openldap_to_ds(1)          General Commands Manual          openldap_to_ds(1)

openldap_to_ds

openldap_to_ds [-h] [-v] [--confirm] [--ignore-overlay [IGNORE_OVERLAY
...]] [--ignore-schema-oid [IGNORE_SCHEMA_OID ...]] [--ignore-attribute
[IGNORE_ATTRIBUTE ...]] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-Z]
instance slapd_config [slapd_ldif ...]

Migrate from OpenLDAP to 389 Directory Server.

This command automates the process of converting an OpenLDAP server to
a 389 Directory Server instance. This is a "best effort" process, as
OpenLDAP and 389 Directory Server are not identical, so some features
may still require manual migration or cannot be migrated at all. This
tool is intended to migrate the majority of major content such as
database data, index configuration, schema and some overlays (plugins).

Content we can migrate:

* Schema
* Database content (from ldif backup)
* Database indexes
* MemberOf Overlay (memberof)
* Referential Integrity Overlay (refint)
* Attribute Unique Overlay (unique)

Content that can *not* be migrated includes some overlays (plugins),
access controls and replication configuration. Examples of plugins
that cannot be migrated:

* Access/Audit logging (built into 389-ds by default)
* Chaining (Requires manual migration, may not be equivalent)
* Constraints (No equivalent plugin)
* Dynamic Directory Services (Requires manual migration to Class of Service Plugin)
* Dynamic Groups/Lists (Requires manual migration to Roles Plugin)
* Proxy Cache (No equivalent plugin, 389-ds supports read-only replicas)
* Password Policy (Built into 389-ds, requires manual migration)
* Rewrite/Remap (No equivalent plugin)
* Sync Provider (Requires manual migration to Replication OR Content Sync Plugin)
* Value Sorting (No equivalent plugin)

This must be run on the server running the 389 Directory Server
instance, as it requires filesystem access. You must run this tool as
either the root or dirsrv user.

The following is required from your OpenLDAP instance:

* slapd.d configuration directory in ldif/dynamic format
* (optional) ldif file backup of the database from slapcat

These can be created on the OpenLDAP host and copied to the 389
Directory Server host. No destructive actions are applied to the
OpenLDAP instance.

If you are already using the ldif/dynamic format from
/etc/openldap/slapd.d, you should take a copy of this to use in the
migration.

    cp -a /etc/openldap/slapd.d /root/slapd.d

If you are using the slapd.conf configuration file, you can convert
this to the dynamic configuration without affecting your running
instance with:

    slaptest -f /etc/openldap/slapd.conf -F /root/slapd.d

To optionally allow your database content to be migrated, you may
create an ldif backup of the content that 389 Directory Server can
import. You must run this for each backend (suffix) of your instance
with the command:

    # If using slapd.conf config format
    slapcat -f /etc/openldap/slapd.conf -b SUFFIX -l /root/suffix.ldif
    # If using slapd.d config format
    slapcat -F /etc/openldap/slapd.d -b SUFFIX -l /root/suffix.ldif

You must already have a 389 Directory Server instance you want to
import into. You can create this with the `dscreate` tool. Data and
configuration in this instance WILL be modified or removed (i.e.
potentially destructive actions).

It is strongly advised that you test this tool on a non-production
system first to be sure the process and changes are understood.

This only needs to be run on the first instance in a 389 Directory
Server topology. All other replicas should be configured from this
instance post migration.

instance
       The name of the 389-ds instance to have OpenLDAP data migrated
       into

slapd_config
       The path to the OpenLDAP slapd.d configuration that will be
       migrated

slapd_ldif
       The path to exported database ldifs to be imported.

-v, --verbose
       Display verbose operation tracing during command execution

--confirm
       Confirm that you want to apply these migration actions to the
       389-ds instance. By default no actions are taken.

--ignore-overlay [IGNORE_OVERLAY ...]
       Ignore the following OpenLDAP overlays from having their
       configuration migrated to equivalent 389-ds plugins. Valid
       options are memberof, refint, unique.

--ignore-schema-oid [IGNORE_SCHEMA_OID ...]
       Ignore the following OpenLDAP schema attribute or class OIDs
       from being migrated to 389-ds. This *may* create inconsistent
       schema which could cause the migration to fail. Use with
       caution.

--ignore-attribute [IGNORE_ATTRIBUTE ...]
       Ignore the following attributes from entries that are loaded
       from the ldif. For example, you may not want to import
       userPassword hashes.

-D BINDDN, --binddn BINDDN
       The 389 Directory Server account to bind as for executing
       migration operations

-w BINDPW, --bindpw BINDPW
       Password for binddn

-W, --prompt
       Prompt for password for the bind DN

-y PWDFILE, --pwdfile PWDFILE
       Specifies a file containing the password for the binddn

-Z, --starttls
       Connect to 389 Directory Server with StartTLS

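A pre-migration check for the --ignore-attribute decision above, as an added example (not part of lib389 or of this manual): it reads a slapcat LDIF export and groups entry DNs by userPassword storage scheme, so cleartext or unsalted values can be found before import. The function names, the WEAK set and the sample LDIF are constructed for illustration.

```python
import base64
import re
from collections import defaultdict

# Constructed sample in the LDIF form slapcat writes; not real data.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice
userPassword:: e1NTSEF9
 YWJj

dn: uid=bob,ou=people,dc=example,dc=com
uid: bob
userPassword:: c2VjcmV0

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol
userPassword: {MD5}constructed-placeholder
"""

# Assumption for this example: values with no {SCHEME} prefix are cleartext,
# and {MD5}/{SHA} are the unsalted digest schemes.
WEAK = {"CLEARTEXT", "MD5", "SHA"}

def password_schemes(ldif_text, attr="userPassword"):
    """Map storage scheme -> list of entry DNs holding a value of that scheme."""
    found = defaultdict(list)
    dn = None
    # LDIF folds long lines as newline + one space; join them before parsing.
    for line in re.sub(r"\r?\n ", "", ldif_text).splitlines():
        name, sep, value = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        b64 = value.startswith(":")  # "attr:: <base64>" versus "attr: <text>"
        raw = base64.b64decode(value[1:].strip()) if b64 else value.strip().encode()
        if name.lower() == "dn":
            dn = raw.decode("utf-8", "replace")
        elif name.lower() == attr.lower():
            m = re.match(rb"\{([A-Za-z0-9_.-]+)\}", raw)
            scheme = m.group(1).decode().upper() if m else "CLEARTEXT"
            found[scheme].append(dn)
    return dict(found)

def weak_entries(ldif_text):
    """DNs whose password value is cleartext or an unsalted digest."""
    schemes = password_schemes(ldif_text)
    return sorted(dn for s in schemes.keys() & WEAK for dn in schemes[s])

if __name__ == "__main__":
    print(password_schemes(SAMPLE_LDIF), weak_entries(SAMPLE_LDIF))
```

If weak_entries returns anything for a real export, passing --ignore-attribute userPassword and resetting those passwords after migration keeps the weak values out of the new instance.
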
lib389 was written by Red Hat Inc., and William Brown
<389-devel@lists.fedoraproject.org>.

The latest version of lib389 may be downloaded from
⟨http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html⟩

Manual                                                  openldap_to_ds(1)