Hi everyone, currently I would like to move the LDAP tool from OpenLDAP to 389 Directory Server. The data and configuration are saved in OpenLDAP and I would like to migrate to 389 Directory Server. So far, the migration runs well, but after the migration I cannot see the data in 389 Directory Server.
My environment server:
- Ubuntu 22.04 in WSL 2.
- OpenLDAP version 2.5.13 (run slapd -VV)
- 389 Directory Server version 2.0.15-1 (https://packages.ubuntu.com/jammy/389-ds)
Here's my GitHub repo to reproduce the migration steps from OpenLDAP to 389 Directory Server: https://github.com/kresnasatya/migrate-openldap-to-389-ds-failed
I also followed the YouTube tutorial from this video presented by William Brown: https://www.youtube.com/watch?v=qrbtWOXOhtA. Unfortunately, it doesn't work after the migration step. Could you please guide me on how to solve the problem? Thank you.
On 3/13/23 10:08 PM, Kresna Satya wrote:
> Hi everyone, currently I would like to move the LDAP tool from OpenLDAP to 389 Directory Server. The data and configuration are saved in OpenLDAP and I would like to migrate to 389 Directory Server. So far, the migration runs well, but after the migration I cannot see the data in 389 Directory Server.
In regards to step 19, did you run dsidm as root (sudo)? Otherwise it would not pick up your ".dsrc" settings, which explains why it's not seeing your basedn setting. You could always add "-b dc=example,dc=com" to dsidm. You don't need .dsrc, but it makes things a lot easier.
Also, since you are not using "cn=directory manager" in your .dsrc, you need to make sure this "cn=admin" account has access control instructions (ACIs) that give it access to the database:
https://access.redhat.com/documentation/en-us/red_hat_directory_server/11/ht...
HTH,
Mark
On 15 Mar 2023, at 02:32, Mark Reynolds mareynol@redhat.com wrote:
> On 3/13/23 10:08 PM, Kresna Satya wrote:
> > Hi everyone, currently I would like to move the LDAP tool from OpenLDAP to 389 Directory Server. The data and configuration are saved in OpenLDAP and I would like to migrate to 389 Directory Server. So far, the migration runs well, but after the migration I cannot see the data in 389 Directory Server.
> In regards to step 19, did you run dsidm as root (sudo)?
Did you follow the post-migration checklist? The most common cause of this is a lack of ACIs on the directory data, since 389-ds access controls are different to OpenLDAP's.
--
Sincerely,
William Brown
Senior Software Engineer, Identity and Access Management, SUSE Labs, Australia
Hi, I forgot to add ACIs to 389-ds. Now I try it with the commands below:
1. sudo dsconf -D 'cn=admin,dc=example,dc=org' ldap://localhost:389 plugin root-dn enable
   and I get the result: Enabled plugin 'RootDN Access Control'.
2. sudo ldapmodify -f aci.ldif -x -D 'cn=admin,dc=example,dc=org' -w 1234567890
   But the result is:
   modifying entry "dc=example,dc=org"
   ldap_modify: No such object (32)
Here's my aci.ldif file:
```ldif
dn: dc=example,dc=org
changetype: modify
add: aci
aci: (targetattr="dc || description || objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl "Enable anyone domain read"; allow (read, search, compare)(userdn="ldap:///anyone");)
aci: (targetattr="ou || objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0; acl "Enable anyone ou read"; allow (read, search, compare)(userdn="ldap:///anyone");)
```
I also add those steps in my GitHub repo if you would like to check: https://github.com/kresnasatya/migrate-openldap-to-389-ds-failed/blob/main/R...
Yes, you're right. I added sudo and the result runs as I expected; it shows the content of the ldap.conf file. The next step is to add access control instructions (ACIs), and I try it with the commands below:
1. sudo dsconf -D 'cn=admin,dc=example,dc=org' ldap://localhost:389 plugin root-dn enable
   and I get the result: Enabled plugin 'RootDN Access Control'.
2. sudo ldapmodify -f aci.ldif -x -D 'cn=admin,dc=example,dc=org' -w 1234567890
   But the result is:
   modifying entry "dc=example,dc=org"
   ldap_modify: No such object (32)
Here's my aci.ldif file:
```ldif
dn: dc=example,dc=org
changetype: modify
add: aci
aci: (targetattr="dc || description || objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl "Enable anyone domain read"; allow (read, search, compare)(userdn="ldap:///anyone");)
aci: (targetattr="ou || objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0; acl "Enable anyone ou read"; allow (read, search, compare)(userdn="ldap:///anyone");)
```
I also add those steps in my GitHub repo if you would like to check: https://github.com/kresnasatya/migrate-openldap-to-389-ds-failed/blob/main/R...
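The script below is an added example, not code from the thread or from the 389-ds project, that puts Mark's and William's advice (the migrated data has no ACIs, and a plain entry such as cn=admin has no rights until an ACI grants them) together with a check for the "No such object (32)" error above. It assumes an instance named "localhost", the suffix dc=example,dc=org, and a bind as cn=Directory Manager, which bypasses ACIs and so can add the first ACIs regardless of the state of the data. The first two ACIs are the ones from the aci.ldif above; the third, which gives the migrated cn=admin entry rights comparable to an OpenLDAP rootdn, is an assumption added for the example. The RootDN Access Control plugin enabled in step 1 above is unrelated: it restricts when and from where the Directory Manager may bind, and grants nothing to other entries.

```shell
#!/bin/sh
# Added example (not from the thread): post-migration ACI check for 389-ds.
# Assumed (not in the original posts): instance "localhost", suffix
# dc=example,dc=org, and a cn=Directory Manager bind (prompted with -W).
SUFFIX="${SUFFIX:-dc=example,dc=org}"
INSTANCE="${INSTANCE:-localhost}"
URL="${URL:-ldap://localhost:389}"
ROOTDN="cn=Directory Manager"

# Emit the modify LDIF for a suffix. The first two ACIs are the thread's
# anonymous read rules; the third (assumed) gives the migrated admin entry
# full rights on the tree, since without an aci a normal entry sees nothing.
aci_ldif() {
  suffix="$1"
  admin="${2:-cn=admin,$suffix}"
  cat <<EOF
dn: $suffix
changetype: modify
add: aci
aci: (targetattr="dc || description || objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl "Enable anyone domain read"; allow (read, search, compare)(userdn="ldap:///anyone");)
aci: (targetattr="ou || objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0; acl "Enable anyone ou read"; allow (read, search, compare)(userdn="ldap:///anyone");)
aci: (targetattr="*")(version 3.0; acl "Migrated admin full access"; allow (all)(userdn="ldap:///$admin");)
EOF
}

# Count aci values on stdin (sanity check before sending the LDIF).
aci_count() { grep -c '^aci: '; }

# Base-scope search for the suffix entry as Directory Manager. Because the
# root DN is not subject to ACIs, a failure here means the entry really is
# absent: the suffix on the instance is probably not the one being targeted.
suffix_exists() {
  ldapsearch -x -H "$URL" -D "$ROOTDN" -W \
    -s base -b "$1" '(objectClass=*)' dn >/dev/null 2>&1
}

# Apply the ACIs as Directory Manager, not as the entry that still lacks them.
apply_acis() {
  aci_ldif "$1" | ldapmodify -x -H "$URL" -D "$ROOTDN" -W
}

# Only talk to a server when invoked as: sh check_aci.sh apply
if [ "${1:-}" = "apply" ]; then
  echo "Suffixes configured on instance $INSTANCE:"
  dsconf "$INSTANCE" backend suffix list
  if suffix_exists "$SUFFIX"; then
    apply_acis "$SUFFIX"
  else
    echo "base entry $SUFFIX does not exist here; compare with the suffix list above" >&2
    exit 1
  fi
fi
```

Run it as "sh check_aci.sh apply" (the filename is assumed); it prompts for the Directory Manager password once for the search and once for the modify. If the suffix list printed by dsconf does not contain dc=example,dc=org, the LDIF is targeting a suffix the instance never received, which is exactly what result code 32 reports; fix the suffix (or re-import the data under the intended one) before adding ACIs. Once the ACIs are in place, repeat the dsidm or ldapsearch as cn=admin to confirm the migrated entries are now visible.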