Rich,
Thanks for the prompt reply. Ok, I'll not assume that SSL is the problem.
My setup is: SSL is enabled in its original configuration on the source. Updated autofs and mozilla ldif files. db2ldif to export the userRoot and NetscapeRoot databases. Modified just the source /opt/fedora-ds/admin-serv/config/adm.conf and local.conf to replace cn=Fedora with cn=389.
The migration fails during migration of the Administration Server with:
check_and_add_entry: Entry not found cn=Tasks, cn=admin-serv-punch, cn=389 Administration Server, cn=Server Group, cn=punch.midwest-tool.com, ou=midwest-tool.com, o=NetscapeRoot error No such object
I'll send the debug log directly to you.
Craig Swanson
Craig Swanson wrote:
I am hoping for guidance in migrating this SSL enabled directory to 389-ds.
From: fedora-ds 1.0.4 on fc6 i386
To: 389-ds 1.1 on fedora 12 i386.
The fedora 12 is on a new box with the same IP address and hostname.
SSL is enabled on the source directory and source admin server.
I have read the SSL HowTo, so I understand that the certs are stored differently under 1.1. Is it possible to import the existing SSL certs and set up the configuration so that the migration will succeed?
migration is supposed to take care of all of that for you
If not, how do I correctly remove SSL from the source configuration? I could set up SSL on the target after the migration.
Thank you,
Craig Swanson
----------Supporting information ---------------------
So far I have done this 1.0.4 to 1.1 prep:
I have modified the source schema to use the updated autofs and mozilla ldif files. I have run db2ldif to export the userRoot and NetscapeRoot databases. I have modified the source /opt/fedora-ds/admin-serv/config/adm.conf and local.conf to replace cn=Fedora with cn=389
adm.conf - ok
local.conf - not so good - this is just a read-only copy of information stored in o=NetscapeRoot in the actual database.
Bad outcomes: I ran the cross platform migration in order to pull from the modified ldif files.
migrate-ds-admin.pl -d --crossplatform --oldsroot=/opt/fedora-ds.104 --actualsroot=/opt/fedora-ds -f /opt/migratePunch.inf
The migration failed because I had not dealt with the SSL. Debug output:
+[27/Apr/2010:12:44:26 -0400] - 389-Directory/1.2.5 B2010.012.2035 starting up
+[27/Apr/2010:12:44:26 -0400] - I'm resizing my cache now...cache was 208736256 and is now 8388608
+[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
+[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
+[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher AES in attrcrypt_init
+[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
+[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher 3DES in attrcrypt_cipher_init
+[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher 3DES in attrcrypt_init
+[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
+[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher AES in attrcrypt_cipher_init
+[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher AES in attrcrypt_init
+[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
+[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher 3DES in attrcrypt_cipher_init
+[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher 3DES in attrcrypt_init
These errors are probably ok if you are not using the attribute encryption feature. You ideally should not have these errors, but this doesn't mean SSL won't work.
Disabling SSL in the source: I have tried to disable SSL on the source directory and admin server via the console.
Let's try to figure out what happened initially with migration first.
389-users@lists.fedoraproject.org
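
An added example, not part of the thread or of the 389-ds tooling: one way to see where the tree breaks for the DN that check_and_add_entry reported missing is to walk its ancestors against the db2ldif export of o=NetscapeRoot. The function names and the sample LDIF are constructed for illustration; the sample assumes the admin server entry still carries the cn=Fedora name.

```python
import base64

# DN that check_and_add_entry reported as missing in the thread above.
MISSING_DN = ("cn=Tasks, cn=admin-serv-punch, cn=389 Administration Server, "
              "cn=Server Group, cn=punch.midwest-tool.com, "
              "ou=midwest-tool.com, o=NetscapeRoot")

def split_rdns(dn):
    """Split a DN on unescaped commas; trim and lower-case each RDN
    (case-insensitive matching is a simplification)."""
    rdns, cur, esc = [], "", False
    for ch in dn:
        if ch == "," and not esc:
            rdns.append(cur.strip().lower())
            cur = ""
        else:
            cur += ch
        esc = ch == "\\" and not esc
    return rdns + [cur.strip().lower()]

def ldif_dns(text):
    """Collect normalized DNs from LDIF text, handling folded lines and base64 'dn::'."""
    dns = set()
    for line in text.replace("\r\n", "\n").replace("\n ", "").split("\n"):
        if line.lower().startswith("dn::"):
            line = "dn:" + base64.b64decode(line[4:].strip()).decode("utf-8")
        if line.lower().startswith("dn:"):
            dns.add(tuple(split_rdns(line[3:])))
    return dns

def first_missing(dn, dns):
    """Walk from the suffix toward the leaf; return the first DN absent from dns."""
    rdns = split_rdns(dn)
    for i in range(len(rdns) - 1, -1, -1):
        if tuple(rdns[i:]) not in dns:
            return ", ".join(rdns[i:])
    return None  # the entry and all of its ancestors are present

# Constructed sample standing in for a db2ldif export of o=NetscapeRoot.
# Assumption for illustration only: the admin server entry keeps the cn=Fedora name.
BASE = "cn=Server Group, cn=punch.midwest-tool.com, ou=midwest-tool.com, o=NetscapeRoot"
OLD_DN = "cn=Fedora Administration Server, " + BASE
SAMPLE_LDIF = (
    "dn: o=NetscapeRoot\n\n"
    "dn: ou=midwest-tool.com, o=NetscapeRoot\n\n"
    "dn: cn=punch.midwest-tool.com, ou=midwest-tool.com, o=Netsc\n apeRoot\n\n"
    "dn: " + BASE + "\n\n"
    "dn:: " + base64.b64encode(OLD_DN.encode()).decode() + "\n"
)

if __name__ == "__main__":
    print(first_missing(MISSING_DN, ldif_dns(SAMPLE_LDIF)))
```

Against a real export, pass the file's contents to ldif_dns in place of SAMPLE_LDIF; the returned DN is the highest ancestor that would have to exist before cn=Tasks can be added.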