With UCS-5.0 several legacy Univention Directory Manager (UDM) modules have been removed. They were previously used to manage certain entries in LDAP, and those entries become unmanageable after the upgrade: the data remains stored in LDAP, but the modules to create, show, modify, move or delete it are no longer available. In many cases this causes no immediate problem, but it leads to long-term trouble, as containers holding such objects can no longer be removed, moved or renamed.
Therefore those entries should be deleted before the upgrade to UCS-5. This is checked during the upgrade procedure, which by default aborts if any such object is found.
Checking for legacy entries
- Download the script as file check.sh, for example by using wget.
- Execute it as the user root:
  sudo bash check.sh update_check_legacy_objects
- If the script outputs nothing, your system does not contain any legacy entries (anymore) and you are safe to upgrade.
- If any legacy objects are found, they are printed to the output:
  Starting check.sh (Di 6. Okt 08:56:58 CEST 2020):
  The following objects are no longer supported with UCS-5:
  dn: cn=default-settings,cn=thinclient,cn=policies,dc=phahn,dc=qa
  dn: cn=OpenStack,cn=CloudType,cn=Virtual Machine Manager,dc=phahn,dc=qa
  They must be removed before the update can be done.
  See <https://help.univention.com/t/16227> for details.
  This check can be disabled by setting the UCR variable 'update50/ignore_legacy_objects' to 'yes'.
There are two types of entries:
- STRUCTURAL object classes define the structure of each entry. As each entry has exactly one such class defining its purpose, it is easy to identify those entries and to remove the complete entry.
- AUXILIARY object classes are add-on classes, which can be added on top of any other class. In most cases they are used for Extended Attributes, which allow arbitrary data to be stored with each entry. In this case only the associated attributes and the objectClass value should be deleted, not the complete entry!
Deleting entries
Danger: deleting the objects cannot be undone easily. At least make sure you have a recent backup of your LDAP database, which is by default created daily by the cron job /etc/cron.d/univention-ldap-server invoking /usr/sbin/univention-ldap-backup and stored in /var/univention-backup/.
- Either go through that list manually and use the corresponding
  udm "$module" remove --dn "$dn"
  command to delete the entries.
- As an alternative you can also use
  ldapdelete -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret "$dn"
  which saves you from looking up the required UDM module name for each entry. Run it on the DC master, where /etc/ldap.secret is available. Note that ldapdelete refuses to remove an entry that still has child entries unless you add -r, so inspect such a subtree before deleting it recursively.
- You can also invoke the same script again with the alternative command line argument delete_legacy_objects to delete all legacy objects:
  sudo bash check.sh delete_legacy_objects
Deleting auxiliary classes
Deleting auxiliary classes is more complicated as they function as add-ons to other entries: instead of deleting the complete entry, only the additional attributes and the objectClass value must be removed from the entry. The procedure is described in detail in
This is also performed as part of sudo bash check.sh delete_legacy_objects.
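The two cases above (delete the whole entry for a STRUCTURAL legacy class, strip only the class value and its private attributes for an AUXILIARY one) can be turned into LDIF mechanically from the server schema. The following Python script is an added example, not Univention's check.sh or any Univention code: it parses objectClasses definitions as served by the cn=Subschema entry, classifies each legacy class by kind, and prints LDIF for ldapmodify. The schema excerpt, the entries and the LEGACY list are constructed for the example; every name beginning with "example" and both OIDs are made up, and the real class names come from the list at the end of this article.

```python
"""Plan the removal of UCS-4 legacy LDAP objects before the UCS-5 upgrade.
Added example, not Univention's check.sh. Legacy classes found in the schema
are handled by kind: STRUCTURAL -> delete the entry; AUXILIARY -> strip the
objectClass value and the attributes only that class permits. SUBSCHEMA,
ENTRIES and LEGACY are CONSTRUCTED; the "example*" names and OIDs are made up.
"""
import re

# CONSTRUCTED schema excerpt (RFC 4512 syntax as served by cn=Subschema).
SUBSCHEMA = """\
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY (
  userPassword $ telephoneNumber $ description ) )
objectClasses: ( exampleOID.1 NAME 'exampleLegacyAux' SUP top AUXILIARY MUST exampleLegacyFlag MAY ( exampleLegacyServer $ description ) )
objectClasses: ( exampleOID.2 NAME 'exampleLegacyPolicy' SUP top STRUCTURAL MUST cn MAY exampleLegacyServer )
"""
# CONSTRUCTED entries: a structural legacy policy and a user carrying the auxiliary class.
ENTRIES = """\
dn: cn=default-settings,cn=examplelegacy,cn=policies,dc=example,dc=com
objectClass: exampleLegacyPolicy
cn: default-settings

dn: cn=alice,cn=users,dc=example,dc=com
objectClass: person
objectClass: exampleLegacyAux
cn: alice
sn: Example
description: also permitted by person, so it must survive
exampleLegacyFlag: TRUE
"""
LEGACY = ["exampleLegacyAux", "exampleLegacyPolicy"]

OC_RE = re.compile(  # just enough RFC 4512: NAME, kind, MUST, MAY (in that order)
    r"\(\s*\S+\s+NAME\s+'(?P<name>[^']+)'"
    r".*?\b(?P<kind>STRUCTURAL|AUXILIARY|ABSTRACT)\b"
    r"(?:.*?\bMUST\s+(?P<must>\([^)]*\)|\S+))?"
    r"(?:.*?\bMAY\s+(?P<may>\([^)]*\)|\S+))?")

def _unfold(text):  # join LDIF continuation lines (leading space) onto the previous one
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines: lines[-1] += line[1:]
        else: lines.append(line)
    return lines

def _names(spec):  # '( a $ b )' or 'a' -> {'a', 'b'}; None -> empty set
    return {x for x in re.split(r"[\s$()]+", spec or "") if x}

def parse_object_classes(subschema_ldif):
    """Map lower-cased class name -> {kind, must, may} from 'objectClasses:' lines."""
    classes = {}
    for line in _unfold(subschema_ldif):
        m = OC_RE.search(line) if line.startswith("objectClasses:") else None
        if m:
            classes[m["name"].lower()] = {"kind": m["kind"], "must": _names(m["must"]), "may": _names(m["may"])}
    return classes

def parse_ldif(text):  # -> [(dn, {attr: [values]})]; base64 ('::') values are not decoded
    entries, cur = [], None
    for line in _unfold(text) + [""]:
        attr, _, value = line.partition(":")
        if not line.strip():
            if cur: entries.append(cur)
            cur = None
        elif attr.lower() == "dn":
            cur = (value.strip(), {})
        elif cur:
            cur[1].setdefault(attr, []).append(value.strip())
    return entries

def _permitted(classes, oc):  # attributes class oc allows; unknown class (e.g. 'top') -> none
    info = classes.get(oc.lower(), {})
    return info.get("must", set()) | info.get("may", set())

def plan_removal(entries, classes, legacy):
    """LDIF deleting structural legacy entries and stripping auxiliary legacy classes."""
    legacy_l = {c.lower() for c in legacy}
    out = []
    for dn, attrs in entries:
        ocs = attrs.get("objectClass", [])
        hit = [oc for oc in ocs if oc.lower() in legacy_l]
        if not hit:
            continue
        kinds = [classes[oc.lower()]["kind"] for oc in hit]  # KeyError: schema lacks the class
        if "STRUCTURAL" in kinds:
            out.append(f"dn: {dn}\nchangetype: delete\n")
            continue
        # The classes that stay decide which attributes must survive (UCS entries list
        # their whole class chain); never delete something they still permit.
        allowed = {a.lower() for oc in ocs if oc.lower() not in legacy_l for a in _permitted(classes, oc)}
        present = {a.lower() for a in attrs}
        rdn_attr = dn.split("=", 1)[0].strip().lower()  # single-valued RDN assumed
        mods = []
        for oc in hit:
            for attr in sorted(_permitted(classes, oc)):
                if attr.lower() not in present or attr.lower() in allowed:
                    continue  # absent (delete would fail) or needed by another class
                if attr.lower() == rdn_attr:
                    raise ValueError(f"{dn}: {attr} is the naming attribute; rename first")
                mods.append(f"delete: {attr}")
            mods.append(f"delete: objectClass\nobjectClass: {oc}")
        out.append(f"dn: {dn}\nchangetype: modify\n" + "\n-\n".join(mods) + "\n-\n")
    return "\n".join(out)

if __name__ == "__main__":
    print(plan_removal(parse_ldif(ENTRIES), parse_object_classes(SUBSCHEMA), LEGACY))
```

On a real system the two inputs come from the DC master: the schema from ldapsearch -LLL -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret -s base -b cn=Subschema objectClasses, and the entries from the same ldapsearch against the LDAP base with a filter such as (|(objectClass=univentionThinClient)(objectClass=univentionSamba4WinsHost)) built from the class list below. Review the generated LDIF before feeding it to ldapmodify: an attribute that is shared with a class that stays (description in the example) is deliberately left alone, an attribute the entry does not carry is skipped because deleting it would fail, and an entry whose RDN is built from a legacy attribute is rejected, since it has to be renamed before the attribute can go.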
Optional: Schema removal
Deleting the entries is sufficient, but the LDAP schema definitions can also be removed after all entries based on them have been deleted. As OpenLDAP does not allow removing a loaded schema at runtime, this requires a complete "dump-restore" cycle, which is described in more detail in
Alternative: keep entries
If you cannot or do not want to remove the objects now and still want to manage them, you can still use a UCS-4.x system to do so.
Just make sure to delete those objects before you upgrade your last system to UCS-5. Otherwise you have to set up a new system based on UCS-4 and can then use that system again to manage those objects.
Quoting the warning from above again:
You may experience problems when renaming, removing or moving containers containing those legacy objects.
You have been warned!
The update check can be disabled by setting the UCR variable update50/ignore_legacy_objects to yes on each system before the update to UCS-5.0 is started.
List of affected LDAP object classes and their UDM modules
Each entry names the LDAP object class, the name of the managing UDM module (if any) and a short description to give you a hint what the information is used for.
Miscellaneous
- univentionSamba4WinsHost: Extended attributes for Samba4WINS configuration
- univentionAdminUserSettings: Global per-user settings for UDM
- univentionPolicySharePrintQuota: UDM policy policies/print_quota to manage quotas per printer
- univentionXConfigurationChoices: UDM module settings/xconfig_choices to configure X11
- univentionMailQuota: UDM policy policies/mailquota for Cyrus IMAPd
Univention Corporate Client (UCC)
- univentionCorporateClient: UDM module computers/corporateclient to manage the machine account
- univentionCorporateClientSession: UDM module settings/ucc_session to manage client sessions
- univentionCorporateClientAutostart: LDAP class to manage autostart scripts
- univentionCorporateClientImage: UDM module settings/ucc_image to manage the image to use
- univentionPolicyCorporateClientUser: UDM policy policies/ucc_user to manage the user session
- univentionPolicyCorporateClientComputer: UDM policy policies/ucc_hardware to manage access to local hardware
- univentionPolicyCorporateClientDesktop: UDM policy policies/ucc_desktop to manage desktop environment variables
- univentionPolicySoftwareupdates: UDM policy policies/ucc_software to manage software updates
- univentionPolicyCorporateClient: LDAP super class for all UCC policies
Univention Thin Client Services (UCS TCS)
- univentionPolicyAutoStart: UDM policy policies/autostart to manage autostart scripts
- univentionPolicyThinClient: UDM policy policies/thinclient to manage user sessions
- univentionThinClient: UDM module computers/thinclient to manage the machine account of thin clients
- univentionMobileClient: UDM module computers/mobileclient to manage the machine account of notebooks
- univentionFatClient: UDM module computers/managedclient to manage the machine account of desktop clients