[389-users] Migrate fedora-ds 1.0.4 SSL Enabled
Craig Swanson
craig.swanson at midwest-tool.com
Wed Apr 28 13:09:39 UTC 2010
Rich,
Thanks for the prompt reply.
Ok, I'll not assume that SSL is the problem.
My setup is:
SSL is enabled in its original configuration on the source.
updated autofs and mozilla ldif files.
db2ldif to export the userRoot and NetscapeRoot databases.
Modified just the source /opt/fedora-ds/admin-serv/config/adm.conf and
local.conf to replace cn=Fedora with cn=389
The migration fails during migration of the Administration Server with:
check_and_add_entry: Entry not found cn=Tasks, cn=admin-serv-punch,
cn=389 Administration Server, cn=Server Group,
cn=punch.midwest-tool.com, ou=midwest-tool.com, o=NetscapeRoot error No
such object
I'll send the debug log directly to you.
Craig Swanson
Craig Swanson wrote:
> I am hoping for guidance in migrating this SSL enabled directory to
> 389-ds.
>
> From: fedora-ds 1.0.4 on fc6 i386
> To: 389-ds 1.1 on fedora 12 i386. The fedora 12 is on a new box
> with the same IP address and hostname.
>
> SSL is enabled on the source directory and source admin server.
>
> I have read the SSL HowTo, so I understand that the certs are stored
> differently under 1.1.
> Is it possible to import the existing SSL certs and set up the
> configuration so that the migration will succeed?
Migration is supposed to take care of all of that for you.
> If not, how do I correctly remove SSL from the source configuration?
> I could set up SSL on the target after the migration.
>
> Thank you,
>
> Craig Swanson
>
> ----------Supporting information ---------------------
>
> So far I have done this 1.0.4 to 1.1 prep:
>
> I have modified the source schema to use the updated autofs and
> mozilla ldif files.
> I have run db2ldif to export the userRoot and NetscapeRoot databases.
> I have modified the source /opt/fedora-ds/admin-serv/config/adm.conf
> and local.conf to replace cn=Fedora with cn=389
adm.conf - ok
local.conf - not so good - this is just a read-only copy of information
stored in o=NetscapeRoot in the actual database.
> Bad outcomes:
> I ran the cross platform migration in order to pull from the modified
> ldif files.
> migrate-ds-admin.pl -d --crossplatform --oldsroot=/opt/fedora-ds.104
> --actualsroot=/opt/fedora-ds -f /opt/migratePunch.inf
>
> The migration failed because I had not dealt with the SSL. Debug output:
>
> +[27/Apr/2010:12:44:26 -0400] - 389-Directory/1.2.5 B2010.012.2035
> starting up
> +[27/Apr/2010:12:44:26 -0400] - I'm resizing my cache now...cache was
> 208736256 and is now 8388608
> +[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap
> key for cipher AES
> +[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher AES
> in attrcrypt_cipher_init
> +[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher AES in
> attrcrypt_init
> +[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap
> key for cipher 3DES
> +[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher 3DES
> in attrcrypt_cipher_init
> +[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher 3DES in
> attrcrypt_init
> +[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap
> key for cipher AES
> +[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher AES
> in attrcrypt_cipher_init
> +[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher AES in
> attrcrypt_init
> +[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap
> key for cipher 3DES
> +[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher 3DES
> in attrcrypt_cipher_init
> +[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher 3DES in
> attrcrypt_init
These errors are probably ok if you are not using the attribute
encryption feature. You ideally should not have these errors, but this
doesn't mean SSL won't work.
>
> Disabling SSL in the source:
> I have tried to disable SSL on the source directory and admin server
> via the console.
Let's try to figure out what happened initially with migration first.
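
The remark above that the attrcrypt errors are probably ok when attribute encryption is not in use can be checked against the server configuration. The following is an added example, not part of the original thread and not 389 project code. It assumes encrypted attributes are configured in dse.ldif as entries with objectClass nsAttributeEncryption and an nsEncryptionAlgorithm value; the log and LDIF samples are constructed.

```python
import re
from collections import Counter

# Constructed sample data (not taken from the poster's server).
SAMPLE_LOG = """\
[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher AES
[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap key for cipher 3DES
[27/Apr/2010:12:44:27 -0400] - slapd started.
"""
SAMPLE_DSE = """\
dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
objectClass: nsBackendInstance
cn: userRoot

dn: cn=telephoneNumber,cn=encrypted attributes,cn=userRoot,cn=ldbm database,
 cn=plugins,cn=config
objectClass: nsAttributeEncryption
cn: telephoneNumber
nsEncryptionAlgorithm: AES
"""

UNWRAP = re.compile(r"attrcrypt_unwrap_key: failed to unwrap key for cipher (\S+)")

def failed_ciphers(log_text):
    """Count key-unwrap failures per cipher in an errors log."""
    return Counter(UNWRAP.findall(log_text))

def encrypted_attributes(dse_text):
    """Return {attribute: algorithm} for nsAttributeEncryption entries."""
    unfolded = re.sub(r"\n ", "", dse_text)  # join LDIF continuation lines
    found = {}
    for entry in re.split(r"\n\s*\n", unfolded):
        attrs = {}
        for line in entry.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        classes = [c.lower() for c in attrs.get("objectclass", [])]
        if "nsattributeencryption" in classes:
            found[attrs["cn"][0]] = attrs.get("nsencryptionalgorithm", ["?"])[0]
    return found

def assess(log_text, dse_text):
    """Configured encrypted attributes whose cipher key failed to unwrap."""
    failed = failed_ciphers(log_text)
    return {a: alg for a, alg in encrypted_attributes(dse_text).items() if alg in failed}

if __name__ == "__main__":
    print(assess(SAMPLE_LOG, SAMPLE_DSE) or "no encrypted attributes affected")
```

An empty result means the unwrap failures touch no configured attribute; a non-empty one lists attributes whose stored values the migrated server cannot decrypt.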