Hello,
 
At the moment we have OpenLDAP 2.3.17 installed on our production servers. Recently we decided to upgrade to version 2.4.9 and came across an issue which doesn't seem easy to solve.
It's about the "c" (country) attribute syntax definition, which was changed in the core schema between 2.3.17 and 2.4. In the past this attribute allowed string values, but now it is limited to 2 characters only ("Country String").
The country value is part of the suffix in our DIT (e.g. l=$locality,c=$country); the problem is that our users in some cases used 3 or more letters for the country attribute. This was on the 2.3 server. Now I want to upgrade the server to the new version and at the same time convert the old-fashioned slapd.conf configuration to the dynamic one (slapd.d). When I try to bring up the database, the server fails to start and I get the following error:
 
(a snippet from slapd debug):
...
>>> dnPrettyNormal: <olcDatabase={-1}frontend>
<<< dnPrettyNormal: <olcDatabase={-1}frontend>, <olcDatabase={-1}frontend>
>>> dnNormalize: <cn=config>
<<< dnNormalize: <cn=config>
>>> dnNormalize: <cn=config>
<<< dnNormalize: <cn=config>
<= str2entry(olcDatabase={-1}frontend) -> 0x828cba4
>>> dnPrettyNormal: <l=kranj,c=slo>
ldap_err2string
config error processing olcDatabase={-1}frontend,cn=config: <olcDefaultSearchBase> invalid DN 21 (Invalid syntax)
send_ldap_result: conn=-1 op=0 p=0
slapd destroy: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
 
OK, I understand that this is happening because of a schema violation, but nevertheless I still need some advice or tips on how to avoid getting into trouble when upgrading the servers. Is there an easy way to get rid of the problem while still using this type of suffix with a country value longer than 2 characters?
 
Thanks a lot.
Best Regards,
Domen
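
Added example, not part of the original post: a pre-upgrade check that scans an LDIF export (for instance slapcat output or converted cn=config entries) for DNs whose "c" value is not a valid two-character Country String as defined in RFC 4517. The list of DN-valued attributes, the simplified DN splitting and the sample data are assumptions made for this sketch.

```python
import base64
import re

# RFC 4517 Country String: exactly two PrintableCharacter symbols.
COUNTRY_STRING = re.compile(r"[A-Za-z0-9'()+,\-.=/:? ]{2}")
COUNTRY_TYPES = {"c", "countryname", "2.5.4.6"}
# DN-valued attributes to inspect (assumed list; extend for your DIT).
DN_ATTRS = {"dn", "olcsuffix", "olcdefaultsearchbase"}
# Simplified DN parsing: split on ',' or '+' not preceded by a backslash.
AVA_SPLIT = re.compile(r"(?<!\\)[,+]")
LDIF_LINE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def invalid_country_values(dn):
    """Return the c= values in a DN string that are not valid Country Strings."""
    bad = []
    for ava in AVA_SPLIT.split(dn):
        attr, sep, value = ava.partition("=")
        if sep and attr.strip().lower() in COUNTRY_TYPES:
            if not COUNTRY_STRING.fullmatch(value.strip()):
                bad.append(value.strip())
    return bad


def scan_ldif(text):
    """Return (attribute, dn, bad_values) for each DN the new schema would reject."""
    findings = []
    unfolded = re.sub(r"\r?\n ", "", text)  # join LDIF continuation lines
    for line in unfolded.splitlines():
        m = LDIF_LINE.match(line)
        if not m or m.group(1).lower() not in DN_ATTRS:
            continue
        value = m.group(3)
        if m.group(2) == "::":  # base64-encoded value
            value = base64.b64decode(value).decode("utf-8")
        bad = invalid_country_values(value)
        if bad:
            findings.append((m.group(1), value, bad))
    return findings


# Constructed sample input, modelled on the DNs quoted in the post.
SAMPLE_LDIF = (
    "dn: olcDatabase={-1}frontend,cn=config\n"
    "olcDefaultSearchBase: l=kranj,c=slo\n\n"
    "dn: l=ljubljana,c=si\nl: ljubljana\n\n"
    "dn:: " + base64.b64encode(b"l=celje,c=slovenia").decode() + "\n"
)

if __name__ == "__main__":
    for attr, dn, bad in scan_ldif(SAMPLE_LDIF):
        print(f"{attr}: {dn} -> invalid country value(s): {bad}")
```

Running it over a full export before the upgrade lists every entry and configuration value that would trigger the "invalid DN 21 (Invalid syntax)" error shown in the debug output.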