directory-users mailing list archives

From Stefan Seelmann <>
Subject Re: [ApacheDS] Data Migration from 1.0.2 to 1.5.5, AccessControlSubentries
Date Thu, 22 Oct 2009 08:50:17 GMT
Beat Burgener | NetSuccess GmbH wrote:
> contains more than one STRUCTURAL ObjectClass:
> [<2.16.840.1.113730.3.2.2, inetOrgPerson>, <, organization>]]
> Well it was in Apache 1.0.2 like this I guess, so why should that not
> work in 1.5.5?
> Maybe these classes are left from a test and are not really used, but
> anyway, maybe
> there is something to learn ...
> BTW: I removed the object class "organization" from both objects as no
> attribute of this
> class was assigned anyway and then it worked out ...

It is not allowed to add two structural object classes if they are not
within an inheritance hierarchy. Seems like 1.0.2 didn't check that.
1.5.5 is more strict to LDAP standards. So removing the "organization"
object class is the way to go.

> Now, with the operational attributes and the subentries, I'm not really
> a master on that,
> unfortunately - not yet, I guess.
> Well, I exported the subentries (3 pcs) without the operational attributes.
> Those, I could not import. I then also exported the operational
> attributes with the subentries,
> as I expect the missing definition of the Prescriptive ACI to be a
> problem ...

As I already wrote in another mail, please try to export only user
attributes and the relevant operational attributes prescriptiveACI and

> This didn't work either:
> ...
> Administration point
> 0.9.2342.19200300.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch does
> not contain an administrativeRole attribute! An administrativeRole
> attribute in the administrative point is required to add a subordinate
> subentry.]

You need to add the 'administrativeRole' attribute to the parent of the
subentry (dc=netsuccess,dc=ch in your case). You could add the attribute
    administrativeRole: accessControlSpecificArea

> Note: The access control is not enabled in ApacheDS for now, but I do
> not expect this to be
> the reason why the import does not work.

No, that isn't a problem.

> I guess I have to:
> 1. Import the system partition objects (might those include the
> operational attributes already?)
>   => this more or less works
> 2. Import the custom partition objects without the operational attributes
>  => this works if the supplemental object class "organization" is
> removed from the two objects


> 3. Import the subentries (check subentries on control section) - should
> those include the op. attr?
>    => This I didn't manage to get in

Only prescriptiveACI and subtreeSpecification.

> 4. Import the op. attr for the custom partition (otherwise I lose the
> creator/creation time)

I'm not sure if that is possible at all. Those attributes are created
automatically. Could someone else comment on that?

Kind Regards,
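
The two import failures discussed in this message (unrelated structural object classes on one entry, and a subentry whose parent has no administrativeRole) can be caught before import. The following is an added example, not part of the original message and not ApacheDS code: a small lint over an LDIF export. The schema table, the sample DNs and the function names are assumptions made for illustration.

```python
# Added example, not ApacheDS code. Naive DN handling; plain-text values only.
# SUP: small subset of the standard schema, structural class -> superior.
SUP = {"person": "top", "organizationalperson": "person",
       "inetorgperson": "organizationalperson", "organization": "top",
       "domain": "top", "subentry": "top"}
# Constructed sample export; DNs are illustrative.
SAMPLE = """\
dn: dc=example,dc=test
objectClass: domain

dn: cn=jdoe,dc=example,dc=test
objectClass: inetOrgPerson
objectClass: organization

dn: cn=aci,dc=example,dc=test
objectClass: subentry
subtreeSpecification: {}
"""

def parse_ldif(text):
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, split records
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def chain(cls):
    # The class and its superiors, up to but excluding top.
    return {cls} | chain(SUP[cls]) if cls in SUP else set()

def lint(text):
    entries = parse_ldif(text)
    by_dn = {dn.lower(): attrs for dn, attrs in entries}
    found = []
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        structural = classes.intersection(SUP)
        # Allowed only when one class's inheritance chain covers all the others.
        if structural and not any(structural <= chain(c) for c in structural):
            found.append((dn, "unrelated structural classes"))
        parent = by_dn.get(dn.lower().partition(",")[2])  # naive parent DN
        if "subentry" in classes and parent is not None and "administrativerole" not in parent:
            found.append((dn, "parent lacks administrativeRole"))
    return found
```

A subentry whose parent is not in the file is skipped, since the parent may already exist on the server.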
