OPENLDAP_TO_DS(1) Generated Python Manual OPENLDAP_TO_DS(1)

openldap_to_ds

openldap_to_ds [-h] [-v] [--confirm] [--ignore-overlay [IGNORE_OVERLAY ...]]
    [--ignore-schema-oid [IGNORE_SCHEMA_OID ...]]
    [--ignore-attribute [IGNORE_ATTRIBUTE ...]]
    [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-Z]
    instance slapd_config [slapd_ldif ...]

Migrate from OpenLDAP to 389 Directory Server.

This command automates the process of converting an OpenLDAP server to
a 389 Directory Server instance. This is a "best effort" process:
OpenLDAP and 389 Directory Server are not identical, so some features
may still require manual migration or cannot be migrated at all. This
tool intends to migrate the majority of major content such as database
data, index configuration, schema and some overlays (plugins).

Content we can migrate:

* Schema
* Database content (from ldif backup)
* Database indexes
* MemberOf Overlay (memberof)
* Referential Integrity Overlay (refint)
* Attribute Unique Overlay (unique)

Content that can *not* be migrated includes some overlays (plugins),
access controls and replication configuration. Examples of plugins that
cannot be migrated:

* Access/Audit logging (built into 389-ds by default)
* Chaining (Requires manual migration, may not be equivalent)
* Constraints (No equivalent plugin)
* Dynamic Directory Services (Requires manual migration to Class of
  Service Plugin)
* Dynamic Groups/Lists (Requires manual migration to Roles Plugin)
* Proxy Cache (No equivalent plugin, 389-ds supports read-only replicas)
* Password Policy (Built into 389-ds, requires manual migration)
* Rewrite/Remap (No equivalent plugin)
* Sync Provider (Requires manual migration to Replication OR Content
  Sync Plugin)
* Value Sorting (No equivalent plugin)
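
A pre-migration check for the two lists above, as an added example that is not part of lib389 or of this manual: it reads slapd.d LDIF text and reports which overlays will be converted, which need the manual follow-up listed above, and how many olcAccess rules will be left behind. The overlay names in MANUAL are an assumption (stock OpenLDAP overlay names matched to the page's descriptions), and SAMPLE is constructed.

```python
import re

# Overlays the man page says openldap_to_ds converts to 389-ds plugins.
MIGRATED = {"memberof", "refint", "unique"}
# Assumption: stock OpenLDAP overlay names for the plugins the page lists as
# not migrated, each mapped to the follow-up the page gives for it.
MANUAL = {
    "accesslog": "built into 389-ds by default",
    "auditlog": "built into 389-ds by default",
    "chain": "manual migration, may not be equivalent",
    "constraint": "no equivalent plugin",
    "dds": "manual migration to Class of Service Plugin",
    "dyngroup": "manual migration to Roles Plugin",
    "dynlist": "manual migration to Roles Plugin",
    "pcache": "no equivalent plugin, 389-ds supports read-only replicas",
    "ppolicy": "built into 389-ds, requires manual migration",
    "rwm": "no equivalent plugin",
    "syncprov": "manual migration to Replication or Content Sync Plugin",
    "valsort": "no equivalent plugin",
}

# Constructed sample of slapd.d entries (not taken from a real server).
SAMPLE = [
    "dn: olcDatabase={1}mdb\nolcSuffix: dc=example,dc=com\n"
    "olcAccess: {0}to attrs=userPassword by self write\n"
    "  by anonymous auth by * none\n"
    "olcAccess: {1}to * by * read\n",
    "dn: olcOverlay={0}memberof\nolcOverlay: {0}memberof\n",
    "dn: olcOverlay={1}ppolicy\nolcOverlay: {1}ppolicy\n",
]

def audit_slapd_config(ldif_texts):
    """Classify overlays and count olcAccess rules in slapd.d LDIF text."""
    report = {"migrated": [], "manual": {}, "unknown": [], "acl_rules": 0}
    for text in ldif_texts:
        text = text.replace("\n ", "")  # unfold LDIF continuation lines
        for line in text.splitlines():
            attr, _, value = line.lower().partition(":")
            if attr == "olcaccess":
                report["acl_rules"] += 1  # access controls are not migrated
            elif attr == "olcoverlay":
                name = re.sub(r"^\{-?\d+\}", "", value.strip())
                if name in MIGRATED:
                    report["migrated"].append(name)
                elif name in MANUAL:
                    report["manual"][name] = MANUAL[name]
                else:
                    report["unknown"].append(name)
    return report
```

To audit a real configuration, pass the text of every .ldif file under your copy of slapd.d instead of SAMPLE. A non-zero acl_rules count means those access rules have to be re-created by hand on the 389-ds side.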

This must be run on the server running the 389 Directory Server
instance, as it requires filesystem access. You must run this tool as
either the root or dirsrv user.

The following is required from your OpenLDAP instance:

* slapd.d configuration directory in ldif/dynamic format
* (optional) ldif file backup of the database from slapcat

These can be created on the OpenLDAP host and copied to the 389
Directory Server host. No destructive actions are applied to the
OpenLDAP instance.

If you are already using the ldif/dynamic format from
/etc/openldap/slapd.d, you should take a copy of this to use in the
migration.

    cp -a /etc/openldap/slapd.d /root/slapd.d

If you are using the slapd.conf configuration file, you can convert
this to the dynamic configuration without affecting your running
instance with:

    slaptest -f /etc/openldap/slapd.conf -F /root/slapd.d

To optionally allow your database content to be migrated, you may create
an ldif backup of the content that 389 Directory Server can import. You
must run this for each backend (suffix) of your instance with the
command:

    # If using slapd.conf config format
    slapcat -f /etc/openldap/slapd.conf -b SUFFIX -l /root/suffix.ldif
    # If using slapd.d config format
    slapcat -F /etc/openldap/slapd.d -b SUFFIX -l /root/suffix.ldif

You must already have a 389 Directory Server instance you want to import
into. You can create this with the `dscreate` tool. Data and
configuration in this instance WILL be modified or removed (i.e.
potentially destructive actions).

It is strongly advised that you test this tool on a non-production
system first to be sure the process and changes are understood.

This only needs to be run on the first instance in a 389 Directory
Server topology. All other replicas should be configured from this
instance post migration.

instance
    The name of the 389-ds instance to have openldap data migrated into

slapd_config
    The path to the openldap slapd.d configuration that will be migrated

slapd_ldif
    The path to exported database ldifs to be imported.

-v, --verbose
    Display verbose operation tracing during command execution

--confirm
    Confirm that you want to apply these migration actions to the
    389-ds instance. By default no actions are taken.

--ignore-overlay [IGNORE_OVERLAY ...]
    Ignore the following openldap overlays from having their
    configuration migrated to equivalent 389-ds plugins. Valid options
    are memberof, refint, unique.

--ignore-schema-oid [IGNORE_SCHEMA_OID ...]
    Ignore the following openldap schema attribute or class OIDs from
    being migrated to 389-ds. This *may* create inconsistent schema
    which could cause the migration to fail. Use with caution.

--ignore-attribute [IGNORE_ATTRIBUTE ...]
    Ignore the following attributes from entries that are loaded from
    the ldif. For example, you may not want to import userPassword
    hashes.

-D BINDDN, --binddn BINDDN
    The 389 Directory Server account to bind as for executing migration
    operations

-w BINDPW, --bindpw BINDPW
    Password for binddn

-W, --prompt
    Prompt for password for the bind DN

-y PWDFILE, --pwdfile PWDFILE
    Specifies a file containing the password for the binddn

-Z, --starttls
    Connect to 389 Directory Server with StartTLS

Red Hat, Inc., and William Brown <389-devel@lists.fedoraproject.org>

The latest version of lib389 may be downloaded from
⟨http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html⟩

lib389 1.4.0.1 2023-10-07 OPENLDAP_TO_DS(1)