Problem:
A join script fails with the following error:
LDAP Error: Object class violation: invalid structural object class chain (person/univentionUserTemplate)
Investigation:
Extended attributes defined for users/user are automatically taken over by settings/usertemplate. Since settings/usertemplate has a structural object class (which already allows all attributes from person, inetOrgPerson, …), no further structural object class can be attached to the object.
The challenge is to find the extended attribute that causes the error.
udm settings/extended_attribute list
udm settings/usertemplate list
DN: cn=manager,cn=custom attributes,cn=univention,dc=schein,dc=intern
CLIName: manager
copyable: 0
default: uid=schein,ou=Aktuell,ou=user,ou=schein.intern,dc=schein,dc=intern
deleteObjectClass: 0
disableUDMWeb: 0
doNotSearch: 0
fullWidth: 0
groupName: Organisation
groupPosition: None
hook: None
ldapMapping: manager
longDescription: None
mayChange: 1
module: users/user
multivalue: 0
name: manager
notEditable: 0
objectClass: person
overwritePosition: secretary
overwriteTab: 0
shortDescription: VorgesetzteR
syntax: UserDN
tabAdvanced: 0
tabName: General
tabPosition: 3
translationGroupName: de_DE: Organisation
translationTabName: de_DE: Allgemein
valueRequired: 0
version: 2
This custom attribute comes with objectClass: person, which is a second structural objectClass and therefore not allowed.
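The search described above can be scripted. The following is an added example, not part of the original article or of UCS: it parses the text printed by udm settings/extended_attribute list and reports users/user attributes whose objectClass is one of the structural classes named on this page. The function names and the sample data are assumptions made for illustration.

```python
import sys

# Assumption: only the structural classes named on this page are checked.
STRUCTURAL_CLASSES = {"person", "organizationalperson", "inetorgperson"}


def parse_udm_list(text):
    """Split `udm ... list` output into one dict of value lists per object."""
    objects, current = [], None
    for raw in text.splitlines():
        line = raw.strip()  # real output indents properties; flattened copies do not
        if ": " not in line:
            continue
        key, value = line.split(": ", 1)
        if key == "DN":  # every object starts with its DN line
            current = {"DN": [value]}
            objects.append(current)
        elif current is not None:
            current.setdefault(key, []).append(value)  # keep repeated keys
    return objects


def find_offenders(text, module="users/user"):
    """Return (DN, objectClass) pairs for attributes of `module` with a structural class."""
    hits = []
    for obj in parse_udm_list(text):
        if module not in obj.get("module", []):
            continue
        for oc in obj.get("objectClass", []):
            if oc.lower() in STRUCTURAL_CLASSES:  # LDAP class names are case-insensitive
                hits.append((obj["DN"][0], oc))
    return hits


# Constructed sample input, used when nothing is piped in.
SAMPLE = """\
DN: cn=manager,cn=custom attributes,cn=univention,dc=example,dc=test
  module: users/user
  objectClass: person

DN: cn=badge,cn=custom attributes,cn=univention,dc=example,dc=test
  module: users/user
  objectClass: univentionFreeAttributes
"""

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for dn, oc in find_offenders(text):
        print("{}: objectClass {}".format(dn, oc))
```

Pipe the output of udm settings/extended_attribute list into the script to check a live system; without piped input it runs on the constructed sample.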
Solution:
The following patch can be used as a workaround:
--- /usr/lib/python2.7/dist-packages/univention/admin/handlers/settings/usertemplate.py.orig 2021-02-02 20:46:15.442391000 +0100
+++ /usr/lib/python2.7/dist-packages/univention/admin/handlers/settings/usertemplate.py 2021-02-02 20:47:11.770391000 +0100
@@ -40,7 +40,7 @@
translation = univention.admin.localization.translation('univention.admin.handlers.settings')
_ = translation.translate
-BLACKLISTED_OBJECT_CLASSES = {b'inetOrgPerson'}
+BLACKLISTED_OBJECT_CLASSES = {b'inetOrgPerson', b'person', b'organizationalPerson'}
module = 'settings/usertemplate'
operations = ['add', 'edit', 'remove', 'search', 'move']
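Review bot: The widened BLACKLISTED_OBJECT_CLASSES set on the changed line still lists structural classes by name, so an extended attribute that brings any other structural object class would run into the same "invalid structural object class chain" error; a short comment above the constant saying that it holds the structural classes that must not be added to settings/usertemplate objects would make the intent clear to whoever has to extend it next. The hunk also edits the installed module under /usr/lib/python2.7/dist-packages in place, so the change should be recorded next to the .orig copy named in the header and re-checked after the package is updated.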