Provided by: 389-ds-base_3.1.1+dfsg1-1ubuntu1_amd64

NAME

       openldap_to_ds

SYNOPSIS

       openldap_to_ds   [-h]  [-v]  [--confirm]  [--ignore-overlay  [IGNORE_OVERLAY  ...]]  [--ignore-schema-oid
       [IGNORE_SCHEMA_OID ...]] [--ignore-attribute [IGNORE_ATTRIBUTE ...]] [-D BINDDN]  [-w  BINDPW]  [-W]  [-y
       PWDFILE] [-Z] instance slapd_config [slapd_ldif ...]

DESCRIPTION

       Migrate from OpenLDAP to 389 Directory Server.

       This command automates the process of converting an OpenLDAP server to a 389 Directory Server instance.
       This is a "best effort" process: OpenLDAP and 389 Directory Server are not identical, so some features
       may still require manual migration, or cannot be migrated at all. The tool aims to migrate the majority
       of major content such as database data, index configuration, schema and some overlays (plugins).

       Content we can migrate:

         * Schema
         * Database content (from ldif backup)
         * Database indexes
         * MemberOf Overlay (memberof)
         * Referential Integrity Overlay (refint)
         * Attribute Unique Overlay (unique)

       Content that can *not* be migrated includes some overlays (plugins), access controls and replication
       configuration. Examples of plugins that cannot be migrated:

         * Access/Audit logging (built into 389-ds by default)
         * Chaining (Requires manual migration, may not be equivalent)
         * Constraints (No equivalent plugin)
         * Dynamic Directory Services (Requires manual migration to Class of Service Plugin)
         * Dynamic Groups/Lists (Requires manual migration to Roles Plugin)
         * Proxy Cache (No equivalent plugin, 389-ds supports read-only replicas)
         * Password Policy (Built into 389-ds, requires manual migration)
         * Rewrite/Remap (No equivalent plugin)
         * Sync Provider (Requires manual migration to Replication OR Content Sync Plugin)
         * Value Sorting (No equivalent plugin)

       This tool must be run on the server hosting the 389 Directory Server instance, as it requires filesystem
       access. You must run it as either the root or the dirsrv user.

       The following is required from your openldap instance:

         * slapd.d configuration directory in ldif/dynamic format
         * (optional) ldif file backup of the database from slapcat

       These can be created on the OpenLDAP host and copied to the 389 Directory  Server  host.  No  destructive
       actions are applied to the OpenLDAP instance.

       If  you  are  already using the ldif/dynamic format from /etc/openldap/slapd.d, you should take a copy of
       this to use in the migration.

           cp -a /etc/openldap/slapd.d /root/slapd.d

       If you are using the slapd.conf configuration file, you can convert this  to  the  dynamic  configuration
       without affecting your running instance with:

           slaptest -f /etc/openldap/slapd.conf -F /root/slapd.d

       To  optionally  allow  your  database content to be migrated you may create an ldif backup of the content
       that 389 Directory Server can import. You must run this for each backend (suffix) of your  instance  with
       the command:

           # If using slapd.conf config format
           slapcat -f /etc/openldap/slapd.conf -b SUFFIX -l /root/suffix.ldif
           # If using slapd.d config format
           slapcat -F /etc/openldap/slapd.d -b SUFFIX -l /root/suffix.ldif

       You must already have a 389 Directory Server instance to import into. You can create one with the
       `dscreate` tool. Data and configuration in this instance WILL be modified or removed (i.e. potentially
       destructive actions).

       It  is  strongly  advised  you test this tool on a non-production system first to be sure the process and
       changes are understood.

       This only needs to be run on the first instance in a 389 Directory Server topology. All other replicas
       should be configured from this instance after the migration.
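
       An added example, not part of the original manual page or of the 389-ds project: a pre-flight check
       that inventories the overlays configured in a copied slapd.d tree and marks each one as converted by the
       tool (memberof, refint, unique, the valid --ignore-overlay values) or left for manual migration. The
       function names, the sample tree and the ppolicy overlay placed in it are constructed for illustration.

```shell
#!/bin/sh
# Overlays the manual page lists as valid --ignore-overlay values, i.e. the
# ones openldap_to_ds converts to equivalent 389-ds plugins.
MIGRATABLE="memberof refint unique"

# classify_overlays DIR: print "auto NAME" or "manual NAME" once per distinct
# overlay configured under DIR (a copy of slapd.d). Returns 1 if any overlay
# is outside MIGRATABLE and so needs manual handling, 0 otherwise.
classify_overlays() {
    dir=$1
    rc=0
    # olcOverlay values look like "{0}memberof"; drop the ordering prefix.
    names=$(grep -rhi '^olcOverlay: ' "$dir" 2>/dev/null |
        sed -e 's/^[^:]*:[[:space:]]*//' -e 's/^[{][0-9]*[}]//' |
        tr '[:upper:]' '[:lower:]' | sort -u)
    for name in $names; do
        case " $MIGRATABLE " in
            *" $name "*) echo "auto $name" ;;
            *) echo "manual $name"; rc=1 ;;
        esac
    done
    return $rc
}

# demo_tree: build a constructed slapd.d-style tree (not taken from a real
# server) so the example runs offline; prints the temporary directory path.
demo_tree() {
    d=$(mktemp -d)
    db="$d/cn=config/olcDatabase={1}mdb"
    mkdir -p "$db"
    for ov in '{0}memberof' '{1}ppolicy' '{2}refint'; do
        printf 'dn: olcOverlay=%s\nolcOverlay: %s\n' "$ov" "$ov" \
            > "$db/olcOverlay=$ov.ldif"
    done
    echo "$d"
}

tree=$(demo_tree)
classify_overlays "$tree" ||
    echo "manual overlays found: plan their migration before using --confirm"
rm -rf "$tree"
```

       Point classify_overlays at the slapd.d copy made for the migration (for example /root/slapd.d) before
       running openldap_to_ds with --confirm.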

       instance
              The name of the 389-ds instance to have openldap data migrated into

       slapd_config
              The path to the openldap slapd.d configuration that will be migrated

       slapd_ldif
              The path to exported database ldifs to be imported.

OPTIONS

       -v, --verbose
              Display verbose operation tracing during command execution

       --confirm
              Confirm  that  you  want  to  apply  these migration actions to the 389-ds instance. By default no
              actions are taken.

       --ignore-overlay [IGNORE_OVERLAY ...]
              Do not migrate the configuration of the following OpenLDAP overlays to their equivalent
              389-ds plugins. Valid options are memberof, refint, unique.

       --ignore-schema-oid [IGNORE_SCHEMA_OID ...]
              Do not migrate the following OpenLDAP schema attribute or class OIDs to 389-ds. This
              *may* create inconsistent schema which could cause the migration to fail. Use with caution.

       --ignore-attribute [IGNORE_ATTRIBUTE ...]
              Skip the following attributes in entries that are loaded from the ldif. For example, you may
              not want to import userPassword hashes.

       -D BINDDN, --binddn BINDDN
              The 389 Directory Server account to bind as for executing migration operations

       -w BINDPW, --bindpw BINDPW
              Password for binddn

       -W, --prompt
              Prompt for password for the bind DN

       -y PWDFILE, --pwdfile PWDFILE
              Specifies a file containing the password for the binddn

       -Z, --starttls
              Connect to 389 Directory Server with StartTLS

AUTHOR

       Red Hat, Inc., and William Brown <389-devel@lists.fedoraproject.org>

DISTRIBUTION

       The latest version of lib389 may be downloaded from
       ⟨http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html⟩