Migrate from OpenDJ to 389DS

Prereq:

  • 389DS running on Ubuntu 16
  • export.ldif from OpenDJ-2.5.0-Xpress1
  • user schema files

Update schema, add attributes

$ ldapmodify -h 127.0.0.1 -p 1389 -D "cn=Directory Manager" \ 
-W -x -v -f ./user-at.ldif

Update schema, add object classes

$ ldapmodify -h 127.0.0.1 -p 1389 -D "cn=Directory Manager" \
-W -x -v -f ./user-oc.ldif

Prepare import file

  • Remove objects where objectclass =*subentry* from export.ldif
  • Remove attributes from export.ldif. entryUUID,aci:,createTimestamp,creatorsName,modifyTimestamp,modifiersName,ds-rlim,ds-privilege-name,pwdfailuretime,pwdChangedTime
$ sed '/entryUUID\|aci:\|createTimestamp\|creatorsName\|modifyTimestamp\|modifiersName\|ds-rlim\|ds-privilege-name\|pwdfailuretime\|pwdChangedTime/d' export.ldif > import.ldif

Add base object

$ ldapadd -h 127.0.0.1 -p 1389 -D "cn=Directory Manager" \ 
-W -x -v -c -f ./baseobject.ldif -S ./reject.ldif

Import data

$ ldapadd -h 127.0.0.1 -p 1389 -D "cn=Directory Manager" \ 
-W -x -v -c -f ./import.ldif -S ./reject.ldif

OpenDJ – reset Directory Manager’s password

Stop OpenDJ service

bin/stop-ds

Generate an encoded password for Directory Manager

bin/encode-password -s SSHA512 -c MyN3wPa88w0rd
Encoded Password:  "{SSHA512}BmU5JuOZW6c0ngGetV1J8EG5UgWqyS5k/2JoJEEnx/V/c6EbnXvFwyLFG7ZWZm3oAwCmlht28OYnwQK+X8yLMV+dZJ3cBvOd"

Edif the config/config.ldif file and replace userpassword.

dn: cn=Directory Manager,cn=Root DNs,cn=config
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
objectClass: ds-cfg-root-dn-user
userpassword: {SSHA512}BmU5JuOZW6c0ngGetV1J8EG5UgWqyS5k/2JoJEEnx/V/c6EbnXvFwyLFG7ZWZm3oAwCmlht28OYnwQK+X8yLMV+dZJ3cBvOd

Start OpenDJ service

bin/start-ds

Tribute to Ludovic Poitou https://ludopoitou.com/2011/06/30/newbie-help-how-to-reset-the-directory-managers-password/

Install cn=monitor on Ubuntu 14.04 LTS

Here are some notes how I install cn=monitor v3.2.1 on Ubuntu 14.04 LTS
Tribut to Andreas Andersson for a great job http://cnmonitor.sourceforge.net/
Please refer to ”CN=Monitor 3.2.1.pdf” for more information.

Prereq is a ”vanilla” Ubuntu 14.04 LTS server

Install LDAP client

$ sudo apt-get install ldap-utils

$ dpkg --get-selections | grep ldap
ldap-utils		install
libldap-2.4-2:amd64	install

Avoid common name validation in certificates for LDAPS

$ vi /etc/ldap/ldap.conf
TLS_REQCERT  never

Install Apache2

$ sudo apt-get install apache2

Install PHP:

$ sudo apt-get install php5 php5-cli php5-ldap

$ dpkg --get-selections | grep php
libapache2-mod-php5     install
php5                    install
php5-cli                install
php5-common             install
php5-json               install
php5-ldap               install
php5-readline           install

Install MySQL:

$ sudo apt-get install mysql-server mysql-client php5-mysql

$ dpkg --get-selections | grep php
libapache2-mod-php5     install
php5                    install
php5-cli                install
php5-common             install
php5-json               install
php5-ldap               install
php5-mysql              install
php5-readline           install

key_buffer_size-depricated

Unzip cnmonitor-3.2.1-1.zip in /usr/share

$ sudo unzip cnmonitor-3.2.1-1.zip -d /usr/share

Install database schema

$ mysql -u root -p < /usr/share/cnmonitor/sql/mysql.sql

Restart Apache Web server

$ sudo service apache2 restart

Move config directory to /etc, create symbolic link and set file permissions:

$ sudo mv /usr/share/cnmonitor/config /etc/cnmonitor
$ sudo ln -s /etc/cnmonitor /usr/share/cnmonitor/config 
$ sudo chown -R root:www-data /etc/cnmonitor
$ sudo chmod -R 650 /etc/cnmonitor
$ sudo chmod -R +x /usr/share/cnmonitor/bin

Copy cnmonitor.conf to conf-available directory

$ sudo cp /usr/share/cnmonitor/conf/httpd/cnmonitor.conf /etc/apache2/conf-available/.

Enable cnmonitor configuration in Apache Web server

$ sudo a2enconf cnmonitor

Activate the new configuration

$ sudo service apache2 reload

Configure cn=monitor

Please refer to section ”5. Configuration” in CN=Monitor 3.2.1.pdf

OpenDJ – replication

Create admin user in odj-1

./dsframework create-admin-user -X \
-h odj-1 -p 4444 -D "cn=Directory Manager" -w password \
--userID admin --set password:adminpassword

Create admin user in odj-2

./dsframework create-admin-user -X \
-h odj-2 -p 4444 -D "cn=Directory Manager" -w password \
--userID admin --set password:adminpassword

List admin user

$ ./dsframework list-admin-user -X \
Password for user 'cn=Directory Manager':
id: admin

Enable replication

./dsreplication enable --host1 odj-1 --port1 4444 \
 --bindDN1 "cn=directory manager" --bindPassword1 password \
 --replicationPort1 8989 --host2 odj-2 --port2 4444 \
 --bindDN2 "cn=directory manager" --bindPassword2 password \
 --replicationPort2 8989 --adminUID admin --adminPassword password \
 --baseDN "dc=example,dc=com" -X -n

Initialise replication

$ ./dsreplication initialize \
  --baseDN "dc=example,dc=com" \
  --adminUID admin --adminPassword password \
  --hostSource odj-1 --portSource 4444 \
  --hostDestination odj-2 --portDestination 4444 -X -n

Administer replication

$ ./dsreplication -X

OpenDJ-2.5.0-Xpress1 prerequisites

Install java 1.6

Add group opendj

$ groupadd opendj

Add user opendj

$ useradd -g opendj -d /home/opendj -m -s /bin/bash opendj

Download and unzip OpenDJ zip file

$ unzip -v [opendj-zip-file] -d /opt/.

Change owner

$ chown -R opendj:opendj /opt/opendj

OpenDJ – setup

Prereq is OpenDJ installed in /opt/opendj

$ sudo su - opendj
$ /opt/opendj/setup \
--cli \
--no-prompt \
--doNotStart \
--baseDN "dc=example,dc=com" \
--addBaseEntry \
--ldapPort 1389 \
--adminConnectorPort 4444 \
--enableStartTLS \
--ldapsPort 1636 \
--generateSelfSignedCertificate \
--acceptLicense \
--rootUserDN "cn=Directory Manager" \
--rootUserPassword [password] \
--hostname [hostname]

Start OpenDJ at boot

$ sudo /opt/opendj/bin/create-rc-script \
 --outputFile /etc/init.d/opendj \
 --userName opendj
$ sudo update-rc.d opendj defaults

OpenDJ – import ldif offline

$ /opt/opendj/bin/stop-ds
$ /opt/opendj/bin/import-ldif \
--append \
--includeBranch "dc=example,dc=com" \
--excludeBranch "cn=log,dc=example,dc=com" \
--ldifFile /tmp/export.ldif \
--rejectFile /tmp/rejectimport.ldif \
--skipFile /tmp/skipimport.ldif

OpenDJ – export ldif

Export ldif without operational attributes (switch -O)

$ /opt/opendj/bin/export-ldif \
--excludeOperational \
--includeBranch "dc=example,dc=com" \
--excludeBranch "o=Test,dc=example,dc=com" \
--backendID userRoot \
--ldifFile /tmp/export.ldif

OpenDJ

OpenDJ

Remove OpenDJ at startup

$ sudo update-rc.d opendj remove

Set index-entry-limit

/opt/opendj/bin/dsconfig set-backend-prop \
 --backend-name userRoot \
 --set index-entry-limit:100000

Remove subtree

/opt/opendj/bin/ldapdelete \
 --port 1636 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --trustAll \
 --useSSL --noPropertiesFile \
 -J 1.2.840.113556.1.4.805 \
 --verbose \
 o=Test,dc=example,dc=com

Get password policy prop

$ /opt/opendj/bin/dsconfig get-password-policy-prop \
  --policy-name "Default Password Policy" \
  --advanced -p 4444

Set allow-pre-encoded-passwords

$ ./dsconfig set-password-policy-prop \
  --set allow-pre-encoded-passwords:true \
  --policy-name "Default Password Policy" \
  --advanced -p 4444

Get system name

$ /opt/opendj/bin/ldapsearch -D "cn=Directory Manager" \
  -p 1389 \
  -b "cn=System Information,cn=monitor" \
  -s "base" "objectclass=*" \
  systemName

dn: cn=System Information,cn=monitor
systemName: odj-2

Get multimaster synchronization info

$ /opt/opendj/bin/ldapsearch -D "cn=Directory Manager" -p 1389 \
 -b "cn=Multimaster Synchronization,cn=Synchronization Providers,cn=config" \
 "objectclass=ds-cfg-replication-domain" ds-cfg-replication-server ds-cfg-base-dn \

dn: cn=cn=admin data,cn=domains,cn=Multimaster Synchronization,cn=Synchronizatio
 n Providers,cn=config
ds-cfg-base-dn: cn=admin data
ds-cfg-replication-server: odj-1:8989
ds-cfg-replication-server: odj-2:8989

dn: cn=cn=schema,cn=domains,cn=Multimaster Synchronization,cn=Synchronization Pr
 oviders,cn=config
ds-cfg-base-dn: cn=schema
ds-cfg-replication-server: odj-1:8989
ds-cfg-replication-server: odj-2:8989

dn: cn=dc=example\,dc=com,cn=domains,cn=Multimaster Synchronization,cn=Synchroniz
 ation Providers,cn=config
ds-cfg-base-dn: dc=example,dc=com
ds-cfg-replication-server: odj-1:8989
ds-cfg-replication-server: odj-2:8989

Check replication status

./ldapsearch -D "cn=Directory Manager" -p 1389 -b "cn=replication, cn=monitor" "(&(Replication-Server=odj-1:8989)(domain-name=dc=example,dc=com))" received-updates server-state
dn: cn=Connected Replication Server odj-1:8989 19125,cn=Replication Server 8989 
 odj-2 7724,cn=dc_example_dc_com,cn=replication,cn=monitor
server-state: 0000013e17ab073228db0000880c Wed Apr 17 13:04:44 CEST 2013 1366196
 684594
server-state: 0000013e1898f744515000005fe2 Wed Apr 17 17:24:38 CEST 2013 1366212
 278084
received-updates: 23570

Create a New SMTP Alert Handler

$ ./dsconfig create-alert-handler \
  --handler-name "my SMTP Handler" \
  --type smtp \
  --set enabled:true \
  --set message-body:"Alert Type: %%alert-type%%\n\nAlert ID: \
    %%alert-id%%\n\nAlert Message: %%alert-message%%" \
  --set message-subject:"Alert Message" \
  --set recipient-address:directorymanager@example.com \
  --set sender-address:OpenDS-Alerts@directory.example.com \
  --hostname odj-1 --port 4444 \
  --bindDN "cn=Directory Manager" --bindPassword password --no-prompt

List alert handlers

$ ./dsconfig list-alert-handlers \
  --hostname odj-1 --port 4444 \
  --bindDN "cn=Directory Manager" --bindPassword password --no-prompt