Adam Tauno Williams writes:
OK, I understand that this is happening because of schema violation, but nevertheless, I still need some advices or tips, how to avoid getting into trubles when upgrading the servers. Is there an easy way to get rid of the problem, but still using this type of suffix with country value longer that 2 characters?
Slapcat and fix the values; the 2 character abbreviations are an ISO standard you can download. Modify your application to only accept legitimate country codes.
http://www.iso.org/iso/country_codes/iso_3166_code_lists/english_country_names_and_code_elements.htm
Or use 'co' (friendlyCountryName) from cosine.schema instead, though a 'c' attribute is required as well for friendlyCountry objects.
Or if renaming the DIT is not feasible in the short run, edit core.schema for now and put back the OpenLDAP 2.3 definition of 'c', which came from RFC 2256. OpenLDAP 2.4 uses the RFC 4519 definition, which matches the X.500 definition. Note that editing an existing attribute's schema definition also requires a slapcat/slapadd. This will not interoperate with other software which expect 2-letter 'c' attributes, so you do need to move away from your current DIT.
Maybe attributes exist somewhere for 3-letter and numberic 3-digit country codes as well. If not, you could submit an internet-draft for such attributes. Or suggest changing 'c' to allow both 2- and 3-letter codes, though I doubt that would be accepted. The latter would also need to be coordinated with an X.500 change.