Remove legacy UDM / LDAP objects with upgrade to UCS-5.0

With UCS-5.0 several legacy Univention Directory Manager (UDM) modules have been removed. Previously they were used to manage certain entries in LDAP, which become unmanageable after the upgrade: The data remains stored in LDAP, but the modules to create / show / modify / move / delete them is no longer available. In many cases this is unproblematic, but leads to long-term problems as folders containing such objects become un-removable, un-movable or un-renamable.
Therefore those entries should be deleted before the upgrade to UCS-5. This is checked during the upgrade procedure, which by default aborts if any such object is found.

Checking for legacy entries

  1. Download the script as file, for example by using wget.
  2. Execute it as the user root: sudo bash update_check_legacy_objects
  • If the script outputs nothing, your system does not contain any legacy entries (anymore) and you are safe to upgrade.
  • If any legacy objects are found, they are printed to output:
Starting (Di 6. Okt 08:56:58 CEST 2020):
        The following objects are no longer supported with UCS-5:
                dn: cn=default-settings,cn=thinclient,cn=policies,dc=phahn,dc=qa
                dn: cn=OpenStack,cn=CloudType,cn=Virtual Machine Manager,dc=phahn,dc=qa
        They must be removed before the update can be done.
        See <> for details.

        This check can be disabled by setting the UCR variable 'update50/ignore_legacy_objects' to 'yes'.

There are two types of entries:

  1. STRUCTURAL object classes define the structure of each entry. As each entry has exactly one such class defining its purpose, it’s easy to identify those entries and to remove the complete entry.
  2. AUXILIARY object classes are add-on classes, which can be added on top of any other classes. In most cases they are used for Extended Attributes, which allow them to store arbitrary data with each entry. In this case only the associated attributes should be deleted, not the complete entry!

Deleting entries

Danger: deleting the objects cannot be undone easily. At least make sure you have a recent backup of your LDAP database, which is by default created daily by the cron-job /etc/cron.d/univention-ldap-server invoking /usr/sbin/univention-ldap-backup and stored in /var/univention-backup/.

  • Either go through that list manually and use the corresponding udm "$module" remove --dn "$dn" command to delete the entries.
  • As an alternative you can also use ldapdelete -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret "$dn", which saves you from looking up the required UDM module name for each entry.
  • You can also invoke the same script again with the alternative command line argument delete_legacy_objects to delete all legacy objects:
    sudo bash delete_legacy_objects

Deleting auxiliary classes

Deleting auxiliary classes is more complicated as they function as add-ons to other entries: Instead of deleting the complete entry only the additional attributes and the objectClass must be removed from the entry. The procedure is described in detail in

This is also performed as part of sudo bash delete_legacy_objects.

Optional: Schema removal

Deleting the entries is sufficient, but the LDAP schema definitions can also be removed after all entries based on them have been deleted. As OpenLDAP does not allow schema removal, this requires a complete “dump-restore” cycle, which is described in more detail in

Alternative: keep entries

If you cannot or don’t want to remove the objects now and still want to manage them, you can still use an UCS-4.x system to do so.
Just make sure to delete those objects before you upgrade your last system to UCS-5. Otherwise you have to setup a new system based on UCS-4 and then can use that system again to manage those objects.

Quoting the warning from above again:

Your may experience problems when renaming, removing or moving containers containing those legacy objects.

You have been warned!

The update check can be disabled by setting the UCR variable update50/ignore_legacy_objects to yes on each system before the update to UCS-5.0 is started.

List of affected LDAP Object classes and their UDM modules

Each entry names the “LDAP Object class”, the name of the managing UDM module (if any) and a short description to give you a hint for what the information is used.


  • univentionSamba4WinsHost: Extended attributes for Samba4WINS configuration.
  • univentionAdminUserSettings: UDM module settings/user to manager user preferences.

Univention Virtual Machine Manager (UVMM)

  • univentionVirtualMachineCloudConnection: UDM module uvmm/cloudconnection to manage Cloud connections
  • univentionVirtualMachineCloudType: UDM module uvmm/cloudtyp to manage Cloud connection types like OpenStack or AWS
  • univentionVirtualMachine: UDM module uvmm/info to manage additional information per virtual machine like profile, associated user or free-form description.
  • univentionVirtualMachineProfile: UDM module uvmm/profile to manage profiles for Qemu/KVM virtual machines defining default values for new virtual machines.
  • univentionVirtualMachineGroupOC: Extended attributes per group; was newer used
  • univentionVirtualMachineHostOC: Extended attributes per host for associating the managing UVMM

Univention Corporate Client (UCC)

  • univentionCorporateClient: UDM module computers/corporateclient to manage the machine account
  • univentionCorporateClientSession: UDM module settings/ucc_session to manage client sessions
  • univentionCorporateClientAutostart: LDAP class to manage autostart scripts
  • univentionCorporateClientImage: UDM module settings/ucc_image to manage the image to use
  • univentionPolicyCorporateClientUser: UDM policy policies/ucc_user to manage the user session
  • univentionPolicyCorporateClientComputer: UDM policy policies/ucc_hardware to manage access to local hardware
  • univentionPolicyCorporateClientDesktop: UDM policy policies/ucc_desktop to manage desktop environment variables
  • univentionPolicySoftwareupdates: UDM policy policies/ucc_software to manage software update
  • univentionPolicyCorporateClient: LDAP super class for all UCC policies.

UCS Thin Client Services (UCS TCS)

  • univentionPolicyAutoStart: UDM policy to manage autostart script for Thin-/Managed-/Mobile-Clients
  • univentionPolicyThinClient: UDM policy to manage packages to install/remove
  • univentionThinClient: UDM module computers/thinclient to manage machine accounts of Thin-Clients
  • univentionMobileClient: UDM module computers/mobileclient to manage machine accounts of Mobile-Clients
  • univentionFatClient: UDM module computers/fatclient to manage machine account of Fat-Clients

This topic was automatically closed after 60 minutes. New replies are no longer allowed.