Rich,
Thanks for the prompt reply.
Ok, I'll not assume that SSL is the problem.
My setup is:
SSL is enabled in its original configuration on the source.
updated autofs and mozilla ldif files.
db2ldif to export the userRoot and NetscapeRoot databases.
Modified just the source /opt/fedora-ds/admin-serv/config/adm.conf and
local.conf to replace cn=Fedora with cn=389
The migration fails during migration of the Administration Server with:
check_and_add_entry: Entry not found cn=Tasks, cn=admin-serv-punch, cn=389 Administration Server, cn=Server Group, cn=punch.midwest-tool.com, ou=midwest-tool.com, o=NetscapeRoot error No such object
I'll send the debug log directly to you.
Craig Swanson
Craig Swanson wrote:
I am hoping for guidance in migrating this SSL enabled directory to
389-ds.
From: fedora-ds 1.0.4 on fc6 i386
To: 389-ds 1.1 on fedora 12 i386. The fedora 12 is on a new box
with the same IP address and hostname.
SSL is enabled on the source directory and source admin server.
I have read the SSL HowTo, so I understand that the certs are stored
differently under 1.1.
Is it possible to import the existing SSL certs and set up the
configuration so that the migration will succeed?
Migration is supposed to take care of all of that for you.
If not, how do I correctly remove SSL from the source configuration?
I could set up SSL on the target after the migration.
Thank you,
Craig Swanson
----------Supporting information ---------------------
So far I have done this 1.0.4 to 1.1 prep:
I have modified the source schema to use the updated autofs and
mozilla ldif files.
I have run db2ldif to export the userRoot and NetscapeRoot databases.
I have modified the source /opt/fedora-ds/admin-serv/config/adm.conf
and local.conf to replace cn=Fedora with cn=389
adm.conf - ok
local.conf - not so good - this is just a read-only copy of information
stored in o=NetscapeRoot in the actual database.
Bad outcomes:
I ran the cross platform migration in order to pull from the modified
ldif files.
migrate-ds-admin.pl -d --crossplatform --oldsroot=/opt/fedora-ds.104
--actualsroot=/opt/fedora-ds -f /opt/migratePunch.inf
The migration failed because I had not dealt with the SSL. Debug output:
+[27/Apr/2010:12:44:26 -0400] - 389-Directory/1.2.5 B2010.012.2035
starting up
+[27/Apr/2010:12:44:26 -0400] - I'm resizing my cache now...cache was
208736256 and is now 8388608
+[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap
key for cipher AES
+[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher AES
in attrcrypt_cipher_init
+[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher AES in
attrcrypt_init
+[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap
key for cipher 3DES
+[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher 3DES
in attrcrypt_cipher_init
+[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher 3DES in
attrcrypt_init
+[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap
key for cipher AES
+[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher AES
in attrcrypt_cipher_init
+[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher AES in
attrcrypt_init
+[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap
key for cipher 3DES
+[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher 3DES
in attrcrypt_cipher_init
+[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher 3DES in
attrcrypt_init
These errors are probably ok if you are not using the attribute
encryption feature. You ideally should not have these errors, but this
doesn't mean SSL won't work.
Disabling SSL in the source:
I have tried to disable SSL on the source directory and admin server
via the console.
Let's try to figure out what happened initially with migration
first.
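One way to narrow down the "No such object" failure reported at the top of the thread, added here as an example and not part of the original messages or of the 389 project's tooling: look up the DN from the error in the exported NetscapeRoot LDIF and report the first RDN that has no entry, along with the entries that do exist under the same parent. The LDIF fragment is constructed, and it assumes the export still names the entry cn=Fedora Administration Server; the function names are hypothetical.

```python
import base64
# Constructed sample (assumption): NetscapeRoot export that still uses the old product name.
SAMPLE_LDIF = """\
dn: o=NetscapeRoot
objectClass: top

dn: ou=midwest-tool.com, o=NetscapeRoot
objectClass: top

dn: cn=punch.midwest-tool.com, ou=midwest-tool.com, o=NetscapeRoot
objectClass: top

dn: cn=Server Group, cn=punch.midwest-tool.com, ou=midwest-tool.com, o=NetscapeRoot
objectClass: top

dn: cn=Fedora Administration Server, cn=Server Group, cn=punch.midwest-tool.com,
  ou=midwest-tool.com, o=NetscapeRoot
objectClass: top
"""
# DN copied from the check_and_add_entry error in the thread.
ERROR_DN = ("cn=Tasks, cn=admin-serv-punch, cn=389 Administration Server, cn=Server Group, "
            "cn=punch.midwest-tool.com, ou=midwest-tool.com, o=NetscapeRoot")

def norm(dn):
    """Lowercase and trim each RDN. Naive split: assumes no escaped commas in values."""
    return tuple(part.strip().lower() for part in dn.split(","))

def ldif_dns(text):
    """Return the set of normalized DNs, handling folded lines and base64 'dn::' values."""
    unfolded = text.replace("\n ", "")  # LDIF continuation: newline plus one space
    dns = set()
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):
            dns.add(norm(base64.b64decode(line[5:]).decode("utf-8")))
        elif line.startswith("dn: "):
            dns.add(norm(line[4:]))
    return dns

def first_missing(target_dn, dns):
    """Walk from the suffix toward the leaf; return (first RDN with no entry,
    sibling RDNs present under the same parent), or (None, []) if all exist."""
    parts = norm(target_dn)
    for i in range(len(parts) - 1, -1, -1):
        if parts[i:] not in dns:
            parent = parts[i + 1:]
            return parts[i], sorted(d[0] for d in dns
                                    if len(d) == len(parent) + 1 and d[1:] == parent)
    return None, []

if __name__ == "__main__":
    print(first_missing(ERROR_DN, ldif_dns(SAMPLE_LDIF)))
```

On a real export, pass the contents of the NetscapeRoot LDIF file to `ldif_dns` in place of `SAMPLE_LDIF`.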