openldap_to_ds(1)           General Commands Manual          openldap_to_ds(1)

NAME

       openldap_to_ds

SYNOPSIS

       openldap_to_ds [-h] [-v] [--confirm] [--ignore-overlay [IGNORE_OVERLAY
       ...]] [--ignore-schema-oid [IGNORE_SCHEMA_OID ...]] [--ignore-attribute
       [IGNORE_ATTRIBUTE ...]] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-Z]
       instance slapd_config [slapd_ldif ...]

DESCRIPTION

       Migrate from OpenLDAP to 389 Directory Server.

       This command automates the process of converting an OpenLDAP server to
       a 389 Directory Server instance. This is a "best effort" process:
       OpenLDAP and 389 Directory Server are not identical, so some features
       may still require manual migration or cannot be migrated at all. This
       tool intends to migrate the majority of major content such as database
       data, index configuration, schema and some overlays (plugins).

       Content we can migrate:

         * Schema
         * Database content (from ldif backup)
         * Database indexes
         * MemberOf Overlay (memberof)
         * Referential Integrity Overlay (refint)
         * Attribute Unique Overlay (unique)

       Content that can *not* be migrated includes some overlays (plugins),
       access controls and replication configuration. Examples of plugins
       that can not be migrated:

         * Access/Audit logging (built into 389-ds by default)
         * Chaining (Requires manual migration, may not be equivalent)
         * Constraints (No equivalent plugin)
         * Dynamic Directory Services (Requires manual migration to Class of
           Service Plugin)
         * Dynamic Groups/Lists (Requires manual migration to Roles Plugin)
         * Proxy Cache (No equivalent plugin, 389-ds supports read-only
           replicas)
         * Password Policy (Built into 389-ds, requires manual migration)
         * Rewrite/Remap (No equivalent plugin)
         * Sync Provider (Requires manual migration to Replication OR Content
           Sync Plugin)
         * Value Sorting (No equivalent plugin)

       This must be run on the server running the 389 Directory Server
       instance as it requires filesystem access. You must run this tool as
       either the root or dirsrv user.

       The following is required from your OpenLDAP instance:

         * slapd.d configuration directory in ldif/dynamic format
         * (optional) ldif file backup of the database from slapcat

       These can be created on the OpenLDAP host and copied to the 389
       Directory Server host. No destructive actions are applied to the
       OpenLDAP instance.

       If you are already using the ldif/dynamic format from
       /etc/openldap/slapd.d, you should take a copy of this to use in the
       migration.

           cp -a /etc/openldap/slapd.d /root/slapd.d

       If you are using the slapd.conf configuration file, you can convert
       this to the dynamic configuration without affecting your running
       instance with:

           slaptest -f /etc/openldap/slapd.conf -F /root/slapd.d

       To optionally allow your database content to be migrated, you may
       create an ldif backup of the content that 389 Directory Server can
       import. You must run this for each backend (suffix) of your instance
       with the command:

           # If using slapd.conf config format
           slapcat -f /etc/openldap/slapd.conf -b SUFFIX -l /root/suffix.ldif
           # If using slapd.d config format
           slapcat -F /etc/openldap/slapd.d -b SUFFIX -l /root/suffix.ldif

       You must already have a 389 Directory Server instance you want to
       import into. You can create this with the `dscreate` tool. Data and
       configuration in this instance WILL be modified or removed (i.e.
       potentially destructive actions).

       It is strongly advised that you test this tool on a non-production
       system first to be sure the process and changes are understood.

       This only needs to be run on the first instance in a 389 Directory
       Server topology. All other replicas should be configured from this
       instance post migration.


OPTIONS

       instance
              The name of the 389-ds instance to have OpenLDAP data migrated
              into

       slapd_config
              The path to the OpenLDAP slapd.d configuration that will be
              migrated

       slapd_ldif
              The path to exported database ldifs to be imported.

       -v, --verbose
              Display verbose operation tracing during command execution

       --confirm
              Confirm that you want to apply these migration actions to the
              389-ds instance. By default no actions are taken.

       --ignore-overlay [IGNORE_OVERLAY ...]
              Ignore the following OpenLDAP overlays from having their
              configuration migrated to equivalent 389-ds plugins. Valid
              options are memberof, refint, unique.

       --ignore-schema-oid [IGNORE_SCHEMA_OID ...]
              Ignore the following OpenLDAP schema attribute or class OIDs
              from being migrated to 389-ds. This *may* create inconsistent
              schema which could cause the migration to fail. Use with
              caution.

       --ignore-attribute [IGNORE_ATTRIBUTE ...]
              Ignore the following attributes from entries that are loaded
              from the ldif. For example, you may not want to import
              userPassword hashes.

       -D BINDDN, --binddn BINDDN
              The 389 Directory Server account to bind as for executing
              migration operations

       -w BINDPW, --bindpw BINDPW
              Password for binddn

       -W, --prompt
              Prompt for password for the bind DN

       -y PWDFILE, --pwdfile PWDFILE
              Specifies a file containing the password for the binddn

       -Z, --starttls
              Connect to 389 Directory Server with StartTLS

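For the --ignore-attribute option above: an added example (not part of lib389 or the original manual) that inventories the userPassword storage schemes in an LDIF export, so you can decide whether to pass --ignore-attribute userPassword. The sample LDIF, the function names and the WEAK policy set are constructed assumptions.

```python
import base64
import re
from collections import Counter

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample export (no real hashes); the first value is folded.
_SSHA = _b64("{SSHA}" + "A" * 40)
SAMPLE_LDIF = (
    "dn: uid=alice,dc=example,dc=com\n"
    f"userPassword:: {_SSHA[:30]}\n {_SSHA[30:]}\n\n"
    "dn: uid=bob,dc=example,dc=com\n"
    "userPassword: {MD5}Q09OU1RSVUNURUQ=\n\n"
    "dn: uid=carol,dc=example,dc=com\n"
    f"userPassword:: {_b64('constructed-cleartext')}\n\n"
    "dn: uid=dave,dc=example,dc=com\n"
    f"userPassword:: {_SSHA}\n"
)

# Assumed local policy, not taken from the man page: schemes you would
# rather reset than carry into the new directory.
WEAK = {"CLEARTEXT", "MD5", "SMD5", "SHA", "CRYPT"}

ATTR_RE = re.compile(r"userPassword(?:;[^:]*)?(::?)[ ]*(.*)$", re.IGNORECASE)
SCHEME_RE = re.compile(rb"\{([A-Za-z0-9_.-]+)\}")

def password_schemes(ldif_text):
    """Count userPassword storage schemes in an LDIF export."""
    # LDIF folds long lines: a line starting with one space continues the last.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    counts = Counter()
    for line in unfolded.splitlines():
        m = ATTR_RE.match(line)
        if not m:
            continue
        sep, raw = m.groups()
        # "::" marks a base64-encoded value, ":" a plain one.
        value = base64.b64decode(raw) if sep == "::" else raw.encode()
        scheme = SCHEME_RE.match(value)
        counts[scheme.group(1).decode().upper() if scheme else "CLEARTEXT"] += 1
    return counts

def weak_schemes(counts, weak=WEAK):
    """Return only the schemes that the local policy treats as weak."""
    return {name: n for name, n in counts.items() if name in weak}

if __name__ == "__main__":
    found = password_schemes(SAMPLE_LDIF)
    print(dict(found), "weak:", weak_schemes(found))
```

To check a real export, pass the contents of the file written by slapcat to password_schemes().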

AUTHORS

       lib389 was written by Red Hat Inc., and William Brown
       <389-devel@lists.fedoraproject.org>.

DISTRIBUTION

       The latest version of lib389 may be downloaded from
       http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html

                                    Manual                   openldap_to_ds(1)