Ldap – Using ldapModify to delete objectClass in LDAP entry

ldap

I have a need to delete three different objectClasses from a bunch of LDAP entries. Here's my ldif file:

dn: uid=user,ou=People,dc=example,dc=net
changetype: modify
delete: objectClass
objectClass: top
-
delete: objectClass
objectClass: organizationalPerson
-
delete: objectClass
objectClass: person

When I run the ldapmodify command, I get the following output:

ldap_initialize( ldap://server.net )
delete objectClass:
        top
delete objectClass:
        organizationalPerson
delete objectClass:
        person
modifying entry "uid=user,ou=People,dc=example,dc=net"
modify complete

However, when I perform an ldapsearch on that user, all the objectClasses are still there. Clearly, it matches the object class name otherwise it would complain.

Best Answer

I suspect your entries have attributes that require the objectClasses your are trying to remove. You need to remove the attributes that depend on the objectClasses before you remove the object class.

I don't know which LDAP server you are using, but I have had to remove entries to remove object clasees. This was done by extracting the record, removing the original record, and adding the record with a modified list of object classes. The add fails if you keep attributes not supported by the new object class hierarchy.

Related Solutions

Centos – How to add ACIs to OpenLDAP properly

Figured out that it's probably better to just do it the bdb.ldif way. What I did was like the above, but I made a few changes.

olcAccess: {0}to attrs=userPassword,shadowLastChange,loginShell by dn="cn=manager,dc=bromosapien,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=manager,dc=bromosapien,dc=net" write by group.exact="cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net" write by * read

What I did instead was, I labeled each line with braces and a number. I also added the ability for a user to change their login shell (because I allow Bash, ksh, and zsh, we default to bash). I then created a groupOfNames container inside of the Group OU. Like this.

dn: cn=LDAPADMIN,ou=Group,dc=bromosapien,dc=net
objectClass: groupOfNames
objectClass: top
cn: LDAPADMIN
member: uid=zera,ou=People,dc=angelsofclockwork,dc=net
member: uid=sithlord,ou=People,dc=angelsofclockwork,dc=net

Of course, this requires the memberOf overlay.

The memberOf overlay I used is below:

% vi modules.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof

% vi memberof.ldif

dn: olcOverlay=memberof,olcDatabase={2}bdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

Linux – LDAP+SAMBA login issues

I solved the issue by running following command:

smbpasswd -w <MyLiteralPassword>

Best Answer

Related Solutions

Centos – How to add ACIs to OpenLDAP properly

Linux – LDAP+SAMBA login issues

Related Topic