How to deal with objects in cn=temporary




I guess this topic and a possible answer are of more or less public interest.

It appears at least when looking at the current status of that the handling of objects in cn=temporary is not fully documented. There are also other open issues mentioning that the handling of object locks could be improved. Especially when testing migration scenarios with bulk adds of objects, I have seen that locking objects remain in the containers below cn=temporary. Subsequent attempts to create objects with the locked attributes will not be possible until the lock is removed.
In the past, I have removed those objects by using the LDAP browser in UMC. But I have doubts that this is the intended method.
Finally I used the search function (strike! :wink: ) and came across objectClass: lock.

Am I correct with the assumption that using “udm settings/lock …” is the right way to deal with the locks and all other objects in cn=temporary should never be touched?

On my production system I have also noticed that there are lots of remnants in cn=sid,cn=temporary. Can I remove those too?

Thanks for reading,


Hi Dirk,

I dare to say: yes, lock objects underneath cn=temporary can safely be removed via UMC or UDM as long as …

  • … there is currently no LDAP modification going on (a colleague doing some imports, S4-Connector still busy syncing SIDs or a longer lasting UCS@school import, for example)
  • … only the lock objects are deleted and not the containers (e.g. cn=sid)

The lock objects are used to ensure the uniqueness of certain attributes during object creation (or modification). The main reason why lock objects keep hanging around is that UDM is not that good at cleaning up those locks if something goes wrong during the object creation process (see also Bug 41711).

Best regards,
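
The two conditions from the answer above, as an added example that is not part of the original thread and is not Univention code: a dry-run filter that reads LDIF, keeps only entries with objectClass lock below cn=temporary (never the containers such as cn=sid), and prints the matching `udm settings/lock remove` commands without running them. Assumptions: the LDIF comes from a search such as `univention-ldapsearch -LLL -b "cn=temporary,cn=univention,<LDAP base>"`, the function names are hypothetical, and the sample entries are constructed.

```shell
#!/bin/sh
# Added example, not Univention code. Reads LDIF on stdin and prints the DNs
# of lock objects (objectClass: lock) below cn=temporary, one per line.
list_lock_dns() {
    awk '
    function emit_entry() {
        # Containers such as cn=sid lack objectClass lock and are skipped.
        # DNs containing a single quote are skipped so the printed command
        # stays safely quoted; base64 DNs ("dn:: ") are skipped as well.
        if (dn != "" && is_lock && index(dn, "\047") == 0 &&
            tolower(dn) ~ /,cn=temporary,/)
            print dn
        dn = ""; is_lock = 0
    }
    function handle(line) {
        if (line == "") { emit_entry(); return }
        if (line ~ /^dn: /) { dn = substr(line, 5); return }
        if (tolower(line) == "objectclass: lock") is_lock = 1
    }
    # LDIF folds long lines: a leading space continues the previous line.
    /^ / { pending = pending substr($0, 2); next }
    { if (have) handle(pending); pending = $0; have = 1 }
    END { if (have) handle(pending); emit_entry() }
    '
}

# Dry run: print one removal command per lock DN, execute nothing.
print_removals() {
    list_lock_dns | while IFS= read -r dn; do
        printf "udm settings/lock remove --dn '%s'\n" "$dn"
    done
}

# Constructed sample input: one container, one folded lock entry, one user.
sample_ldif() {
    cat <<'EOF'
dn: cn=sid,cn=temporary,cn=univention,dc=example,dc=test
objectClass: organizationalRole
cn: sid

dn: cn=S-1-5-21-1111-2222-3333-1105,cn=sid,cn=temporary,cn=univention,dc=exam
 ple,dc=test
objectClass: lock
cn: S-1-5-21-1111-2222-3333-1105

dn: uid=alice,cn=users,dc=example,dc=test
objectClass: person
EOF
}
```

Review the printed commands and run them only once no import or S4-Connector sync is still in progress, since the filter cannot tell a stale lock from one that is in use.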