[389-users] Migrate fedora-ds 1.0.4 SSL Enabled

Craig Swanson craig.swanson at midwest-tool.com
Wed Apr 28 13:09:39 UTC 2010


Rich,

Thanks for the prompt reply.
Ok, I'll not assume that SSL is the problem.

My setup is:
SSL is enabled in its original configuration on the source.
updated autofs and mozilla ldif files.
db2ldif to export the userRoot and NetscapeRoot databases.
Modified just the source /opt/fedora-ds/admin-serv/config/adm.conf and 
local.conf to replace cn=Fedora with cn=389

The migration fails during migration of the Administration Server with:
check_and_add_entry: Entry not found cn=Tasks, cn=admin-serv-punch, cn=389 Administration Server, cn=Server Group, cn=punch.midwest-tool.com, ou=midwest-tool.com, o=NetscapeRoot error No such object

I'll send the debug log directly to you.

Craig Swanson

Craig Swanson wrote:
> I am hoping for guidance in migrating this SSL enabled directory to 
> 389-ds.
>
> From: fedora-ds 1.0.4 on fc6 i386
> To: 389-ds 1.1 on fedora 12 i386.  The fedora 12 is on a new box 
> with the same IP address and hostname.
>
> SSL is enabled on the source directory and source admin server.
>
> I have read the SSL HowTo, so I understand that the certs are stored 
> differently under 1.1.
> Is it possible to import the existing SSL certs and set up the 
> configuration so that the migration will succeed?
migration is supposed to take care of all of that for you
> If not, how do I correctly remove SSL from the source configuration?  
> I could set up SSL on the target after the migration.
>
> Thank you,
>
> Craig Swanson
>
> ----------Supporting information ---------------------
>
> So far I have done this 1.0.4 to 1.1 prep:
>
> I have modified the source schema to use the updated autofs and 
> mozilla ldif files.
> I have run db2ldif to export the userRoot and NetscapeRoot databases.
> I have modified  the source /opt/fedora-ds/admin-serv/config/adm.conf 
> and local.conf to replace cn=Fedora with cn=389
adm.conf - ok
local.conf - not so good - this is just a read-only copy of information 
stored in o=NetscapeRoot in the actual database.
> Bad outcomes:
> I ran the cross platform migration in order to pull from the modified 
> ldif files.
> migrate-ds-admin.pl -d --crossplatform --oldsroot=/opt/fedora-ds.104 
> --actualsroot=/opt/fedora-ds -f /opt/migratePunch.inf
>
> The migration failed because I had not dealt with the SSL. Debug output:
>
> +[27/Apr/2010:12:44:26 -0400] - 389-Directory/1.2.5 B2010.012.2035 
> starting up
> +[27/Apr/2010:12:44:26 -0400] - I'm resizing my cache now...cache was 
> 208736256 and is now 8388608
> +[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap 
> key for cipher AES
> +[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher AES 
> in attrcrypt_cipher_init
> +[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher AES in 
> attrcrypt_init
> +[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap 
> key for cipher 3DES
> +[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher 3DES 
> in attrcrypt_cipher_init
> +[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher 3DES in 
> attrcrypt_init
> +[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap 
> key for cipher AES
> +[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher AES 
> in attrcrypt_cipher_init
> +[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher AES in 
> attrcrypt_init
> +[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap 
> key for cipher 3DES
> +[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher 3DES 
> in attrcrypt_cipher_init
> +[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher 3DES in 
> attrcrypt_init
These errors are probably ok if you are not using the attribute 
encryption feature.  You ideally should not have these errors, but this 
doesn't mean SSL won't work.
>
> Disabling SSL in the source:
> I have tried to disable SSL on the source directory and admin server 
> via the console.
Let's try to figure out what happened initially with migration first.