 2014-09-02 14:13 CEST by ch
Modified: 2020-05-27 14:03 CEST

Bug group (optional): External feedback, Usability
Description ch 2014-09-02 14:13:57 CEST
Adding an extended attribute with the objectClass inetOrgPerson to the user/Template module makes the Attributes unusable in templates (LDAP Error):

The LDAP object could not be saved: LDAP Error Object class violation: invalid structural object class chain (univentionUserTemplate/organizationalPerson)
Comment 1 Janis Meybohm univentionstaff 2014-09-16 10:34:33 CEST
 Ticket#: 2014091621000219

Customer reported this when adding an EA for "ou" (organizationalPerson) to the usertemplate module.
Comment 2 Florian Best univentionstaff 2014-12-04 00:58:02 CET
If I understand correctly:
You want to create a user template which adds the object class organizationalPerson/inetOrgPerson to the user which will be created by that template?

Then this approach is wrong. You would have to create that extended attribute for a user (not for a user template). And then a user template has to be created which sets a value for the extended attribute (which is currently not possible).

I'll check in a few days if this is possible using 2 extended attributes.
Comment 3 Florian Best univentionstaff 2015-01-07 15:58:41 CET
An LDAP schema extension is required which adds an auxiliary object class with the wanted attributes as "MAY". The following example works:

# The kind must be given explicitly: an object class without a kind keyword is STRUCTURAL.
objectclass     ( 2.16.840.1.113730.3.2.2123456789
    NAME 'univentionInetOrgPerson'
        DESC 'Auxiliary object class which allows to use inetOrgPerson attributes in user templates'
        AUXILIARY
        MAY (
                audio $ businessCategory $ carLicense $ departmentNumber $
                displayName $ employeeNumber $ employeeType $ givenName $
                homePhone $ homePostalAddress $ initials $ jpegPhoto $
                labeledURI $ mail $ manager $ mobile $ o $ pager $
                photo $ roomNumber $ secretary $ uid $ userCertificate $
                x500uniqueIdentifier $ preferredLanguage $
                userSMIMECertificate $ userPKCS12 )
        )

The following extended attribute adds 'carLicense' to Users and User templates:

dn: cn=template,cn=custom attributes,cn=univention,dc=ldap,dc=base
cn: template
univentionObjectType: settings/extended_attribute
univentionUDMPropertyLdapMapping: carLicense
univentionUDMPropertyValueMayChange: 1
univentionUDMPropertyObjectClass: univentionInetOrgPerson
univentionUDMPropertyModule: settings/usertemplate
univentionUDMPropertyModule: users/user
univentionUDMPropertyShortDescription: carLicense
univentionUDMPropertyCLIName: carLicense
objectClass: top
objectClass: univentionUDMProperty
objectClass: univentionObject
univentionUDMPropertyLayoutDisable: 0
univentionUDMPropertyDoNotSearch: 0
univentionUDMPropertyMultivalue: 0
univentionUDMPropertyVersion: 2
univentionUDMPropertyValueRequired: 0
univentionUDMPropertyLayoutFullWidth: 0
univentionUDMPropertyDeleteObjectClass: 0
univentionUDMPropertyLayoutTabAdvanced: 0
univentionUDMPropertyLayoutOverwriteTab: 0
univentionUDMPropertyValueNotEditable: 0

We could also add all attributes from inetOrgPerson and parent object classes into the univentionUserTemplate schemata.
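
Added example (not part of the original thread, and not Univention or OpenLDAP code): a simplified Python model of the structural-chain rule, showing why organizationalPerson on a user template entry is rejected while the auxiliary class from comment 3 is accepted. The kind and superior given for univentionUserTemplate are assumptions inferred from the error message in the description.

```python
# Constructed, simplified schema model: name -> (kind, superior).
# person/organizationalPerson/inetOrgPerson follow RFC 4519 and RFC 2798.
SCHEMA = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
    # Assumption: structural and not derived from person, as the reported
    # error "(univentionUserTemplate/organizationalPerson)" implies.
    "univentionUserTemplate": ("STRUCTURAL", "top"),
    # Auxiliary class from comment 3; it only contributes MAY attributes.
    "univentionInetOrgPerson": ("AUXILIARY", "top"),
}


def superiors(name):
    """Return the class followed by all of its superiors, most specific first."""
    chain = []
    while name is not None:
        chain.append(name)
        name = SCHEMA[name][1]
    return chain


def check_structural_chain(object_classes):
    """Return (ok, detail) for an entry's objectClass values.

    Every STRUCTURAL class in the entry must lie on one superclass chain.
    ABSTRACT and AUXILIARY classes are not part of that check.
    """
    current = None  # most specific structural class seen so far
    for oc in object_classes:
        if SCHEMA[oc][0] != "STRUCTURAL":
            continue
        if current is None or current in superiors(oc):
            current = oc          # first structural class, or a subclass of it
        elif oc not in superiors(current):
            # Two unrelated structural classes: the situation in this report.
            return False, "invalid structural object class chain (%s/%s)" % (current, oc)
    if current is None:
        return False, "no structural object class"
    return True, current


if __name__ == "__main__":
    template = ["top", "univentionUserTemplate"]
    print(check_structural_chain(template + ["organizationalPerson"]))
    print(check_structural_chain(template + ["univentionInetOrgPerson"]))
```
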
Comment 4 Florian Best univentionstaff 2015-01-14 12:39:48 CET
The schema for univentionUserTemplate has been adapted to include all attributes from person, organizationalPerson and inetOrgPerson.

To add the attribute carLicense to User and UserTemplate two extended attributes with the same "UDM CLI name" have to be created:
1. Modules=User, LDAP object class=inetOrgPerson, LDAP attribute=carLicense
2. Modules="Settings: User Template", LDAP object class=univentionUserTemplate, LDAP attribute=carLicense

Fix: svn r57312 r57313
Package: univention-ldap
Version: 11.0.11-2.731.201501141228
Branch: ucs_4.0-0
Scope: errata4.0-0
YAML: 2015-01-14-univention-ldap.yaml
Comment 5 Arvid Requate univentionstaff 2015-01-14 17:31:04 CET
Ok, all attributes from inetOrgPerson, organizationalPerson and person are now allowed for univentionUserTemplate as well.

Functional test: Ok
Advisory: Ok
Comment 6 Janek Walkenhorst univentionstaff 2015-01-22 11:53:05 CET