Stefan,
thank you for your swift reply!
What I did for now is, I did an export without the operational attributes.
This could then be imported except for two entries because of an object class violation.
To explain the entire path, first only these two did not go in, because of the missing OU from the position within the LDIF:
#!RESULT ERROR
#!CONNECTION ldap://10.255.100.16:389
#!DATE 2009-10-21T16:10:56.292
#!ERROR [LDAP: error code 32 - NO_SUCH_OBJECT: failed for Add
Request : ClientEntry dn: cn=Beat
Burgener,ou=NS,ou=Customers,dc=netsuccess,dc=ch objectClass:
organizationalPerson objectClass: person objectClass:
inetOrgPerson objectClass: organization objectClass: top o:
NetSuccess GmbH sn: Burgener cn: Beat Burgener mobile:
+41796536636 telephonenumber: +41316603030 uid: bbu
userpassword: 'XXX' initials: bbu mail:
[email protected] givenname: Beat displayname: Beat
Burgener : Parent ou=NS,ou=Customers,dc=netsuccess,dc=ch not found]
dn: cn=Beat Burgener,ou=NS,ou=Customers,dc=netsuccess,dc=ch
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: organization
objectClass: top
cn: Beat Burgener
displayname: Beat Burgener
givenname: Beat
initials: bbu
mail: [email protected]
mobile: +41796536636
o: NetSuccess GmbH
sn: Burgener
telephonenumber: +41316603030
uid: bbu
userpassword:: XXX
#!RESULT ERROR
#!CONNECTION ldap://10.255.100.16:389
#!DATE 2009-10-21T16:10:56.308
#!ERROR [LDAP: error code 32 - NO_SUCH_OBJECT: failed for Add
Request : ClientEntry dn: cn=Marco
Zuehlke,ou=NS,ou=Customers,dc=netsuccess,dc=ch objectClass:
organizationalPerson objectClass: person objectClass:
inetOrgPerson objectClass: organization objectClass: top o:
NetSuccess GmbH sn: Zuehlke cn: Marco Zuehlke mobile:
+41792631452 telephonenumber: +41316603030 uid: mzu
userpassword: 'XXX ...' initials: mzu mail:
[email protected] givenname: Marco displayname: Marco
Zühlke : Parent ou=NS,ou=Customers,dc=netsuccess,dc=ch not found]
dn: cn=Marco Zuehlke,ou=NS,ou=Customers,dc=netsuccess,dc=ch
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: organization
objectClass: top
cn: Marco Zuehlke
displayname:: TWFyY28gWsO8aGxrZQ==
givenname: Marco
initials: mzu
mail: [email protected]
mobile: +41792631452
o: NetSuccess GmbH
sn: Zuehlke
telephonenumber: +41316603030
uid: mzu
userpassword:: XXX
The above is related to the fact that the OU was not there when the object should be created. I then re-ran the import once with "update existing" and once without. Both do not work for the two entries above:
#!RESULT ERROR
#!CONNECTION ldap://10.255.100.16:389
#!DATE 2009-10-21T16:32:49.677
#!ERROR [LDAP: error code 65 - OBJECT_CLASS_VIOLATION: failed for
Add Request : ClientEntry dn: cn=Beat
Burgener,ou=NS,ou=Customers,dc=netsuccess,dc=ch objectClass:
organizationalPerson objectClass: person objectClass:
inetOrgPerson objectClass: organization objectClass: top o:
NetSuccess GmbH sn: Burgener cn: Beat Burgener mobile:
+41796536636 telephonenumber: +41316603030 uid: bbu
userpassword: 'XXX ...' initials: bbu mail:
[email protected] givenname: Beat displayname: Beat
Burgener : Entry 2.5.4.3=beat
burgener,2.5.4.11=ns,2.5.4.11=customers,0.9.2342.19200300.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch
contains more than one STRUCTURAL ObjectClass:
[<2.16.840.1.113730.3.2.2, inetOrgPerson>, <2.5.6.4, organization>]]
dn: cn=Beat Burgener,ou=NS,ou=Customers,dc=netsuccess,dc=ch
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: organization
objectClass: top
cn: Beat Burgener
displayname: Beat Burgener
givenname: Beat
initials: bbu
mail: [email protected]
mobile: +41796536636
o: NetSuccess GmbH
sn: Burgener
telephonenumber: +41316603030
uid: bbu
userpassword:: XXX
#!RESULT ERROR
#!CONNECTION ldap://10.255.100.16:389
#!DATE 2009-10-21T16:32:49.692
#!ERROR [LDAP: error code 65 - OBJECT_CLASS_VIOLATION: failed for
Add Request : ClientEntry dn: cn=Marco
Zuehlke,ou=NS,ou=Customers,dc=netsuccess,dc=ch objectClass:
organizationalPerson objectClass: person objectClass:
inetOrgPerson objectClass: organization objectClass: top o:
NetSuccess GmbH sn: Zuehlke cn: Marco Zuehlke mobile:
+41792631452 telephonenumber: +41316603030 uid: mzu
userpassword: 'XXX ...' initials: mzu mail:
[email protected] givenname: Marco displayname: Marco
Zühlke : Entry 2.5.4.3=marco
zuehlke,2.5.4.11=ns,2.5.4.11=customers,0.9.2342.19200300.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch
contains more than one STRUCTURAL ObjectClass:
[<2.16.840.1.113730.3.2.2, inetOrgPerson>, <2.5.6.4, organization>]]
dn: cn=Marco Zuehlke,ou=NS,ou=Customers,dc=netsuccess,dc=ch
objectClass: organizationalPerson
objectClass: person
objectClass: inetOrgPerson
objectClass: organization
objectClass: top
cn: Marco Zuehlke
displayname:: TWFyY28gWsO8aGxrZQ==
givenname: Marco
initials: mzu
mail: [email protected]
mobile: +41792631452
o: NetSuccess GmbH
sn: Zuehlke
telephonenumber: +41316603030
uid: mzu
userpassword:: XXX
Well it was in Apache 1.0.2 like this I guess, so why should that not work in 1.5.5?
Maybe these classes are left from a test and are not really used, but anyway, maybe there is something to learn ...
BTW: I removed the object class "organization" from both objects as no attribute of this class was assigned anyway and then it worked out ...
Okay, that I did manage to do ...
Now, with the operational attributes and the subentries, I'm not really a master on that, unfortunately - not yet, I guess.
Well, I exported the subentries (3 pcs) without the operational attributes.
Those, I could not import. I then also exported the operational attributes with the subentries, as I expect the missing definition of the Prescriptive ACI to be a problem ...
This didn't work either:
#!RESULT ERROR
#!CONNECTION ldap://10.255.100.16:389
#!DATE 2009-10-21T16:48:06.693
#!ERROR [LDAP: error code 16 - NO_SUCH_ATTRIBUTE: failed for Add
Request : ClientEntry dn:
cn=SE_LDAP_Full_Administrators,dc=netsuccess,dc=ch objectClass:
subentry objectClass: accessControlSubentry objectClass: top
prescriptiveaci: { identificationTag "ACI LDAP Full Administration
rights", precedence 100, authenticationLevel simple, itemOrUserFirst
userFirst: { userClasses { userGroup {
"cn=LDAP_Perm_Full_Administrators,ou=groups,ou=system" } },
userPermissions { { protectedItems { entry,
allUserAttributeTypesAndValues }, grantsAndDenials { grantImport,
grantReturnDN, grantModify, grantFilterMatch, grantRead, grantBrowse,
grantInvoke, grantExport, grantRemove, grantCompare,
grantDiscloseOnError, grantAdd, grantRename } } } } }
accessControlSubentries:
2.5.4.3=se_ldap_full_administrators,0.9.2342.19200300.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch
createTimestamp: 20090830192901Z cn: SE_LDAP_Full_Administrators
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
subtreespecification: { } modifyTimestamp: 20090917095431Z
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system :
Administration point
0.9.2342.19200300.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch does
not contain an administrativeRole attribute! An administrativeRole
attribute in the administrative point is required to add a subordinate
subentry.]
dn: cn=SE_LDAP_Full_Administrators,dc=netsuccess,dc=ch
objectClass: subentry
objectClass: accessControlSubentry
objectClass: top
cn: SE_LDAP_Full_Administrators
accessControlSubentries: 2.5.4.3=se_ldap_full_administrators,0.9.2342.192003
00.100.1.25=netsuccess,0.9.2342.19200300.100.1.25=ch
createTimestamp: 20090830192901Z
creatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=system
modifyTimestamp: 20090917095431Z
prescriptiveaci: { identificationTag "ACI LDAP Full Administration rights",
precedence 100, authenticationLevel simple, itemOrUserFirst userFirst: { us
erClasses { userGroup { "cn=LDAP_Perm_Full_Administrators,ou=groups,ou=syst
em" } }, userPermissions { { protectedItems { entry, allUserAttributeTypesA
ndValues }, grantsAndDenials { grantImport, grantReturnDN, grantModify, gra
ntFilterMatch, grantRead, grantBrowse, grantInvoke, grantExport, grantRemov
e, grantCompare, grantDiscloseOnError, grantAdd, grantRename } } } } }
subtreespecification: { }
Note: The access control is not enabled in ApacheDS for now, but I do not expect this to be the reason why the import does not work.
As I have both versions on the same system and not listening on different ports (OK, I could change that), I have to start/stop all the time...
So, maybe you have a hint / a micro how-to on how I have to proceed to achieve my goal ...
I guess I have to:
1. Import the system partition objects (might those include the operational attributes already?)
=> this more or less works
2. Import the custom partition objects without the operational attributes
=> this works if the supplemental object class "organization" is removed from the two objects
3. Import the subentries (check subentries on control section) - should those include the op. attr?
=> This I didn't manage to get in
4. Import the op. attr for the custom partition (otherwise I lose the creator/creation time)
=> This I didn't test, but I expect issues with the ACI description?! I could only export the relevant attributes ...
Thank you
Beat
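
Added example, not part of the original message and not ApacheDS or Studio code: a pre-import check over an LDIF export that reports the three conditions behind the errors quoted above (parent entry absent, more than one most-specific STRUCTURAL object class, subentry under an entry without administrativeRole). The function names, the hand-written schema subset `SUP` and the sample entries are assumptions made for illustration.

```python
import base64

# Constructed subset of the standard schema: structural class -> superior.
SUP = {"person": "top", "organizationalperson": "person",
       "inetorgperson": "organizationalperson", "organization": "top",
       "organizationalunit": "top", "domain": "top", "subentry": "top"}

def chain(c):  # c followed by its structural superiors, most specific first
    return [c] + (chain(SUP[c]) if SUP.get(c) in SUP else [])

def parse_ldif(text):  # -> [(lower-cased dn, {lower-cased attr: [values]})]
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, split records
        attrs = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if value.startswith(":"):  # 'attr:: <base64>'
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:  # naive DN handling: escaped commas are not supported
            dn = ",".join(p.strip().lower() for p in attrs["dn"][0].split(","))
            entries.append((dn, attrs))
    return entries

def preflight(entries, existing):  # existing: {lower-cased dn: attrs} on target
    known, findings = dict(existing), []
    for dn, attrs in sorted(entries, key=lambda e: e[0].count(",")):  # parents first
        parent = dn.partition(",")[2]
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        found = classes & SUP.keys()
        leaves = {c for c in found if not any(c in chain(o)[1:] for o in found)}
        if parent not in known:
            findings.append((dn, "parent missing"))
        if len(leaves) > 1:
            findings.append((dn, "structural: " + ", ".join(sorted(leaves))))
        if "subentry" in classes and "administrativerole" not in known.get(parent, {}):
            findings.append((dn, "parent lacks administrativeRole"))
        known[dn] = attrs
    return findings

# Constructed sample modelled on the failing entries; names are placeholders.
SAMPLE = ("dn: cn=Test User,ou=NS,dc=example,dc=com\n"
          "objectClass: inetOrgPerson\nobjectClass: organization\n\n"
          "dn: ou=NS,dc=example,dc=com\nobjectClass: organizationalUnit\n\n"
          "dn: cn=SE_Admins,dc=example,dc=com\nobjectClass: subentry\n")
EXISTING = {"dc=example,dc=com": {"objectclass": ["domain"]}}  # no administrativeRole
print(preflight(parse_ldif(SAMPLE), EXISTING))
```

Because entries are processed shallowest DN first, the person entry listed ahead of its OU in the sample does not produce a "parent missing" finding.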