Mailing-List: contact users-help@directory.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@directory.apache.org
Message-ID: <4ADE3BD9.2030706@apache.org>
Date: Wed, 21 Oct 2009 00:38:17 +0200
From: Stefan Seelmann <seelmann@apache.org>
User-Agent: Thunderbird 2.0.0.23 (X11/20090817)
MIME-Version: 1.0
To: users@directory.apache.org
Subject: Re: [ApacheDS] Data Migration from 1.0.2 to 1.5.5,
 AccessControlSubentries
References: <4ADDDC3B.807@netsuccess.ch>
In-Reply-To: <4ADDDC3B.807@netsuccess.ch>
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Hi Beat,

Beat Burgener | NetSuccess GmbH wrote:
> Hi folks
> 
> I attempted to transfer my (little) LDAP data from ApacheDS 1.0.2. to
> Apache 1.5.5
> (using Studio 1.4.0)
> 
> Well, I was not really successful ...
> 
> What I did is, I exported the system and our partition from 1.0.2
> (including the operation attributes
> as we use ACI) to separate LDIF files ...
> 
> I removed everything from the system.ldif that was not "custom"  to not
> interfere with objects
> in the new version (and did also not allow to overwrite anything ...)
> This one went in like a charm ....

I'm not sure if you need to migrate anything from the system partition,
except if you added custom objects. (Ok, I see now that your mzu_adm
user existst in the system partition)

> Now, I imported our partition, but there, some errors are reported (we
> only have approx. 80
> entries for now, some failed).
> 
> After some further investigation, this was related to the fact, that
> there were some dependencies
> like the OU should exist where the object should go. But in the LDIF,
> the OU was created
> later than the object itself ... okey, not that dramatic I thought and I
> should re-run the import
> later again, which should work out ...

Yes, we plan to add a "re-order" feature for LDIFs. but multiple
re-imports should do the job ;-)

> But I have other issues, that I could not explain ...
> 
> In the import log, for example, I get this:
> 
> #!RESULT OK
> #!CONNECTION ldap://10.255.100.16:389
> #!DATE 2009-10-20T17:01:14.568
> dn: ou=DDT,ou=Customers,dc=netsuccess,dc=ch
> objectClass: organizationalUnit
> objectClass: top
> ou: DDT
> accessControlSubentries:
> 2.5.4.3=se_ldap_customer_limited_read_access,0.9.23
> 42.19200300.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch
> accessControlSubentries:
> 2.5.4.3=se_ldap_full_administrators,0.9.2342.192003
> 00.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch
> createTimestamp: 20091019143703Z
> creatorsName: 2.5.4.3=mzu_adm,2.5.4.11=users,2.5.4.11=system

Ok, you should can't add operational attributes (in your case:
accessControlSubentries, createTimestamp, creatorsName). They are
created by the server.

I think that this entry wasn't created but I don't know why you get a
"OK". I'll check tomorrow if this is a server or studio problem.

> But I cannot see this OU under customer!
> I also get an error in the Studio like:
> 
> Attempt to lookup non-existant entry:
> 2.5.4.3=se_ldap_customer_limited_read_access,0.9.2342.19200300.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch]
> 
> Why some of the OU's are displayed and some not.
> From those I can see, they have also the subentry defined ?!
> 
> I can also not see the Subentries in the top level of the partition, as
> it was defined before ...
> I couldn't find their definition in the exportet LDIF either (well,
> maybe I didn't search for the right stuff, as I'm not that an expert ...)

Are the sub-entries included in your LDIF? You need to export "normal
entries" and "subentries" separately. You could export the latter by
selecting "Subentries Control" in the export wizard.

Kind Regards,
Stefan