Craig Swanson wrote:
> I am hoping for guidance in migrating this SSL enabled directory to 389-ds.
>
> From: fedora-ds 1.0.4 on fc6 i386
> To: 389-ds 1.1 on fedora 12 i386. The fedora 12 is on a new box
> with the same IP address and hostname.
>
> SSL is enabled on the source directory and source admin server.
>
> I have read the SSL HowTo, so I understand that the certs are stored
> differently under 1.1.
> Is it possible to import the existing SSL certs and set up the
> configuration so that the migration will succeed?
>

Migration is supposed to take care of all of that for you.

> If not, how do I correctly remove SSL from the source configuration? I
> could set up SSL on the target after the migration.
>
> Thank you,
>
> Craig Swanson
>
> ----------Supporting information ---------------------
>
> So far I have done this 1.0.4 to 1.1 prep:
>
> I have modified the source schema to use the updated autofs and mozilla
> ldif files.
> I have run db2ldif to export the userRoot and NetscapeRoot databases.
> I have modified the source /opt/fedora-ds/admin-serv/config/adm.conf
> and local.conf to replace cn=Fedora with cn=389
>

adm.conf - ok
local.conf - not so good - this is just a read-only copy of information stored in o=NetscapeRoot in the actual database.

> Bad outcomes:
> I ran the cross platform migration in order to pull from the modified
> ldif files.
> migrate-ds-admin.pl -d --crossplatform --oldsroot=/opt/fedora-ds.104
> --actualsroot=/opt/fedora-ds -f /opt/migratePunch.inf
>
> The migration failed because I had not dealt with the SSL.
> Debug output:
>
> +[27/Apr/2010:12:44:26 -0400] - 389-Directory/1.2.5 B2010.012.2035
> starting up
> +[27/Apr/2010:12:44:26 -0400] - I'm resizing my cache now...cache was
> 208736256 and is now 8388608
> +[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap
> key for cipher AES
> +[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher AES in
> attrcrypt_cipher_init
> +[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher AES in
> attrcrypt_init
> +[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap
> key for cipher 3DES
> +[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher 3DES
> in attrcrypt_cipher_init
> +[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher 3DES in
> attrcrypt_init
> +[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap
> key for cipher AES
> +[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher AES in
> attrcrypt_cipher_init
> +[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher AES in
> attrcrypt_init
> +[27/Apr/2010:12:44:27 -0400] - attrcrypt_unwrap_key: failed to unwrap
> key for cipher 3DES
> +[27/Apr/2010:12:44:27 -0400] - Failed to retrieve key for cipher 3DES
> in attrcrypt_cipher_init
> +[27/Apr/2010:12:44:27 -0400] - Failed to initialize cipher 3DES in
> attrcrypt_init
>

These errors are probably ok if you are not using the attribute encryption feature. You ideally should not have these errors, but this doesn't mean SSL won't work.

>
> Disabling SSL in the source:
> I have tried to disable SSL on the source directory and admin server via
> the console.
>

Let's try to figure out what happened initially with migration first.

> Next, I had attempted a migration. The migration completed, but, the
> console failed authentication on the resulting 1.1 server.
> http://myserver:64000
>
> I went back to the source server. Launching the console
> http://myserver:64000 also failed authentication.
>
> --
> 389 users mailing list
> 389-users@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/389-users
>