Hello, perhaps someone can help me with this issue, as I am an LDAP novice.
I am migrating from an IBM Tivoli LDAP server to OpenLDAP 2.4.10 running under Solaris 10. I have the new service up and running, and am trying to export entries from old to new ldap servers using an LDAP Browser/Editor.
There are additional schema entries to be considered, and these have been configured with a line in the slapd.conf file as follows; include /usr/local/etc/openldap/schema/npr.schema
And npr.schema contains; objectClass ( 1.3.6.1.4.1.4203.1.4.6 NAME 'openbookmarks' DESC 'NPR GMIS Report Bookmark' MAY displayName AUXILIARY )
objectClass ( 1.3.6.1.4.1.4203.1.4.5 NAME 'vpnbookmarks' DESC 'NPR MDNS Report Bookmark' MAY displayName AUXILIARY )
objectClass ( 1.3.6.1.4.1.4203.1.4.4 NAME 'openscheduledreports' DESC 'NPR GMIS Scheduled Report' MAY displayName AUXILIARY )
objectClass ( 1.3.6.1.4.1.4203.1.4.3 NAME 'vpnscheduledreports' DESC 'NPR MDNS Scheduled Report' MAY displayName AUXILIARY )
objectClass ( 1.3.6.1.4.1.4203.1.4.2 NAME 'usergruas' DESC 'NPR User GRUAs' MAY displayName AUXILIARY )
objectClass ( 1.3.6.1.4.1.4203.1.4.7 NAME 'useraccounts' DESC 'NPR User Accounts' MAY displayName AUXILIARY )
objectClass ( 1.3.6.1.4.1.4203.1.4.0 NAME 'newaccntlist' DESC 'NPR User Account Lists' MAY displayName AUXILIARY )
attributetype ( 1.3.6.1.4.1.4203.1.4.0 NAME ( 'newaccntlist' ) SUP name ) attributetype ( 1.3.6.1.4.1.4203.1.4.7 NAME ( 'useraccounts' ) SUP name ) attributetype ( 1.3.6.1.4.1.4203.1.4.2 NAME ( 'usergruas' ) SUP name ) attributetype ( 1.3.6.1.4.1.4203.1.4.3 NAME ( 'vpnscheduledreports' ) SUP name ) attributetype ( 1.3.6.1.4.1.4203.1.4.4 NAME ( 'openscheduledreports' ) SUP name ) attributetype ( 1.3.6.1.4.1.4203.1.4.5 NAME ( 'vpnbookmarks' ) SUP name ) attributetype ( 1.3.6.1.4.1.4203.1.4.6 NAME ( 'openbookmarks' ) SUP name )
But when I run the import approx 1000 out of the 4000 entries are discarded with errors such as; Root error: [LDAP: error code 21 - vpnscheduledreports: value #0 invalid per syntax] 05:21:23 PM: Failed to synchronize entries Root error: [LDAP: error code 21 - vpnbookmarks: value #0 invalid per syntax] 05:21:24 PM: Failed to synchronize entries Root error: [LDAP: error code 21 - useraccounts: value #0 invalid per syntax]
It is obviously complaining about the entries that use the additional scheme attributes, but I have no idea why. Any help is greatly appreciated.
Lydon, Mark writes:
Root error: [LDAP: error code 21 - vpnscheduledreports: value #0 invalid per syntax] 05:21:23 PM: Failed to synchronize entries Root error: [LDAP: error code 21 - vpnbookmarks: value #0 invalid per syntax] 05:21:24 PM: Failed to synchronize entries Root error: [LDAP: error code 21 - useraccounts: value #0 invalid per syntax]
These attributes are derived from attribute 'name', so they get Directory String syntax (like most LDAP attributes). Directory String in LDAPv3 takes a non-empty UTF-8 string. Maybe your attributes are Latin-1, and your old server either is an LDAPv2 server (LDAPv2 character sets were a complete jungle) or does not check the syntax? If so the correct fix is to convert to UTF-8. However maybe that breaks your current applications, if they expect Latin-1... (You could hack the schema to use another syntax, but that easily becomes a maintenance nightmare and could have compatibility problems of its own.)
Thanks for this. Having studied the standard schema files, there seems to be no definition for the 'name' attribute (there is one entry that is commented out, if I uncomment it out LDAP complains about duplicate attributes) - is it somehow "built-in" to the system?
I can't even add the attributes manually via the browser - I see error in the slapd log saying; ntry (o=ATT,dc=npr), attribute 'openscheduledreports' not allowed entry failed schema check: attribute 'openscheduledreports' not allowed conn=1 op=7 RESULT tag=103 err=65 text=attribute 'openscheduledreports' not allowed
I'm not really sure what you mean about UTF-8 and Latin-1....looking at the LDIF export file I see data like this for the problem attributes; vpnbookmarks: Site to Site Response Time=/cgi-bin/VPN/s2sresp.pl?MONTH=-1m&g_
output_type=HTML&ACCOUNT_CODE=OMRNGRUA:1;FR6HLO00,BEOMR,NLOMN,DKOMRON,SE OMR, CHKZOM,NO615501,FIOMRON&pgsz=50
vpnscheduledreports: 999533103=outputformat>>HTML,,shortname>>Monthly%20Frame
%20Delivery%20CWT,,status>>a,,buildsLeft>>i,,date>>2001-09-03,,_id>>9995 3310
3,,lastBuild>>2008-10-01,,private>>no,,description>>,,service>>NPR,,freq uenc
y>>w0,,userprofile>>,,domain>>,,emailrecipients>>thomas_cordier%40nl.ibm .com
,,user>>thomas,,reportURL>>http%3A%2F%2F141.94.158.230%2Fcgi-bin%2FVPN%2 Fpca
p_frdel.pl%3FMONTH%3D-1m%26g_output_type%3DCSV%26ACCOUNT_CODE%3DCWTGRUA% 253A
1%253BCWAG%252CSECWL%252CPTCWT%252CNLCWT%252CITY634%252CGBCWT%252CDKWAGO NS%2
52CESCWT%252CCHCWT%252CCHKWLT%252CAPTR%252CDEONL%252CFR4COA00%252CBEWGL% 26pg
sz%3D5000%26%2FALL%253AFROMROUT%253A%2521%257E%253AIGN%26%2FALL%253AFROM ROUT
%253A%2521%257E%253AEhningen%26%2FALL%253ATOROUT%253A%2521%257E%253AIGN% 26%2
FALL%253ATOROUT%253A%2521%257E%253AEhningen,,organization>>AT%26T%20Glob al%2 0Network%20Services
openbookmarks: Link Usage=/cgi-bin/Opennet/link_usage.pl?ACCOUNT_CODE=&DATE=& g_output_type=HTML&pgsz=150&tonen=Show
Regards,
Mark
-----Original Message----- From: Hallvard Breien Furuseth [mailto:h.b.furuseth@usit.uio.no] Sent: 02 October 2008 16:16 To: Lydon, Mark Cc: openldap-technical@openldap.org Subject: Re: OpenLDAP 2.4.10 Import Errors
Lydon, Mark writes:
Root error: [LDAP: error code 21 - vpnscheduledreports: value #0 invalid per syntax] 05:21:23 PM: Failed to synchronize entries Root error: [LDAP: error code 21 - vpnbookmarks: value #0 invalid per syntax] 05:21:24 PM: Failed to synchronize entries Root error: [LDAP: error code 21 - useraccounts: value #0 invalid per syntax]
These attributes are derived from attribute 'name', so they get Directory String syntax (like most LDAP attributes). Directory String in LDAPv3 takes a non-empty UTF-8 string. Maybe your attributes are Latin-1, and your old server either is an LDAPv2 server (LDAPv2 character sets were a complete jungle) or does not check the syntax? If so the correct fix is to convert to UTF-8. However maybe that breaks your current applications, if they expect Latin-1... (You could hack the schema to use another syntax, but that easily becomes a maintenance nightmare and could have compatibility problems of its own.)
-- Hallvard
Lydon, Mark writes:
Thanks for this. Having studied the standard schema files, there seems to be no definition for the 'name' attribute (there is one entry that is commented out, if I uncomment it out LDAP complains about duplicate attributes) - is it somehow "built-in" to the system?
Yes, it's hardcoded in the C source. That's why it's commented out.
I can't even add the attributes manually via the browser - I see error in the slapd log saying; ntry (o=ATT,dc=npr), attribute 'openscheduledreports' not allowed entry failed schema check: attribute 'openscheduledreports' not allowed conn=1 op=7 RESULT tag=103 err=65 text=attribute 'openscheduledreports' not allowed
err=65 is objectClassViolation (see in rfc4511). The LDAP entry's objectClass attribute does not contain an object class which allows attribute 'openscheduledreports' to be included in the entry. I.e. the attribute is listed as a 'MUST' or 'MAY' attribute in the object class definition in the schema.
If you don't know what I'm talking about, you had better read up on LDAP a bit. E.g.: http://en.wikipedia.org/wiki/Ldap#Directory_structure http://en.wikipedia.org/wiki/Ldap#Schema
Looking again at the schema you posted, there is no object class there which allows the 'openscheduledreports' attribute. OTOH there are object classes with the same names as the attributes. Maybe that's a special hack on your old server which allows those attributes to be included. If so I guess the schema will need to be hacked anyway.
I'm not really sure what you mean about UTF-8 and Latin-1.... looking at the LDIF export file I see data like this for the problem attributes; (...)
That's not valid LDIF format - but perhaps your mailer reformatted it or something. Anyway, it looks like a non-empty 7-bit (ASCII) string, which should be fine for an attribute which inherits 'name's syntax.
I suggest you post a whole LDIF entry, not just the attribute, so we can see what object classes etc are there. And base64-encode it or post just an URL to where it can be found, so your mailer doesn't munge it. Remove personal info and passwords you do not want to post though...
Thanks for your help here.....I am gradually learning.
The original server had the setting "schemacheck off" in slapd.conf. I discovered that the variable wasn't supported in 2.4 and commented it out, but now I understand what it actually does.
I have updated several objectclasses in core.schema (probably bad practice) and I can now successfully import most entries. I need to add some brand new objectclasses to finally fix things, which I am working on now. Thanks you for your help.
Regards,
Mark
Please consider the environment... Do you need to print this email?
-----Original Message----- From: Hallvard Breien Furuseth [mailto:h.b.furuseth@usit.uio.no] Sent: 03 October 2008 12:40 To: Lydon, Mark Cc: openldap-technical@openldap.org Subject: RE: OpenLDAP 2.4.10 Import Errors
Lydon, Mark writes:
Thanks for this. Having studied the standard schema files, there seems to be no definition for the 'name' attribute (there is one entry
that is commented out, if I uncomment it out LDAP complains about duplicate attributes) - is it somehow "built-in" to the system?
Yes, it's hardcoded in the C source. That's why it's commented out.
I can't even add the attributes manually via the browser - I see error
in the slapd log saying; ntry (o=ATT,dc=npr), attribute 'openscheduledreports' not allowed entry failed schema check: attribute 'openscheduledreports' not allowed conn=1 op=7 RESULT tag=103 err=65 text=attribute
'openscheduledreports'
not allowed
err=65 is objectClassViolation (see in rfc4511). The LDAP entry's objectClass attribute does not contain an object class which allows attribute 'openscheduledreports' to be included in the entry. I.e. the attribute is listed as a 'MUST' or 'MAY' attribute in the object class definition in the schema.
If you don't know what I'm talking about, you had better read up on LDAP a bit. E.g.: http://en.wikipedia.org/wiki/Ldap#Directory_structure http://en.wikipedia.org/wiki/Ldap#Schema
Looking again at the schema you posted, there is no object class there which allows the 'openscheduledreports' attribute. OTOH there are object classes with the same names as the attributes. Maybe that's a special hack on your old server which allows those attributes to be included. If so I guess the schema will need to be hacked anyway.
I'm not really sure what you mean about UTF-8 and Latin-1.... looking at the LDIF export file I see data like this for the problem attributes; (...)
That's not valid LDIF format - but perhaps your mailer reformatted it or something. Anyway, it looks like a non-empty 7-bit (ASCII) string, which should be fine for an attribute which inherits 'name's syntax.
I suggest you post a whole LDIF entry, not just the attribute, so we can see what object classes etc are there. And base64-encode it or post just an URL to where it can be found, so your mailer doesn't munge it. Remove personal info and passwords you do not want to post though...
-- Hallvard
openldap-technical@openldap.org
-
Hallvard B Furuseth -
Lydon, Mark