On 06/14/2017 07:41 AM, Blaz Kalan wrote:
> Hi again,
>
> Finally it looks like I have somehow succeeded with importing data from OpenLDAP to 389 DS, but I had to do a few things about which I am not sure if they are OK.
>
> I changed 99user.ldif to:
> dn: cn=schema
> objectClass: top
> objectClass: ldapSubentry
> objectClass: subschema
> cn: schema
> aci: (target="ldap:///cn=schema")(targetattr !="aci")(version 3.0;acl "anonymo
> us, no acis"; allow (read, search, compare) userdn = "ldap:///anyone";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrators Group"; a
> llow (all) groupdn="ldap:///cn=Configuration Administrators,ou=Groups,ou=Topo
> logyManagement,o=NetscapeRoot";)
> aci: (targetattr="*")(version 3.0; acl "Configuration Administrator"; allow (a
> ll) userdn="ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=Netsc
> apeRoot";)
> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "l
> dap:///cn=slapd-blegos,cn=389 Directory Server,cn=Server Group,cn=blegos.csi.
> iskratel.mak,ou=csi.iskratel.mak,o=NetscapeRoot";)
> modifiersName: cn=directory manager
> modifyTimestamp: 20170526075714Z
> numSubordinates: 1
> objectClasses: ( 1.3.6.1.4.1.1332.1000.30.1 NAME 'itPrepaidPinSub' DESC 'IskratelprepaidPinSub' MUST ( itPrepaidPin $ itDirectoryNumber ) )
> objectClasses: ( 1.3.6.1.4.1.1332.1000.30.2 NAME 'itPrepaidCgPNSub' DESC 'IskratelprepaidCgPNSub' MUST ( itCgPN $ itDirectoryNumber ) )
> …
>
> It looks OK. I also see the added attributes with 389-console.
>
> When I am importing the data I receive these errors:
>
> The error sent by the server was 'Object class violation. attribute "entryuuid" not allowed
> The error sent by the server was 'Object class violation. attribute "entrycsn" not allowed
> The error sent by the server was 'Object class violation. unknown object class "labeledURIObject"
> The error sent by the server was 'Object class violation. attribute "labeledURI" not allowed
These attributes are not part of 389's standard schema. So that implies
there is still more OpenLDAP schema to migrate to 389 before you should
try the import.
>
> Here I just deleted those rows with these commands (I am not sure what the right way is here):
>
> sed -i "/\b\(entryUUID\)\b/d" data_from_openLDAP.ldif
> sed -i "/\b\(entryCSN\)\b/d" data_from_openLDAP.ldif
> sed -i "/\b\(labeledURIObject\)\b/d" data_from_openLDAP.ldif
> sed -i "/\b\(labeledURI\)\b/d" data_from_openLDAP.ldif
>
> Another error was:
> Error: the SUBSTR matching rule [caseIgnoreSubstringsMatch] is not compatible with the syntax [1.3.6.1.4.1.1466.115.121.1.27] for the attribute [itUserPolicyProfileId]
Syntax 1.3.6.1.4.1.1466.115.121.1.27 is an "integer" syntax. A
caseIgnore matching rule does not apply to a number. So this error
makes sense and is correct.
>
> Here again I just deleted all "SUBSTR caseIgnoreSubstringsMatch" from the exported data LDIF file. (What here?)
Well, it should be removed from attributes that use the integer syntax,
but for other syntaxes you might need/want it. So you need to look through
each attribute and confirm what its syntax is before removing the
matching rule.
>
> Then I must change all user passwords, because I cannot import MD5 passwords. Is there probably a setting, when exporting the data, so that passwords are in plain text?
389 does support MD5 passwords, so the password below should work fine.
Are you getting errors?
Regards,
Mark
> So change was from:
> userPassword:: e01ENX1VSnlnNGJSbmcxRlB1NE43ZFlWYkdnPT0=
> to:
> userPassword: test
>
>
> After that, import succeeded.
>
> Best Regards,
> Blaz
> _______________________________________________
> 389-users mailing list -- 389-users@lists.fedoraproject.org
> To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
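The advice above on the SUBSTR rule (confirm each attribute's syntax before removing the matching rule) can be scripted. This is an added example, not part of the original thread or of 389 DS: it unfolds the schema LDIF and strips `SUBSTR caseIgnoreSubstringsMatch` only from attribute definitions that use the integer syntax named in the error. The sample schema, its OIDs and the attribute `exampleLabel` are constructed placeholders.

```python
import re

# Integer syntax OID, as reported in the server error quoted in the thread.
INTEGER_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.27"

# Constructed sample schema (placeholder OIDs; exampleLabel is hypothetical).
SAMPLE_LDIF = """\
dn: cn=schema
attributeTypes: ( 1.1.2.1.1 NAME 'itUserPolicyProfileId' EQUALITY integerMatch
  SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributeTypes: ( 1.1.2.1.2 NAME 'exampleLabel' EQUALITY caseIgnoreMatch SUBSTR
  caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
"""

NAME_RE = re.compile(r"NAME\s+\(?\s*'([^']+)'")
SYNTAX_RE = re.compile(r"SYNTAX\s+'?([0-9.]+)")
SUBSTR_RE = re.compile(r"\s+SUBSTR\s+caseIgnoreSubstringsMatch\b", re.IGNORECASE)


def unfold(ldif_text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def fix_schema(ldif_text):
    """Return (fixed_lines, report); report maps attribute name to an action."""
    fixed, report = [], {}
    for line in unfold(ldif_text):
        if line.lower().startswith("attributetypes:") and SUBSTR_RE.search(line):
            name_m, syn_m = NAME_RE.search(line), SYNTAX_RE.search(line)
            name = name_m.group(1) if name_m else "?"
            if syn_m and syn_m.group(1) == INTEGER_SYNTAX:
                line = SUBSTR_RE.sub("", line)  # rule cannot apply to integers
                report[name] = "removed"
            else:
                report[name] = "kept"  # other syntax: leave for manual review
        fixed.append(line)
    return fixed, report


if __name__ == "__main__":
    lines, actions = fix_schema(SAMPLE_LDIF)
    print("\n".join(lines))
    print(actions)
```

The output lines are unfolded, so the result can be diffed against an unfolded copy of the original schema before anything is loaded into the server.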