OPENLDAP_TO_DS(1) | Generated Python Manual | OPENLDAP_TO_DS(1) |
openldap_to_ds
openldap_to_ds [-h] [-v] [--confirm] [--ignore-overlay [IGNORE_OVERLAY ...]] [--ignore-schema-oid [IGNORE_SCHEMA_OID ...]] [--ignore-attribute [IGNORE_ATTRIBUTE ...]] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-Z] instance slapd_config [slapd_ldif ...]
Migrate from OpenLDAP to 389 Directory Server.
This command automates the process of converting an OpenLDAP server to a 389 Directory Server instance. This is a "best effort" process: OpenLDAP and 389 Directory Server are not identical, so some features may still require manual migration, or cannot be migrated at all. The tool is intended to migrate the majority of major content, such as database data, index configuration, schema and some overlays (plugins).
Content we can migrate:
* Schema
* Database content (from ldif backup)
* Database indexes
* MemberOf Overlay (memberof)
* Referential Integrity Overlay (refint)
* Attribute Unique Overlay (unique)
Content that can *not* be migrated includes some overlays (plugins), access controls and replication configuration. Examples of plugins that cannot be migrated:
* Access/Audit logging (built into 389-ds by default)
* Chaining (Requires manual migration, may not be equivalent)
* Constraints (No equivalent plugin)
* Dynamic Directory Services (Requires manual migration to Class of Service Plugin)
* Dynamic Groups/Lists (Requires manual migration to Roles Plugin)
* Proxy Cache (No equivalent plugin, 389-ds supports read-only replicas)
* Password Policy (Built into 389-ds, requires manual migration)
* Rewrite/Remap (No equivalent plugin)
* Sync Provider (Requires manual migration to Replication OR Content Sync Plugin)
* Value Sorting (No equivalent plugin)
This must be run on the server running the 389 Directory Server instance, as it requires filesystem access. You must run this tool as either the root or the dirsrv user.
The following is required from your OpenLDAP instance:
* slapd.d configuration directory in ldif/dynamic format
* (optional) ldif file backup of the database from slapcat
These can be created on the OpenLDAP host and copied to the 389 Directory Server host. No destructive actions are applied to the OpenLDAP instance.
If you are already using the ldif/dynamic format from /etc/openldap/slapd.d, you should take a copy of this to use in the migration.
cp -a /etc/openldap/slapd.d /root/slapd.d
If you are using the slapd.conf configuration file, you can convert this to the dynamic configuration without affecting your running instance with:
slaptest -f /etc/openldap/slapd.conf -F /root/slapd.d
To optionally allow your database content to be migrated you may create an ldif backup of the content that 389 Directory Server can import. You must run this for each backend (suffix) of your instance with the command:
# If using slapd.conf config format
slapcat -f /etc/openldap/slapd.conf -b SUFFIX -l /root/suffix.ldif
# If using slapd.d config format
slapcat -F /etc/openldap/slapd.d -b SUFFIX -l /root/suffix.ldif
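A pre-migration check over the copied slapd.d directory, classifying each configured overlay against the two lists above. This is an added example, not part of lib389 or of openldap_to_ds; the overlay names in MANUAL are the OpenLDAP overlay names assumed to correspond to the manual's descriptions, and classify() and audit() are hypothetical helper names.

```python
import re
from pathlib import Path

# Overlays this manual lists as migratable.
MIGRATABLE = {"memberof", "refint", "unique"}
# Assumption: OpenLDAP overlay names matching the manual's "can not be migrated" list.
MANUAL = {
    "accesslog": "built into 389-ds by default",
    "auditlog": "built into 389-ds by default",
    "chain": "manual migration, may not be equivalent",
    "constraint": "no equivalent plugin",
    "dds": "manual migration to Class of Service Plugin",
    "dyngroup": "manual migration to Roles Plugin",
    "dynlist": "manual migration to Roles Plugin",
    "pcache": "no equivalent plugin",
    "ppolicy": "built into 389-ds, manual migration",
    "rwm": "no equivalent plugin",
    "syncprov": "manual migration to Replication or Content Sync Plugin",
    "valsort": "no equivalent plugin",
}
# Matches "olcOverlay: {0}memberof" and captures the name without its {n} ordering prefix.
OVERLAY_RE = re.compile(r"^olcOverlay:\s*(?:\{-?\d+\})?(\S+)\s*$", re.I | re.M)

def classify(ldif_text):
    """Return {overlay_name: status} for every olcOverlay value in ldif_text."""
    result = {}
    for name in OVERLAY_RE.findall(ldif_text):
        name = name.lower()
        if name in MIGRATABLE:
            result[name] = "migrated by openldap_to_ds"
        elif name in MANUAL:
            result[name] = "manual: " + MANUAL[name]
        else:
            result[name] = "unknown: review by hand"
    return result

def audit(slapd_d):
    """Classify overlays found in every .ldif file under a slapd.d copy."""
    found = {}
    for path in sorted(Path(slapd_d).rglob("*.ldif")):
        found.update(classify(path.read_text(errors="replace")))
    return found

# Constructed sample of slapd.d attribute lines (not taken from a real server).
SAMPLE = "olcOverlay: {0}memberof\nolcOverlay: {1}ppolicy\n"

if __name__ == "__main__":
    for name, status in classify(SAMPLE).items():
        print(f"{name}: {status}")
```

On a real host, call audit("/root/slapd.d") against the copy made above and resolve every "manual" or "unknown" entry before running the migration.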
You must already have a 389 Directory Server instance you want to import into. You can create this with the `dscreate` tool. Data and configuration in this instance WILL be modified or removed (i.e. potentially destructive actions).
It is strongly advised you test this tool on a non-production system first to be sure the process and changes are understood.
This only needs to be run on the first instance in a 389 Directory Server topology. All other replicas should be configured from this instance post migration.
Red Hat, Inc., and William Brown <389-devel@lists.fedoraproject.org>
The latest version of lib389 may be downloaded from http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html
2024-04-15 | lib389 2.4.5 |