When deleting a user (via usrmgr.exe or similar), SAMBA appears to remove the
relevant objectclass and some attributes, but it doesn't remove all of them, and
this can cause the ldap modification to fail. Specifically:

    [2005/11/02 17:21:17, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(340)
      ldapsam_delete_entry: Could not delete attributes for
      uid=test,ou=Users,dc=labs,dc=ntrg,dc=com, error: Object class violation
      (attribute 'displayName' not allowed)

Other objectClasses use displayName (including inetOrgPerson), so I can see why
the safe/default behavior would be to leave this alone. But in the absence of
those other objectClasses, the attribute is orphaned (as in this case), and the
The hard/complex/correct behavior would be to probe the other objectclasses and
schema, to see if any other bound objectclasses might be using those attributes.
A simpler but less-correct method might be to define another option, such as
"delete all attributes", which would cause all of the reused attributes WITH THE
EXCEPTION OF UID to be deleted.
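
The schema probe described above, sketched as an added example (not part of the original report and not Samba's code). The schema map, the sample entries and the function name orphaned_attributes are constructed for illustration; the attribute lists are abbreviated and superior-class inheritance is flattened by hand.

```python
# Constructed, abbreviated schema: objectClass -> attributes it permits (MUST and
# MAY merged). A real tool would read the server's subschema entry instead.
SCHEMA = {
    "account": {"uid", "description"},
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory",
                     "loginShell", "gecos", "description"},
    "sambaSamAccount": {"uid", "sambaSID", "cn", "displayName", "description",
                        "sambaNTPassword", "sambaAcctFlags"},
    "inetOrgPerson": {"cn", "sn", "uid", "displayName", "mail", "description"},
}

def _fold(names):
    # LDAP attribute and objectClass names are case-insensitive.
    return {n.lower() for n in names}

def orphaned_attributes(entry, removed_class, schema=SCHEMA):
    """Attributes on `entry` that no remaining objectClass permits once
    `removed_class` is dropped; they must be deleted in the same modify
    request or the server reports an object class violation."""
    allowed_by = {c.lower(): _fold(a) for c, a in schema.items()}
    removed = removed_class.lower()
    remaining = _fold(entry["objectClass"]) - {removed}
    unknown = remaining - set(allowed_by)
    if unknown:
        # Without the class definition we cannot prove an attribute is unused.
        raise KeyError(f"objectClass not in schema: {sorted(unknown)}")
    still_allowed = set().union(*(allowed_by[c] for c in remaining))
    return sorted(a for a in entry
                  if a.lower() != "objectclass"
                  and a.lower() in allowed_by[removed]
                  and a.lower() not in still_allowed)

# Constructed entry shaped like the one in the log: displayName is orphaned.
ENTRY_ORPHAN = {
    "objectClass": ["account", "posixAccount", "sambaSamAccount"],
    "uid": ["test"], "cn": ["test"], "uidNumber": ["1001"],
    "gidNumber": ["513"], "homeDirectory": ["/home/test"],
    "displayName": ["Test User"], "sambaSID": ["S-1-5-21-CONSTRUCTED-3002"],
    "sambaAcctFlags": ["[U]"],
}
# Same entry, but inetOrgPerson is also bound, so displayName must stay.
ENTRY_SHARED = dict(ENTRY_ORPHAN, sn=["User"],
                    objectClass=["InetOrgPerson", "posixAccount", "sambaSamAccount"])

if __name__ == "__main__":
    print(orphaned_attributes(ENTRY_ORPHAN, "sambaSamAccount"))
    print(orphaned_attributes(ENTRY_SHARED, "sambaSamAccount"))
```

uid and cn are kept in both cases because posixAccount still permits them, so no special-case exception for uid is needed with this approach.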