9:08 p.m.
Hi everyone, currently I would like to move the LDAP tool from OpenLDAP and
389 Directory Server. The data and configuration are saved in OpenLDAP and
I would like to migrate to 389 Directory Server. So far, migration runs
well but after migration I cannot see the data in 389 Directory Server.
My environment server:
- Ubuntu 22.04 in WSL 2.
- OpenLDAP version 2.5.13 (run slapd -VV)
- 389 Directory Server version 2.0.15-1 (
<https://packages.ubuntu.com/jammy/389-ds>
https://packages.ubuntu.com/jammy/389-ds)
Here's my GitHub repo to reproduce the migration steps from OpenLDAP to 389
Directory Server:
<https://github.com/kresnasatya/migrate-openldap-to-389-ds-failed>
https://github.com/kresnasatya/migrate-openldap-to-389-ds-failed
I also follow the YouTube tutorial from this video presented by William
Brown https://www.youtube.com/watch?v=qrbtWOXOhtA. Unfortunately, it
doesn't work after the migration step. Could you please guide me how to
solve the problem? Thank you.
10:32 a.m.
New subject: Migration from OpenLDAP to 389 Directory Server Failed
On 3/13/23 10:08 PM, Kresna Satya wrote:
Hi everyone, currently I would like to move the LDAP tool from
OpenLDAP and 389 Directory Server. The data and configuration are
saved in OpenLDAP and I would like to migrate to 389 Directory Server.
So far, migration runs well but after migration I cannot see the data
in 389 Directory Server.
In regards to step 19 did you run dsidm as root(sudo)? Otherwise it
would not pick up your ".dsrc" settings, which explains why it's not
seeing your basedn setting. You could always
add "-b dc=example,dc=com" to dsidm. You don't need .dsrc, but it makes
things a lot easier.
Also since you are not using "cn=directory manager" in your .dsrc. you
need to make sure this "cn=admin" account has access control
instructions (aci) that gives it access to the database:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11...
HTH,
Mark
My environment server:
* Ubuntu 22.04 in WSL 2.
* OpenLDAP version 2.5.13 (run slapd -VV)
* 389 Directory Server version 2.0.15-1
(https://packages.ubuntu.com/jammy/389-ds)
Here's my GitHub repo to reproduce the migration steps from OpenLDAP
to 389 Directory
Server:https://github.com/kresnasatya/migrate-openldap-to-389-ds-failed
I also follow the YouTube tutorial from this video presented by
William Brownhttps://www.youtube.com/watch?v=qrbtWOXOhtA.
Unfortunately, it doesn't work after the migration step. Could you
please guide me how to solve the problem? Thank you.
_______________________________________________
389-users mailing list --389-users(a)lists.fedoraproject.org
To unsubscribe send an email to389-users-leave(a)lists.fedoraproject.org
Fedora Code of Conduct:https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:https://fedoraproject.org/wiki/Mailing_list_guidelines
List
Archives:https://lists.fedoraproject.org/archives/list/389-users@lists.fe...
Do not reply to spam, report it:https://pagure.io/fedora-infrastructure/new_issue
--
Directory Server Development Team
5:31 p.m.
New subject: Migration from OpenLDAP to 389 Directory Server Failed
On 15 Mar 2023, at 02:32, Mark Reynolds <mareynol(a)redhat.com>
wrote:
On 3/13/23 10:08 PM, Kresna Satya wrote:
> Hi everyone, currently I would like to move the LDAP tool from OpenLDAP and 389
Directory Server. The data and configuration are saved in OpenLDAP and I would like to
migrate to 389 Directory Server. So far, migration runs well but after migration I cannot
see the data in 389 Directory Server.
In regards to step 19 did you run dsidm as root(sudo)?
did you follow the post migration check list? The most common cause of this is lack of
aci's on the directory data since 389-ds access controls are different to
openldap's.
--
Sincerely,
William Brown
Senior Software Engineer,
Identity and Access Management
SUSE Labs, Australia
7:09 p.m.
New subject: Migration from OpenLDAP to 389 Directory Server Failed
Hi, I forget to add aci to 389-ds. Now, I try it with commands below:
1. sudo dsconf -D 'cn=admin,dc=example,dc=org' ldap://localhost:389 plugin root-dn
enable and I get result Enabled plugin 'RootDN Access Control'.
2. sudo ldapmodify -f aci.ldif -x -D 'cn=admin,dc=example,dc=org' -w 1234567890.
But the result modifying entry "dc=example,dc=org" ldap_modify: No such object
(32). Here's my aci.ldif file:
```bash
dn: dc=example,dc=org
changetype: modify
add: aci
aci: (targetattr="dc || description ||
objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl
"Enable anyone domain read"; allow (read, search,
compare)(userdn="ldap:///anyone");)
aci: (targetattr="ou ||
objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0;
acl "Enable anyone ou read"; allow (read, search,
compare)(userdn="ldap:///anyone");)
-
```
I also add those steps in my GitHub repo if you would like to check:
https://github.com/kresnasatya/migrate-openldap-to-389-ds-failed/blob/mai...
7:08 p.m.
New subject: Migration from OpenLDAP to 389 Directory Server Failed
Yes, you're right. I add sudo and the result run as I expected, it shows content file
of ldap.conf. Next step is add access control instructions (aci) and I try it with
commands below:
1. sudo dsconf -D 'cn=admin,dc=example,dc=org' ldap://localhost:389 plugin root-dn
enable and I get result Enabled plugin 'RootDN Access Control'.
2. sudo ldapmodify -f aci.ldif -x -D 'cn=admin,dc=example,dc=org' -w 1234567890.
But the result modifying entry "dc=example,dc=org" ldap_modify: No such object
(32). Here's my aci.ldif file:
```bash
dn: dc=example,dc=org
changetype: modify
add: aci
aci: (targetattr="dc || description ||
objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl
"Enable anyone domain read"; allow (read, search,
compare)(userdn="ldap:///anyone");)
aci: (targetattr="ou ||
objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0;
acl "Enable anyone ou read"; allow (read, search,
compare)(userdn="ldap:///anyone");)
-
```
I also add those steps in my GitHub repo if you would like to check:
https://github.com/kresnasatya/migrate-openldap-to-389-ds-failed/blob/mai...
408
days inactive
409
days old
389-users@lists.fedoraproject.org
4 comments
3 participants
participants (3)
-
Kresna Satya -
Mark Reynolds -
William Brown