Discussion:
[389-users] Migration from OpenLDAP to 389 DS
b***@iskratel.si
2017-06-07 08:25:08 UTC
Permalink
Hi,

I'm completely new in LDAP and I have one task to do. Task is migration from OpenLDAP to 389 DS.
I have installed 389 and now I try to import schema from OpenLDAP. First I create export of schema from OpenLDAP.

config.ldif is done with command: slapcat -F /opt/ldap/mn/slapd.d/ -b "cn=config" > conf.ldif
itnetmanager.ldif is done via java LDAP Browser.

Then I try to convert this ldif files with scripts at http://www.port389.org/docs/389ds/scripts.html, but I did not succeed.
Can someone help me, how can I convert ldif files from OpenLDAP, that be useful for import to 389 DS?

Here are few rows from both file:

itnetmanager_schema_export.ldif
dn: cn={12}itnetmanager, cn=schema, cn=config
olcObjectClasses: {0} ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DES
C 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
olcObjectClasses: {1} ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DE
SC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
olcObjectClasses: {2} ( 1.3.6.1.4.1.1332.1000.30.3 NAME 'itPrepaidSubAccount'
DESC 'IskratelprepaidSubAccount' MUST ( itDirectoryNumber $ itAccountStatus
$ itAccountBalance $ itDateOfLastUsed $ itDateOfExpiry $ itLanguageCode $ i
tUnsucRechargeAtt $ itStatGroupId $ itPrepaidSetId))
olcObjectClasses: {3} ( 1.3.6.1.4.1.1332.1000.30.4 NAME 'itPrepaidSet' DESC '
IskratelprepaidSet' MUST ( itPrepaidSetId $ itPrepaidSetName $ itWelcomeMsgM
ode $ itLanguageMode $ itCbMode $ itRechargeAuth $ itLockAuth $ itRrReqMode
$ itMaxCallAtt $ itMaxRechargeAtt $ itSimultCallsAuth $ itLowBalanceWarn $ i
tNearExpiryWarn $ itNegAccBalance $ itMaxAccBalance $ itSuspensionDur $ itMi
nCallDur $ itLowBalanceValue1 $ itLowBalanceValue2 $ itCnPNDisplayMode $ itP
repaidSubsType $ itAvailDurMsgAuth $ itAccBalMsgAuth $ itOrgChargeCode $ itV
alidityTime ))
...
olcAttributeTypes: {262} ( 1.3.6.1.4.1.1332.1000.10.266 NAME ('itDefaultPolic
yProfile') DESC 'Is User Policy Default' EQUALITY booleanMatch SUBSTR caseIg
noreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {263} ( 1.3.6.1.4.1.1332.1000.10.267 NAME ('itPasswordHist
ory') DESC 'User Password History' EQUALITY caseIgnoreMatch SUBSTR caseIgnor
eSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectClass: olcSchemaConfig
cn: {12}itnetmanager



config.ldif
dn: cn=config
olcLogLevel: 0
olcConnMaxPending: 100
olcConcurrency: 0
olcWriteTimeout: 0
olcArgsFile: /var/run/openldap/slapd_mn.args
olcIndexSubstrAnyStep: 2
olcSockbufMaxIncoming: 262143
olcTLSCertificateKeyFile: /opt/ldap/mn/certs/password
objectClass: olcGlobal
olcIndexIntLen: 4
olcConnMaxPendingAuth: 1000
olcTLSCertificateFile: "OpenLDAP Server"
cn: config
olcIndexSubstrIfMinLen: 2
olcAttributeOptions: lang-
olcPidFile: /var/run/openldap/slapd_mn.pid
olcConfigDir: /opt/ldap/mn/slapd.d/
olcReverseLookup: FALSE
olcGentleHUP: FALSE
olcTLSCACertificatePath: /opt/ldap/mn/certs
olcReadOnly: FALSE
olcTLSVerifyClient: never
olcThreads: 16
olcIndexSubstrAnyLen: 4
olcToolThreads: 1
olcSockbufMaxIncomingAuth: 16777215
olcIdleTimeout: 0
olcSaslSecProps: noplain,noanonymous
olcConfigFile: /opt/ldap/mn/slapd.conf
olcAuthzPolicy: none
olcIndexSubstrIfMaxLen: 4
olcAllows: bind_v2
olcLocalSSF: 71

dn: cn=schema, cn=config
olcObjectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABS
TRACT MUST objectClass )
olcObjectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC
'RFC4512: extensible object' SUP top AUXILIARY )
olcObjectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC4512: an alias' SUP top STR
UCTURAL MUST aliasedObjectName )
...
olcAccess: {2}to attrs=itPasswordFtp by group/groupOfUniqueNames/uniqueMembe
r.exact="cn=adminrole,ou=group,l=Kranj,c=SI" write by * none
olcAccess: {3}to attrs=itPasswordDb by group/groupOfUniqueNames/uniqueMember
.exact="cn=adminrole,ou=group,l=Kranj,c=SI" write by * none
olcDbConfig: {0}# Set location for txn log files
olcDbConfig: {1}set_lg_dir /opt/ldap/mn/ldapDB
olcDbConfig: {2}# Set cache size 20MB
olcDbConfig: {3}set_cachesize 0 20971520 0
olcDbConfig: {4}set_lg_regionmax 262144
olcDbConfig: {5}set_lg_bsize 2097152
olcDbConfig: {6}# Automatically remove log files that are no longer needed.
olcDbConfig: {7}set_flags DB_LOG_AUTOREMOVE
olcDbConfig: {8}# Just use these settings when doing slapadd...
olcDbConfig: {9}# set_flags DB_TXN_NOSYNC
olcDbIDLcacheSize: 0
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDbShmKey: 0
olcMaxDerefDepth: 10
olcLastMod: TRUE
olcDbCacheFree: 5
olcDbCacheSize: 150000
olcDbDirtyRead: FALSE
olcReadOnly: FALSE
olcDbSearchStack: 16
olcDatabase: {2}bdb
olcDbDNcacheSize: 0
olcRootPW: {MD5}tGVcx24Qek2C4rq4tk32Wg==
olcDbCheckpoint: 10 1
olcRootDN: cn=ldapadmin,l=Kranj,c=SI
olcDbDirectory: /opt/ldap/mn/ldapDB
olcSizeLimit: 150000

Thank you!
br,rtmktl
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-user
Ludwig Krispenz
2017-06-07 10:31:39 UTC
Permalink
openldap heavily uses the "orderd value or entry prefix", so youhave
numbers {nnn} in the dns and attributes like:

cn={12}itnetmanager

or

olcAttributeTypes: {262} ...

I would first try to remove these {nnn} stuff and retry
Post by b***@iskratel.si
Hi,
I'm completely new in LDAP and I have one task to do. Task is migration from OpenLDAP to 389 DS.
I have installed 389 and now I try to import schema from OpenLDAP. First I create export of schema from OpenLDAP.
config.ldif is done with command: slapcat -F /opt/ldap/mn/slapd.d/ -b "cn=config" > conf.ldif
itnetmanager.ldif is done via java LDAP Browser.
Then I try to convert this ldif files with scripts at http://www.port389.org/docs/389ds/scripts.html, but I did not succeed.
Can someone help me, how can I convert ldif files from OpenLDAP, that be useful for import to 389 DS?
itnetmanager_schema_export.ldif
dn: cn={12}itnetmanager, cn=schema, cn=config
olcObjectClasses: {0} ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DES
C 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
olcObjectClasses: {1} ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DE
SC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
olcObjectClasses: {2} ( 1.3.6.1.4.1.1332.1000.30.3 NAME 'itPrepaidSubAccount'
DESC 'IskratelprepaidSubAccount' MUST ( itDirectoryNumber $ itAccountStatus
$ itAccountBalance $ itDateOfLastUsed $ itDateOfExpiry $ itLanguageCode $ i
tUnsucRechargeAtt $ itStatGroupId $ itPrepaidSetId))
olcObjectClasses: {3} ( 1.3.6.1.4.1.1332.1000.30.4 NAME 'itPrepaidSet' DESC '
IskratelprepaidSet' MUST ( itPrepaidSetId $ itPrepaidSetName $ itWelcomeMsgM
ode $ itLanguageMode $ itCbMode $ itRechargeAuth $ itLockAuth $ itRrReqMode
$ itMaxCallAtt $ itMaxRechargeAtt $ itSimultCallsAuth $ itLowBalanceWarn $ i
tNearExpiryWarn $ itNegAccBalance $ itMaxAccBalance $ itSuspensionDur $ itMi
nCallDur $ itLowBalanceValue1 $ itLowBalanceValue2 $ itCnPNDisplayMode $ itP
repaidSubsType $ itAvailDurMsgAuth $ itAccBalMsgAuth $ itOrgChargeCode $ itV
alidityTime ))
...
olcAttributeTypes: {262} ( 1.3.6.1.4.1.1332.1000.10.266 NAME ('itDefaultPolic
yProfile') DESC 'Is User Policy Default' EQUALITY booleanMatch SUBSTR caseIg
noreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcAttributeTypes: {263} ( 1.3.6.1.4.1.1332.1000.10.267 NAME ('itPasswordHist
ory') DESC 'User Password History' EQUALITY caseIgnoreMatch SUBSTR caseIgnor
eSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectClass: olcSchemaConfig
cn: {12}itnetmanager
config.ldif
dn: cn=config
olcLogLevel: 0
olcConnMaxPending: 100
olcConcurrency: 0
olcWriteTimeout: 0
olcArgsFile: /var/run/openldap/slapd_mn.args
olcIndexSubstrAnyStep: 2
olcSockbufMaxIncoming: 262143
olcTLSCertificateKeyFile: /opt/ldap/mn/certs/password
objectClass: olcGlobal
olcIndexIntLen: 4
olcConnMaxPendingAuth: 1000
olcTLSCertificateFile: "OpenLDAP Server"
cn: config
olcIndexSubstrIfMinLen: 2
olcAttributeOptions: lang-
olcPidFile: /var/run/openldap/slapd_mn.pid
olcConfigDir: /opt/ldap/mn/slapd.d/
olcReverseLookup: FALSE
olcGentleHUP: FALSE
olcTLSCACertificatePath: /opt/ldap/mn/certs
olcReadOnly: FALSE
olcTLSVerifyClient: never
olcThreads: 16
olcIndexSubstrAnyLen: 4
olcToolThreads: 1
olcSockbufMaxIncomingAuth: 16777215
olcIdleTimeout: 0
olcSaslSecProps: noplain,noanonymous
olcConfigFile: /opt/ldap/mn/slapd.conf
olcAuthzPolicy: none
olcIndexSubstrIfMaxLen: 4
olcAllows: bind_v2
olcLocalSSF: 71
dn: cn=schema, cn=config
olcObjectClasses: ( 2.5.6.0 NAME 'top' DESC 'top of the superclass chain' ABS
TRACT MUST objectClass )
olcObjectClasses: ( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' DESC
'RFC4512: extensible object' SUP top AUXILIARY )
olcObjectClasses: ( 2.5.6.1 NAME 'alias' DESC 'RFC4512: an alias' SUP top STR
UCTURAL MUST aliasedObjectName )
...
olcAccess: {2}to attrs=itPasswordFtp by group/groupOfUniqueNames/uniqueMembe
r.exact="cn=adminrole,ou=group,l=Kranj,c=SI" write by * none
olcAccess: {3}to attrs=itPasswordDb by group/groupOfUniqueNames/uniqueMember
.exact="cn=adminrole,ou=group,l=Kranj,c=SI" write by * none
olcDbConfig: {0}# Set location for txn log files
olcDbConfig: {1}set_lg_dir /opt/ldap/mn/ldapDB
olcDbConfig: {2}# Set cache size 20MB
olcDbConfig: {3}set_cachesize 0 20971520 0
olcDbConfig: {4}set_lg_regionmax 262144
olcDbConfig: {5}set_lg_bsize 2097152
olcDbConfig: {6}# Automatically remove log files that are no longer needed.
olcDbConfig: {7}set_flags DB_LOG_AUTOREMOVE
olcDbConfig: {8}# Just use these settings when doing slapadd...
olcDbConfig: {9}# set_flags DB_TXN_NOSYNC
olcDbIDLcacheSize: 0
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDbShmKey: 0
olcMaxDerefDepth: 10
olcLastMod: TRUE
olcDbCacheFree: 5
olcDbCacheSize: 150000
olcDbDirtyRead: FALSE
olcReadOnly: FALSE
olcDbSearchStack: 16
olcDatabase: {2}bdb
olcDbDNcacheSize: 0
olcRootPW: {MD5}tGVcx24Qek2C4rq4tk32Wg==
olcDbCheckpoint: 10 1
olcRootDN: cn=ldapadmin,l=Kranj,c=SI
olcDbDirectory: /opt/ldap/mn/ldapDB
olcSizeLimit: 150000
Thank you!
br,rtmktl
_______________________________________________
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-***@lists
William Brown
2017-06-07 23:09:20 UTC
Permalink
Post by b***@iskratel.si
I'm completely new in LDAP and I have one task to do. Task is
migration from OpenLDAP to 389 DS.
I have installed 389 and now I try to import schema from OpenLDAP.
First I create export of schema from OpenLDAP.
The schema format between openldap and 389 is pretty different.

I would be approaching this to see if 389 already supports what you need
(we probably do)!

Then from there, you need to identify custom schema on a case by case
basis. It'll be a bit time consuming, but it's the best method here I
think.

Hope that helps, if you need more advice, let me know.
--
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
b***@iskratel.si
2017-06-08 07:05:30 UTC
Permalink
Hi, yes, I would need a little more help. Now I delete most of records from exported ldif file, that I have simple file for editing and testing. I also deleted {xx}.

My ldif file is now:

dn: cn=itnetmanager, cn=schema, cn=config
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DES
C 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DE
SC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.3 NAME 'itPrepaidSubAccount'
DESC 'IskratelprepaidSubAccount' MUST ( itDirectoryNumber $ itAccountStatus
$ itAccountBalance $ itDateOfLastUsed $ itDateOfExpiry $ itLanguageCode $ i
tUnsucRechargeAtt $ itStatGroupId $ itPrepaidSetId))
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.4 NAME 'itPrepaidSet' DESC '
IskratelprepaidSet' MUST ( itPrepaidSetId $ itPrepaidSetName $ itWelcomeMsgM
ode $ itLanguageMode $ itCbMode $ itRechargeAuth $ itLockAuth $ itRrReqMode
$ itMaxCallAtt $ itMaxRechargeAtt $ itSimultCallsAuth $ itLowBalanceWarn $ i
tNearExpiryWarn $ itNegAccBalance $ itMaxAccBalance $ itSuspensionDur $ itMi
nCallDur $ itLowBalanceValue1 $ itLowBalanceValue2 $ itCnPNDisplayMode $ itP
repaidSubsType $ itAvailDurMsgAuth $ itAccBalMsgAuth $ itOrgChargeCode $ itV
alidityTime ))
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.5 NAME 'itPrepaidCoupon' DES
C 'IskratelprepaidCoupon' MUST ( itPrepaidCin $ itCouponSerialNr $ itCouponS
tatus $ itAmountChargeUnit $ itDateOfValidity) MAY ( itValidityExtension )
)
objectClass: olcSchemaConfig
cn: itnetmanager


If I try to import this ldif, I get error:
Entry "cn=itnetmanager,cn=schema,cn=config" has unknown object class "olcSchemaConfig"

I know that 389 DS doesn't have olcSchemaConfig, but I don't know what to set for ofobjectClass.
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-l
Mark Reynolds
2017-06-08 14:08:23 UTC
Permalink
Post by b***@iskratel.si
Hi, yes, I would need a little more help. Now I delete most of records from exported ldif file, that I have simple file for editing and testing. I also deleted {xx}.
dn: cn=itnetmanager, cn=schema, cn=config
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DES
C 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DE
SC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.3 NAME 'itPrepaidSubAccount'
DESC 'IskratelprepaidSubAccount' MUST ( itDirectoryNumber $ itAccountStatus
$ itAccountBalance $ itDateOfLastUsed $ itDateOfExpiry $ itLanguageCode $ i
tUnsucRechargeAtt $ itStatGroupId $ itPrepaidSetId))
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.4 NAME 'itPrepaidSet' DESC '
IskratelprepaidSet' MUST ( itPrepaidSetId $ itPrepaidSetName $ itWelcomeMsgM
ode $ itLanguageMode $ itCbMode $ itRechargeAuth $ itLockAuth $ itRrReqMode
$ itMaxCallAtt $ itMaxRechargeAtt $ itSimultCallsAuth $ itLowBalanceWarn $ i
tNearExpiryWarn $ itNegAccBalance $ itMaxAccBalance $ itSuspensionDur $ itMi
nCallDur $ itLowBalanceValue1 $ itLowBalanceValue2 $ itCnPNDisplayMode $ itP
repaidSubsType $ itAvailDurMsgAuth $ itAccBalMsgAuth $ itOrgChargeCode $ itV
alidityTime ))
olcObjectClasses: ( 1.3.6.1.4.1.1332.1000.30.5 NAME 'itPrepaidCoupon' DES
C 'IskratelprepaidCoupon' MUST ( itPrepaidCin $ itCouponSerialNr $ itCouponS
tatus $ itAmountChargeUnit $ itDateOfValidity) MAY ( itValidityExtension )
)
objectClass: olcSchemaConfig
cn: itnetmanager
You need to remove the "olc" from the attribute name. For 389 it must
be "objectclasses", and "attributetypes"
Post by b***@iskratel.si
Entry "cn=itnetmanager,cn=schema,cn=config" has unknown object class "olcSchemaConfig"
I know that 389 DS doesn't have olcSchemaConfig, but I don't know what to set for ofobjectClass.
You would typically use:

objectclass: top
objectclass: ldapSubentry
objectclass: subschema
Post by b***@iskratel.si
_______________________________________________
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 38
Blaz Kalan
2017-06-09 07:32:50 UTC
Permalink
Hi, thank you all. Now I am a little further.

My current tmp ldif file is as follows:

dn: cn=schema, cn=config
objectclass: top
objectclass: ldapSubentry
objectclass: subschema

dn: cn=itnetmanager, cn=schema, cn=config
objectclass: top
objectclass: ldapSubentry
objectclass: subschema

objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin ) )
attributeTypes: ( 1.3.6.1.4.1.1332.1000.10.1 NAME ('itPrepaidPin' 'ppin') DESC 'IskratelprepaidPIN' EQUALITY numericStringMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE )

When I try to import this file, I do not get any errors, and I can see schema and itnetmanager "folders" with ldap browser. But, I cannot see any entries (objectClasses or attributeTypes). What am I doing still wrong?

Thank you!
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-lea
Mark Reynolds
2017-06-12 15:12:28 UTC
Permalink
Post by Blaz Kalan
Hi, thank you all. Now I am a little further.
dn: cn=schema, cn=config
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
dn: cn=itnetmanager, cn=schema, cn=config
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin ) )
attributeTypes: ( 1.3.6.1.4.1.1332.1000.10.1 NAME ('itPrepaidPin' 'ppin') DESC 'IskratelprepaidPIN' EQUALITY numericStringMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36 SINGLE-VALUE )
When I try to import this file, I do not get any errors, and I can see schema and itnetmanager "folders" with ldap browser. But, I cannot see any entries (objectClasses or attributeTypes). What am I doing still wrong?
This is the expected behavior as "attributeTypes" and "objectClasses"
are operational attributes. The client needs to explicitly ask for
them. Here is an example with ldapsearch:

ldapsearch -D "cn=directory manager" -w password -b "cn=schema"
objectclass=top attributetypes objectclasses

But... I want to point something else out that will cause issues for
you next...

You are adding schema under "cn=config" - that is incorrect. It should
be added under "cn=schema", otherwise it will not be picked up by the
server. So just strip off cn=config from the DN's in your ldif. Then
you add it via ldapmodify, or just drop the ldif file (naming it to
99user.ldif first) into server's schema dir and restarting the server:
/etc/dirsrv/slapd-INSTANCE/schema


https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/extending_the_directory_schema#extending-the-schema

Regards,
Mark
Post by Blaz Kalan
Thank you!
_______________________________________________
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe s
Blaz Kalan
2017-06-13 11:36:26 UTC
Permalink
Hi, thank you very much for your help, but I still have problems :(
I add schema to 99user.ldif:

dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
llow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=Topo
logyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
ll) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=Netsc
apeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
dap:///cn=slapd-blegos,cn=389 Directory Server,cn=Server Group,cn=blegos.csi.
iskratel.mak,ou=csi.iskratel.mak,o=NetscapeRoot";)
modifiersName: cn=directory manager
modifyTimestamp: 20170526075714Z
numSubordinates: 1

dn: cn=itnetmanager,cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: itnetmanager
creatorsName: cn=directory manager
modifiersName: cn=directory manager
createTimestamp: 20170613072328Z
modifyTimestamp: 20170613072328Z

dn: cn=itnetmanager, cn=schema
objectclass: top
objectclass: ldapSubentry
objectclass: subschema
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
...

and I do not have any errors when I resrart dirsrv:
[13/Jun/2017:12:42:45.703352975 +0200] slapd shutting down - signaling operation threads - op stack size 0 max work q size 0 max work q stack size 0
[13/Jun/2017:12:42:45.725145416 +0200] slapd shutting down - closing down internal subsystems and plugins
[13/Jun/2017:12:42:45.760637613 +0200] Waiting for 4 database threads to stop
[13/Jun/2017:12:42:46.080192896 +0200] All database threads now stopped
[13/Jun/2017:12:42:46.107869191 +0200] slapd shutting down - freed 0 work q stack objects - freed 0 op stack objects
[13/Jun/2017:12:42:46.173323031 +0200] slapd stopped.
[13/Jun/2017:12:42:46.397936154 +0200] 389-Directory/1.3.5.10 B2017.102.203 starting up
[13/Jun/2017:12:42:46.552160523 +0200] slapd started. Listening on All Interfaces port 389 for LDAP requests

But when I try to import exported data (from openldap) to 389 DS with 389-console, I get these errors:

Error adding object 'dn: itSnmpProfileId=SNMP_V2C,ou=SnmpProfile,l=Kranj,c=SI'. The error sent by the server was 'Object class violation. unknown object class "itSnmpProfileOC"
Error adding object 'dn: itProductId=ES_KONTRON,ou=Product,l=Kranj,c=SI'. The error sent by the server was 'Object class violation. unknown object class "itProductOC"
...

So it looks like that shema is not picked up (because all this classes I have in 99user.ldif

Second most common error in reject file is:
Error adding object 'dn: itContainerId=1048870,ou=Container,l=Kranj,c=SI'. The error sent by the server was 'Object class violation. unknown object class "labeledURIObject"

Data is:
dn: itContainerId=1048870,ou=Container,l=Kranj,c=SI
itSerialNumber: 10
itParentContainerId: 1048860
itContainerName: 16/10
itRegType: 1
objectClass: itContainerOC
objectClass: labeledURIObject
itConfigurationNeeded: FALSE
itContainerStatus: 0
itContainerType: 2
itContainerId: 1048870
structuralObjectClass: itContainerOC
creatorsName: uid=mnadmin,ou=User,l=Kranj,c=SI
createTimestamp: 20160610065455Z
modifiersName: uid=mnadmin,ou=User,l=Kranj,c=SI
modifyTimestamp: 20160610065455Z

Could you please help me also at this two problems?

Thanks!

Best regards,
Blaz

_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-***@li
Blaz Kalan
2017-06-14 11:41:35 UTC
Permalink
Hi again,

Finally it looks like that I’m somehow succeeded whit importing data from openLDAP to 389 DS, but I had to do a few things about which I am not sure if they are OK.

I change 99user.ldif to:
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
llow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=Topo
logyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
ll) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=Netsc
apeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
dap:///cn=slapd-blegos,cn=389 Directory Server,cn=Server Group,cn=blegos.csi.
iskratel.mak,ou=csi.iskratel.mak,o=NetscapeRoot";)
modifiersName: cn=directory manager
modifyTimestamp: 20170526075714Z
numSubordinates: 1
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )


It looks OK. I also see added attributes whit 389-console.

When I am importing the data I received this errors:

The error sent by the server was 'Object class violation. attribute "entryuuid" not allowed
The error sent by the server was 'Object class violation. attribute "entrycsn" not allowed
The error sent by the server was 'Object class violation. unknown object class "labeledURIObject"
The error sent by the server was 'Object class violation. attribute "labeledURI" not allowed

Here I just deleted those rows with commands (I am not sure, what here is the right way):

sed -i "/\b\(entryUUID\)\b/d" data_from_openLDAP.ldif
sed -i "/\b\(entryCSN\)\b/d" data_from_openLDAP.ldif
sed -i "/\b\(labeledURIObject\)\b/d" data_from_openLDAP.ldif
sed -i "/\b\(labeledURI\)\b/d" data_from_openLDAP.ldif

Another error was:
Error: the SUBSTR matching rule [caseIgnoreSubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.27] for the attribute [itUserPolicyProfileId]

Here again I just delete all “SUBSTR caseIgnoreSubstringsMatch” from exported data ldif file. (What here?)

Then I must change all user passwords, because I cannot import md5 passwords. Here is probably setting while exporting data that passwords are in plain text?
So change was from:
userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=
to:
userPassword: test


After that, import succeeded.

Best Regards,
Blaz
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-l
Mark Reynolds
2017-06-14 13:42:53 UTC
Permalink
Post by Blaz Kalan
Hi again,
Finally it looks like that I’m somehow succeeded whit importing data from openLDAP to 389 DS, but I had to do a few things about which I am not sure if they are OK.
dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
cn: schema
aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
llow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=Topo
logyManagement,o=NetscapeRoot";)
aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
ll) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=Netsc
apeRoot";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
dap:///cn=slapd-blegos,cn=389 Directory Server,cn=Server Group,cn=blegos.csi.
iskratel.mak,ou=csi.iskratel.mak,o=NetscapeRoot";)
modifiersName: cn=directory manager
modifyTimestamp: 20170526075714Z
numSubordinates: 1
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
objectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )

It looks OK. I also see added attributes whit 389-console.
The error sent by the server was 'Object class violation. attribute "entryuuid" not allowed
The error sent by the server was 'Object class violation. attribute "entrycsn" not allowed
The error sent by the server was 'Object class violation. unknown object class "labeledURIObject"
The error sent by the server was 'Object class violation. attribute "labeledURI" not allowed
These attributes are not part of 389's standard schema. So that implies
there is still more Openldap schema to migrate to 389 before you should
try the import.
Post by Blaz Kalan
sed -i "/\b\(entryUUID\)\b/d" data_from_openLDAP.ldif
sed -i "/\b\(entryCSN\)\b/d" data_from_openLDAP.ldif
sed -i "/\b\(labeledURIObject\)\b/d" data_from_openLDAP.ldif
sed -i "/\b\(labeledURI\)\b/d" data_from_openLDAP.ldif
Error: the SUBSTR matching rule [caseIgnoreSubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.27] for the attribute [itUserPolicyProfileId]
Syntax 1.3.6.1.4.1.1466.115.121.1.27 is an "integer" syntax. A
caseIgnore matching rule does not apply to a number. So this error
makes sense and is correct.
Post by Blaz Kalan
Here again I just delete all “SUBSTR caseIgnoreSubstringsMatch” from exported data ldif file. (What here?)
Well it should be removed from attributes that use the integer syntax,
but for other syntax's you might need/want it. So you need look through
each attribute and confirm what its syntax is before removing the
matching rule.
Post by Blaz Kalan
Then I must change all user passwords, because I cannot import md5 passwords. Here is probably setting while exporting data that passwords are in plain text?
389 does support MD5 passwords, so the password below should work fine.
Are you getting errors?

Regards,
Mark
Post by Blaz Kalan
userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=
userPassword: test
After that, import succeeded.
Best Regards,
Blaz
_______________________________________________
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leav
Blaz Kalan
2017-06-15 11:48:36 UTC
Permalink
Hi,

Sorry, I checked again and we use base64 coded passwords:
userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=

what do you suggest in this case?

But even if I try with md5, I get an error.

ldif:
dn: uid=mnadmin,ou=User,l=Kranj,c=SI
uid: mnadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: itUserOC
description: Administrator
sn: mnadmin
cn: mnadmin
userPassword: {MD5}CY9rzUYh03PK3k6DJie09g==
structuralObjectClass: inetOrgPerson
nsuniqueid: 2cec3dde-17dd-1035-945a-f5630028a5a6
creatorsName: cn=ldapadmin,l=Kranj,c=SI
createTimestamp: 20151105074714Z
itUserLocked: FALSE
itSuperUser: TRUE
itPasswordExpire: 200504101330Z
itLastLogin: 200504101330Z
modifiersName: uid=mnadmin,ou=User,l=Kranj,c=SI
modifyTimestamp: 20151105074859Z


error:
Error adding object 'dn: uid=mnadmin,ou=User,l=Kranj,c=SI'. The error sent by the server was 'Constraint violation. invalid password syntax - passwords with storage scheme are not allowed'. The object is: LDAPEntry: uid=mnadmin,ou=User,l=Kranj,c=SI; LDAPAttributeSet: LDAPAttribute {type='itsuperuser', values='TRUE'} LDAPAttribute {type='itlastlogin', values='200504101330Z'} LDAPAttribute {type='sn', values='mnadmin'} LDAPAttribute {type='userpassword', values='{MD5}CY9rzUYh03PK3k6DJie09g=='} LDAPAttribute {type='objectclass', values='inetOrgPerson,organizationalPerson,person,itUserOC'} LDAPAttribute {type='uid', values='mnadmin'} LDAPAttribute {type='ituserlocked', values='FALSE'} LDAPAttribute {type='modifytimestamp', values='20151105074859Z'} LDAPAttribute {type='modifiersname', values='uid=mnadmin,ou=User,l=Kranj,c=SI'} LDAPAttribute {type='nsuniqueid', values='2cec3dde-17dd-1035-945a-f5630028a5a6'} LDAPAttribute {type='createtimestamp', values='20151105074714Z'} LDAPAttribute {
type='creatorsname', values='cn=ldapadmin,l=Kranj,c=SI'} LDAPAttribute {type='cn', values='mnadmin'} LDAPAttribute {type='itpasswordexpire', values='200504101330Z'} LDAPAttribute {type='description', values='Administrator'} LDAPAttribute {type='structuralobjectclass', values='inetOrgPerson'}.

Thank you very much.
BR,
Blaz
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-***@lists.fedoraproj
Mark Reynolds
2017-06-15 13:33:23 UTC
Permalink
Post by Blaz Kalan
Hi,
userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=
The server always base64 ecodes passwords - that is fine and expected
Post by Blaz Kalan
what do you suggest in this case?
But even if I try with md5, I get an error.
dn: uid=mnadmin,ou=User,l=Kranj,c=SI
uid: mnadmin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: itUserOC
description: Administrator
sn: mnadmin
cn: mnadmin
userPassword: {MD5}CY9rzUYh03PK3k6DJie09g==
structuralObjectClass: inetOrgPerson
nsuniqueid: 2cec3dde-17dd-1035-945a-f5630028a5a6
creatorsName: cn=ldapadmin,l=Kranj,c=SI
createTimestamp: 20151105074714Z
itUserLocked: FALSE
itSuperUser: TRUE
itPasswordExpire: 200504101330Z
itLastLogin: 200504101330Z
modifiersName: uid=mnadmin,ou=User,l=Kranj,c=SI
modifyTimestamp: 20151105074859Z
Error adding object 'dn: uid=mnadmin,ou=User,l=Kranj,c=SI'. The error sent by the server was 'Constraint violation. invalid password syntax - passwords with storage scheme are not allowed'. The object is: LDAPEntry: uid=mnadmin,ou=User,l=Kranj,c=SI; LDAPAttributeSet: LDAPAttribute {type='itsuperuser', values='TRUE'} LDAPAttribute {type='itlastlogin', values='200504101330Z'} LDAPAttribute {type='sn', values='mnadmin'} LDAPAttribute {type='userpassword', values='{MD5}CY9rzUYh03PK3k6DJie09g=='} LDAPAttribute {type='objectclass', values='inetOrgPerson,organizationalPerson,person,itUserOC'} LDAPAttribute {type='uid', values='mnadmin'} LDAPAttribute {type='ituserlocked', values='FALSE'} LDAPAttribute {type='modifytimestamp', values='20151105074859Z'} LDAPAttribute {type='modifiersname', values='uid=mnadmin,ou=User,l=Kranj,c=SI'} LDAPAttribute {type='nsuniqueid', values='2cec3dde-17dd-1035-945a-f5630028a5a6'} LDAPAttribute {type='createtimestamp', values='20151105074714Z'} LDAPAttribute {
type='creatorsname', values='cn=ldapadmin,l=Kranj,c=SI'} LDAPAttribute {type='cn', values='mnadmin'} LDAPAttribute {type='itpasswordexpire', values='200504101330Z'} LDAPAttribute {type='description', values='Administrator'} LDAPAttribute {type='structuralobjectclass', values='inetOrgPerson'}.
Okay this is expected if you try and add a prehashed password as a
regular user. So how are you adding these entries exactly?

If you are using ldapmodify, then you need to bind as the directory
manager to bypass these constraints. Or, import the entire user ldif
using ldif2db which also bypasses these checks.

Regards,
Mark
Post by Blaz Kalan
Thank you very much.
BR,
Blaz
_______________________________________________
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an ema
Blaz Kalan
2017-06-16 06:58:46 UTC
Permalink
Hi Mark, thank you very much.
I actually always imported data with java LDAP browser/editor. Now I try with ldapmodify and I am succeded with user passwords.

Now I have only few unresolved things.

For atribute entryUUID in exported data I use nsuniqueid for 389 import.

But I do not know, which atributes represent this tree atributes from opdanLDAP:
'Object class violation. unknown object class "labeledURIObject"
'Object class violation. attribute "labeledURI" not allowed
'Object class violation. attribute "entryCSN" not allowed

Which object and atributes I should used instead of them.

Best regards,
Blaz
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-***@lists.fed
Mark Reynolds
2017-06-16 12:17:57 UTC
Permalink
Post by Blaz Kalan
Hi Mark, thank you very much.
I actually always imported data with java LDAP browser/editor. Now I try with ldapmodify and I am succeded with user passwords.
Now I have only few unresolved things.
For atribute entryUUID in exported data I use nsuniqueid for 389 import.
'Object class violation. unknown object class "labeledURIObject"
'Object class violation. attribute "labeledURI" not allowed
'Object class violation. attribute "entryCSN" not allowed
Which object and atributes I should used instead of them.
The server itself does not use these attributes, so this is really what
your clients would need. Only you can answer that :) Anyway somewhere
in your openldap environment this schema is defined, and it has not been
migrated to 389 yet. Sorry I don't know Openldap so I can not tell you
where to find it, but it should be there somewhere.
Post by Blaz Kalan
Best regards,
Blaz
_______________________________________________
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe se
Blaz Kalan
2017-06-19 06:36:17 UTC
Permalink
Hi,
yes I find all these attributes and class in openLDAP schema files, there is:

olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change sequence number of the entry content' EQUALITY CSNMatch ORDERING CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1{64} SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

olcObjectClasses: {23}( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI

olcAttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uniform Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

Br, Blaz
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-
Blaz Kalan
2017-06-19 07:14:47 UTC
Permalink
I added these two lines to 99user.ldif:

ObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI )
AttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uniform Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )

And looks fine.

But for
AttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change sequence number of the entry content' EQUALITY CSNMatch ORDERING CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )

I get an error:
(Invalid syntax) - attribute type entryCSN: Unknown attribute syntax OID "1.3.6.1.4.1.4203.666.11.2.1"

BR,
Blaz
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-***@lists.f
Mark Reynolds
2017-06-19 13:56:27 UTC
Permalink
Post by Blaz Kalan
ObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' SUP top AUXILIARY MAY labeledURI )
AttributeTypes: ( 1.3.6.1.4.1.250.1.57 NAME 'labeledURI' DESC 'RFC2079: Uniform Resource Identifier with optional label' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
And looks fine.
But for
AttributeTypes: ( 1.3.6.1.4.1.4203.666.1.7 NAME 'entryCSN' DESC 'change sequence number of the entry content' EQUALITY CSNMatch ORDERING CSNOrderingMatch SYNTAX 1.3.6.1.4.1.4203.666.11.2.1 SINGLE-VALUE NO-USER-MODIFICATION USAGE directoryOperation )
(Invalid syntax) - attribute type entryCSN: Unknown attribute syntax OID "1.3.6.1.4.1.4203.666.11.2.1"
Well, you can change the syntax to 1.3.6.1.4.1.1466.115.121.1.15, or
remove entryCSN from the user ldif. entryCSN is only used by Openldap's
replication protocol, it serves no purpose in 389 and can be removed if
you want to.

Regards,
Mark
Post by Blaz Kalan
BR,
Blaz
_______________________________________________
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send an email to 389-users-***@lists.f
Blaz Kalan
2017-06-22 10:53:06 UTC
Permalink
Hi Mark,

Thank you very much for your help. Now I hit to another problem and maybe you can help me. At OpenLDAP we have two “super users” which has read/write/delete access for whole tree. Now in 389 DS I can do changes or view the data only if I am login as cn=directory manager. All my “super users” are already in 389 DS database, but I do not know how to set them proper rights. Here is an example with ldapsearch:

ldapsearch -D "cn=directory manager" -w iskratel -b "l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 108

ldapsearch -D "uid=mnadmin,ou=user,l=Kranj,c=si" -w mzPLlgQ3 -b "l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 1

So my question here is, what I must do, that user mnadmin have r/w/d permissions and will see the same tree as directory manager does?

Best regards,
Blaz
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe send
Blaz Kalan
2017-06-23 07:11:07 UTC
Permalink
Hi I am succeeded and I write here just for case if someone else needs it. I had to add rights to these two users. My ldif file:

dn: l=Kranj,c=si
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0; acl "give sysadmin full rights"; allow(all) (userdn = "ldap:///uid=mnadmin,ou=User,l=Kranj,c=SI" or userdn = "ldap:///uid=sysadmin,ou=User,l=Kranj,c=SI" or userdn = "ldap:///uid=openmnadmin,ou=User,l=Kranj,c=SI");)

BR, Blaz
_______________________________________________
389-users mailing list -- 389-***@lists.fedoraproject.org
To unsubscribe se

Kalan Blaz
2017-06-22 10:31:40 UTC
Permalink
Hi Mark,

Thank you very much for your help. Now I hit to another problem and maybe you can help me. At OpenLDAP we have two "super users" which has read/write/delete access for whole tree. Now in 389 DS I can do changes or view the data only if I am login as cn=directory manager. All my "super users" are already in 389 DS database, but I do not know how to set them proper rights. Here is an example with ldapsearch:

ldapsearch -D "cn=directory manager" -w iskratel -b "l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 108

ldapsearch -D "uid=mnadmin,ou=user,l=Kranj,c=si" -w mzPLlgQ3 -b "l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 1

So my question here is, what I must do, that user mnadmin have r/w/d permissions and will see the same tree as directory manager does?

Best regards,
Blaz
Ludwig Krispenz
2017-06-22 11:45:12 UTC
Permalink
Hi,

389-ds has an access control mechanism which allows fine grained access
to entries, attributes for different types of operation and based on
various criteria like d,n group membership, role,.... and you should get
familiar with the basics before just adding specific acis:

https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control

for your specific request you could do something like:

dn: l=kranj,c=si
aci: (targetattr = "*")(version 3.0; acl "Admin rights"; allow( all )
userdn = "ldap:///uid=mnadmin,ou=user,l=Kranj,c=si";)

not that in 389-ds acis have to be placed at the top of the subtree they
should apply

Ludwig
Post by Blaz Kalan
Hi Mark,
Thank you very much for your help. Now I hit to another problem and
maybe you can help me. At OpenLDAP we have two “super users” which has
read/write/delete access for whole tree. Now in 389 DS I can do
changes or view the data only if I am login as cn=directory manager.
All my “super users” are already in 389 DS database, but I do not know
ldapsearch -D "cn=directory manager" -w iskratel -b "l=kranj,c=si" -p
1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 108
ldapsearch -D "uid=mnadmin,ou=user,l=Kranj,c=si" -w mzPLlgQ3 -b
"l=kranj,c=si" -p 1317 -h kalanvm1.csi.iskratel.mak | grep numResponses
# numResponses: 1
So my question here is, what I must do, that user mnadmin have r/w/d
permissions and will see the same tree as directory manager does?
Best regards,
Blaz
_______________________________________________
--
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
William Brown
2017-06-22 23:41:48 UTC
Permalink
Post by Ludwig Krispenz
Hi,
389-ds has an access control mechanism which allows fine grained access
to entries, attributes for different types of operation and based on
various criteria like d,n group membership, role,.... and you should get
https://access.redhat.com/documentation/en-us/red_hat_directory_server/10/html/administration_guide/managing_access_control
dn: l=kranj,c=si
aci: (targetattr = "*")(version 3.0; acl "Admin rights"; allow( all )
userdn = "ldap:///uid=mnadmin,ou=user,l=Kranj,c=si";)
not that in 389-ds acis have to be placed at the top of the subtree they
should apply
Another tip is to always use targetattr = "attr ...." rather than
targetattr !=. != causes lots of problems, it's better to be explicit in
what is allowed.
--
Sincerely,

William Brown
Software Engineer
Red Hat, Australia/Brisbane
Loading...