[389-users] Re: Migration from OpenLDAP to 389 DS
Hi,

I succeeded, and I am writing here just in case someone else needs it. I had to add rights to these two users. My ldif file:

dn: l=Kranj,c=si
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0; acl "give sysadmin full rights"; allow(all) (userdn = "ldap:///uid=mnadmin,ou=User,l=Kranj,c=SI" or userdn = "ldap:///uid=sysadmin,ou=User,l=Kranj,c=SI" or userdn = "ldap:///uid=openmnadmin,ou=User,l=Kranj,c=SI");)

BR,
Blaz

___
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
[389-users] Re: Migration from OpenLDAP to 389 DS
On Thu, 2017-06-22 at 13:45 +0200, Ludwig Krispenz wrote:
> Hi,
>
> 389-ds has an access control mechanism which allows fine grained access
> to entries, attributes for different types of operation and based on
> various criteria like dn, group membership, role, and you should get
> familiar with the basics before just adding specific acis:
>
> https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control
>
> for your specific request you could do something like:
>
> dn: l=kranj,c=si
> aci: (targetattr = "*")(version 3.0; acl "Admin rights"; allow( all ) userdn = "ldap:///uid=mnadmin,ou=user,l=Kranj,c=si";)
>
> note that in 389-ds acis have to be placed at the top of the subtree they
> should apply to

Another tip is to always use targetattr = "attr" rather than targetattr !=. != causes lots of problems; it's better to be explicit in what is allowed.

--
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
[389-users] Re: Migration from OpenLDAP to 389 DS
Hi,

389-ds has an access control mechanism which allows fine grained access to entries, attributes for different types of operation and based on various criteria like dn, group membership, role, and you should get familiar with the basics before just adding specific acis:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control

for your specific request you could do something like:

dn: l=kranj,c=si
aci: (targetattr = "*")(version 3.0; acl "Admin rights"; allow( all ) userdn = "ldap:///uid=mnadmin,ou=user,l=Kranj,c=si";)

note that in 389-ds acis have to be placed at the top of the subtree they should apply to

Ludwig

On 06/22/2017 12:31 PM, Kalan Blaz wrote:
> Hi Mark,
>
> Thank you very much for your help. Now I have hit another problem and maybe you can help me.
>
> In OpenLDAP we have two "super users" which have read/write/delete access for the whole tree. Now in 389 DS I can make changes or view the data only if I log in as cn=directory manager. All my "super users" are already in the 389 DS database, but I do not know how to set them proper rights.
>
> Here is an example with ldapsearch:
>
> ldapsearch -D "cn=directory manager" -w iskratel -b "l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
> # numResponses: 108
>
> ldapsearch -D "uid=mnadmin,ou=user,l=Kranj,c=si" -w mzPLlgQ3 -b "l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
> # numResponses: 1
>
> So my question here is, what must I do so that user mnadmin has r/w/d permissions and will see the same tree as directory manager does?
>
> Best regards,
> Blaz

--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
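The ACIs quoted in this thread (Blaz's final three-user ACI, Ludwig's suggestion, and the anonymous-read ACI on cn=schema from the 99user.ldif posted elsewhere in the thread), parsed and checked with a small Python script. This is an added example for readers of the archive, not code from the thread or from 389 DS. It covers only the common (target...)(targetattr ...)(version 3.0; acl "..."; allow|deny (rights) bindrule;) shape, flags targetattr != as William advises, and flags allow (all) granted to ldap:///anyone or ldap:///all. The fourth ACI ("too broad") is constructed to trigger that second check. Placement cannot be checked from the string, so Ludwig's point that the ACI has to sit at the top of the subtree it should cover still has to be verified by hand.

```python
"""Parse 389 DS ACIs and flag two patterns discussed in this thread.

Added example, not 389 DS code. Handles the common shape
  (target...)(targetattr ...)(version 3.0; acl "name"; allow|deny (rights) bindrule;)
Macro ACIs and targattrfilters are out of scope.
"""
import re

TARGET_RE = re.compile(r'\((target\w*)\s*(!?=)\s*"([^"]*)"\s*\)', re.I)
VERSION_RE = re.compile(r'\(version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.I | re.S)
RULE_RE = re.compile(r'(allow|deny)\s*\(\s*([^)]*)\)\s*(.*?);', re.I | re.S)
SUBJECT_RE = re.compile(r'(userdn|groupdn|roledn)\s*(!?=)\s*"([^"]*)"', re.I)
EVERYONE = ("ldap:///anyone", "ldap:///all")  # anonymous included / any authenticated user


def parse_aci(aci):
    """Return {'name', 'targets': [(keyword, op, value)],
               'rules': [(allow|deny, [rights], [(keyword, op, url)])]}."""
    m = VERSION_RE.search(aci)
    if not m:
        raise ValueError("no (version 3.0; acl ...) clause found")
    # everything before the version clause is the target part
    targets = [(kw.lower(), op, val) for kw, op, val in TARGET_RE.findall(aci[:m.start()])]
    rules = []
    for kind, rights, bindrule in RULE_RE.findall(m.group(2)):
        subjects = [(kw.lower(), op, url) for kw, op, url in SUBJECT_RE.findall(bindrule)]
        rules.append((kind.lower(),
                      [r.strip().lower() for r in rights.split(",") if r.strip()],
                      subjects))
    return {"name": m.group(1), "targets": targets, "rules": rules}


def lint_aci(aci):
    """Findings as strings; an empty list means neither pattern is present."""
    p = parse_aci(aci)
    findings = []
    for kw, op, val in p["targets"]:
        if kw == "targetattr" and op == "!=":
            findings.append(f'{p["name"]}: targetattr != "{val}" covers every attribute except '
                            f'{val}, including attributes added by later schema; list the '
                            'allowed attributes explicitly')
    for kind, rights, subjects in p["rules"]:
        if kind == "allow" and "all" in rights:
            for _, op, url in subjects:
                if op == "=" and url.lower() in EVERYONE:
                    findings.append(f'{p["name"]}: allow (all) is granted to {url}')
    return findings


# The first three are taken from the thread (archive artefacts around the quotes
# removed); "constructed" is made up for this example to trigger the second check.
ACIS = {
    "blaz": '(targetattr = "*") (version 3.0; acl "give sysadmin full rights"; allow(all) '
            '(userdn = "ldap:///uid=mnadmin,ou=User,l=Kranj,c=SI" or '
            'userdn = "ldap:///uid=sysadmin,ou=User,l=Kranj,c=SI" or '
            'userdn = "ldap:///uid=openmnadmin,ou=User,l=Kranj,c=SI");)',
    "ludwig": '(targetattr = "*")(version 3.0; acl "Admin rights"; allow( all ) '
              'userdn = "ldap:///uid=mnadmin,ou=user,l=Kranj,c=si";)',
    "schema": '(target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; '
              'allow (read, search, compare) userdn = "ldap:///anyone";)',
    "constructed": '(targetattr = "*")(version 3.0; acl "too broad"; allow (all) userdn = "ldap:///anyone";)',
}

if __name__ == "__main__":
    for label, aci in ACIS.items():
        p = parse_aci(aci)
        print(f"{label}: acl {p['name']!r}, {len(p['targets'])} target(s), {len(p['rules'])} rule(s)")
        for finding in lint_aci(aci):
            print("  WARNING:", finding)
```

Run it against the aci values from an ldapsearch of your suffix (the aci attribute is operational, so ask for it explicitly) to spot negated targetattr clauses and blanket grants before they go into production.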
[389-users] Re: Migration from OpenLDAP to 389 DS
Hi Mark,

Thank you very much for your help. Now I have hit another problem and maybe you can help me.

In OpenLDAP we have two "super users" which have read/write/delete access for the whole tree. Now in 389 DS I can make changes or view the data only if I log in as cn=directory manager. All my "super users" are already in the 389 DS database, but I do not know how to set them proper rights.

Here is an example with ldapsearch:

ldapsearch -D "cn=directory manager" -w iskratel -b "l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 108

ldapsearch -D "uid=mnadmin,ou=user,l=Kranj,c=si" -w mzPLlgQ3 -b "l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 1

So my question here is, what must I do so that user mnadmin has r/w/d permissions and will see the same tree as directory manager does?

Best regards,
Blaz
[389-users] Re: Migration from OpenLDAP to 389 DS
On 06/19/2017 03:14 AM, Blaz Kalan wrote:
> I added these two lines to 99user.ldif:
>
> ObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI )
> AttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uniform Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
>
> And it looks fine.
>
> But for
> AttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change sequence number of the entry content' EQUALITY CSNMatch ORDERING CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
>
> I get an error:
> (Invalid syntax) - attribute type entryCSN: Unknown attribute syntax OID "1.3.6.1.4.1.4203.666.11.2.1"

Well, you can change the syntax to 1.3.6.1.4.1.1466.115.121.1.15, or remove entryCSN from the user ldif. entryCSN is only used by OpenLDAP's replication protocol; it serves no purpose in 389 and can be removed if you want to.

Regards,
Mark

>
> BR,
> Blaz
[389-users] Re: Migration from OpenLDAP to 389 DS
I added these two lines to 99user.ldif:

ObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI )
AttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uniform Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

And it looks fine.

But for
AttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change sequence number of the entry content' EQUALITY CSNMatch ORDERING CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

I get an error:
(Invalid syntax) - attribute type entryCSN: Unknown attribute syntax OID "1.3.6.1.4.1.4203.666.11.2.1"

BR,
Blaz
[389-users] Re: Migration from OpenLDAP to 389 DS
Hi,

yes, I found all these attributes and the class in the openLDAP schema files; there is:

olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change sequence number of the entry content' EQUALITY CSNMatch ORDERING CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

olcObjectClasses: {23}( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI )

olcAttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uniform Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

Br,
Blaz
[389-users] Re: Migration from OpenLDAP to 389 DS
On 06/16/2017 02:58 AM, Blaz Kalan wrote:
> Hi Mark, thank you very much.
> I actually always imported data with a Java LDAP browser/editor. Now I tried with ldapmodify and I succeeded with the user passwords.
>
> Now I have only a few unresolved things.
>
> For the attribute entryUUID in the exported data I use nsuniqueid for the 389 import.
>
> But I do not know which attributes represent these tree attributes from openLDAP:
> 'Object class violation. unknown object class "labeledURIObject"
> 'Object class violation. attribute "labeledURI" not allowed
> 'Object class violation. attribute "entryCSN" not allowed
>
> Which object and attributes should I use instead of them?

The server itself does not use these attributes, so this is really what your clients would need. Only you can answer that :)

Anyway somewhere in your openldap environment this schema is defined, and it has not been migrated to 389 yet. Sorry I don't know Openldap so I can not tell you where to find it, but it should be there somewhere.

>
> Best regards,
> Blaz
[389-users] Re: Migration from OpenLDAP to 389 DS
Hi Mark, thank you very much.

I actually always imported data with a Java LDAP browser/editor. Now I tried with ldapmodify and I succeeded with the user passwords.

Now I have only a few unresolved things.

For the attribute entryUUID in the exported data I use nsuniqueid for the 389 import.

But I do not know which attributes represent these tree attributes from openLDAP:
'Object class violation. unknown object class "labeledURIObject"
'Object class violation. attribute "labeledURI" not allowed
'Object class violation. attribute "entryCSN" not allowed

Which object and attributes should I use instead of them?

Best regards,
Blaz
[389-users] Re: Migration from OpenLDAP to 389 DS
On 06/15/2017 07:48 AM, Blaz Kalan wrote:
> Hi,
>
> Sorry, I checked again and we use base64 coded passwords:
> userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=

The server always base64 encodes passwords - that is fine and expected

>
> what do you suggest in this case?
>
> But even if I try with md5, I get an error.
>
> ldif:
> dn: uid=mnadmin,ou=User,l=Kranj,c=SI
> uid: mnadmin
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: person
> objectClass: itUserOC
> description: Administrator
> sn: mnadmin
> cn: mnadmin
> userPassword: {MD5}CY9rzUYh03PK3k6DJie09g==
> structuralObjectClass: inetOrgPerson
> nsuniqueid: 2cec3dde-17dd-1035-945a-f5630028a5a6
> creatorsName: cn=ldapadmin,l=Kranj,c=SI
> createTimestamp: 20151105074714Z
> itUserLocked: FALSE
> itSuperUser: TRUE
> itPasswordExpire: 200504101330Z
> itLastLogin: 200504101330Z
> modifiersName: uid=mnadmin,ou=User,l=Kranj,c=SI
> modifyTimestamp: 20151105074859Z
>
>
> error:
> Error adding object 'dn: uid=mnadmin,ou=User,l=Kranj,c=SI'. The error sent by the server was 'Constraint violation. invalid password syntax - passwords with storage scheme are not allowed'.
> The object is: LDAPEntry: uid=mnadmin,ou=User,l=Kranj,c=SI; LDAPAttributeSet:
> LDAPAttribute {type='itsuperuser', values='TRUE'}
> LDAPAttribute {type='itlastlogin', values='200504101330Z'}
> LDAPAttribute {type='sn', values='mnadmin'}
> LDAPAttribute {type='userpassword', values='{MD5}CY9rzUYh03PK3k6DJie09g=='}
> LDAPAttribute {type='objectclass', values='inetOrgPerson,organizationalPerson,person,itUserOC'}
> LDAPAttribute {type='uid', values='mnadmin'}
> LDAPAttribute {type='ituserlocked', values='FALSE'}
> LDAPAttribute {type='modifytimestamp', values='20151105074859Z'}
> LDAPAttribute {type='modifiersname', values='uid=mnadmin,ou=User,l=Kranj,c=SI'}
> LDAPAttribute {type='nsuniqueid', values='2cec3dde-17dd-1035-945a-f5630028a5a6'}
> LDAPAttribute {type='createtimestamp', values='20151105074714Z'}
> LDAPAttribute {type='creatorsname', values='cn=ldapadmin,l=Kranj,c=SI'}
> LDAPAttribute {type='cn', values='mnadmin'}
> LDAPAttribute {type='itpasswordexpire', values='200504101330Z'}
> LDAPAttribute {type='description', values='Administrator'}
> LDAPAttribute {type='structuralobjectclass', values='inetOrgPerson'}.

Okay this is expected if you try and add a prehashed password as a regular user. So how are you adding these entries exactly? If you are using ldapmodify, then you need to bind as the directory manager to bypass these constraints. Or, import the entire user ldif using ldif2db which also bypasses these checks.

Regards,
Mark

>
> Thank you very much.
> BR,
> Blaz
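To see what is actually being imported, here is an added Python example (not from the thread and not 389 DS code) that decodes the base64 "userPassword::" form from an OpenLDAP export, splits off the {SCHEME} prefix, verifies a candidate plaintext against {MD5}/{SHA}/{SSHA}/{CLEAR} values, and lists the entries that carry a pre-hashed value and therefore need the add to run as Directory Manager or through ldif2db, as Mark says. The sample LDIF is constructed: the mnadmin line is the base64 value quoted above, the other two entries are made up. The value {MD5}CY9rzUYh03PK3k6DJie09g== quoted in the thread is the MD5 of the string "test".

```python
"""Check userPassword values in an OpenLDAP export before importing into 389 DS.

Added example for this thread, not 389 DS code. 389 DS refuses a userPassword
that already carries a {SCHEME} prefix when the add is done by an ordinary
bind; the add has to run as Directory Manager or go through ldif2db (see
Mark's reply). This script finds those entries and lets you verify that the
exported hashes still match known plaintexts before you import them.
"""
import base64
import hashlib


def decode_ldif_value(line):
    """Split one LDIF line into (attribute, raw bytes); 'attr:: xxx' is base64."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr.strip(), base64.b64decode(rest[1:].strip())
    return attr.strip(), rest.strip().encode()


def split_scheme(stored):
    """b'{MD5}abc==' -> ('MD5', 'abc=='); a value without a prefix -> (None, value)."""
    text = stored.decode() if isinstance(stored, bytes) else stored
    if text.startswith("{") and "}" in text:
        scheme, _, rest = text[1:].partition("}")
        return scheme.upper(), rest
    return None, text


def make_ssha(password, salt):
    """Build a {SSHA} value as OpenLDAP and 389 DS store it: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(stored, candidate):
    """True if candidate is the plaintext behind a {CLEAR}/{MD5}/{SHA}/{SSHA} or plain value."""
    scheme, data = split_scheme(stored)
    pw = candidate.encode()
    if scheme in (None, "CLEAR"):
        return data == candidate
    if scheme == "MD5":
        return base64.b64decode(data) == hashlib.md5(pw).digest()
    if scheme == "SHA":
        return base64.b64decode(data) == hashlib.sha1(pw).digest()
    if scheme == "SSHA":
        raw = base64.b64decode(data)
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes, the salt follows it
        return hashlib.sha1(pw + salt).digest() == digest
    raise ValueError(f"unsupported password scheme {{{scheme}}}")


def prehashed_entries(ldif_text):
    """Return [(dn, scheme)] for entries whose userPassword carries a storage scheme."""
    found, dn = [], None
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn:"):
            dn = decode_ldif_value(line)[1].decode()
        elif line.lower().startswith("userpassword:") and dn:
            scheme, _ = split_scheme(decode_ldif_value(line)[1])
            if scheme:
                found.append((dn, scheme))
    return found


# Constructed sample: the mnadmin line is the base64 value quoted in the thread;
# the other two entries are made up for this example.
SAMPLE_LDIF = """dn: uid=mnadmin,ou=User,l=Kranj,c=SI
objectClass: inetOrgPerson
uid: mnadmin
userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=

dn: uid=tester,ou=User,l=Kranj,c=SI
objectClass: inetOrgPerson
uid: tester
userPassword: {MD5}CY9rzUYh03PK3k6DJie09g==

dn: uid=plain,ou=User,l=Kranj,c=SI
objectClass: inetOrgPerson
uid: plain
userPassword: test
"""

if __name__ == "__main__":
    for dn, scheme in prehashed_entries(SAMPLE_LDIF):
        print(f"{dn}: pre-hashed ({scheme}); add as Directory Manager or via ldif2db")
    print("mnadmin decodes to",
          decode_ldif_value("userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=")[1])
    print("{MD5}CY9rzUYh03PK3k6DJie09g== is 'test':",
          verify("{MD5}CY9rzUYh03PK3k6DJie09g==", "test"))
```

Unsalted {MD5} and {SHA} values like the ones in this export are trivially brute-forced once the LDIF leaves the server, so keep the export file as protected as the database and move the accounts to a salted scheme (or force a password change) after the migration.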
[389-users] Re: Migration from OpenLDAP to 389 DS
Hi,

Sorry, I checked again and we use base64 coded passwords:
userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=

what do you suggest in this case?

But even if I try with md5, I get an error.

ldif:
dn: uid=mnadmin,ou=User,l=Kranj,c=SI
uid: mnadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: itUserOC
description: Administrator
sn: mnadmin
cn: mnadmin
userPassword: {MD5}CY9rzUYh03PK3k6DJie09g==
structuralObjectClass: inetOrgPerson
nsuniqueid: 2cec3dde-17dd-1035-945a-f5630028a5a6
creatorsName: cn=ldapadmin,l=Kranj,c=SI
createTimestamp: 20151105074714Z
itUserLocked: FALSE
itSuperUser: TRUE
itPasswordExpire: 200504101330Z
itLastLogin: 200504101330Z
modifiersName: uid=mnadmin,ou=User,l=Kranj,c=SI
modifyTimestamp: 20151105074859Z

error:
Error adding object 'dn: uid=mnadmin,ou=User,l=Kranj,c=SI'. The error sent by the server was 'Constraint violation. invalid password syntax - passwords with storage scheme are not allowed'.
The object is: LDAPEntry: uid=mnadmin,ou=User,l=Kranj,c=SI; LDAPAttributeSet:
LDAPAttribute {type='itsuperuser', values='TRUE'}
LDAPAttribute {type='itlastlogin', values='200504101330Z'}
LDAPAttribute {type='sn', values='mnadmin'}
LDAPAttribute {type='userpassword', values='{MD5}CY9rzUYh03PK3k6DJie09g=='}
LDAPAttribute {type='objectclass', values='inetOrgPerson,organizationalPerson,person,itUserOC'}
LDAPAttribute {type='uid', values='mnadmin'}
LDAPAttribute {type='ituserlocked', values='FALSE'}
LDAPAttribute {type='modifytimestamp', values='20151105074859Z'}
LDAPAttribute {type='modifiersname', values='uid=mnadmin,ou=User,l=Kranj,c=SI'}
LDAPAttribute {type='nsuniqueid', values='2cec3dde-17dd-1035-945a-f5630028a5a6'}
LDAPAttribute {type='createtimestamp', values='20151105074714Z'}
LDAPAttribute {type='creatorsname', values='cn=ldapadmin,l=Kranj,c=SI'}
LDAPAttribute {type='cn', values='mnadmin'}
LDAPAttribute {type='itpasswordexpire', values='200504101330Z'}
LDAPAttribute {type='description', values='Administrator'}
LDAPAttribute {type='structuralobjectclass', values='inetOrgPerson'}.

Thank you very much.
BR,
Blaz
[389-users] Re: Migration from OpenLDAP to 389 DS
On 06/14/2017 07:41 AM, Blaz Kalan wrote:
> Hi again,
>
> Finally it looks like I have somehow succeeded with importing data from openLDAP to 389 DS, but I had to do a few things about which I am not sure if they are OK.
>
> I changed 99user.ldif to:
> dn: cn=schema
> objectClass: top
> objectClass: ldapSubentry
> objectClass: subschema
> cn: schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-blegos,cn=389 Directory Server,cn=Server Group,cn=blegos.csi.iskratel.mak,ou=csi.iskratel.mak,o=NetscapeRoot";)
> modifiersName: cn=directory manager
> modifyTimestamp: 20170526075714Z
> numSubordinates: 1
> objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
> objectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
> …
>
> It looks OK. I also see the added attributes with 389-console.
>
> When I am importing the data I receive these errors:
>
> The error sent by the server was 'Object class violation. attribute "entryuuid" not allowed
> The error sent by the server was 'Object class violation. attribute "entrycsn" not allowed
> The error sent by the server was 'Object class violation. unknown object class "labeledURIObject"
> The error sent by the server was 'Object class violation. attribute "labeledURI" not allowed

These attributes are not part of 389's standard schema. So that implies there is still more Openldap schema to migrate to 389 before you should try the import.

>
> Here I just deleted those rows with these commands (I am not sure what the right way is here):
>
> sed -i "/\b\(entryUUID\)\b/d" data_from_openLDAP.ldif
> sed -i "/\b\(entryCSN\)\b/d" data_from_openLDAP.ldif
> sed -i "/\b\(labeledURIObject\)\b/d" data_from_openLDAP.ldif
> sed -i "/\b\(labeledURI\)\b/d" data_from_openLDAP.ldif
>
> Another error was:
> Error: the SUBSTR matching rule [caseIgnoreSubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.27] for the attribute [itUserPolicyProfileId]

Syntax 1.3.6.1.4.1.1466.115.121.1.27 is an "integer" syntax. A caseIgnore matching rule does not apply to a number. So this error makes sense and is correct.

>
> Here again I just deleted all "SUBSTR caseIgnoreSubstringsMatch" from the exported data ldif file. (What here?)

Well it should be removed from attributes that use the integer syntax, but for other syntaxes you might need/want it. So you need to look through each attribute and confirm what its syntax is before removing the matching rule.

>
> Then I had to change all user passwords, because I cannot import md5 passwords. Is there probably a setting while exporting data so that passwords are in plain text?

389 does support MD5 passwords, so the password below should work fine. Are you getting errors?

Regards,
Mark

> So the change was from:
> userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=
> to:
> userPassword: test
>
>
> After that, import succeeded.
>
> Best Regards,
> Blaz
[389-users] Re: Migration from OpenLDAP to 389 DS
Hi again,

Finally it looks like I have somehow succeeded with importing data from openLDAP to 389 DS, but I had to do a few things about which I am not sure if they are OK.

I changed 99user.ldif to:

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-blegos,cn=389 Directory Server,cn=Server Group,cn=blegos.csi.iskratel.mak,ou=csi.iskratel.mak,o=NetscapeRoot";)
modifiersName: cn=directory manager
modifyTimestamp: 20170526075714Z
numSubordinates: 1
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
…

It looks OK. I also see the added attributes with 389-console.

When I am importing the data I receive these errors:

The error sent by the server was 'Object class violation. attribute "entryuuid" not allowed
The error sent by the server was 'Object class violation. attribute "entrycsn" not allowed
The error sent by the server was 'Object class violation. unknown object class "labeledURIObject"
The error sent by the server was 'Object class violation. attribute "labeledURI" not allowed

Here I just deleted those rows with these commands (I am not sure what the right way is here):

sed -i "/\b\(entryUUID\)\b/d" data_from_openLDAP.ldif
sed -i "/\b\(entryCSN\)\b/d" data_from_openLDAP.ldif
sed -i "/\b\(labeledURIObject\)\b/d" data_from_openLDAP.ldif
sed -i "/\b\(labeledURI\)\b/d" data_from_openLDAP.ldif

Another error was:
Error: the SUBSTR matching rule [caseIgnoreSubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.27] for the attribute [itUserPolicyProfileId]

Here again I just deleted all "SUBSTR caseIgnoreSubstringsMatch" from the exported data ldif file. (What here?)

Then I had to change all user passwords, because I cannot import md5 passwords. Is there probably a setting while exporting data so that passwords are in plain text?

So the change was from:
userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=
to:
userPassword: test

After that, import succeeded.

Best Regards,
Blaz
[389-users] Re: Migration from OpenLDAP to 389 DS
Hi,

thank you very much for your help, but I still have problems :(

I added the schema to 99user.ldif:

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymous, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-blegos,cn=389 Directory Server,cn=Server Group,cn=blegos.csi.iskratel.mak,ou=csi.iskratel.mak,o=NetscapeRoot";)
modifiersName: cn=directory manager
modifyTimestamp: 20170526075714Z
numSubordinates: 1

dn: cn=itnetmanager,cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: itnetmanager
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20170613072328Z
modifyTimestamp: 20170613072328Z

dn: cn=itnetmanager, cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
...

and I do not have any errors when I restart dirsrv:

[13/Jun/2017:12:42:45.703352975 +0200] slapd shutting down - signaling operation threads - op stack size 0 max work q size 0 max work q stack size 0
[13/Jun/2017:12:42:45.725145416 +0200] slapd shutting down - closing down internal subsystems and plugins
[13/Jun/2017:12:42:45.760637613 +0200] Waiting for 4 database threads to stop
[13/Jun/2017:12:42:46.080192896 +0200] All database threads now stopped
[13/Jun/2017:12:42:46.107869191 +0200] slapd shutting down - freed 0 work q stack objects - freed 0 op stack objects
[13/Jun/2017:12:42:46.173323031 +0200] slapd stopped.
[13/Jun/2017:12:42:46.397936154 +0200] 389-Directory/1.3.5.10 B2017.102.203 starting up
[13/Jun/2017:12:42:46.552160523 +0200] slapd started. Listening on All Interfaces port 389 for LDAP requests

But when I try to import the exported data (from openldap) into 389 DS with 389-console, I get these errors:

Error adding object 'dn: itSnmpProfileId=SNMP_V2C,ou=SnmpProfile,l=Kranj,c=SI'. The error sent by the server was 'Object class violation. unknown object class "itSnmpProfileOC"
Error adding object 'dn: itProductId=ES_KONTRON,ou=Product,l=Kranj,c=SI'. The error sent by the server was 'Object class violation. unknown object class "itProductOC"
...

So it looks like the schema is not picked up (because I have all these classes in 99user.ldif).

The second most common error in the reject file is:

Error adding object 'dn: itContainerId=1048870,ou=Container,l=Kranj,c=SI'. The error sent by the server was 'Object class violation. unknown object class "labeledURIObject"

Data is:

dn: itContainerId=1048870,ou=Container,l=Kranj,c=SI
itSerialNumber: 10
itParentContainerId: 1048860
itContainerName: 16/10
itRegType: 1
objectClass: itContainerOC
objectClass: labeledURIObject
itConfigurationNeeded: FALSE
itContainerStatus: 0
itContainerType: 2
itContainerId: 1048870
structuralObjectClass: itContainerOC
creatorsName: uid=mnadmin,ou=User,l=Kranj,c=SI
createTimestamp: 20160610065455Z
modifiersName: uid=mnadmin,ou=User,l=Kranj,c=SI
modifyTimestamp: 20160610065455Z

Could you please help me also with these two problems? Thanks!

Best regards,
Blaz
[389-users] Re: Migration from OpenLDAP to 389 DS
On 06/09/2017 03:32 AM, Blaz Kalan wrote:
> Hi, thank you all. Now I am a little further.
>
> My current tmp ldif file is as follows:
>
> dn: cn=schema, cn=config
> objectclass: top
> objectclass: ldapSubentry
> objectclass: subschema
>
> dn: cn=itnetmanager, cn=schema, cn=config
> objectclass: top
> objectclass: ldapSubentry
> objectclass: subschema
>
> objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin ) )
> attributeTypes: ( 1.3.6.1.4.1.1332.1000.10.1 NAME ('itPrepaidPin' 'ppin') DESC 'IskratelprepaidPIN' EQUALITY numericStringMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE )
>
> When I try to import this file, I do not get any errors, and I can see the schema and itnetmanager "folders" with the ldap browser. But I cannot see any entries (objectClasses or attributeTypes). What am I still doing wrong?

This is the expected behavior as "attributeTypes" and "objectClasses" are operational attributes. The client needs to explicitly ask for them. Here is an example with ldapsearch:

ldapsearch -D "cn=directory manager" -w password -b "cn=schema" objectclass=top attributetypes objectclasses

But... I want to point something else out that will cause issues for you next... You are adding schema under "cn=config" - that is incorrect. It should be added under "cn=schema", otherwise it will not be picked up by the server. So just strip off cn=config from the DN's in your ldif. Then you add it via ldapmodify, or just drop the ldif file (naming it 99user.ldif first) into the server's schema dir and restart the server:

/etc/dirsrv/slapd-INSTANCE/schema

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/extending_the_directory_schema#extending-the-schema

Regards,
Mark

> Thank you!
[389-users] Re: Migration from OpenLDAP to 389 DS
Hi, thank you all. Now I am a little further.

My current tmp ldif file is as follows:

dn: cn=schema, cn=config
objectclass: top
objectclass: ldapSubentry
objectclass: subschema

dn: cn=itnetmanager, cn=schema, cn=config
objectclass: top
objectclass: ldapSubentry
objectclass: subschema

objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin ) )
attributeTypes: ( 1.3.6.1.4.1.1332.1000.10.1 NAME ('itPrepaidPin' 'ppin') DESC 'IskratelprepaidPIN' EQUALITY numericStringMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE )

When I try to import this file, I do not get any errors, and I can see the schema and itnetmanager "folders" with the ldap browser. But I cannot see any entries (objectClasses or attributeTypes). What am I still doing wrong?

Thank you!
[389-users] Re: Migration from OpenLDAP to 389 DS
On 06/08/2017 03:05 AM, b.ka...@iskratel.si wrote:
> Hi, yes, I would need a little more help. Now I have deleted most of the records from the exported ldif file, so that I have a simple file for editing and testing. I also deleted {xx}.
>
> My ldif file is now:
>
> dn: cn=itnetmanager, cn=schema, cn=config
> olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
> olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
> olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.3 NAME 'itPrepaidSubAccount' DESC 'IskratelprepaidSubAccount' MUST ( itDirectoryNumber $ itAccountStatus $ itAccountBalance $ itDateOfLastUsed $ itDateOfExpiry $ itLanguageCode $ itUnsucRechargeAtt $ itStatGroupId $ itPrepaidSetId ) )
> olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.4 NAME 'itPrepaidSet' DESC 'IskratelprepaidSet' MUST ( itPrepaidSetId $ itPrepaidSetName $ itWelcomeMsgMode $ itLanguageMode $ itCbMode $ itRechargeAuth $ itLockAuth $ itRrReqMode $ itMaxCallAtt $ itMaxRechargeAtt $ itSimultCallsAuth $ itLowBalanceWarn $ itNearExpiryWarn $ itNegAccBalance $ itMaxAccBalance $ itSuspensionDur $ itMinCallDur $ itLowBalanceValue1 $ itLowBalanceValue2 $ itCnPNDisplayMode $ itPrepaidSubsType $ itAvailDurMsgAuth $ itAccBalMsgAuth $ itOrgChargeCode $ itValidityTime ) )
> olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.5 NAME 'itPrepaidCoupon' DESC 'IskratelprepaidCoupon' MUST ( itPrepaidCin $ itCouponSerialNr $ itCouponStatus $ itAmountChargeUnit $ itDateOfValidity ) MAY ( itValidityExtension ) )
> objectClass: olcSchemaConfig
> cn: itnetmanager

You need to remove the "olc" from the attribute name. For 389 it must be "objectclasses", and "attributetypes"

>
>
> If I try to import this ldif, I get the error:
> Entry "cn=itnetmanager,cn=schema,cn=config" has unknown object class "olcSchemaConfig"
>
> I know that 389 DS doesn't have olcSchemaConfig, but I don't know what to set for objectClass.

You would typically use:

objectclass: top
objectclass: ldapSubentry
objectclass: subschema
[389-users] Re: Migration from OpenLDAP to 389 DS
Hi, yes, I would need a little more help. Now I have deleted most of the records from the exported ldif file, so that I have a simple file for editing and testing. I also deleted {xx}.

My ldif file is now:

dn: cn=itnetmanager, cn=schema, cn=config
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.3 NAME 'itPrepaidSubAccount' DESC 'IskratelprepaidSubAccount' MUST ( itDirectoryNumber $ itAccountStatus $ itAccountBalance $ itDateOfLastUsed $ itDateOfExpiry $ itLanguageCode $ itUnsucRechargeAtt $ itStatGroupId $ itPrepaidSetId))
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.4 NAME 'itPrepaidSet' DESC 'IskratelprepaidSet' MUST ( itPrepaidSetId $ itPrepaidSetName $ itWelcomeMsgMode $ itLanguageMode $ itCbMode $ itRechargeAuth $ itLockAuth $ itRrReqMode $ itMaxCallAtt $ itMaxRechargeAtt $ itSimultCallsAuth $ itLowBalanceWarn $ itNearExpiryWarn $ itNegAccBalance $ itMaxAccBalance $ itSuspensionDur $ itMinCallDur $ itLowBalanceValue1 $ itLowBalanceValue2 $ itCnPNDisplayMode $ itPrepaidSubsType $ itAvailDurMsgAuth $ itAccBalMsgAuth $ itOrgChargeCode $ itValidityTime ))
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.5 NAME 'itPrepaidCoupon' DESC 'IskratelprepaidCoupon' MUST ( itPrepaidCin $ itCouponSerialNr $ itCouponStatus $ itAmountChargeUnit $ itDateOfValidity) MAY ( itValidityExtension ) )
objectClass: olcSchemaConfig
cn: itnetmanager

If I try to import this ldif, I get the error:

Entry "cn=itnetmanager,cn=schema,cn=config" has unknown object class "olcSchemaConfig"

I know that 389 DS doesn't have olcSchemaConfig, but I don't know what to set for objectClass.
[389-users] Re: Migration from OpenLDAP to 389 DS
On Wed, 2017-06-07 at 08:25 +, b.ka...@iskratel.si wrote:
> I'm completely new to LDAP and I have one task to do. The task is
> migration from OpenLDAP to 389 DS.
> I have installed 389 and now I try to import the schema from OpenLDAP.
> First I create an export of the schema from OpenLDAP.

The schema format between OpenLDAP and 389 is pretty different. I would be approaching this by seeing if 389 already supports what you need (we probably do)! Then from there, you need to identify custom schema on a case by case basis. It'll be a bit time consuming, but it's the best method here I think.

Hope that helps, if you need more advice, let me know.

--
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
[389-users] Re: Migration from OpenLDAP to 389 DS
OpenLDAP heavily uses the "ordered value or entry prefix", so you have numbers {nnn} in the DNs and attributes like:

cn={12}itnetmanager

or

olcAttributeTypes: {262} ...

I would first try to remove this {nnn} stuff and retry.

On 06/07/2017 10:25 AM, b.ka...@iskratel.si wrote:
Hi,

I'm completely new to LDAP and I have one task to do. The task is migration from OpenLDAP to 389 DS.
I have installed 389 and now I try to import the schema from OpenLDAP. First I create an export of the schema from OpenLDAP.

config.ldif is done with the command:

slapcat -F /opt/ldap/mn/slapd.d/ -b "cn=config" > conf.ldif

itnetmanager.ldif is done via the Java LDAP Browser.

Then I try to convert these ldif files with the scripts at http://www.port389.org/docs/389ds/scripts.html, but I did not succeed.
Can someone help me, how can I convert ldif files from OpenLDAP so that they are usable for import to 389 DS?

Here are a few rows from both files:

itnetmanager_schema_export.ldif

dn: cn={12}itnetmanager, cn=schema, cn=config
olcObjectClasses: {0} ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
olcObjectClasses: {1} ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
olcObjectClasses: {2} ( 1.3.6.1.4.1.1332.1000.30.3 NAME 'itPrepaidSubAccount' DESC 'IskratelprepaidSubAccount' MUST ( itDirectoryNumber $ itAccountStatus $ itAccountBalance $ itDateOfLastUsed $ itDateOfExpiry $ itLanguageCode $ itUnsucRechargeAtt $ itStatGroupId $ itPrepaidSetId))
olcObjectClasses: {3} ( 1.3.6.1.4.1.1332.1000.30.4 NAME 'itPrepaidSet' DESC 'IskratelprepaidSet' MUST ( itPrepaidSetId $ itPrepaidSetName $ itWelcomeMsgMode $ itLanguageMode $ itCbMode $ itRechargeAuth $ itLockAuth $ itRrReqMode $ itMaxCallAtt $ itMaxRechargeAtt $ itSimultCallsAuth $ itLowBalanceWarn $ itNearExpiryWarn $ itNegAccBalance $ itMaxAccBalance $ itSuspensionDur $ itMinCallDur $ itLowBalanceValue1 $ itLowBalanceValue2 $ itCnPNDisplayMode $ itPrepaidSubsType $ itAvailDurMsgAuth $ itAccBalMsgAuth $ itOrgChargeCode $ itValidityTime ))
...
olcAttributeTypes: {262} ( 1.3.6.1.4.1.1332.1000.10.266 NAME ('itDefaultPolicyProfile') DESC 'Is User Policy Default' EQUALITY booleanMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {263} ( 1.3.6.1.4.1.1332.1000.10.267 NAME ('itPasswordHistory') DESC 'User Password History' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectClass: olcSchemaConfig
cn: {12}itnetmanager

config.ldif

dn: cn=config
olcLogLevel: 0
olcConnMaxPending: 100
olcConcurrency: 0
olcWriteTimeout: 0
olcArgsFile: /var/run/openldap/slapd_mn.args
olcIndexSubstrAnyStep: 2
olcSockbufMaxIncoming: 262143
olcTLSCertificateKeyFile: /opt/ldap/mn/certs/password
objectClass: olcGlobal
olcIndexIntLen: 4
olcConnMaxPendingAuth: 1000
olcTLSCertificateFile: "OpenLDAP Server"
cn: config
olcIndexSubstrIfMinLen: 2
olcAttributeOptions: lang-
olcPidFile: /var/run/openldap/slapd_mn.pid
olcConfigDir: /opt/ldap/mn/slapd.d/
olcReverseLookup: FALSE
olcGentleHUP: FALSE
olcTLSCACertificatePath: /opt/ldap/mn/certs
olcReadOnly: FALSE
olcTLSVerifyClient: never
olcThreads: 16
olcIndexSubstrAnyLen: 4
olcToolThreads: 1
olcSockbufMaxIncomingAuth: 16777215
olcIdleTimeout: 0
olcSaslSecProps: noplain,noanonymous
olcConfigFile: /opt/ldap/mn/slapd.conf
olcAuthzPolicy: none
olcIndexSubstrIfMaxLen: 4
olcAllows: bind_v2
olcLocalSSF: 71

dn: cn=schema, cn=config
olcObjectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABSTRACT MUST objectClass )
olcObjectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC 'RFC4512: extensible object' SUP top AUXILIARY )
olcObjectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC4512: an alias' SUP top STRUCTURAL MUST aliasedObjectName )
...
olcAccess: {2}to attrs=itPasswordFtp by group/groupOfUniqueNames/uniqueMember.exact="cn=adminrole,ou=group,l=Kranj,c=SI" write by * none
olcAccess: {3}to attrs=itPasswordDb by group/groupOfUniqueNames/uniqueMember.exact="cn=adminrole,ou=group,l=Kranj,c=SI" write by * none
olcDbConfig: {0}# Set location for txn log files
olcDbConfig: {1}set_lg_dir /opt/ldap/mn/ldapDB
olcDbConfig: {2}# Set cache size 20MB
olcDbConfig: {3}set_cachesize 0 20971520 0
olcDbConfig: {4}set_lg_regionmax 262144
olcDbConfig: {5}set_lg_bsize 2097152
olcDbConfig: {6}# Automatically remove log files that are no longer needed.
olcDbConfig: {7}set_flags DB_LOG_AUTOREMOVE
olcDbConfig: {8}# Just use these settings when doing slapadd...
olcDbConfig: {9}# set_flags DB_TXN_NOSYNC
olcDbIDLcacheSize: 0
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDbShmKey: 0
olcMaxDerefDepth: 10
olcLastMod: TRUE
olcDbCacheFree: 5
olcDbCacheSize: 15
olcDbDirtyRead: FALSE
olcReadOnly: FALSE
olcDbSearchStack: 16
olcDatabase: {2}bdb
olcDbDNcacheSize: 0
olcRootPW: {
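The two conversion steps the thread settles on (strip the {nnn} ordering prefixes, rename olcObjectClasses/olcAttributeTypes, and replace olcSchemaConfig with top/ldapSubentry/subschema) as one small script. This is an added example, not from the list or the 389 DS project; `convert_schema_entry` and `unfold` are hypothetical names, the sample LDIF is constructed after the export shown above, and the olcAccess line in it is there only to show that access rules are left for manual rewriting as ACIs rather than converted.

```python
import re
# OpenLDAP cn=config attribute -> 389 DS schema attribute (names from the thread)
OLC_TO_389 = {"olcobjectclasses": "objectClasses", "olcattributetypes": "attributeTypes"}
ORDER_PREFIX = re.compile(r"\{\d+\}")  # OpenLDAP ordering tag, e.g. cn={12}itnetmanager
# Object classes suggested in the thread for a 389 DS schema entry
SCHEMA_CLASSES = ["objectClass: top", "objectClass: ldapSubentry", "objectClass: subschema"]

def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines

def convert_schema_entry(ldif_text):
    """Return (converted LDIF lines, lines left for manual review).
    Non-schema attributes such as olcAccess are not converted: OpenLDAP access
    rules have to be rewritten by hand as 389 DS ACIs."""
    out, manual = [], []
    for line in unfold(ldif_text):
        if not line.strip() or line.startswith("#"):
            out.append(line)
            continue
        attr, _, value = line.partition(":")
        key, value = attr.strip().lower(), value.strip()
        if key in ("dn", "cn"):
            out.append(f"{key}: {ORDER_PREFIX.sub('', value)}")
        elif key in OLC_TO_389:
            out.append(f"{OLC_TO_389[key]}: {ORDER_PREFIX.sub('', value).strip()}")
        elif key == "objectclass" and value.lower() == "olcschemaconfig":
            out.extend(SCHEMA_CLASSES)  # 389 DS does not know olcSchemaConfig
        else:
            manual.append(line)
    return out, manual

# Constructed sample in the shape of the export shown in the thread
SAMPLE = """dn: cn={12}itnetmanager, cn=schema, cn=config
olcObjectClasses: {0} ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DES
 C 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
olcAttributeTypes: {262} ( 1.3.6.1.4.1.1332.1000.10.266 NAME ('itDefaultPolic
 yProfile') DESC 'Is User Policy Default' EQUALITY booleanMatch SUBSTR caseIg
 noreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAccess: {0}to attrs=userPassword by * none
objectClass: olcSchemaConfig
cn: {12}itnetmanager
"""
```

Running `convert_schema_entry(SAMPLE)` yields an entry that imports under cn=schema as the thread describes, plus the olcAccess line in the review list.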