openldap_to_ds(8)
NAME
openldap_to_ds
SYNOPSIS
openldap_to_ds [-h] [-v] [--confirm] [--ignore-overlay [IGNORE_OVERLAY ...]] [--ignore-schema-oid [IGNORE_SCHEMA_OID ...]] [--ignore-attribute [IGNORE_ATTRIBUTE ...]] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-Z] instance slapd_config [slapd_ldif ...]
DESCRIPTION
Migrate from OpenLDAP to 389 Directory Server.
This command automates the process of converting an OpenLDAP server to a 389 Directory Server instance. This is a "best effort" migration, as OpenLDAP and 389 Directory Server are not identical, so some features may still require hand migration, or cannot be migrated at all. This tool intends to migrate the majority of major content such as database data, index configuration, schema and some overlays (plugins).
Content we can migrate:
* Schema
* Database content (from ldif backup)
* Database indexes
* MemberOf Overlay (memberof)
* Referential Integrity Overlay (refint)
* Attribute Unique Overlay (unique)
Some content that cannot be migrated includes some overlays (plugins), access controls and replication configuration. Examples of plugins that cannot be migrated:
* Access/Audit logging (built into 389-ds by default)
* Chaining (Requires manual migration, may not be equivalent)
* Constraints (No equivalent plugin)
* Dynamic Directory Services (Requires manual migration to Class of Service Plugin)
* Dynamic Groups/Lists (Requires manual migration to Roles Plugin)
* Proxy Cache (No equivalent plugin, 389-ds supports read-only replicas)
* Password Policy (Built into 389-ds, requires manual migration)
* Rewrite/Remap (No equivalent plugin)
* Sync Provider (Requires manual migration to Replication OR Content Sync Plugin)
* Value Sorting (No equivalent plugin)
This must be run on the server running the 389 Directory Server instance, as it requires filesystem access. You must run this tool as either the root or the dirsrv user.
The following is required from your OpenLDAP instance:
* slapd.d configuration directory in ldif/dynamic format
* (optional) ldif file backup of the database from slapcat
These can be created on the OpenLDAP host and copied to the 389 Directory Server host. No destructive actions are applied to the OpenLDAP instance.
If you are already using the ldif/dynamic format from /etc/openldap/slapd.d, you should take a copy of this to use in the migration:
    cp -a /etc/openldap/slapd.d /root/slapd.d
If you are using the slapd.conf configuration file, you can convert this to the dynamic configuration without affecting your running instance with:
    slaptest -f /etc/openldap/slapd.conf -F /root/slapd.d
To optionally allow your database content to be migrated, you may create an ldif backup of the content that 389 Directory Server can import. You must run this for each backend (suffix) of your instance with the command:
    # If using slapd.conf config format
    slapcat -f /etc/openldap/slapd.conf -b SUFFIX -l /root/suffix.ldif
    # If using slapd.d config format
    slapcat -F /etc/openldap/slapd.d -b SUFFIX -l /root/suffix.ldif
You must already have a 389 Directory Server instance you want to import into. You can create this with the dscreate tool. Data and configuration in this instance WILL be modified or removed (i.e. potentially destructive actions).
It is strongly advised that you test this tool on a non-production system first, to be sure the process and changes are understood.
This only needs to be run on the first instance in a 389 Directory Server topology. All other replicas should be configured from this instance post-migration.
OPTIONS
instance
The name of the 389-ds instance to have openldap data migrated into
slapd_config
The path to the openldap slapd.d configuration that will be migrated
slapd_ldif
The path to exported database ldifs to be imported.
-v, --verbose
Display verbose operation tracing during command execution
--confirm
Confirm that you want to apply these migration actions to the 389-ds instance. By default no actions are taken.
--ignore-overlay [IGNORE_OVERLAY ...]
Ignore the following openldap overlays from having their configuration migrated to equivalent 389-ds plugins. Valid options are memberof, refint, unique.
--ignore-schema-oid [IGNORE_SCHEMA_OID ...]
Ignore the following openldap schema attribute or class OIDs from being migrated to 389-ds. This *may* create inconsistent schema which could cause the migration to fail. Use with caution.
--ignore-attribute [IGNORE_ATTRIBUTE ...]
Ignore the following attributes from entries that are loaded from the ldif. For example, you may not want to import userPassword hashes.
-D BINDDN, --binddn BINDDN
The 389 Directory Server account to bind as for executing migration operations
-w BINDPW, --bindpw BINDPW
Password for binddn
-W, --prompt
Prompt for password for the bind DN
-y PWDFILE, --pwdfile PWDFILE
Specifies a file containing the password for the binddn
-Z, --starttls
Connect to 389 Directory Server with StartTLS
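EXAMPLES
The following script is an added example, not part of lib389 or this man page. It carries out the preparation steps above (copy or convert the config, one slapcat export per backend) and then invokes openldap_to_ds first without --confirm to review the planned changes and then with --confirm to apply them. The work directory, the bind password file $WORKDIR/dm.pw, the instance name and the suffixes are assumed placeholders; setting DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example, not part of the lib389 man page: prepare the OpenLDAP inputs and
# run openldap_to_ds as a dry run, then with --confirm. $WORKDIR, the instance
# name and the suffixes are constructed placeholders; DRY_RUN=1 only prints.
set -eu
WORKDIR=${WORKDIR:-/root/migrate}

# Print each command before running it; with DRY_RUN set, only print.
run() {
    printf '+ %s\n' "$*" >&2
    [ -n "${DRY_RUN:-}" ] || "$@"
}

# "dc=example,dc=com" -> "dc_example_dc_com": one ldif file per backend.
ldif_name_for_suffix() {
    printf '%s' "$1" | tr ',=' '__' | tr -cd 'A-Za-z0-9_.-'
}

# slapcat/slaptest take slapd.conf with -f and a slapd.d directory with -F.
conf_flag() {
    case $1 in */slapd.conf) printf '%s\n' -f ;; *) printf '%s\n' -F ;; esac
}

# $1 = 389-ds instance, $2 = /etc/openldap/slapd.conf or slapd.d, rest = suffixes.
run_migration() {
    instance=$1; src_conf=$2; shift 2
    mkdir -p "$WORKDIR"
    # Never hand the live config to the tool: convert (slapd.conf) or copy it.
    if [ "$(conf_flag "$src_conf")" = -f ]; then
        run slaptest -f "$src_conf" -F "$WORKDIR/slapd.d"
    else
        run cp -a "$src_conf" "$WORKDIR/slapd.d"
    fi
    ldifs=""
    for suffix in "$@"; do                     # one slapcat export per backend
        out="$WORKDIR/$(ldif_name_for_suffix "$suffix").ldif"
        run slapcat "$(conf_flag "$src_conf")" "$src_conf" -b "$suffix" -l "$out"
        ldifs="$ldifs $out"
    done
    # Leave the old userPassword hashes behind and read the bind password from
    # a 0600 file. The first call has no --confirm, so it only reports changes.
    run openldap_to_ds -y "$WORKDIR/dm.pw" --ignore-attribute userPassword \
        "$instance" "$WORKDIR/slapd.d" $ldifs
    run openldap_to_ds -y "$WORKDIR/dm.pw" --ignore-attribute userPassword \
        --confirm "$instance" "$WORKDIR/slapd.d" $ldifs
}

# Usage: sh migrate.sh --run INSTANCE /etc/openldap/slapd.conf 'dc=example,dc=com'
if [ "${1:-}" = --run ]; then shift; run_migration "$@"; fi
```

Review the output of the first openldap_to_ds call before the --confirm run, and reset user passwords after migration since the hashes are not imported.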
AUTHORS
lib389 was written by Red Hat Inc., and William Brown <389-devel@lists.fedoraproject.org>.
DISTRIBUTION
The latest version of lib389 may be downloaded from http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html