OPENLDAP_TO_DS(1)           Generated Python Manual          OPENLDAP_TO_DS(1)

NAME

       openldap_to_ds

SYNOPSIS

       openldap_to_ds [-h] [-v] [--confirm] [--ignore-overlay [IGNORE_OVERLAY
       ...]] [--ignore-schema-oid [IGNORE_SCHEMA_OID ...]] [--ignore-attribute
       [IGNORE_ATTRIBUTE ...]] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-Z]
       instance slapd_config [slapd_ldif ...]

DESCRIPTION

       Migrate from OpenLDAP to 389 Directory Server.

       This command automates the process of converting an OpenLDAP server to
       a 389 Directory Server instance. This is a "best effort" process:
       OpenLDAP and 389 Directory Server are not identical, so some features
       may still require manual migration, or cannot be migrated at all. This
       tool intends to migrate the majority of major content such as database
       data, index configuration, schema and some overlays (plugins).

       Content we can migrate:

       * Schema
       * Database content (from ldif backup)
       * Database indexes
       * MemberOf Overlay (memberof)
       * Referential Integrity Overlay (refint)
       * Attribute Unique Overlay (unique)

       Content that can *not* be migrated includes some overlays (plugins),
       access controls and replication configuration. Examples of plugins
       that cannot be migrated:

       * Access/Audit logging (built into 389-ds by default)
       * Chaining (Requires manual migration, may not be equivalent)
       * Constraints (No equivalent plugin)
       * Dynamic Directory Services (Requires manual migration to Class of
         Service Plugin)
       * Dynamic Groups/Lists (Requires manual migration to Roles Plugin)
       * Proxy Cache (No equivalent plugin, 389-ds supports read-only
         replicas)
       * Password Policy (Built into 389-ds, requires manual migration)
       * Rewrite/Remap (No equivalent plugin)
       * Sync Provider (Requires manual migration to Replication OR Content
         Sync Plugin)
       * Value Sorting (No equivalent plugin)

       This must be run on the server running the 389 Directory Server
       instance, as it requires filesystem access. You must run this tool as
       either the root or the dirsrv user.

       The following is required from your OpenLDAP instance:

         * slapd.d configuration directory in ldif/dynamic format
         * (optional) ldif file backup of the database from slapcat

       These can be created on the OpenLDAP host and copied to the 389
       Directory Server host. No destructive actions are applied to the
       OpenLDAP instance.

       If you are already using the ldif/dynamic format from
       /etc/openldap/slapd.d, you should take a copy of this to use in the
       migration.

           cp -a /etc/openldap/slapd.d /root/slapd.d

       If you are using the slapd.conf configuration file, you can convert
       this to the dynamic configuration without affecting your running
       instance with:

           slaptest -f /etc/openldap/slapd.conf -F /root/slapd.d

       To optionally allow your database content to be migrated, you may
       create an ldif backup of the content that 389 Directory Server can
       import. You must run this for each backend (suffix) of your instance
       with the command:

           # If using slapd.conf config format
           slapcat -f /etc/openldap/slapd.conf -b SUFFIX -l /root/suffix.ldif
           # If using slapd.d config format
           slapcat -F /etc/openldap/slapd.d -b SUFFIX -l /root/suffix.ldif

       You must already have a 389 Directory Server instance you want to
       import into. You can create this with the `dscreate` tool. Data and
       configuration in this instance WILL be modified or removed (i.e.
       potentially destructive actions).

       It is strongly advised that you test this tool on a non-production
       system first to be sure the process and changes are understood.

       This only needs to be run on the first instance in a 389 Directory
       Server topology. All other replicas should be configured from this
       instance post migration.

       instance
              The name of the 389-ds instance to have OpenLDAP data migrated
              into

       slapd_config
              The path to the OpenLDAP slapd.d configuration that will be
              migrated

       slapd_ldif
              The path to exported database ldifs to be imported.

OPTIONS

       -v, --verbose
              Display verbose operation tracing during command execution

       --confirm
              Confirm that you want to apply these migration actions to the
              389-ds instance. By default no actions are taken.

       --ignore-overlay [IGNORE_OVERLAY ...]
              Ignore the following OpenLDAP overlays from having their
              configuration migrated to equivalent 389-ds plugins. Valid
              options are memberof, refint, unique.

       --ignore-schema-oid [IGNORE_SCHEMA_OID ...]
              Ignore the following OpenLDAP schema attribute or class OIDs
              from being migrated to 389-ds. This *may* create inconsistent
              schema which could cause the migration to fail. Use with
              caution.

       --ignore-attribute [IGNORE_ATTRIBUTE ...]
              Ignore the following attributes from entries that are loaded
              from the ldif. For example, you may not want to import
              userPassword hashes.

       -D BINDDN, --binddn BINDDN
              The 389 Directory Server account to bind as for executing
              migration operations

       -w BINDPW, --bindpw BINDPW
              Password for binddn

       -W, --prompt
              Prompt for password for the bind DN

       -y PWDFILE, --pwdfile PWDFILE
              Specifies a file containing the password for the binddn

       -Z, --starttls
              Connect to 389 Directory Server with StartTLS
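
       Before deciding whether to pass --ignore-attribute userPassword, it
       helps to know which password storage schemes the slapcat export
       contains. The following is an added example, not part of lib389 or of
       this manual: it tallies the scheme prefixes of userPassword values in
       an LDIF without ever returning the values. The function names and the
       sample entries are constructed for illustration.

```python
import base64
import re
from collections import Counter


def b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed sample in slapcat style (not real data). OpenLDAP tools typically
# write userPassword base64-encoded ("::"); long lines are folded with a
# leading space (RFC 2849), which the second entry reproduces.
ssha_b64 = b64("{SSHA}constructed-sample")
crypt_b64 = b64("{CRYPT}constructed-sample")
SAMPLE_LDIF = f"""\
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
userPassword:: {ssha_b64}

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
userPassword:: {crypt_b64[:20]}
 {crypt_b64[20:]}

dn: uid=carol,ou=People,dc=example,dc=com
uid: carol
userPassword: constructed-cleartext

dn: ou=People,dc=example,dc=com
ou: People
"""


def password_schemes(ldif_text, attr="userPassword"):
    """Count storage-scheme prefixes of attr values; never returns the values."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # undo RFC 2849 line folding
    line_re = re.compile(rf"^{re.escape(attr)}(?:;[^:]*)?:(:?) *(.*)$", re.I)
    counts = Counter()
    for line in unfolded.splitlines():
        m = line_re.match(line)
        if not m:
            continue
        raw = base64.b64decode(m.group(2)) if m.group(1) else m.group(2).encode()
        scheme = re.match(rb"\{([A-Za-z0-9_.-]+)\}", raw)
        # No {SCHEME} prefix: OpenLDAP treats the value as cleartext.
        counts[scheme.group(1).decode().upper() if scheme else "NO-SCHEME"] += 1
    return counts
```

       Run it against each /root/suffix.ldif produced by slapcat; a non-zero
       NO-SCHEME count means cleartext passwords are present in the export.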

AUTHOR

       Red Hat, Inc., and William Brown <389-devel@lists.fedoraproject.org>

DISTRIBUTION

       The latest version of lib389 may be downloaded from
       http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html

lib389 1.4.0.1                    2023-10-07                 OPENLDAP_TO_DS(1)