We were hoping to carry over all the operational attributes associated with objects in the LDAP. If I remember correctly, ldapadd will not apply operational attributes.
On Mon, Apr 15, 2019 at 11:31 AM Quanah Gibson-Mount quanah@symas.com wrote:
--On Monday, April 15, 2019 9:17 AM -0500 Ezsra McDonald ezsra.mcdonald@gmail.com wrote:
I am in the process of migrating my OpenLDAP 2.3 system to a new OpenLDAP 2.4 system but something is not working right for the import (slapadd) to the new system. There are 35,895 objects defined in the LDIF generated by slapcat.
I would suggest you start with ldapadd to import, rather than slapadd, as you likely need the additional validation steps initially when doing the migration from 2.3 to 2.4.
I'd also avoid using RH's native packages and use a current release. The LTB project and Symas both provide free alternatives to RH's builds.
https://ltb-project.org/download#openldap
https://repo.symas.com/sofl/rhel7/
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
--On Monday, April 15, 2019 1:53 PM -0500 Ezsra McDonald ezsra.mcdonald@gmail.com wrote:
We were hoping to carry over all the operational attributes associated with objects in the LDAP. If I remember correctly, ldapadd will not apply operational attributes.
Hi Ezsra,
Generally when preparing to migrate, one configures a test environment in which to test out the migration process. I.e., I would expect you to test adding the LDIF via ldapadd, minus the operational attributes, as a step in the testing process.
--Quanah
I figured it out. I had missed an attribute when I built my root object. It needed to look like this:

dn: dc=somewhere,dc=org
objectClass: dcObject
objectClass: organization
o: Somebody cool
dc: somewhere
structuralObjectClass: organization

Once this was corrected all the other objects came in right.
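A pre-import check for the two points raised above (a test ldapadd run without operational attributes, and an entry lacking structuralObjectClass), as an added Python example that is not part of the original thread. The function names and the sample LDIF are constructed for illustration, and the attribute set covers the operational attributes commonly seen in slapcat output, not every one an overlay may add.

```python
import base64
import re

# Operational attributes commonly present in slapcat output (not exhaustive).
OPERATIONAL = {"structuralobjectclass", "entryuuid", "creatorsname", "entrycsn",
               "createtimestamp", "modifiersname", "modifytimestamp"}

def parse_ldif(text):
    """Split LDIF into entries; each entry is a list of unfolded lines."""
    unfolded = re.sub(r"\r?\n ", "", text)      # RFC 2849 continuation lines
    entries = []
    for block in re.split(r"\r?\n(?:\r?\n)+", unfolded.strip()):
        lines = [l for l in block.splitlines() if not l.startswith("#")]
        if lines and lines[0].lower().startswith("dn:"):
            entries.append(lines)
    return entries

def attr_name(line):
    return line.split(":", 1)[0].split(";")[0].lower()  # drop options like ;binary

def dn_of(entry):
    value = entry[0].split(":", 1)[1]
    is_b64 = value.startswith(":")              # "dn:: ..." is base64-encoded
    return base64.b64decode(value[1:].strip()).decode() if is_b64 else value.strip()

def missing_structural(entries):
    """DNs of entries that carry no structuralObjectClass value."""
    return [dn_of(e) for e in entries
            if "structuralobjectclass" not in map(attr_name, e)]

def strip_operational(entries):
    """LDIF text without operational attributes, for a test ldapadd run."""
    return "\n\n".join("\n".join(l for l in e if attr_name(l) not in OPERATIONAL)
                       for e in entries) + "\n"

# Constructed sample: a hand-built root entry plus one slapcat-style entry.
SAMPLE = """\
dn: dc=somewhere,dc=org
objectClass: dcObject
objectClass: organization
o: Somebody cool
dc: somewhere

dn: ou=people,dc=somewhere,dc=org
objectClass: organizationalUnit
ou: people
structuralObjectClass: organizationalUnit
creatorsName: cn=admin,dc=somewhere,
 dc=org
"""
```

Running `missing_structural(parse_ldif(SAMPLE))` reports the root entry, and `strip_operational` produces the LDIF to feed to ldapadd in a test environment.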
--On Monday, April 15, 2019 3:44 PM -0500 Ezsra McDonald ezsra.mcdonald@gmail.com wrote:
I figured it out. I had missed an attribute when I built my root object.
Hi Ezsra,
Glad you got it figured out! Hopefully you migrated the configuration over to using the new LMDB based backend (back-mdb) during the process.
--Quanah
On 4/15/19 7:53 PM, Ezsra McDonald wrote:
We were hoping to carry over all the operational attributes associated with objects in the LDAP. If I remember correctly, ldapadd will not apply operational attributes.
Provided you're using a bind-DN with manage privilege you can use Relax Rules control [1] for also adding operational attributes via LDAP:
ldapadd -e relax
[1] https://tools.ietf.org/html/draft-zeilenga-ldap-relax
Ciao, Michael.
--On Monday, April 15, 2019 10:47 PM +0200 Michael Ströder michael@stroeder.com wrote:
On 4/15/19 7:53 PM, Ezsra McDonald wrote:
We were hoping to carry over all the operational attributes associated with objects in the LDAP. If I remember correctly, ldapadd will not apply operational attributes.
Provided you're using a bind-DN with manage privilege you can use Relax Rules control [1] for also adding operational attributes via LDAP:
ldapadd -e relax
I would note that while it looks like that would work in this case, it doesn't work for all operational attributes (for example, the ones added by the ppolicy overlay).
--Quanah
openldap-technical@openldap.org