This repo contains the steps to reproduce a migration from OpenLDAP to 389 Directory Server. The current result is a failed migration.

Environment:

- Ubuntu 22.04 in WSL 2.
- OpenLDAP version 2.5.13 (run `slapd -VV` to check).
- 389 Directory Server version 2.0.15-1 (https://packages.ubuntu.com/jammy/389-ds).
Steps:

- Download the Ubuntu 22.04 distro with the command `wsl --install -d Ubuntu-22.04`.
- Set a username and password in the distro.
- Open the distro in a terminal.
- Create the file `wsl.conf` in the `/etc` directory of the Ubuntu 22.04 distro:

  ```
  # file /etc/wsl.conf
  [boot]
  systemd=true
  ```

- Close the terminal.
- Turn off WSL in PowerShell with the command `wsl --shutdown`.
- Open a terminal and find the Ubuntu 22.04 distro.
- Run `sudo apt update -y`.
- Run `sudo apt install net-tools -y` so that `ifconfig` is available to find the IP address of this distro server in WSL 2.
- Run `sudo apt install slapd ldap-utils` and set up the admin password for LDAP.
- Run `sudo dpkg-reconfigure slapd` to reconfigure LDAP with these values:

  ```
  Administrator password: 1234567890
  Confirm administrator password: 1234567890
  Domain name: example.org
  Organization name: example.org
  ```

- Run `ldapwhoami -H ldap://localhost -x` and check that the result is `anonymous`. If it is not, check whether slapd is running with `sudo service slapd status`. If it is not started, run `sudo service slapd start`.
- Run `ifconfig` to get the IP address of the distro.
- Open Apache Directory Studio and add a connection with the hostname set to the distro's IP address and the default LDAP port 389. For authentication use `cn=admin,dc=example,dc=org` with the password set up for LDAP. Here's the image result after connecting.
- Add some sample data and store it as a backup. Please see the backup folder in this repo.

  ```
  # backup command
  sudo slapcat -n 0 -l config.ldif
  sudo slapcat -n 1 -l data.ldif
  # see how to restore them in this guide: https://tylersguides.com/articles/backup-restore-openldap/
  ```
- Install 389 Directory Server (389 DS) with the command `sudo apt install 389-ds -y`.
- Stop the slapd service with `sudo service slapd stop`.
- Create an instance template in the `/root` directory with the name `instance.inf`:

  ```
  # /root/instance.inf
  [general]
  config_version = 2

  [slapd]
  instance_name = localhost
  root_dn = cn=admin,dc=example,dc=org
  root_password = 1234567890
  ```

- Create the instance with the command `sudo dscreate from-file /root/instance.inf`.
- Check that the instance is running with the command `sudo systemctl status dirsrv@localhost`.
- Make a folder `backup-openldap` and change to that directory. Copy the `slapd.d` directory with the command `sudo cp -a /etc/ldap/slapd.d /root/backup-openldap/slapd.d`. Copy the data from LDAP, as already done in step 8, with the command `sudo slapcat -n 1 -f data.ldif`. (Note that slapcat's `-f` option names the slapd configuration file to read; the output LDIF file is given with `-l`, as in the backup command above, so check that `data.ldif` really exists and is non-empty before the next step.)
- Run `sudo openldap_to_ds --confirm localhost slapd.d data.ldif` from the `backup-openldap` directory.
- Migration done. Check whether the config and data from OpenLDAP have been moved to 389 DS with Apache Directory Studio. The result is empty, like the image below.
Notes on the result:

- Following the YouTube tutorial Migrating to 389-ds from openldap2 (https://www.youtube.com/watch?v=qrbtWOXOhtA), it says that the data is already imported but we cannot see it, because that is how it is when the migration is run with the `openldap_to_ds` command.
- So I tried creating a `.dsrc` file in the root directory with the command `sudo dsctl localhost dsrc create --uri ldapi://%%2fvar%%2frun%%2fslapd-localhost.socket --binddn cn=admin,dc=example,dc=org --basedn dc=example,dc=org`. Here's the result I get:

  ```
  [localhost]
  uri = ldapi://%2fvar%2frun%2fslapd-localhost.socket
  basedn = dc=example,dc=org
  binddn = cn=admin,dc=example,dc=org
  saslmech = EXTERNAL
  ```

- Run the command `sudo dsidm localhost client_config ldap.conf`; here's the result I get:

  ```
  #
  # OpenLDAP client configuration
  # Generated by 389 Directory Server - dsidm
  #
  # See ldap.conf(5) for details
  # This file should be world readable but not world writable.

  BASE dc=example,dc=org

  # Remember to check this: you can have multiple uris on this line. You may have
  # multiple servers or load balancers in your environment.
  URI ldapi://%2fvar%2frun%2fslapd-localhost.socket
  # If you have DNS SRV records you can use:
  # URI ldaps:///dc%3Dexample%2Cdc%3Dorg

  DEREF never

  # To use cacert dir, place *.crt files in this path then run:
  # /usr/bin/openssl rehash /etc/openldap/certs
  # or (for older versions of openssl)
  # /usr/bin/c_rehash /etc/openldap/certs
  TLS_CACERTDIR /etc/openldap/certs
  # TLS_CACERT /etc/openldap/certs/ca.crt
  ```

- Add access control to the root DN by enabling the plugin with the command `sudo dsconf -D 'cn=admin,dc=example,dc=org' ldap://localhost:389 plugin root-dn enable`, which gives the result `Enabled plugin 'RootDN Access Control'`. (This plugin only restricts when and from where the root DN itself may bind; the entry ACIs in the next steps do not depend on it.)
- I created a file `aci.ldif` with the content below.

  ```
  dn: dc=example,dc=org
  changetype: modify
  add: aci
  aci: (targetattr="dc || description || objectClass")(targetfilter="(objectClass=domain)")(version 3.0; acl "Enable anyone domain read"; allow (read, search, compare)(userdn="ldap:///anyone");)
  aci: (targetattr="ou || objectClass")(targetfilter="(objectClass=organizationalUnit)")(version 3.0; acl "Enable anyone ou read"; allow (read, search, compare)(userdn="ldap:///anyone");)
  ```

- Add the ACI to the root DN with the command `sudo ldapmodify -f aci.ldif -x -D 'cn=admin,dc=example,dc=org' -w 1234567890`, and I get the result:

  ```
  modifying entry "dc=example,dc=org"
  ldap_modify: No such object (32)
  ```

  Result code 32 (noSuchObject) means the target entry `dc=example,dc=org` does not exist in the 389 DS instance, which matches the empty directory seen in Apache Directory Studio.

Note: I rolled back to OpenLDAP with the commands below.

```
sudo dsctl localhost remove --do-it
sudo service slapd start
```
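A pre-flight check for anyone reproducing these steps (added example, not part of this repo's procedure): it parses the slapcat export and confirms that the suffix entry `dc=example,dc=org`, the DN the ACI step later modifies, is actually present in `data.ldif`, so an empty or wrongly written export is caught before `openldap_to_ds` runs. The sample LDIF is constructed and the function names are my own.

```python
import base64
import re

# Constructed sample shaped like a `slapcat -n 1 -l data.ldif` export (not real data).
SAMPLE_LDIF = """\
dn: dc=example,dc=org
objectClass: dcObject
objectClass: organization
o: example.org
dc: example

dn: cn=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
cn: alice
sn:: QmFkZ2Vy
description: a long value that slapcat folds onto
  a continuation line
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds continuation lines, decodes base64 (::)."""
    entries = []
    for record in re.split(r"\n\n+", text.replace("\n ", "").strip()):
        dn, attrs = None, {}
        for line in record.splitlines():
            m = re.match(r"^([A-Za-z][\w;-]*)(::?) ?(.*)$", line)
            if not m:                       # skips '#' comments and junk lines
                continue
            name, value = m.group(1).lower(), m.group(3)
            if m.group(2) == "::":          # base64 value, e.g. userPassword, non-ASCII sn
                value = base64.b64decode(value).decode("utf-8", "replace")
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def check_export(text, suffix):
    """Report whether the export can back a 389 DS suffix named `suffix`."""
    dns = [dn.lower() for dn, _ in parse_ldif(text)]
    suffix = suffix.lower()
    return {
        "entries": len(dns),
        "has_suffix_entry": suffix in dns,   # absent => ldapmodify on it returns 32
        "outside_suffix": [d for d in dns if not d.endswith(suffix)],
    }
```

Run `check_export(open("data.ldif").read(), "dc=example,dc=org")` from the `backup-openldap` directory; a missing suffix entry or a non-zero `outside_suffix` list is worth resolving before the migration.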