With UCS-5.0 several legacy Univention Directory Manager (UDM) modules have been removed. Previously they were used to manage certain entries in LDAP, which become unmanageable after the upgrade: the data remains stored in LDAP, but the modules to create / show / modify / move / delete them are no longer available. In many cases this is unproblematic, but it leads to long-term problems, as folders containing such objects become un-removable, un-movable or un-renamable.
Therefore those entries should be deleted before the upgrade to UCS-5. This is checked during the upgrade procedure, which by default aborts if any such object is found.
Checking for legacy entries
- Download the script as file check.sh, for example by using
- Execute it as the user
sudo bash check.sh update_check_legacy_objects
- If the script outputs nothing, your system does not contain any legacy entries (anymore) and you are safe to upgrade.
- If any legacy objects are found, they are printed to output:
Starting check.sh (Di 6. Okt 08:56:58 CEST 2020):
The following objects are no longer supported with UCS-5:
    dn: cn=default-settings,cn=thinclient,cn=policies,dc=phahn,dc=qa
    dn: cn=OpenStack,cn=CloudType,cn=Virtual Machine Manager,dc=phahn,dc=qa
They must be removed before the update can be done.
    See <https://help.univention.com/t/16227> for details.
This check can be disabled by setting the UCR variable 'update50/ignore_legacy_objects' to 'yes'.
There are two types of entries:
STRUCTURAL object classes define the structure of each entry. As each entry has exactly one such class defining its purpose, it’s easy to identify those entries and to remove the complete entry.
AUXILIARY object classes are add-on classes, which can be added on top of any other classes. In most cases they are used for Extended Attributes, which allow them to store arbitrary data with each entry. In this case only the associated attributes should be deleted, not the complete entry!
Danger: Deleting the objects cannot be undone easily. At least make sure you have a recent backup of your LDAP database, which is by default created daily by the cron-job /usr/sbin/univention-ldap-backup and stored in
- Either go through that list manually and use the corresponding udm "$module" remove --dn "$dn" command to delete the entries.
- As an alternative you can also use ldapdelete -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret "$dn", which saves you from looking up the required UDM module name for each entry.
- You can also invoke the same script again with the alternative command line argument delete_legacy_objects to delete all legacy objects:
sudo bash check.sh delete_legacy_objects
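Because deletion cannot be undone easily, it helps to turn the DNs reported by the check into per-entry LDIF exports that can be reviewed (including their objectClass values) and kept for a restore. The following is an added example, not part of check.sh or of the original article; the function names and the directory /root/legacy-ldif are assumptions, and it only prints the export commands without running them.

```shell
#!/bin/sh
# Added example, not part of check.sh.

# Read the output of "check.sh update_check_legacy_objects" on stdin and
# print one DN per line. DNs may contain spaces, so everything after
# "dn: " up to the end of the line is taken.
legacy_dns() {
    sed -n 's/^[[:space:]]*dn:[[:space:]]*//p'
}

# Quote a string so it can be pasted safely into a shell command line.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Read DNs on stdin and print one export command per DN (dry run: nothing
# is executed). $1 is the directory for the LDIF files (hypothetical path).
export_plan() {
    outdir=$1
    n=0
    while IFS= read -r dn; do
        [ -n "$dn" ] || continue
        n=$((n + 1))
        printf 'univention-ldapsearch -LLL -s base -b %s > %s\n' \
            "$(shquote "$dn")" "$(shquote "$outdir/legacy-$n.ldif")"
    done
}

# Constructed sample, modelled on the check output shown in this article.
sample_output() {
    cat <<'EOF'
Starting check.sh (Di 6. Okt 08:56:58 CEST 2020):
The following objects are no longer supported with UCS-5:
    dn: cn=default-settings,cn=thinclient,cn=policies,dc=phahn,dc=qa
    dn: cn=OpenStack,cn=CloudType,cn=Virtual Machine Manager,dc=phahn,dc=qa
They must be removed before the update can be done.
EOF
}

sample_output | legacy_dns | export_plan /root/legacy-ldif
```

On a real system, pipe the output of the check into legacy_dns instead of sample_output.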
Deleting auxiliary classes
Deleting auxiliary classes is more complicated as they function as add-ons to other entries: Instead of deleting the complete entry, only the additional attributes and the objectClass must be removed from the entry. The procedure is described in detail in
This is also performed as part of sudo bash check.sh delete_legacy_objects.
Optional: Schema removal
Deleting the entries is sufficient, but the LDAP schema definitions can also be removed after all entries based on them have been deleted. As OpenLDAP does not allow schema removal, this requires a complete “dump-restore” cycle, which is described in more detail in
Alternative: keep entries
If you cannot or don’t want to remove the objects now and still want to manage them, you can still use a UCS-4.x system to do so.
Just make sure to delete those objects before you upgrade your last system to UCS-5. Otherwise you have to set up a new system based on UCS-4 and can then use that system again to manage those objects.
Quoting the warning from above again:
You may experience problems when renaming, removing or moving containers containing those legacy objects.
You have been warned!
The update check can be disabled by setting the UCR variable update50/ignore_legacy_objects to yes on each system before the update to UCS-5.0 is started.
List of affected LDAP Object classes and their UDM modules
Each entry names the “LDAP Object class”, the name of the managing UDM module (if any) and a short description to give you a hint for what the information is used.
univentionSamba4WinsHost: Extended attributes for Samba4WINS configuration.
univentionAdminUserSettings: UDM module settings/user to manage user preferences.
Univention Virtual Machine Manager (UVMM)
univentionVirtualMachineCloudConnection: UDM module uvmm/cloudconnection to manage Cloud connections
univentionVirtualMachineCloudType: UDM module uvmm/cloudtype to manage Cloud connection types like OpenStack or AWS
univentionVirtualMachine: UDM module uvmm/info to manage additional information per virtual machine like profile, associated user or free-form description.
univentionVirtualMachineProfile: UDM module uvmm/profile to manage profiles for Qemu/KVM virtual machines defining default values for new virtual machines.
univentionVirtualMachineGroupOC: Extended attributes per group; was never used
univentionVirtualMachineHostOC: Extended attributes per host for associating the managing UVMM
Univention Corporate Client (UCC)
univentionCorporateClient: UDM module computers/corporateclient to manage the machine account
univentionCorporateClientSession: UDM module settings/ucc_session to manage client sessions
univentionCorporateClientAutostart: LDAP class to manage autostart scripts
univentionCorporateClientImage: UDM module settings/ucc_image to manage the image to use
univentionPolicyCorporateClientUser: UDM policy policies/ucc_user to manage the user session
univentionPolicyCorporateClientComputer: UDM policy policies/ucc_hardware to manage access to local hardware
univentionPolicyCorporateClientDesktop: UDM policy policies/ucc_desktop to manage desktop environment variables
univentionPolicySoftwareupdates: UDM policy policies/ucc_software to manage software updates
univentionPolicyCorporateClient: LDAP super class for all UCC policies.
UCS Thin Client Services (UCS TCS)
univentionPolicyAutoStart: UDM policy to manage autostart script for Thin-/Managed-/Mobile-Clients
univentionPolicyThinClient: UDM policy to manage packages to install/remove
univentionThinClient: UDM module computers/thinclient to manage machine accounts of Thin-Clients
univentionMobileClient: UDM module computers/mobileclient to manage machine accounts of Mobile-Clients
univentionFatClient: UDM module computers/fatclient to manage machine accounts of Fat-Clients