Upgrade to UCS 5.x fails due to existing legacy objects

We want to upgrade from 4.4-9 errata1350 to UCS 5.0-2, but the upgrade procedure fails.

/var/log/univention/updater.log:

Deleting object(s) with dn: cn=default-settings,cn=thinclient,cn=policies,dc=my,dc=domain,dc=de
# Deleting reference to cn=default-settings,cn=thinclient,cn=policies,dc=my,dc=domain,dc=de from dc=my,dc=domain,dc=de
ldap_modify: Referral (10)
	referrals:
		ldap://ucs-XXXX.my.domain.de:7389/dc=my,dc=domain,dc=de
modifying entry "dc=my,dc=domain,dc=de"

# Deleting reference to cn=default-settings,cn=thinclient,cn=policies,dc=my,dc=domain,dc=de from cn=default containers,cn=univention,dc=my,dc=domain,dc=de
ldap_modify: Referral (10)
	referrals:
		ldap://ucs-XXXX.my.domain.de:7389/cn=default%20containers,cn=univention,dc=my,dc=domain,dc=de
modifying entry "cn=default containers,cn=univention,dc=my,dc=domain,dc=de"

ldap_delete: Referral (10)
	referrals:
		ldap://ucs-XXXX.my.domain.de:7389/cn=default-settings,cn=thinclient,cn=policies,dc=my,dc=domain,dc=de
preupzKITGT.sh: ERROR: could not remove obsolete objects
# Error: Update aborted by pre-update script of release 5.0-0

Downloaded and ran the bash script from here without luck. Same results when deleting manually.

Found the post here and modified it to our needs, but received the same error:

# ldapmodify -f /tmp/ldap-legacy.ldif  -D cn=admin,$(ucr get ldap/base) -y /etc/ldap.secret
modifying entry "dc=my,dc=domain,dc=de"
ldap_modify: Referral (10)
	referrals:
		ldap://ucs-XXXX.my.domain.de:7389/dc=my,dc=domain,dc=de

The LDIF file contains:

dn: dc=my,dc=domain,dc=de
changetype: modify
delete: univentionPolicyReference
univentionPolicyReference: cn=default-settings,cn=thinclient,cn=policies,dc=my,dc=domain,dc=de

Any hints on how to proceed?

Please execute the script on your DC Master AKA Primary Directory Node: Running the script on a Backup or Slave/Replica does not work as the LDAP copy there is not writable and the OpenLDAP server there is trying to redirect your request for modification to the Primary, which has the only writable copy.
The tool does not follow automatically. If I remember ldapmodify et al. correctly there is the option LDAP_OPT_REFERRALS to enable referral following, but our current code does not do this.

Please execute the script on your DC Master AKA Primary Directory Node

It was executed on the DC.

To be safe, below is the error message from a backup server:

WARNING: Your domain controller master is still on version 4.4-9.
It is strongly recommended that the domain controller master is
always the first system to be updated during a release update.
This check can be skipped by setting the UCR
variable update44/ignore_version to yes.

Doesn't the above LDIF file contain the deletion of the reference?
If not, how can the command be composed correctly?

The udm produces an access error:

udm "policies/policy" modify --dn "cn=thinclient,cn=policies,dc=my,dc=domain,dc=de" --policy-dereference "cn=default-container.cn=thinclient,cn=policies,dc=my,dc=domain,dc=de"
Modify policies/policy not allowed

It seems that this group object is blocked.

The udm produces an access error:

The UDM module policies/policy is just a generic top-level module, which only supports list but not add / remove / modify. For that you must use the specific UDM module for that policy, e.g. policies/thinclient if I remember correctly. But the modules are only available when the UCS TCS-extension was installed, which only existed for UCS 2.x.

In your command you also swapped the DNs: You want to remove the policy from the container, so you should use udm containers/cn modify --dn 'cn=default-container.cn=thinclient,cn=policies,dc=my,dc=domain,dc=de' --policy-dereference 'cn=thinclient,cn=policies,dc=my,dc=domain,dc=de', which should work with plain UCS as it does not require UCS TCS at all.

Doesn't the above LDIF file contain the deletion of the reference?

Yes, the LDIF file contains the change, but it cannot be applied as your LDAP server does not allow any change, but redirects you to another server, where you're supposed to do the change.

Do you have a file ~/.ldaprc or ~/ldaprc or ./ldaprc or /etc/ldap/ldap.conf with some strange setting? See man:ldap.conf(3) for details.

Please also try to add -H ldap://localhost:7389/ to your LDAP commands, e.g. ldapsearch -H ldap://localhost:7389/ -x -D "cn=admin,$(ucr get ldap/base)" -y /etc/ldap.secret 1.1: It might be that they default to the LDAP default TCP port 389, where Samba4 is listening when installed.
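The advice from the replies above, bundled into one script as an added example (this is not code from the thread or from Univention): it composes the same LDIF the questioner used, refuses to run unless `ucr get server/role` says the host is the Primary Directory Node, pins the connection to `ldap://localhost:7389/` so a Samba4 listener on port 389 is never hit by mistake, and recognises `Referral (10)` in the ldapmodify output as the "no writable copy here" failure rather than a generic error. The sample ldapmodify output embedded at the bottom is constructed from the log lines in the question; `ucr`, `ldapmodify`, `/etc/ldap.secret` and the DNs passed under `--run` are assumptions about a standard UCS install.

```shell
#!/bin/sh
# Added example, not code from the thread or from Univention. Assumes UCS
# tools (ucr, ldapmodify) and /etc/ldap.secret exist. Nothing below touches
# a server unless dereference_policy is called (via --run).

# Compose the LDIF that removes one policy reference from an object. Same
# shape as the LDIF in the question, parameterised on the two DNs.
build_dereference_ldif() {
    object_dn=$1
    policy_dn=$2
    printf 'dn: %s\nchangetype: modify\ndelete: univentionPolicyReference\nuniventionPolicyReference: %s\n' \
        "$object_dn" "$policy_dn"
}

# True when ldapmodify/ldapdelete output shows the server redirected us
# instead of applying the change (the error quoted from updater.log).
is_referral() {
    printf '%s\n' "$1" | grep -q 'Referral (10)'
}

# Pull the scheme://host:port of the referral so the operator sees which
# node actually holds the writable copy. Uses '|' as the sed delimiter so
# the slashes in the URL need no escaping.
referral_target() {
    printf '%s\n' "$1" \
        | sed -n 's|^[[:space:]]*\(ldap://[^/]*\)/.*$|\1|p' \
        | head -n 1
}

# Remove policy_dn from object_dn on this host. Refuses to run unless the
# host is the Primary (domaincontroller_master), forces port 7389, and
# reports a referral as a distinct failure (exit 1) from other errors.
dereference_policy() {
    object_dn=$1
    policy_dn=$2
    role=$(ucr get server/role 2>/dev/null)
    if [ "$role" != "domaincontroller_master" ]; then
        echo "refusing: server/role is '$role'; run this on the Primary Directory Node" >&2
        return 2
    fi
    base=$(ucr get ldap/base)
    out=$(build_dereference_ldif "$object_dn" "$policy_dn" \
          | ldapmodify -H ldap://localhost:7389/ -x -D "cn=admin,$base" -y /etc/ldap.secret 2>&1)
    rc=$?
    if is_referral "$out"; then
        echo "referral to $(referral_target "$out"): this host has no writable copy" >&2
        return 1
    fi
    [ "$rc" -eq 0 ] || printf '%s\n' "$out" >&2
    return "$rc"
}

# Constructed sample of the failure output quoted in the question (not a
# live capture), used to exercise the checks offline.
SAMPLE_REFERRAL=$(printf 'modifying entry "dc=my,dc=domain,dc=de"\nldap_modify: Referral (10)\n\treferrals:\n\t\tldap://ucs-XXXX.my.domain.de:7389/dc=my,dc=domain,dc=de\n')
SAMPLE_OK='modifying entry "dc=my,dc=domain,dc=de"'

# Usage on the Primary: sh dereference.sh --run
# (object and policy DNs are the ones from the updater.log in the question)
if [ "${1:-}" = "--run" ]; then
    dereference_policy "cn=default containers,cn=univention,$(ucr get ldap/base)" \
        "cn=default-settings,cn=thinclient,cn=policies,$(ucr get ldap/base)"
fi
```

The exit codes are deliberately distinct: 2 means "wrong host, nothing was attempted", 1 means "the server answered with a referral, so this copy is read-only", and anything else is ldapmodify's own status with its output echoed. A referral on the Primary itself would point at a misconfigured client (an `ldaprc`/`ldap.conf` setting or the wrong port), which is exactly the case the last reply asks the questioner to rule out.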
