I am trying to import the following sample from Oracle's JNDI tutorial into my OpenLDAP instance using the command:
ldapadd -x -D cn=admin,dc=example,dc=com -W -f refserver.ldif
where refserver.ldif looks like this:
dn: o=JNDITutorial,dc=example,dc=com
o: JNDITutorial
objectclass: top
objectclass: organization

dn: ou=All, o=JNDITutorial,dc=example,dc=com
ou: All
objectclass: top
objectclass: organizationalunit

dn: ou=People, o=JNDITutorial,dc=example,dc=com
ou: People
objectclass: top
objectclass: organizationalunit
objectclass: referral
ref: ldap://10.97.98.201:389/ou=People,o=JNDITutorial

dn: ou=People, ou=All, o=JNDITutorial,dc=example,dc=com
ou: People
objectclass: top
objectclass: organizationalunit
objectclass: referral
ref: ldap://10.97.98.201:389/ou=People,o=JNDITutorial

dn: ou=NewHires, ou=All, o=JNDITutorial,dc=example,dc=com
ou: NewHires
objectclass: top
objectclass: organizationalunit
objectclass: referral
ref: ldap://10.97.98.201:389/ou=NewHires,o=JNDITutorial
This runs into partial success, reporting the following:
adding new entry "o=JNDITutorial,dc=example,dc=com"
adding new entry "ou=All, o=JNDITutorial,dc=example,dc=com"
adding new entry "ou=People, o=JNDITutorial,dc=example,dc=com"
ldap_add: Object class violation (65)
additional info: invalid structural object class chain (organizationalUnit/referral)
I am trying to read up on the cause from here. However, the cause and solution are a bit unclear to me. Can someone please shed some light on this and suggest a remedy?
Thanks in advance!
The explanation is very simple: when you create an object in an LDAP directory, this object MUST have a SINGLE structural class. In your case you mention two structural classes, organizationalunit and referral.
A correct way to do what you want to do is to use a structural class and an auxiliary class.
extensibleObject is an auxiliary class that allows you to use any attribute you want.
Here is a sample:
dn: ou=MyOU,ou=Monou,dc=societe,dc=com
objectClass: referral
objectClass: top
objectClass: extensibleObject
ou: MyOU
ref:: bGRhcDovLzEwLjk3Ljk4LjIwMTozODkvb3U9UGVvcGxlLG89Sk5ESVR1dG9yaWFsIA==
Remark: here you can see that the LDAP URL is coded in base64 (introduced by ::); it's better to do so in LDIF format. Apache Directory Studio is an open source product that allows you to test your OpenLDAP graphically (you'll find a B64 converter inside); this tool can generate your LDIF files.
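
A pre-flight check for the rule discussed above, as an added example that is not part of the original posts: it parses LDIF, flags entries whose structural classes do not form a single superior chain (the general form of the single-structural-class rule behind error 65), and decodes `ref::` values so the referral target can be reviewed. The `SCHEMA` excerpt and all function names are assumptions made for this example; LDIF line folding is not handled.

```python
import base64
import re

# Assumed schema excerpt, class -> (kind, superior), per RFC 4512, 4519 and 3296.
SCHEMA = {
    "top": ("abstract", None), "extensibleobject": ("auxiliary", "top"),
    "organizationalunit": ("structural", "top"), "referral": ("structural", "top"),
    "person": ("structural", "top"), "organizationalperson": ("structural", "person"),
}

def parse_ldif(text):
    """One {attr: [values]} dict per entry; 'attr:: v' values are base64-decoded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            b64 = value.startswith(":")  # base64 form, e.g. "ref:: bGRh..."
            value = base64.b64decode(value[1:]).decode() if b64 else value.strip()
            entry.setdefault(attr.strip().lower(), []).append(value)
        entries.append(entry)
    return entries

def superiors(name):
    """The class itself followed by its superiors, walking SCHEMA upwards."""
    return [] if name is None else [name] + superiors(SCHEMA[name][1])

def structural_problem(entry):
    """None if one structural class has all the others as superiors, else the list."""
    names = [c.lower() for c in entry.get("objectclass", [])]
    found = sorted(c for c in names if SCHEMA.get(c, ("unknown",))[0] == "structural")
    ok = any(all(o in superiors(leaf) for o in found) for leaf in found)
    return None if ok else found

# Constructed input: the question's rejected entry and the answer's sample, trimmed.
SAMPLE = """\
dn: ou=People, o=JNDITutorial,dc=example,dc=com
objectclass: organizationalunit
objectclass: referral

dn: ou=MyOU,ou=Monou,dc=societe,dc=com
objectClass: referral
objectClass: extensibleObject
ref:: bGRhcDovLzEwLjk3Ljk4LjIwMTozODkvb3U9UGVvcGxlLG89Sk5ESVR1dG9yaWFsIA==
"""

if __name__ == "__main__":
    for e in parse_ldif(SAMPLE):
        print(e["dn"][0], structural_problem(e), e.get("ref"))
```

An empty list from `structural_problem` means the entry names no structural class at all. Decoded `ref::` values are kept byte for byte, so whitespace that the base64 form hides shows up in the output.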
