2:24 p.m.
Hi,
I am currently in the process of moving our LDAP-Servers from old
CentOS 7 Servers to new Debian 11 Servers. In the process I am
exporting all databases from the old server to ldif files and importing
those files on the new server.
When I import such a file I get a lot (basically for every single entry)
of warnings and errors in the errors-log like the following:
[08/Nov/2022:21:01:52.272475719 +0100] - ERR - oc_check_allowed_sv - Entry
"cn=219058,ou=accounts,o=demo" -- attribute "entrylevelrights" not
allowed
[08/Nov/2022:21:01:52.273547001 +0100] - WARN - import_producer - import demo: Skipping
entry "cn=219058,ou=accounts,o=demo" which violates schema, ending line 9232514
of file "/var/lib/dirsrv/slapd-ldap-master/ldif/demo.ldif"
I can't make heads or tails of this. I exported the ldif using the
389-console using "Export Databases" and I import them via Cockpit
using "Initialize Suffix" for the Suffix o=demo
I cannot find this attribute in any schema-file on either the old or
the new servers. Where does this come from, and how do I solve this
issue?
Thanks in advance
Julian
3:12 p.m.
On Tue, 2022-11-08 at 21:24 +0100, Julian Kippels wrote:
Hi,
I am currently in the process of moving our LDAP-Servers from old
CentOS 7 Servers to new Debian 11 Servers. In the process I am
exporting all databases from the old server to ldif files and
importing
those files on the new server.
When I import such a file I get a lot (basically for every single
entry)
of warnings and errors in the errors-log like the following:
[08/Nov/2022:21:01:52.272475719 +0100] - ERR - oc_check_allowed_sv -
Entry "cn=219058,ou=accounts,o=demo" -- attribute
"entrylevelrights"
not allowed
[08/Nov/2022:21:01:52.273547001 +0100] - WARN - import_producer -
import demo: Skipping entry "cn=219058,ou=accounts,o=demo" which
violates schema, ending line 9232514 of file "/var/lib/dirsrv/slapd-
ldap-master/ldif/demo.ldif"
I can't make heads or tails of this. I exported the ldif using the
389-console using "Export Databases" and I import them via Cockpit
using "Initialize Suffix" for the Suffix o=demo
I cannot find this attribute in any schema-file on either the old or
the new servers. Where does this come from
a custom schema on the 1.2.2 box?
, and how do I solve this
issue?
I'm curious what objectclasses are found under the
cn=219058,ou=accounts,o=demo object, and whether entrylevelrights is
listed as an attribute for this object.
If so, and the attribute is unneeded, perhaps remove this attribute
from the ldif prior to importing?
Mark
3:39 p.m.
On 11/8/22 4:12 PM, Christian, Mark wrote:
On Tue, 2022-11-08 at 21:24 +0100, Julian Kippels wrote:
> Hi,
>
> I am currently in the process of moving our LDAP-Servers from old
> CentOS 7 Servers to new Debian 11 Servers. In the process I am
> exporting all databases from the old server to ldif files and
> importing
> those files on the new server.
>
> When I import such a file I get a lot (basically for every single
> entry)
> of warnings and errors in the errors-log like the following:
>
> [08/Nov/2022:21:01:52.272475719 +0100] - ERR - oc_check_allowed_sv -
> Entry "cn=219058,ou=accounts,o=demo" -- attribute
"entrylevelrights"
> not allowed
> [08/Nov/2022:21:01:52.273547001 +0100] - WARN - import_producer -
> import demo: Skipping entry "cn=219058,ou=accounts,o=demo" which
> violates schema, ending line 9232514 of file "/var/lib/dirsrv/slapd-
> ldap-master/ldif/demo.ldif"
>
> I can't make heads or tails of this. I exported the ldif using the
> 389-console using "Export Databases" and I import them via Cockpit
> using "Initialize Suffix" for the Suffix o=demo
>
> I cannot find this attribute in any schema-file on either the old or
> the new servers. Where does this come from
a custom schema on the 1.2.2 box?
This attribute is used by GER (get effective rights) it's not supposed
to be written to the entry. At least not when you "export" the database
to ldif.
How did you generate these ldifs? Did you use db2ldif, or ldapsearch?
If you used ldapsearch, then stop. Please use db2ldif/db2ldif.pl
Mark R
> , and how do I solve this
> issue?
I'm curious what objectclasses are found under the
cn=219058,ou=accounts,o=demo object, and whether entrylevelrights is
listed as an attribute for this object.
If so, and the attribute is unneeded, perhaps remove this attribute
from the ldif prior to importing?
Mark
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Directory Server Development Team
2:41 a.m.
Hi,
Am Tue, 8 Nov 2022 16:39:20 -0500
schrieb Mark Reynolds <mareynol(a)redhat.com>:
How did you generate these ldifs? Did you use db2ldif, or
ldapsearch? If you used ldapsearch, then stop. Please use
db2ldif/db2ldif.pl
I created the ldifs using the Java 389-console, loggin in as directory
manager and using the "Export Databases"-Task on the master server.
What's weird about this is, I closed and reopened 398-console, did the
exact same steps to create the ldifs and now those attributes are gone
from the ldif. I will look into using db2ldif anyway. Thanks for the
suggestion.
Julian
3:57 a.m.
Hi All,
Long time lurker here, probably a stupid question if you are upgrading to newer distro
releases wouldnt it make sense to just replicate things over to the new server and
decommission the old?
Regards,
Jonathan
________________________________
From: Julian Kippels <kippels(a)hhu.de>
Sent: 09 November 2022 09:41
To: 389-users(a)lists.fedoraproject.org <389-users(a)lists.fedoraproject.org>
Subject: [389-users] Re: Upgrading from 1.2.2 to 1.4.4
Hi,
Am Tue, 8 Nov 2022 16:39:20 -0500
schrieb Mark Reynolds <mareynol(a)redhat.com>:
How did you generate these ldifs? Did you use db2ldif, or
ldapsearch? If you used ldapsearch, then stop. Please use
db2ldif/db2ldif.pl
I created the ldifs using the Java 389-console, loggin in as directory
manager and using the "Export Databases"-Task on the master server.
What's weird about this is, I closed and reopened 398-console, did the
exact same steps to create the ldifs and now those attributes are gone
from the ldif. I will look into using db2ldif anyway. Thanks for the
suggestion.
Julian
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:
https://link.edgepilot.com/s/5353705e/8Hp8ovsp30_NMAcWaQfCyg?u=https://do...
List Guidelines:
https://link.edgepilot.com/s/cd8b71a5/Pt5FTNs3VECz_DXDkyrwpg?u=https://fe...
List Archives:
https://link.edgepilot.com/s/adacc523/ci-RyE4zSUWsOSXAfAKvoA?u=https://li...
Do not reply to spam, report it:
https://link.edgepilot.com/s/09732669/PdftMkbq8ku1mOsCnVgOdA?u=https://pa...
Links contained in this email have been replaced. If you click on a link in the email
above, the link will be analyzed for known threats. If a known threat is found, you will
not be able to proceed to the destination. If suspicious content is detected, you will see
a warning.
6:36 a.m.
On 11/9/22 3:41 AM, Julian Kippels wrote:
Hi,
Am Tue, 8 Nov 2022 16:39:20 -0500
schrieb Mark Reynolds <mareynol(a)redhat.com>:
> How did you generate these ldifs? Did you use db2ldif, or
> ldapsearch? If you used ldapsearch, then stop. Please use
> db2ldif/db2ldif.pl
I created the ldifs using the Java 389-console, loggin in as directory
manager and using the "Export Databases"-Task on the master server.
What's weird about this is, I closed and reopened 398-console, did the
exact same steps to create the ldifs and now those attributes are gone
from the ldif. I will look into using db2ldif anyway.
Ok the console does use db2ldif in this case. So I can not explain why
those attributes were appearing, but you should be good to go now.
Mark
Thanks for the
suggestion.
Julian
_______________________________________________
389-users mailing list -- 389-users(a)lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproje...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Directory Server Development Team
527
days inactive
528
days old
389-users@lists.fedoraproject.org
5 comments
4 participants
participants (4)
-
Christian, Mark -
Jonathan Aquilina -
Julian Kippels -
Mark Reynolds