[389-users] LDAP import

Michael Gettes gettes at gmail.com
Tue Apr 15 17:15:00 UTC 2014 

no, you could get rid of 7.1.  if you read the deployment docs, you should look at it from the perspective of running one 389 server as o=Company configured to chain to another 389 server where the real data is in ou=Company,dc=hq,blah,blah

if all this is too much for you, then you may want to stay away from it or hire a consultant to assist.

/mrg

On Apr 15, 2014, at 1:11 PM, Herb Burnswell <herbert.burnswell at gmail.com> wrote:

> Michael - Thank you for your reply.
> 
> 1. You are correct, I just did the update to version 1.2.11.15.
> 
> 2.  Regarding chaining, I read though a bit about it but wanted to confirm.  Does the original instance (7.1 in my case) need to continue to be up and running for chaining to work?  I ask because I need to decommission the servers that are currently running the 7.1 DS instance.
> 
> I appreciate the help,
> 
> Herb
> 
> 
> Michael R. Gettes:
> 
> I have 2 questions for you…
> 
> 1.  Why are you going to 1.2.6 and not 1.2.11 which is the current maint release?
> 
> 2.  Have you looked into Chaining?  It would appear to me it would be a better fit to have a new
> tree and chain the old tree into the new tree.  The admin guide has all the info and the deployment
> guide also discusses various strategies.
> 
> /mrg
> 
> 
> On Mon, Apr 14, 2014 at 3:32 PM, Herb Burnswell <herbert.burnswell at gmail.com> wrote:
> I just wanted to bump this inquiry.
> 
> Is this a unique issue?  Is there a way to export/import below the:
> 
> o=CompanyA
> ou=CompanyA,dn=hq,dn=example,dn=com
> 
> Level to avoid the inconsistency?
> 
> Please let me know if I'm thinking about this incorrectly...
> 
> TIA,
> 
> Herb
> 
>  
> 
> 
> On Thu, Apr 10, 2014 at 6:06 PM, Herb Burnswell <herbert.burnswell at gmail.com> wrote:
> To add to this:
> 
> I have gone into the DS 7.1 Directory Server Console on the Configuration tab and drilled down to:
> 
> Data -
>      - o=CompanyA
>           -CompanyA = right click, export database
> 
> This creates the ldif file that looks like exactly what I need but the import into the new 389 1.2.6 fails with:
> 
> ldapmodify -a -D "cn=Administrators" -W -f /tmp/companyA.ldif -p 389 -h localhost
> Enter LDAP Password: 
> adding new entry "o=CompanyA"
> ldap_add: No such object (32)
> 
> Which makes sense.
> 
> Again, any assistance is greatly appreciated.
> 
> Herb
> 
> 
> On Thu, Apr 10, 2014 at 5:51 PM, Herb Burnswell <herbert.burnswell at gmail.com> wrote:
> Thanks again for the reply Dustin.  I think I'm a little over my head here.  I have cleared out all the previous data from ou=CompanyA,dn=hq,dn=example,dn=com by going into the Directory Server console, selecting the 'Directory' tab and deleting and re-adding CompanyA under hq folder.  I can connect to it via LDAPadmin, but as you can imagine, no data.
> 
> 
> 
> 
> Here's my confusion, the old LDAP implementation from which I need to import the data is Fedora DS 7.1 and the new LDAP implementation is 389 1.2.6.  So, the old one is much older and is has a different 'structure'.  
> 
> 
> 
> 
> In 7.1 in the Directory server console, Configuration tab, I have:
> Data -
>      - o=NetscapeRoot
>           - NetscapRoot
>      - o=CompanyA
>           - o=CompanyA
> In the 389 1.2.6 Directory server console, Configuration tab, I have:
> Data -
> 
> 
> 
> 
>      - dc=hq,dc=example,dc=com
>           - userRoot
>      - o=netscaproot
>           - NetscapRoot
> So, in DS 7.1 the top level is o=CompanyA
> In 389 1.2.6 the top level is ou=CompanyA,dn=hq,dn=example,dn=com
> The new 'top level' is what I'd like it to be but I need everything underneath these 'top levels' to be identical.  My question is how can I import the DS 7.1 o=CompanyA into the 389 1.2.6 ou=CompanyA,dn=hq,dn=example,dn=com?
> 
> 
> 
> 
> 
> Hopefully I have not completely confused the situation here.  I greatly appreciate any suggestions on how to get this working properly.
> 
> 
> 
> 
> TIA,
> Herb
> 
> 
> 
> Dustin Rice:
> The better way would be using a tool on the OS that's like db2ldif 
> (pretty sure most netscape LDAP deriviatives come with these).
> 
> When you do a ldapsearch like that the server won't send along some 
> fields (password being one of them). If you run the db2ldif it'll spit 
> out an ldif file then you should be able to import it with something 
> like ldif2db or just an ldapadd.
> 
> Herb:
> 
> 
> 
> Dustin thanks for the reply.
> I would need everything in:
> o=companyA dc=hq,dc=example,dc=com
> 
> Everything appears to be imported as needed except the password issue.  If I reset the passwords in the new implementation it's fine but that won't work with 100's of users.
> 
> 
> 
> 
> Is this:
> ldapsearch -b "o=companyA" -D "dc=hq,dc=example,dc=com" -h original_system > output.ldif
> 
> 
> 
> 
> 
> an acceptable way of exporting everything including passwords for users or is there a better way?
> Thanks again,
> 
> 
> 
> 
> 
> Herb 
> 
> Dustin Rice:
> Well, schema would be like, the list of fields whereas it looks like you 
> might be doing a dump/load of users/groups?
> 
> On 04/10/2014 01:17 PM, Herb Burnswell wrote:
> > All,
> >
> > I'm attempting to import an LDAP schema (is that the correct term?) 
> > from one LDAP implementation to another and it appears that I may be 
> > doing it incorrectly.  I created a ldif file for import as:
> >
> > ldapsearch -b "o=companyA" -D "dc=hq,dc=example,dc=com" -h 
> > original_system > output.ldif
> >
> > I then used the GUI in the new LDAP implementation to import the ldif 
> > file.  Everything seemed to work find as I have the entire tree but 
> > there appears to be a problem with passwords.
> >
> > Am I missing the passwords for users with this export to ldif file? 
> >  What is the proper procedure to import all information from a schema 
> > (is that the correct term?) to import into a new LDAP implementation?
> >
> > Thanks in advance for any assistance,
> >
> > Herb
> >
> >
> > --
> > 389 users mailing list
> > 389-users at lists.fedoraproject.org
> > https://admin.fedoraproject.org/mailman/listinfo/389-users
> 
> 
> 
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.fedoraproject.org/pipermail/389-users/attachments/20140415/9e43f239/attachment.html>

More information about the 389-users mailing list