directory-users mailing list archives

From Beat Burgener | NetSuccess GmbH <beat.burge...@netsuccess.ch>
Subject [ApacheDS] Data Migration from 1.0.2 to 1.5.5, AccessControlSubentries
Date Wed, 21 Oct 2009 14:59:47 GMT
Stefan,

thank you for your swift reply!

What I did for now is, I did an export without the operational attributes.
This could then be imported except for two entries because of an object
class violation.
To explain the entire path, first only these two did not go in, because
of the missing OU from the position within the LDIF:

#!RESULT ERROR
#!CONNECTION ldap://10.255.100.16:389
#!DATE 2009-10-21T16:10:56.292
#!ERROR [LDAP: error code 32 - NO_SUCH_OBJECT: failed for     Add 
Request : ClientEntry     dn: cn=Beat 
Burgener,ou=NS,ou=Customers,dc=netsuccess,dc=ch     objectClass: 
organizationalPerson     objectClass: person     objectClass: 
inetOrgPerson     objectClass: organization     objectClass: top     o: 
NetSuccess GmbH     sn: Burgener     cn: Beat Burgener     mobile: 
+41796536636     telephonenumber: +41316603030     uid: bbu     
userpassword: 'XXX'     initials: bbu     mail: 
beat.burgener@netsuccess.ch     givenname: Beat     displayname: Beat 
Burgener : Parent ou=NS,ou=Customers,dc=netsuccess,dc=ch not found]
dn: cn=Beat Burgener,ou=NS,ou=Customers,dc=netsuccess,dc=ch
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: organization
objectClass: top
cn: Beat Burgener
displayname: Beat Burgener
givenname: Beat
initials: bbu
mail: beat.burgener@netsuccess.ch
mobile: +41796536636
o: NetSuccess GmbH
sn: Burgener
telephonenumber: +41316603030
uid: bbu
userpassword:: XXX

#!RESULT ERROR
#!CONNECTION ldap://10.255.100.16:389
#!DATE 2009-10-21T16:10:56.308
#!ERROR [LDAP: error code 32 - NO_SUCH_OBJECT: failed for     Add 
Request : ClientEntry     dn: cn=Marco 
Zuehlke,ou=NS,ou=Customers,dc=netsuccess,dc=ch     objectClass: 
organizationalPerson     objectClass: person     objectClass: 
inetOrgPerson     objectClass: organization     objectClass: top     o: 
NetSuccess GmbH     sn: Zuehlke     cn: Marco Zuehlke     mobile: 
+41792631452     telephonenumber: +41316603030     uid: mzu     
userpassword: 'XXX ...'     initials: mzu     mail: 
marco.zuehlke@netsuccess.ch     givenname: Marco     displayname: Marco 
Zühlke : Parent ou=NS,ou=Customers,dc=netsuccess,dc=ch not found]
dn: cn=Marco Zuehlke,ou=NS,ou=Customers,dc=netsuccess,dc=ch
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: organization
objectClass: top
cn: Marco Zuehlke
displayname:: TWFyY28gWsO8aGxrZQ==
givenname: Marco
initials: mzu
mail: marco.zuehlke@netsuccess.ch
mobile: +41792631452
o: NetSuccess GmbH
sn: Zuehlke
telephonenumber: +41316603030
uid: mzu
userpassword:: XXX


The above is related to the fact that the OU was not there when the
object should be created. I then re-ran the import
once with "update existing" and once without. Both do not work for the
two entries above:

#!RESULT ERROR
#!CONNECTION ldap://10.255.100.16:389
#!DATE 2009-10-21T16:32:49.677
#!ERROR [LDAP: error code 65 - OBJECT_CLASS_VIOLATION: failed for     
Add Request : ClientEntry     dn: cn=Beat 
Burgener,ou=NS,ou=Customers,dc=netsuccess,dc=ch     objectClass: 
organizationalPerson     objectClass: person     objectClass: 
inetOrgPerson     objectClass: organization     objectClass: top     o: 
NetSuccess GmbH     sn: Burgener     cn: Beat Burgener     mobile: 
+41796536636     telephonenumber: +41316603030     uid: bbu     
userpassword: 'XXX ...'     initials: bbu     mail: 
beat.burgener@netsuccess.ch     givenname: Beat     displayname: Beat 
Burgener : Entry 2.5.4.3=beat 
burgener,2.5.4.11=ns,2.5.4.11=customers,0.9.2342.19200300.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch

contains more than one STRUCTURAL ObjectClass: 
[<2.16.840.1.113730.3.2.2, inetOrgPerson>, <2.5.6.4, organization>]]
dn: cn=Beat Burgener,ou=NS,ou=Customers,dc=netsuccess,dc=ch
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: organization
objectClass: top
cn: Beat Burgener
displayname: Beat Burgener
givenname: Beat
initials: bbu
mail: beat.burgener@netsuccess.ch
mobile: +41796536636
o: NetSuccess GmbH
sn: Burgener
telephonenumber: +41316603030
uid: bbu
userpassword:: XXX

#!RESULT ERROR
#!CONNECTION ldap://10.255.100.16:389
#!DATE 2009-10-21T16:32:49.692
#!ERROR [LDAP: error code 65 - OBJECT_CLASS_VIOLATION: failed for     
Add Request : ClientEntry     dn: cn=Marco 
Zuehlke,ou=NS,ou=Customers,dc=netsuccess,dc=ch     objectClass: 
organizationalPerson     objectClass: person     objectClass: 
inetOrgPerson     objectClass: organization     objectClass: top     o: 
NetSuccess GmbH     sn: Zuehlke     cn: Marco Zuehlke     mobile: 
+41792631452     telephonenumber: +41316603030     uid: mzu     
userpassword: 'XXX ...'     initials: mzu     mail: 
marco.zuehlke@netsuccess.ch     givenname: Marco     displayname: Marco 
Zühlke : Entry 2.5.4.3=marco 
zuehlke,2.5.4.11=ns,2.5.4.11=customers,0.9.2342.19200300.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch

contains more than one STRUCTURAL ObjectClass: 
[<2.16.840.1.113730.3.2.2, inetOrgPerson>, <2.5.6.4, organization>]]
dn: cn=Marco Zuehlke,ou=NS,ou=Customers,dc=netsuccess,dc=ch
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: organization
objectClass: top
cn: Marco Zuehlke
displayname:: TWFyY28gWsO8aGxrZQ==
givenname: Marco
initials: mzu
mail: marco.zuehlke@netsuccess.ch
mobile: +41792631452
o: NetSuccess GmbH
sn: Zuehlke
telephonenumber: +41316603030
uid: mzu
userpassword:: XXX

Well, it was in Apache 1.0.2 like this I guess, so why should that not
work in 1.5.5?
Maybe these classes are left from a test and are not really used, but
anyway, maybe there is something to learn ...

BTW: I removed the object class "organization" from both objects as no 
attribute of this
class was assigned anyway and then it worked out ...

Okay, that I did manage to do ...

Now, with the operational attributes and the subentries, I'm not really
a master on that, unfortunately - not yet, I guess.

Well, I exported the subentries (3 pcs) without the operational attributes.
Those, I could not import. I then also exported the operational 
attributes with the subentries,
as I expect the missing definition of the Prescriptive ACI to be a 
problem ...
This didn't work either:

#!RESULT ERROR
#!CONNECTION ldap://10.255.100.16:389
#!DATE 2009-10-21T16:48:06.693
#!ERROR [LDAP: error code 16 - NO_SUCH_ATTRIBUTE: failed for     Add 
Request : ClientEntry     dn: 
cn=SE_LDAP_Full_Administrators,dc=netsuccess,dc=ch     objectClass: 
subentry     objectClass: accessControlSubentry     objectClass: top     
prescriptiveaci: { identificationTag "ACI LDAP Full Administration 
rights", precedence 100, authenticationLevel simple, itemOrUserFirst 
userFirst: { userClasses { userGroup { 
"cn=LDAP_Perm_Full_Administrators,ou=groups,ou=system" } }, 
userPermissions { { protectedItems { entry, 
allUserAttributeTypesAndValues }, grantsAndDenials { grantImport, 
grantReturnDN, grantModify, grantFilterMatch, grantRead, grantBrowse, 
grantInvoke, grantExport, grantRemove, grantCompare, 
grantDiscloseOnError, grantAdd, grantRename } } } } }     
accessControlSubentries: 
2.5.4.3=se_ldap_full_administrators,0.9.2342.19200300.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch
    
createTimestamp: 20090830192901Z     cn: SE_LDAP_Full_Administrators     
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system     
subtreespecification: { }     modifyTimestamp: 20090917095431Z     
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system : 
Administration point 
0.9.2342.19200300.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch does 
not contain an administrativeRole attribute! An administrativeRole 
attribute in the administrative point is required to add a subordinate 
subentry.]
dn: cn=SE_LDAP_Full_Administrators,dc=netsuccess,dc=ch
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: SE_LDAP_Full_Administrators
accessControlSubentries: 2.5.4.3=se_ldap_full_administrators,0.9.2342.192003
 00.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch
createTimestamp: 20090830192901Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20090917095431Z
prescriptiveaci: { identificationTag "ACI LDAP Full Administration rights",
 precedence 100, authenticationLevel simple, itemOrUserFirst userFirst: { us
 erClasses { userGroup { "cn=LDAP_Perm_Full_Administrators,ou=groups,ou=syst
 em" } }, userPermissions { { protectedItems { entry, allUserAttributeTypesA
 ndValues }, grantsAndDenials { grantImport, grantReturnDN, grantModify, gra
 ntFilterMatch, grantRead, grantBrowse, grantInvoke, grantExport, grantRemov
 e, grantCompare, grantDiscloseOnError, grantAdd, grantRename } } } } }
subtreespecification: { }


Note: The access control is not enabled in ApacheDS for now, but I do 
not expect this to be
the reason why the import does not work.

As I have both versions on the same system and not listening on different
ports (OK, I could change that), I have to start/stop all the time...

So, maybe you have a hint / a micro how-to on how I have to proceed to
achieve my goal ...

I guess I have to:

1. Import the system partition objects (might those include the
   operational attributes already?)
   => this more or less works
2. Import the custom partition objects without the operational attributes
   => this works if the supplemental object class "organization" is
   removed from the two objects
3. Import the subentries (check subentries on control section) - should
   those include the op. attr?
   => This I didn't manage to get in
4. Import the op. attr for the custom partition (otherwise I lose the
   creator/creation time)
   => This I didn't test, but I expect issues with the ACI description?!
   I could only export the relevant attributes ...


Thank you

Beat
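
Added example, not part of the original message and not ApacheDS code: a pre-import check over an LDIF export that orders entries parents-first and flags the two schema errors reported in the logs above (more than one STRUCTURAL object class, and a subentry whose parent carries no administrativeRole). Assumptions: the class table is partial, DNs are compared as lowercased strings with no escaped commas, and the sample entries are constructed.

```python
# Structural classes and their superiors (RFC 4519, 2798, 3672); partial table.
SUP = {"person": "top", "organizationalperson": "person", "subentry": "top",
       "inetorgperson": "organizationalperson", "organization": "top"}
# Constructed sample, children listed before their parent as in a raw export.
SAMPLE = """\
dn: cn=Jane Doe,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person
objectClass: organization

dn: cn=SE_Admins,dc=example,dc=com
objectClass: subentry
objectClass: accessControlSubentry

dn: dc=example,dc=com
objectClass: domain
"""

def parse_ldif(text):
    """Return {dn: attrs}, parents first; folded lines unfolded, no base64 decode."""
    found = {}
    for block in text.replace("\n ", "").strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):  # skip comments and #! log lines
                attrs.setdefault(key.lower(), []).append(value.strip())
        if "dn" in attrs:
            found[attrs.pop("dn")[0].lower()] = attrs
    return dict(sorted(found.items(), key=lambda e: e[0].count(",")))

def leaf_structural(classes):
    listed = {c.lower() for c in classes} & SUP.keys()
    implied = set()
    for sup in [SUP[c] for c in listed]:
        while sup != "top":  # walk the superior chain up to top
            implied.add(sup)
            sup = SUP[sup]
    return sorted(listed - implied)  # classes not implied by another's chain

def preflight(entries):
    """Yield (dn, problem) pairs for the two schema errors in the import log."""
    for dn, attrs in entries.items():
        leaves = leaf_structural(attrs.get("objectclass", []))
        if len(leaves) > 1:
            yield dn, "multiple STRUCTURAL: " + ", ".join(leaves)
        parent = entries.get(dn.partition(",")[2], {})
        if "subentry" in leaves and "administrativerole" not in parent:
            yield dn, "administrative point missing or without administrativeRole"
```

A parent that already exists on the server but is absent from the file is reported as missing, so run the check against a full export.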













