[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-23 Thread Blaz Kalan
Hi, I succeeded, and I write here just in case someone else needs it. I
had to add rights to these two users. My LDIF file:

dn: l=Kranj,c=si
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0; acl "give sysadmin full rights";
  allow(all) (userdn = "ldap:///uid=mnadmin,ou=User,l=Kranj,c=SI" or userdn =
  "ldap:///uid=sysadmin,ou=User,l=Kranj,c=SI" or userdn =
  "ldap:///uid=openmnadmin,ou=User,l=Kranj,c=SI");)

BR, Blaz
___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-22 Thread William Brown
On Thu, 2017-06-22 at 13:45 +0200, Ludwig Krispenz wrote:
> Hi,
> 
> 389-ds has an access control mechanism which allows fine-grained access 
> to entries and attributes for different types of operation, based on 
> various criteria like DN, group membership or role, and you should get 
> familiar with the basics before just adding specific ACIs:
> 
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control
> 
> for your specific request you could do something like:
> 
> dn: l=kranj,c=si
> aci: (targetattr = "*")(version 3.0; acl "Admin rights"; allow( all )
>   userdn = "ldap:///uid=mnadmin,ou=user,l=Kranj,c=si";)
> 
> Note that in 389-ds ACIs have to be placed at the top of the subtree they 
> should apply to.
> 

Another tip is to always use targetattr = "attr" rather than
targetattr !=. != causes lots of problems; it's better to be explicit in
what is allowed.

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane





[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-22 Thread Ludwig Krispenz

Hi,

389-ds has an access control mechanism which allows fine-grained access 
to entries and attributes for different types of operation, based on 
various criteria like DN, group membership or role, and you should get 
familiar with the basics before just adding specific ACIs:


https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control

for your specific request you could do something like:

dn: l=kranj,c=si
aci: (targetattr = "*")(version 3.0; acl "Admin rights"; allow( all )
  userdn = "ldap:///uid=mnadmin,ou=user,l=Kranj,c=si";)


Note that in 389-ds ACIs have to be placed at the top of the subtree they 
should apply to.


Ludwig

On 06/22/2017 12:31 PM, Kalan Blaz wrote:

Hi Mark,

Thank you very much for your help. Now I hit another problem and maybe
you can help me. In OpenLDAP we have two "super users" which have
read/write/delete access for the whole tree. Now in 389 DS I can make
changes or view the data only if I log in as cn=directory manager. All
my "super users" are already in the 389 DS database, but I do not know
how to set them proper rights. Here is an example with ldapsearch:

ldapsearch -D "cn=directory manager" -w iskratel -b "l=kranj,c=si" -p 
1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 108

ldapsearch -D "uid=mnadmin,ou=user,l=Kranj,c=si" -w mzPLlgQ3 -b 
"l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 1

So my question here is, what must I do so that user mnadmin has r/w/d 
permissions and sees the same tree as directory manager does?

Best regards,
Blaz


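The ACI shape the three replies above revolve around (Ludwig's one-user ACI, William's warning about targetattr !=, and Blaz's working three-user version), as an added example that is not code from the thread or from the 389-ds project: a small parser that picks an ACI apart, a lint that raises the points made in the thread, and generators for the user-list form Blaz used and for a group-based form. The DNs and ACL names are the thread's own; GROUP_DN is an assumed group that the thread never defines. Two caveats the thread does not spell out: allow (all) on targetattr "*" for a bind DN makes that account a second Directory Manager over the subtree, so it deserves the same password and audit handling, and the -w passwords in the posted ldapsearch commands end up in shell history and process listings (ldapsearch -W or -y file avoids that).

```python
"""Parse, lint and generate 389 DS ACIs of the shape used in this thread.

Added example, not code from the thread or from the 389-ds project. The DNs
and ACL names below are the thread's own; GROUP_DN is an assumed example.
"""
import re

# One ACI: optional (target=...), a targetattr clause, then the version/acl/
# permission body. Bind rules are captured raw and split with BIND_RE.
ACI_RE = re.compile(
    r'^\s*(?:\(target\s*=\s*"(?P<target>[^"]*)"\)\s*)?'
    r'\(targetattr\s*(?P<op>!?=)\s*"(?P<attrs>[^"]*)"\)\s*'
    r'\(version\s+3\.0\s*;\s*acl\s+"(?P<name>[^"]*)"\s*;\s*'
    r'(?P<perm>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bind>.*?)\s*;\s*\)\s*$',
    re.DOTALL,
)
BIND_RE = re.compile(
    r'(userdn|groupdn|roledn|userattr|ip|dns|authmethod)\s*(!?=)\s*"([^"]*)"'
)


def parse_aci(aci):
    """Split an ACI into its parts; raise ValueError if it is not of the expected form."""
    m = ACI_RE.match(aci)
    if not m:
        raise ValueError("not an ACI of the expected form: " + aci[:60])
    parts = m.groupdict()
    parts["attrs"] = [a.strip() for a in parts["attrs"].split("||")]
    parts["rights"] = [r.strip() for r in parts["rights"].split(",") if r.strip()]
    parts["bind"] = BIND_RE.findall(parts["bind"])  # [(keyword, op, value), ...]
    return parts


def lint_aci(aci):
    """Warnings a reviewer would raise, following the advice given in the thread."""
    p = parse_aci(aci)
    warnings = []
    if p["op"] == "!=":
        warnings.append(
            "targetattr != names what is excluded, so every attribute added to the "
            "schema later is allowed automatically; enumerate the allowed attributes.")
    if p["perm"] == "allow" and "all" in p["rights"] and "*" in p["attrs"]:
        warnings.append(
            'allow (all) on targetattr "*" grants every right except proxy on every '
            "attribute of the subtree, userPassword included: a second Directory Manager.")
    userdns = [v for k, _, v in p["bind"] if k == "userdn"]
    if len(userdns) > 1:
        warnings.append(
            f"{len(userdns)} userdn clauses: put the admins in a group and bind the "
            "ACI to one groupdn, so membership changes do not mean editing ACIs.")
    return warnings


def admin_aci(name, user_dns):
    """Full-rights ACI for a list of user DNs, in the form Blaz's final LDIF used."""
    bind = " or ".join(f'userdn = "ldap:///{dn}"' for dn in user_dns)
    return f'(targetattr = "*")(version 3.0; acl "{name}"; allow (all) ({bind});)'


def group_admin_aci(name, group_dn):
    """The same rights granted through group membership, the variant the lint suggests."""
    return f'(targetattr = "*")(version 3.0; acl "{name}"; allow (all) groupdn = "ldap:///{group_dn}";)'


def to_ldif(subtree_dn, aci):
    """ldapmodify input adding the ACI at the top of the subtree it should govern."""
    return f"dn: {subtree_dn}\nchangetype: modify\nadd: aci\naci: {aci}\n"


# Blaz's working ACI from the thread (the stray ';' the archive put after each URL removed).
BLAZ_ACI = (
    '(targetattr = "*") (version 3.0; acl "give sysadmin full rights"; '
    'allow(all) (userdn = "ldap:///uid=mnadmin,ou=User,l=Kranj,c=SI" or '
    'userdn = "ldap:///uid=sysadmin,ou=User,l=Kranj,c=SI" or '
    'userdn = "ldap:///uid=openmnadmin,ou=User,l=Kranj,c=SI");)'
)
# Assumed group DN for the group-based variant; not something the thread defines.
GROUP_DN = "cn=Directory Admins,ou=Group,l=Kranj,c=SI"

if __name__ == "__main__":
    for warning in lint_aci(BLAZ_ACI):
        print("warning:", warning)
    print(to_ldif("l=Kranj,c=si", group_admin_aci("Admin rights", GROUP_DN)))
```

Running it prints the two warnings for Blaz's ACI (full rights, and three userdn clauses where one groupdn would do) and then the ldapmodify input for the group variant; the ACI still goes on l=Kranj,c=si, the top of the subtree, as Ludwig noted.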


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-22 Thread Blaz Kalan
Hi Mark, 

Thank you very much for your help. Now I hit another problem and maybe you 
can help me. In OpenLDAP we have two "super users" which have read/write/delete 
access for the whole tree. Now in 389 DS I can make changes or view the data only if 
I log in as cn=directory manager. All my "super users" are already in the 389 DS 
database, but I do not know how to set them proper rights. Here is an example 
with ldapsearch:

ldapsearch -D "cn=directory manager" -w iskratel -b "l=kranj,c=si" -p 1317 -h 
kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 108

ldapsearch -D "uid=mnadmin,ou=user,l=Kranj,c=si" -w mzPLlgQ3 -b "l=kranj,c=si" 
-p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 1

So my question here is, what must I do so that user mnadmin has r/w/d 
permissions and sees the same tree as directory manager does?

Best regards,
Blaz



[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-19 Thread Mark Reynolds


On 06/19/2017 03:14 AM, Blaz Kalan wrote:
> I added these two lines to 99user.ldif:
>
> ObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: 
> object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI 
> )
> AttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: 
> Uniform Resource Identifier with optional label' EQUALITY caseExactMatch 
> SYNTAX  1.3.6.1.4.1.1466.115.121.1.15 )
>
> And looks fine. 
>
> But for 
> AttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change 
> sequence number of the entry content' EQUALITY CSNMatch ORDERING 
> CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 SINGLE-VALUE 
> NO-USER-MODIFICATION USAGE directoryOperation )
>
> I get an error: 
> (Invalid syntax) - attribute type entryCSN: Unknown attribute syntax OID 
> "1.3.6.1.4.1.4203.666.11.2.1"
Well, you can change the syntax to 1.3.6.1.4.1.1466.115.121.1.15, or
remove entryCSN from the user ldif.  entryCSN is only used by Openldap's
replication protocol, it serves no purpose in 389 and can be removed if
you want to.

Regards,
Mark

>
> BR,
> Blaz


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-19 Thread Blaz Kalan
I added these two lines to 99user.ldif:

ObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: 
object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI )
AttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uniform 
Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX  
1.3.6.1.4.1.1466.115.121.1.15 )

And it looks fine. 

But for 
AttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change 
sequence number of the entry content' EQUALITY CSNMatch ORDERING 
CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 SINGLE-VALUE 
NO-USER-MODIFICATION USAGE directoryOperation )

I get an error: 
(Invalid syntax) - attribute type entryCSN: Unknown attribute syntax OID 
"1.3.6.1.4.1.4203.666.11.2.1"

BR,
Blaz


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-18 Thread Blaz Kalan
Hi, 
yes, I found all these attributes and the class in the OpenLDAP schema files; there is:

olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change 
sequence number of the entry content' EQUALITY CSNMatch ORDERING 
CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} SINGLE-VALUE 
NO-USER-MODIFICATION USAGE directoryOperation )

olcObjectClasses: {23}( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 
'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY 
labeledURI )

olcAttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: 
Uniform Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX 
1.3.6.1.4.1.1466.115.121.1.15 )

Br, Blaz


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-16 Thread Mark Reynolds


On 06/16/2017 02:58 AM, Blaz Kalan wrote:
> Hi Mark, thank you very much. 
> I actually always imported data with a Java LDAP browser/editor. Now I tried with 
> ldapmodify and I succeeded with user passwords.
>
> Now I have only a few unresolved things.
>
> For the attribute entryUUID in the exported data I use nsuniqueid for the 389 import. 
>
> But I do not know which attributes represent these tree attributes from 
> OpenLDAP:
> 'Object class violation. unknown object class "labeledURIObject"
> 'Object class violation. attribute "labeledURI" not allowed
> 'Object class violation. attribute "entryCSN" not allowed
>
> Which object and attributes should I use instead of them?
The server itself does not use these attributes, so this is really what
your clients would need.  Only you can answer that :)  Anyway somewhere
in your openldap environment this schema is defined, and it has not been
migrated to 389 yet.  Sorry I don't know Openldap so I can not tell you
where to find it, but it should be there somewhere.
>
> Best regards,
> Blaz


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-15 Thread Blaz Kalan
Hi Mark, thank you very much. 
I actually always imported data with a Java LDAP browser/editor. Now I tried with 
ldapmodify and I succeeded with user passwords.

Now I have only a few unresolved things.

For the attribute entryUUID in the exported data I use nsuniqueid for the 389 import. 

But I do not know which attributes represent these tree attributes from OpenLDAP:
'Object class violation. unknown object class "labeledURIObject"
'Object class violation. attribute "labeledURI" not allowed
'Object class violation. attribute "entryCSN" not allowed

Which object and attributes should I use instead of them?

Best regards,
Blaz


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-15 Thread Mark Reynolds


On 06/15/2017 07:48 AM, Blaz Kalan wrote:
> Hi, 
>
> Sorry, I checked again and we use base64-encoded passwords:
> userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=
The server always base64-encodes passwords - that is fine and expected.
>
> what do you suggest in this case?
>
> But even if I try with md5, I get an error.
>
> ldif:
> dn: uid=mnadmin,ou=User,l=Kranj,c=SI
> uid: mnadmin
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: itUserOC
> description: Administrator
> sn: mnadmin
> cn: mnadmin
> userPassword: {MD5}CY9rzUYh03PK3k6DJie09g==
> structuralObjectClass: inetOrgPerson
> nsuniqueid: 2cec3dde-17dd-1035-945a-f5630028a5a6
> creatorsName: cn=ldapadmin,l=Kranj,c=SI
> createTimestamp: 20151105074714Z
> itUserLocked: FALSE
> itSuperUser: TRUE
> itPasswordExpire: 200504101330Z
> itLastLogin: 200504101330Z
> modifiersName: uid=mnadmin,ou=User,l=Kranj,c=SI
> modifyTimestamp: 20151105074859Z
>
>
> error:
> Error adding object 'dn: uid=mnadmin,ou=User,l=Kranj,c=SI'.  The error sent 
> by the server was 'Constraint violation. invalid password syntax - passwords 
> with storage scheme are not allowed'.  The object is: LDAPEntry: 
> uid=mnadmin,ou=User,l=Kranj,c=SI; LDAPAttributeSet: LDAPAttribute 
> {type='itsuperuser', values='TRUE'} LDAPAttribute {type='itlastlogin', 
> values='200504101330Z'} LDAPAttribute {type='sn', values='mnadmin'} 
> LDAPAttribute {type='userpassword', values='{MD5}CY9rzUYh03PK3k6DJie09g=='} 
> LDAPAttribute {type='objectclass', 
> values='inetOrgPerson,organizationalPerson,person,itUserOC'} LDAPAttribute 
> {type='uid', values='mnadmin'} LDAPAttribute {type='ituserlocked', 
> values='FALSE'} LDAPAttribute {type='modifytimestamp', 
> values='20151105074859Z'} LDAPAttribute {type='modifiersname', 
> values='uid=mnadmin,ou=User,l=Kranj,c=SI'} LDAPAttribute {type='nsuniqueid', 
> values='2cec3dde-17dd-1035-945a-f5630028a5a6'} LDAPAttribute 
> {type='createtimestamp', values='20151105074714Z'} LDAPAttribute {
>  type='creatorsname', values='cn=ldapadmin,l=Kranj,c=SI'} LDAPAttribute 
> {type='cn', values='mnadmin'} LDAPAttribute {type='itpasswordexpire', 
> values='200504101330Z'} LDAPAttribute {type='description', 
> values='Administrator'} LDAPAttribute {type='structuralobjectclass', 
> values='inetOrgPerson'}.

Okay this is expected if you try and add a prehashed password as a
regular user.  So how are you adding these entries exactly? 

If you are using ldapmodify, then you need to bind as the directory
manager to bypass these constraints.  Or, import the entire user ldif
using ldif2db which also bypasses these checks.

Regards,
Mark
>
> Thank you very much.
> BR, 
> Blaz


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-15 Thread Blaz Kalan
Hi, 

Sorry, I checked again and we use base64-encoded passwords:
userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=

what do you suggest in this case?

But even if I try with md5, I get an error.

ldif:
dn: uid=mnadmin,ou=User,l=Kranj,c=SI
uid: mnadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: itUserOC
description: Administrator
sn: mnadmin
cn: mnadmin
userPassword: {MD5}CY9rzUYh03PK3k6DJie09g==
structuralObjectClass: inetOrgPerson
nsuniqueid: 2cec3dde-17dd-1035-945a-f5630028a5a6
creatorsName: cn=ldapadmin,l=Kranj,c=SI
createTimestamp: 20151105074714Z
itUserLocked: FALSE
itSuperUser: TRUE
itPasswordExpire: 200504101330Z
itLastLogin: 200504101330Z
modifiersName: uid=mnadmin,ou=User,l=Kranj,c=SI
modifyTimestamp: 20151105074859Z


error:
Error adding object 'dn: uid=mnadmin,ou=User,l=Kranj,c=SI'.  The error sent by 
the server was 'Constraint violation. invalid password syntax - passwords with 
storage scheme are not allowed'.  The object is: LDAPEntry: 
uid=mnadmin,ou=User,l=Kranj,c=SI; LDAPAttributeSet: LDAPAttribute 
{type='itsuperuser', values='TRUE'} LDAPAttribute {type='itlastlogin', 
values='200504101330Z'} LDAPAttribute {type='sn', values='mnadmin'} 
LDAPAttribute {type='userpassword', values='{MD5}CY9rzUYh03PK3k6DJie09g=='} 
LDAPAttribute {type='objectclass', 
values='inetOrgPerson,organizationalPerson,person,itUserOC'} LDAPAttribute 
{type='uid', values='mnadmin'} LDAPAttribute {type='ituserlocked', 
values='FALSE'} LDAPAttribute {type='modifytimestamp', 
values='20151105074859Z'} LDAPAttribute {type='modifiersname', 
values='uid=mnadmin,ou=User,l=Kranj,c=SI'} LDAPAttribute {type='nsuniqueid', 
values='2cec3dde-17dd-1035-945a-f5630028a5a6'} LDAPAttribute 
{type='createtimestamp', values='20151105074714Z'} LDAPAttribute {
 type='creatorsname', values='cn=ldapadmin,l=Kranj,c=SI'} LDAPAttribute 
{type='cn', values='mnadmin'} LDAPAttribute {type='itpasswordexpire', 
values='200504101330Z'} LDAPAttribute {type='description', 
values='Administrator'} LDAPAttribute {type='structuralobjectclass', 
values='inetOrgPerson'}.

Thank you very much.
BR, 
Blaz


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-14 Thread Mark Reynolds


On 06/14/2017 07:41 AM, Blaz Kalan wrote:
> Hi again, 
>
> Finally it looks like I have somehow succeeded with importing data from 
> OpenLDAP to 389 DS, but I had to do a few things about which I am not sure if 
> they are OK.
>
> I change 99user.ldif to:
> dn: cn=schema
> objectClass: top
> objectClass: ldapSubentry
> objectClass: subschema
> cn: schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
>  us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
>  llow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=Topo
>  logyManagement,o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
>  ll) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=Netsc
>  apeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
>  dap:///cn=slapd-blegos,cn=389 Directory Server,cn=Server Group,cn=blegos.csi.
>  iskratel.mak,ou=csi.iskratel.mak,o=NetscapeRoot";)
> modifiersName: cn=directory manager
> modifyTimestamp: 20170526075714Z
> numSubordinates: 1
> objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 
> 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
> objectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 
> 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
> …
>
> It looks OK. I also see the added attributes with 389-console.  
>
> When I import the data I receive these errors:
>
> The error sent by the server was 'Object class violation. attribute 
> "entryuuid" not allowed
> The error sent by the server was 'Object class violation. attribute 
> "entrycsn" not allowed
> The error sent by the server was 'Object class violation. unknown object 
> class "labeledURIObject" 
> The error sent by the server was 'Object class violation. attribute 
> "labeledURI" not allowed
These attributes are not part of 389's standard schema.  So that implies
there is still more Openldap schema to migrate to 389 before you should
try the import.
>
> Here I just deleted those rows with these commands (I am not sure what the 
> right way is here):
>
> sed -i "/\b\(entryUUID\)\b/d" data_from_openLDAP.ldif
> sed -i "/\b\(entryCSN\)\b/d" data_from_openLDAP.ldif
> sed -i "/\b\(labeledURIObject\)\b/d" data_from_openLDAP.ldif
> sed -i "/\b\(labeledURI\)\b/d" data_from_openLDAP.ldif
>
> Another error was:
> Error: the SUBSTR matching rule [caseIgnoreSubstringsMatch] is not compatible 
> with the syntax [1.3.6.1.4.1.1466.115.121.1.27] for the attribute 
> [itUserPolicyProfileId]

Syntax  1.3.6.1.4.1.1466.115.121.1.27 is an "integer" syntax.  A
caseIgnore matching rule does not apply to a number.  So this error
makes sense and is correct.

>
> Here again I just deleted all "SUBSTR caseIgnoreSubstringsMatch" from the exported 
> data LDIF file. (What here?)
Well, it should be removed from attributes that use the integer syntax,
but for other syntaxes you might need/want it.  So you need to look through
each attribute and confirm what its syntax is before removing the
matching rule.
>
> Then I must change all user passwords, because I cannot import MD5 passwords. 
> Is there perhaps a setting, while exporting the data, so that passwords are in 
> plain text?
389 does support MD5 passwords, so the password below should work fine. 
Are you getting errors?

Regards,
Mark
> So change was from:
> userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0= 
> to:
> userPassword: test
>
>   
> After that, import succeeded.  
>
> Best Regards,
> Blaz
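What the two password exchanges above come down to (Mark's 6/15 answer on "passwords with storage scheme are not allowed", and the 6/14 exchange on MD5 passwords), shown as an added example in Python that is not code from the thread or from 389-ds: the "::" in "userPassword::" is only LDIF base64 transport encoding and underneath it sits a {MD5} value; {MD5} is base64 of the raw, unsalted MD5 digest, which is why the {MD5}CY9rzUYh03PK3k6DJie09g== Blaz tried to import is exactly the hash of the "test" password he later set in clear. The values are the ones posted; the function names are mine. A practitioner caveat the thread does not raise: unsalted {MD5} is a weak at-rest format, so after the migration set passwordStorageScheme to a salted scheme (SSHA512, or PBKDF2_SHA256 where the 389 version offers it) and have users rotate, since existing values are only rehashed on a password change unless the version can upgrade hashes on bind.

```python
"""Decode userPassword values from an OpenLDAP export and check the {MD5} scheme.

Added example, not code from the thread or from 389-ds. The values are the ones
posted in the thread; the function names are mine.
"""
import base64
import hashlib
import hmac


def decode_ldif_value(line):
    """Return (attribute, value) for one LDIF line. 'attr:: data' marks a base64
    value; ldapsearch and slapcat write userPassword that way because its syntax
    is octet string, so the '::' says nothing about how the password is stored."""
    name, sep, rest = line.partition("::")
    if sep and ":" not in name:
        return name, base64.b64decode(rest.strip()).decode("utf-8")
    name, _, rest = line.partition(":")
    return name, rest.strip()


def md5_scheme(password):
    """{MD5} as OpenLDAP and 389 DS store it: base64 of the raw, unsalted MD5 digest."""
    digest = hashlib.md5(password.encode("utf-8")).digest()
    return "{MD5}" + base64.b64encode(digest).decode("ascii")


def storage_scheme(value):
    """The scheme name when the value carries a {SCHEME} prefix, else None (clear text)."""
    if value.startswith("{") and "}" in value:
        return value[1:value.index("}")].upper()
    return None


def verify_md5(stored, candidate):
    """Check a candidate password against a stored {MD5} value in constant time."""
    if storage_scheme(stored) != "MD5":
        raise ValueError("only {MD5} is handled here, got %r" % storage_scheme(stored))
    return hmac.compare_digest(stored, md5_scheme(candidate))


def import_needs_privilege(ldif_text):
    """True if any userPassword is pre-hashed. A regular bind's ldapmodify is then
    refused with 'passwords with storage scheme are not allowed'; the entries must
    be added as Directory Manager or loaded offline with ldif2db, as Mark advised."""
    for line in ldif_text.splitlines():
        if line.lower().startswith("userpassword:"):
            _, value = decode_ldif_value(line)
            if storage_scheme(value):
                return True
    return False


# Lines as posted in the thread.
EXPORT_LINE = "userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0="
MD5_TEST = "{MD5}CY9rzUYh03PK3k6DJie09g=="

if __name__ == "__main__":
    print(decode_ldif_value(EXPORT_LINE))       # ('userPassword', '{MD5}UJyg4bRng1FPu4N7dYVbGg==')
    print(md5_scheme("test") == MD5_TEST)       # True: the rejected value is md5("test")
    print(import_needs_privilege(EXPORT_LINE))  # True
```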


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-14 Thread Blaz Kalan
Hi again, 

Finally it looks like I have somehow succeeded with importing data from 
OpenLDAP to 389 DS, but I had to do a few things about which I am not sure if 
they are OK.

I change 99user.ldif to:
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=Topo
 logyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=Netsc
 apeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-blegos,cn=389 Directory Server,cn=Server Group,cn=blegos.csi.
 iskratel.mak,ou=csi.iskratel.mak,o=NetscapeRoot";)
modifiersName: cn=directory manager
modifyTimestamp: 20170526075714Z
numSubordinates: 1
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 
'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 
'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
…

It looks OK. I also see the added attributes with 389-console.  

When I import the data I receive these errors:

The error sent by the server was 'Object class violation. attribute "entryuuid" 
not allowed
The error sent by the server was 'Object class violation. attribute "entrycsn" 
not allowed
The error sent by the server was 'Object class violation. unknown object class 
"labeledURIObject" 
The error sent by the server was 'Object class violation. attribute 
"labeledURI" not allowed

Here I just deleted those rows with these commands (I am not sure what the 
right way is here):

sed -i "/\b\(entryUUID\)\b/d" data_from_openLDAP.ldif
sed -i "/\b\(entryCSN\)\b/d" data_from_openLDAP.ldif
sed -i "/\b\(labeledURIObject\)\b/d" data_from_openLDAP.ldif
sed -i "/\b\(labeledURI\)\b/d" data_from_openLDAP.ldif

Another error was:
Error: the SUBSTR matching rule [caseIgnoreSubstringsMatch] is not compatible 
with the syntax [1.3.6.1.4.1.1466.115.121.1.27] for the attribute 
[itUserPolicyProfileId]

Here again I just deleted all "SUBSTR caseIgnoreSubstringsMatch" from the exported 
data LDIF file. (What here?)

Then I must change all user passwords, because I cannot import MD5 passwords.  
Is there perhaps a setting, while exporting the data, so that passwords are in plain text?
So change was from:
userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0= 
to:
userPassword: test


After that, import succeeded.  

Best Regards,
Blaz
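The sed one-liners in the message above work line by line, which is fragile on LDIF: a value that slapcat or ldapsearch wrapped onto continuation lines loses only its first line and the orphaned continuation attaches to the previous attribute, and a word-boundary match on entryCSN also deletes any DN or description line that mentions the name. Added example, not code from the thread: the same clean-up done per entry on unfolded LDIF, dropping entryCSN (Mark's later reply says it serves no purpose in 389) and optionally renaming entryUUID to nsuniqueid as Blaz did; passing an empty rename map instead lets 389 assign its own nsuniqueid. The sample entries are constructed from the ones posted in the thread; the entryCSN values and the long description are made up, the UUID is the one posted.

```python
"""Clean an OpenLDAP data export for import into 389 DS, entry by entry.

Added example, not code from the thread. It does what the thread's sed
one-liners did, but on unfolded LDIF so wrapped values are handled whole.
"""

DROP = {"entrycsn"}                    # OpenLDAP replication bookkeeping; 389 keeps its own
RENAME = {"entryuuid": "nsuniqueid"}   # the mapping Blaz used; pass {} to let 389 assign IDs


def unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def fold(line, width=76):
    """Re-wrap one logical line the way RFC 2849 does, so the output stays valid LDIF."""
    chunks = [line[:width]]
    rest = line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return chunks


def parse_entries(text):
    """Split unfolded LDIF into entries (lists of logical lines) at blank lines."""
    entries, current = [], []
    for line in unfold(text) + [""]:
        if line.strip() == "":
            if current:
                entries.append(current)
            current = []
        else:
            current.append(line)
    return entries


def clean_entry(entry, drop=DROP, rename=R ENAME) if False else None
```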


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-13 Thread Blaz Kalan
Hi, thank you very much for your help, but I still have problems :( 
I added the schema to 99user.ldif:

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
 us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
 llow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=Topo
 logyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
 ll) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=Netsc
 apeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
 dap:///cn=slapd-blegos,cn=389 Directory Server,cn=Server Group,cn=blegos.csi.
 iskratel.mak,ou=csi.iskratel.mak,o=NetscapeRoot";)
modifiersName: cn=directory manager
modifyTimestamp: 20170526075714Z
numSubordinates: 1

dn: cn=itnetmanager,cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: itnetmanager
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20170613072328Z
modifyTimestamp: 20170613072328Z

dn: cn=itnetmanager, cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 
'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 
'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
...

and I do not have any errors when I restart dirsrv:
[13/Jun/2017:12:42:45.703352975 +0200] slapd shutting down - signaling 
operation threads - op stack size 0 max work q size 0 max work q stack size 0
[13/Jun/2017:12:42:45.725145416 +0200] slapd shutting down - closing down 
internal subsystems and plugins
[13/Jun/2017:12:42:45.760637613 +0200] Waiting for 4 database threads to stop
[13/Jun/2017:12:42:46.080192896 +0200] All database threads now stopped
[13/Jun/2017:12:42:46.107869191 +0200] slapd shutting down - freed 0 work q 
stack objects - freed 0 op stack objects
[13/Jun/2017:12:42:46.173323031 +0200] slapd stopped.
[13/Jun/2017:12:42:46.397936154 +0200] 389-Directory/1.3.5.10 B2017.102.203 
starting up
[13/Jun/2017:12:42:46.552160523 +0200] slapd started.  Listening on All 
Interfaces port 389 for LDAP requests

But when I try to import the exported data (from OpenLDAP) into 389 DS with 
389-console, I get these errors:

Error adding object 'dn: itSnmpProfileId=SNMP_V2C,ou=SnmpProfile,l=Kranj,c=SI'. 
 The error sent by the server was 'Object class violation. unknown object class 
"itSnmpProfileOC"
Error adding object 'dn: itProductId=ES_KONTRON,ou=Product,l=Kranj,c=SI'.  The 
error sent by the server was 'Object class violation. unknown object class 
"itProductOC"
...

So it looks like the schema is not picked up (because I have all these classes 
in 99user.ldif).

Second most common error in reject file is:
Error adding object 'dn: itContainerId=1048870,ou=Container,l=Kranj,c=SI'.  The 
error sent by the server was 'Object class violation. unknown object class 
"labeledURIObject"

Data is:
dn: itContainerId=1048870,ou=Container,l=Kranj,c=SI
itSerialNumber: 10
itParentContainerId: 1048860
itContainerName: 16/10
itRegType: 1
objectClass: itContainerOC
objectClass: labeledURIObject
itConfigurationNeeded: FALSE
itContainerStatus: 0
itContainerType: 2
itContainerId: 1048870
structuralObjectClass: itContainerOC
creatorsName: uid=mnadmin,ou=User,l=Kranj,c=SI
createTimestamp: 20160610065455Z
modifiersName: uid=mnadmin,ou=User,l=Kranj,c=SI
modifyTimestamp: 20160610065455Z

Could you please help me also with these two problems?

Thanks!

Best regards,
Blaz



[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-12 Thread Mark Reynolds


On 06/09/2017 03:32 AM, Blaz Kalan wrote:
> Hi, thank you all. Now I am a little further. 
>
> My current tmp ldif file is as follows:
>
> dn: cn=schema, cn=config
> objectclass: top
> objectclass: ldapSubentry
> objectclass: subschema
>
> dn: cn=itnetmanager, cn=schema, cn=config
> objectclass: top
> objectclass: ldapSubentry
> objectclass: subschema
>
> objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 
> 'IskratelprepaidPinSub' MUST ( itPrepaidPin ) )
> attributeTypes: ( 1.3.6.1.4.1.1332.1000.10.1 NAME ('itPrepaidPin' 'ppin') 
> DESC 'IskratelprepaidPIN' EQUALITY numericStringMatch SUBSTR 
> caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE )
>
> When I try to import this file, I do not get any errors, and I can see the schema 
> and itnetmanager "folders" with an LDAP browser. But I cannot see any entries 
> (objectClasses or attributeTypes). What am I still doing wrong?
This is the expected behavior as "attributeTypes" and "objectClasses"
are operational attributes.  The client needs to explicitly ask for
them.  Here is an example with ldapsearch:

ldapsearch -D "cn=directory manager" -w password -b "cn=schema"
objectclass=top attributetypes objectclasses

But...  I want to point something else out that will cause issues for
you next...

You are adding schema under "cn=config" - that is incorrect.  It should
be added under "cn=schema", otherwise it will not be picked up by the
server.  So just strip off cn=config from the DNs in your ldif.  Then
you add it via ldapmodify, or just drop the ldif file (naming it
99user.ldif first) into the server's schema dir and restart the server: 
/etc/dirsrv/slapd-INSTANCE/schema

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/extending_the_directory_schema#extending-the-schema

Regards,
Mark

> Thank you!
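The schema conversion rules scattered across Mark's replies (drop cn=config from the DN and put the definitions under cn=schema; rename olcObjectClasses and olcAttributeTypes to objectClasses and attributeTypes; remove SUBSTR from INTEGER-syntax attributes but not blindly from others; leave out entryCSN, whose syntax OID 389 does not know), collected into one script as an added example that is not code from the thread or from the 389-ds project. The {n} ordering braces Blaz removed by hand are stripped too, and every decision is written to a report so it can be reviewed rather than trusted. The sample is built from the definitions posted in the thread except itUserPolicyProfileId, whose OID the thread never shows and which is made up here.

```python
"""Convert OpenLDAP cn=config schema (olc* attributes) into a 389 DS 99user.ldif.

Added example, not code from the thread or from 389-ds. It applies the rules from
Mark's replies and reports what it changed so each decision can be reviewed.
"""
import re

OPENLDAP_PRIVATE_ARC = "1.3.6.1.4.1.4203.666."   # OpenLDAP's experimental OID arc (entryCSN's syntax)
INTEGER_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.27"
ORDER_PREFIX = re.compile(r"^\{\d+\}")            # cn=config ordering braces such as {23}
SYNTAX_RE = re.compile(r"SYNTAX\s+([0-9.]+)(\{\d+\})?")
SUBSTR_RE = re.compile(r"\s+SUBSTR\s+\S+")
NAME_RE = re.compile(r"NAME\s+\(?\s*'([^']+)'")
HEADER = ["dn: cn=schema", "objectClass: top", "objectClass: ldapSubentry",
          "objectClass: subschema", "cn: schema"]


def unfold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def definition_name(definition):
    m = NAME_RE.search(definition)
    return m.group(1) if m else "?"


def convert_attribute(definition, report):
    """Return the 389-ready attributeTypes definition, or None if it must be dropped."""
    definition = ORDER_PREFIX.sub("", definition.strip()).strip()
    name = definition_name(definition)
    m = SYNTAX_RE.search(definition)
    if m:
        oid, length = m.group(1), m.group(2)
        if oid.startswith(OPENLDAP_PRIVATE_ARC):
            report.append(f"dropped {name}: syntax {oid} is OpenLDAP-private and unknown to 389")
            return None
        if length:  # 389 takes the bare syntax OID; the {len} suffix is only a length hint
            definition = definition.replace(m.group(0), f"SYNTAX {oid}")
        if SUBSTR_RE.search(definition):
            if oid == INTEGER_SYNTAX:
                definition = SUBSTR_RE.sub("", definition)
                report.append(f"removed SUBSTR from {name}: INTEGER syntax has no substring rule")
            else:
                report.append(f"kept SUBSTR on {name} (syntax {oid}); confirm the rule fits the syntax")
    return definition


def convert_schema(openldap_ldif):
    """Return (99user.ldif text, report). Only the definitions are carried over;
    dn:, objectClass: olcSchemaConfig and cn: are cn=config bookkeeping."""
    attrs, ocs, report, dropped = [], [], [], set()
    for line in unfold(openldap_ldif):
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if not sep:
            continue
        if key in ("olcattributetypes", "attributetypes"):
            converted = convert_attribute(value, report)
            if converted is None:
                dropped.add(definition_name(value).lower())
            else:
                attrs.append("attributeTypes: " + converted)
        elif key in ("olcobjectclasses", "objectclasses"):
            definition = ORDER_PREFIX.sub("", value.strip()).strip()
            used = {t.lower() for t in re.findall(r"[A-Za-z][\w-]*", definition)}
            for missing in sorted(used & dropped):
                report.append(f"objectClass {definition_name(definition)} references dropped attribute {missing}")
            ocs.append("objectClasses: " + definition)
    # attributeTypes first: the object classes refer to them by name
    return "\n".join(HEADER + attrs + ocs) + "\n", report


# Constructed from the definitions posted in the thread. The OID of
# itUserPolicyProfileId is made up: the thread shows only its name and syntax.
SAMPLE = """\
dn: cn={1}itnetmanager,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {1}itnetmanager
olcAttributeTypes: {0}( 1.3.6.1.4.1.1332.1000.10.1 NAME ('itPrepaidPin' 'ppin') DES
 C 'IskratelprepaidPIN' EQUALITY numericStringMatch SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE )
olcAttributeTypes: {1}( 1.3.6.1.4.1.1332.1000.10.999 NAME 'itUserPolicyProfileId'
  EQUALITY integerMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.11
 5.121.1.27 SINGLE-VALUE )
olcAttributeTypes: {2}( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change seque
 nce number of the entry content' EQUALITY CSNMatch ORDERING CSNOrderingMatch SYNTA
 X 1.3.6.1.4.1.4203.666.11.2.1{64} SINGLE-VALUE NO-USER-MODIFICATION USAGE directo
 ryOperation )
olcObjectClasses: {0}( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'Iskr
 atelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
"""

if __name__ == "__main__":
    ldif, report = convert_schema(SAMPLE)
    print(ldif)
    for line in report:
        print("#", line)
```

The printed LDIF is what goes into /etc/dirsrv/slapd-INSTANCE/schema/99user.ldif before the restart Mark describes; the report lists the one attribute dropped, the one SUBSTR removed, and the SUBSTR kept on the numeric-string attribute for manual review.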


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-09 Thread Blaz Kalan
Hi, thank you all. Now I am a little further. 

My current tmp ldif file is as follows:

dn: cn=schema, cn=config
objectclass: top
objectclass: ldapSubentry
objectclass: subschema

dn: cn=itnetmanager, cn=schema, cn=config
objectclass: top
objectclass: ldapSubentry
objectclass: subschema

objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 
'IskratelprepaidPinSub' MUST ( itPrepaidPin ) )
attributeTypes: ( 1.3.6.1.4.1.1332.1000.10.1 NAME ('itPrepaidPin' 'ppin') DESC 
'IskratelprepaidPIN' EQUALITY numericStringMatch SUBSTR 
caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE )

When I try to import this file, I do not get any errors, and I can see the schema 
and itnetmanager "folders" with an LDAP browser. But I cannot see any entries 
(objectClasses or attributeTypes). What am I still doing wrong?

Thank you!


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-08 Thread Mark Reynolds


On 06/08/2017 03:05 AM, b.ka...@iskratel.si wrote:
> Hi, yes, I would need a little more help. I have now deleted most of the records from 
> the exported ldif file, so that I have a simple file for editing and testing. I also 
> deleted the {xx}.
>
> My ldif file is now:
>
> dn: cn=itnetmanager, cn=schema, cn=config
> olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DES
>  C 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
> olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DE
>  SC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
> olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.3 NAME 'itPrepaidSubAccount'
>   DESC 'IskratelprepaidSubAccount' MUST ( itDirectoryNumber $ itAccountStatus
>   $ itAccountBalance $ itDateOfLastUsed $ itDateOfExpiry $ itLanguageCode $ i
>  tUnsucRechargeAtt $ itStatGroupId $ itPrepaidSetId))
> olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.4 NAME 'itPrepaidSet' DESC '
>  IskratelprepaidSet' MUST ( itPrepaidSetId $ itPrepaidSetName $ itWelcomeMsgM
>  ode $ itLanguageMode $ itCbMode $ itRechargeAuth $ itLockAuth $ itRrReqMode 
>  $ itMaxCallAtt $ itMaxRechargeAtt $ itSimultCallsAuth $ itLowBalanceWarn $ i
>  tNearExpiryWarn $ itNegAccBalance $ itMaxAccBalance $ itSuspensionDur $ itMi
>  nCallDur $ itLowBalanceValue1 $ itLowBalanceValue2 $ itCnPNDisplayMode $ itP
>  repaidSubsType $ itAvailDurMsgAuth $ itAccBalMsgAuth $ itOrgChargeCode $ itV
>  alidityTime ))
> olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.5 NAME 'itPrepaidCoupon' DES
>  C 'IskratelprepaidCoupon' MUST ( itPrepaidCin $ itCouponSerialNr $ itCouponS
>  tatus  $ itAmountChargeUnit $ itDateOfValidity)  MAY ( itValidityExtension )
>  )
> objectClass: olcSchemaConfig
> cn: itnetmanager

You need to remove the "olc" from the attribute name.  For 389 it must
be "objectclasses" and "attributetypes".
>
>
> If I try to import this ldif, I get error: 
> Entry "cn=itnetmanager,cn=schema,cn=config" has unknown object class 
> "olcSchemaConfig"
>
> I know that 389 DS doesn't have olcSchemaConfig, but I don't know what to set 
> for objectClass.
You would typically use:

objectclass: top
objectclass: ldapSubentry
objectclass: subschema

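Putting the thread's advice together in one place (Ludwig's: strip the {nnn} ordering tags; Mark's: drop the olc prefix, use top/ldapSubentry/subschema, and target cn=schema rather than cn=config), here is an added Python converter. It is not code from the thread or from 389 DS; the sample export is constructed from the thread's entries, and folding everything into a single cn=schema entry follows the layout of 389's own 99user.ldif schema file.

```python
"""Added example (not the thread's or the 389 DS project's code): convert one
OpenLDAP cn=config schema entry into the cn=schema format 389 DS loads,
applying the three fixes from this thread."""
import re

ORDER_PREFIX = re.compile(r"\{\d+\}")           # OpenLDAP's {nnn} ordering tag
RENAME = {"olcobjectclasses": "objectClasses",  # 389 DS attribute names
          "olcattributetypes": "attributeTypes"}

# Constructed sample modelled on the thread's export (definitions shortened).
SAMPLE = (
    "dn: cn={12}itnetmanager, cn=schema, cn=config\n"
    "olcObjectClasses: {0} ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DES\n"
    " C 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )\n"
    "olcAttributeTypes: {262} ( 1.3.6.1.4.1.1332.1000.10.266 NAME ('itDefaultPolic\n"
    " yProfile') DESC 'Is User Policy Default' EQUALITY booleanMatch\n"
    "  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )\n"
    "objectClass: olcSchemaConfig\n"
    "cn: {12}itnetmanager\n"
)

def unfold(ldif):
    """Join LDIF continuation lines (one leading space) onto the line above."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def convert(ldif):
    """Return 389 DS schema LDIF text for one OpenLDAP olcSchemaConfig entry."""
    defs = {"attributeTypes": [], "objectClasses": []}
    for line in unfold(ldif):
        attr, _, value = line.partition(":")
        target = RENAME.get(attr.strip().lower())
        if target is None:        # dn, cn and objectClass: olcSchemaConfig are
            continue              # replaced by the fixed header below
        value = ORDER_PREFIX.sub("", value, count=1).strip()
        if not (value.startswith("(") and value.endswith(")")):
            raise ValueError("malformed schema definition: " + value)
        defs[target].append(value)
    out = ["dn: cn=schema", "objectclass: top", "objectclass: ldapSubentry",
           "objectclass: subschema", "cn: schema"]
    for attr in ("attributeTypes", "objectClasses"):  # attributes first, so
        out += ["%s: %s" % (attr, v) for v in defs[attr]]  # classes can use them
    return "\n".join(out) + "\n"
```

Running `print(convert(SAMPLE))` yields a file that can be saved as 99user.ldif in the instance schema directory; a definition that did not unfold into a single parenthesised value raises instead of being silently written.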


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-08 Thread b . kalan
Hi, yes, I would need a little more help. I have now deleted most of the records from 
the exported ldif file, so that I have a simple file for editing and testing. I also 
deleted the {xx}.

My ldif file is now:

dn: cn=itnetmanager, cn=schema, cn=config
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DES
 C 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DE
 SC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.3 NAME 'itPrepaidSubAccount'
  DESC 'IskratelprepaidSubAccount' MUST ( itDirectoryNumber $ itAccountStatus
  $ itAccountBalance $ itDateOfLastUsed $ itDateOfExpiry $ itLanguageCode $ i
 tUnsucRechargeAtt $ itStatGroupId $ itPrepaidSetId))
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.4 NAME 'itPrepaidSet' DESC '
 IskratelprepaidSet' MUST ( itPrepaidSetId $ itPrepaidSetName $ itWelcomeMsgM
 ode $ itLanguageMode $ itCbMode $ itRechargeAuth $ itLockAuth $ itRrReqMode 
 $ itMaxCallAtt $ itMaxRechargeAtt $ itSimultCallsAuth $ itLowBalanceWarn $ i
 tNearExpiryWarn $ itNegAccBalance $ itMaxAccBalance $ itSuspensionDur $ itMi
 nCallDur $ itLowBalanceValue1 $ itLowBalanceValue2 $ itCnPNDisplayMode $ itP
 repaidSubsType $ itAvailDurMsgAuth $ itAccBalMsgAuth $ itOrgChargeCode $ itV
 alidityTime ))
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.5 NAME 'itPrepaidCoupon' DES
 C 'IskratelprepaidCoupon' MUST ( itPrepaidCin $ itCouponSerialNr $ itCouponS
 tatus  $ itAmountChargeUnit $ itDateOfValidity)  MAY ( itValidityExtension )
 )
objectClass: olcSchemaConfig
cn: itnetmanager


If I try to import this ldif, I get error: 
Entry "cn=itnetmanager,cn=schema,cn=config" has unknown object class 
"olcSchemaConfig"

I know that 389 DS doesn't have olcSchemaConfig, but I don't know what to set 
for objectClass.


[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-07 Thread William Brown
On Wed, 2017-06-07 at 08:25 +, b.ka...@iskratel.si wrote:
> I'm completely new to LDAP and I have one task to do. The task is
> migration from OpenLDAP to 389 DS.
> I have installed 389 and now I try to import the schema from OpenLDAP.
> First I created an export of the schema from OpenLDAP. 

The schema format between openldap and 389 is pretty different.

I would be approaching this to see if 389 already supports what you need
(we probably do)!

Then from there, you need to identify custom schema on a case by case
basis. It'll be a bit time consuming, but it's the best method here I
think.

Hope that helps, if you need more advice, let me know. 

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane





[389-users] Re: Migration from OpenLDAP to 389 DS

2017-06-07 Thread Ludwig Krispenz
openldap heavily uses the "ordered value or entry prefix", so you have 
numbers {nnn} in the DNs and attributes like:


cn={12}itnetmanager

or

olcAttributeTypes: {262} ...

I would first try to remove this {nnn} stuff and retry


On 06/07/2017 10:25 AM, b.ka...@iskratel.si wrote:

Hi,

I'm completely new to LDAP and I have one task to do. The task is migration from 
OpenLDAP to 389 DS.
I have installed 389 and now I try to import the schema from OpenLDAP. First I 
created an export of the schema from OpenLDAP.

config.ldif was made with the command:   slapcat -F /opt/ldap/mn/slapd.d/ -b 
"cn=config" > conf.ldif
itnetmanager.ldif was made via a Java LDAP browser.

Then I tried to convert these ldif files with the scripts at 
http://www.port389.org/docs/389ds/scripts.html, but I did not succeed.
Can someone help me with how to convert ldif files from OpenLDAP so that they are 
usable for import into 389 DS?

Here are a few rows from both files:

itnetmanager_schema_export.ldif
dn: cn={12}itnetmanager, cn=schema, cn=config
olcObjectClasses: {0} ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DES
  C 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
olcObjectClasses: {1} ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DE
  SC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
olcObjectClasses: {2} ( 1.3.6.1.4.1.1332.1000.30.3 NAME 'itPrepaidSubAccount'
   DESC 'IskratelprepaidSubAccount' MUST ( itDirectoryNumber $ itAccountStatus
   $ itAccountBalance $ itDateOfLastUsed $ itDateOfExpiry $ itLanguageCode $ i
  tUnsucRechargeAtt $ itStatGroupId $ itPrepaidSetId))
olcObjectClasses: {3} ( 1.3.6.1.4.1.1332.1000.30.4 NAME 'itPrepaidSet' DESC '
  IskratelprepaidSet' MUST ( itPrepaidSetId $ itPrepaidSetName $ itWelcomeMsgM
  ode $ itLanguageMode $ itCbMode $ itRechargeAuth $ itLockAuth $ itRrReqMode
  $ itMaxCallAtt $ itMaxRechargeAtt $ itSimultCallsAuth $ itLowBalanceWarn $ i
  tNearExpiryWarn $ itNegAccBalance $ itMaxAccBalance $ itSuspensionDur $ itMi
  nCallDur $ itLowBalanceValue1 $ itLowBalanceValue2 $ itCnPNDisplayMode $ itP
  repaidSubsType $ itAvailDurMsgAuth $ itAccBalMsgAuth $ itOrgChargeCode $ itV
  alidityTime ))
...
olcAttributeTypes: {262} ( 1.3.6.1.4.1.1332.1000.10.266 NAME ('itDefaultPolic
  yProfile') DESC 'Is User Policy Default' EQUALITY booleanMatch SUBSTR caseIg
  noreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {263} ( 1.3.6.1.4.1.1332.1000.10.267 NAME ('itPasswordHist
  ory') DESC 'User Password History' EQUALITY caseIgnoreMatch SUBSTR caseIgnor
  eSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectClass: olcSchemaConfig
cn: {12}itnetmanager



config.ldif
dn: cn=config
olcLogLevel: 0
olcConnMaxPending: 100
olcConcurrency: 0
olcWriteTimeout: 0
olcArgsFile: /var/run/openldap/slapd_mn.args
olcIndexSubstrAnyStep: 2
olcSockbufMaxIncoming: 262143
olcTLSCertificateKeyFile: /opt/ldap/mn/certs/password
objectClass: olcGlobal
olcIndexIntLen: 4
olcConnMaxPendingAuth: 1000
olcTLSCertificateFile: "OpenLDAP Server"
cn: config
olcIndexSubstrIfMinLen: 2
olcAttributeOptions: lang-
olcPidFile: /var/run/openldap/slapd_mn.pid
olcConfigDir: /opt/ldap/mn/slapd.d/
olcReverseLookup: FALSE
olcGentleHUP: FALSE
olcTLSCACertificatePath: /opt/ldap/mn/certs
olcReadOnly: FALSE
olcTLSVerifyClient: never
olcThreads: 16
olcIndexSubstrAnyLen: 4
olcToolThreads: 1
olcSockbufMaxIncomingAuth: 16777215
olcIdleTimeout: 0
olcSaslSecProps: noplain,noanonymous
olcConfigFile: /opt/ldap/mn/slapd.conf
olcAuthzPolicy: none
olcIndexSubstrIfMaxLen: 4
olcAllows: bind_v2
olcLocalSSF: 71

dn: cn=schema, cn=config
olcObjectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABS
  TRACT MUST objectClass )
olcObjectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC
   'RFC4512: extensible object' SUP top AUXILIARY )
olcObjectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC4512: an alias' SUP top STR
  UCTURAL MUST aliasedObjectName )
...
olcAccess: {2}to attrs=itPasswordFtp  by group/groupOfUniqueNames/uniqueMembe
  r.exact="cn=adminrole,ou=group,l=Kranj,c=SI" write  by * none
olcAccess: {3}to attrs=itPasswordDb  by group/groupOfUniqueNames/uniqueMember
  .exact="cn=adminrole,ou=group,l=Kranj,c=SI" write  by * none
olcDbConfig: {0}# Set location for txn log files
olcDbConfig: {1}set_lg_dir /opt/ldap/mn/ldapDB
olcDbConfig: {2}# Set cache size 20MB
olcDbConfig: {3}set_cachesize 0 20971520 0
olcDbConfig: {4}set_lg_regionmax 262144
olcDbConfig: {5}set_lg_bsize 2097152
olcDbConfig: {6}# Automatically remove log files that are no longer needed.
olcDbConfig: {7}set_flags DB_LOG_AUTOREMOVE
olcDbConfig: {8}# Just use these settings when doing slapadd...
olcDbConfig: {9}# set_flags DB_TXN_NOSYNC
olcDbIDLcacheSize: 0
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDbShmKey: 0
olcMaxDerefDepth: 10
olcLastMod: TRUE
olcDbCacheFree: 5
olcDbCacheSize: 15
olcDbDirtyRead: FALSE
olcReadOnly: FALSE
olcDbSearchStack: 16
olcDatabase: {2}bdb
olcDbDNcacheSize: 0
olcRootPW: {