Hi Ralf,
On Thu, Jul 4, 2024 at 11:29 AM Ralf Spenneberg <rspenneb...@gmail.com> wrote:

> Hi Viktor,
> thanks a lot for the suggestion.
> So I did an export of the old tree running on 1.3.11 using db2ldif:
> db2ldif -s "dc=xxx,dc=net" -a /tmp/userRoot.ldif
> And I did an import in the new tree running on 2.4:

Is it a fresh instance or migrated from the old install?

> dsconf -D "cn=Directory Manager" -W ldap://localhost backend import dc=...,dc=net /userRoot.ldif
> The import task has finished successfully

Do you see any errors in the errors log in /var/log/dirsrv/slapd-your_instance/errors related to import or NSS?

> Directly afterwards the passwords stopped working again. I had to reset them again. Is there any additional step required?

It should work, I did a quick test with export/import and SSHA passwords and the migrated users are able to bind with the old password.
Please check the documentation:
https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/installing_red_hat_directory_server/assembly_migrating-directory-server-10-to-directory-server-12_installing-rhds#proc_migrating-directory-server-10-to-version-12-using-the-replication-method_assembly_migrating-directory-server-10-to-directory-server-12

Thanks.

>
> Kind regards,
> Ralf
>
> On Wed., 3 July 2024 at 18:26, Viktor Ashirov <vashi...@redhat.com> wrote:
>
>> On Wed, Jul 3, 2024 at 3:48 PM Ralf Spenneberg <rspenneb...@gmail.com> wrote:
>>
>>> Actually I just upgraded the system from centos7 to almalinux9 using elevate. Essentially this is similar to a copy of the /etc/dirsrv and /var/lib/dirsrv directories and started the new ldapserver.
>>
>> We don't support or test in-place upgrades (leapp/elevate) and recommend using export/import or replication methods.
>>
>>> Directly afterwards I was not able to log in using the cn=Directory Manager. I checked the hashed password in the dse.ldif file (cn=config) using pwdhash. It was ok.
>>> Once I changed the password of the directory manager in the dse.ldif file after stopping the 389ds using PBKDF2-SHA512 hash, the Directory Manager was able to log in. Other users required a reset of their password as well for successful login. But since I do not have access to all passwords I would rather reuse the old tree.
>>> The nsslapd-allow-hashed-passwords is set to on.
>>> Therefore I doubt that I have double hashed passwords. For the case of the Directory Manager I am positive.
>>> And yes, dsconf lists SSHA in my case as well. Any ideas why this is not working?
>>
>> Do you see any errors regarding NSS in the errors log?
>> NSS in EL7 was using an old database format, and if you just copied it to EL9, it's very likely to fail initialization.
>>
>>> My passwordpolicy is quite open:
>>> Global Password Policy: cn=config
>>> ------------------------------------
>>> nsslapd-pwpolicy-local: off
>>> passwordstoragescheme: SSHA512
>>> passwordchange: on
>>> passwordmustchange: off
>>> passwordhistory: off
>>> passwordinhistory: 6
>>> passwordadmindn:
>>> passwordtrackupdatetime: off
>>> passwordwarning: 86400
>>> passwordisglobalpolicy: off
>>> passwordexp: off
>>> passwordmaxage: 8640000
>>> passwordminage: 0
>>> passwordgracelimit: 0
>>> passwordsendexpiringtime: off
>>> passwordlockout: off
>>> passwordunlock: on
>>> passwordlockoutduration: 3600
>>> passwordmaxfailure: 3
>>> passwordresetfailurecount: 600
>>> passwordchecksyntax: off
>>> passwordminlength: 8
>>> passwordmindigits: 0
>>> passwordminalphas: 0
>>> passwordminuppers: 0
>>> passwordminlowers: 0
>>> passwordminspecials: 0
>>> passwordmin8bit: 0
>>> passwordmaxrepeats: 0
>>> passwordmincategories: 3
>>> passwordmintokenlength: 3
>>> nsslapd-allow-hashed-passwords: on
>>> nsslapd-pwpolicy-inherit-global: off
>>>
>>> Kind regards,
>>> Ralf
>>>
>>> On Wed., 3 July 2024 at 10:42, Viktor Ashirov <vashi...@redhat.com> wrote:
>>>
>>>> Hi Ralf,
>>>>
>>>> On Tue, Jul 2, 2024 at 2:29 PM Ralf Spenneberg <rspenneb...@gmail.com> wrote:
>>>>
>>>>> Hi there,
>>>>> I am trying to update an LDAP tree from 389ds 1.3.11 (centos7) to 2.4.5 (almalinux9). After migrating the tree all passwords stop working including the Directory Manager. The old tree used SSHA. Setting the rootpwstoragescheme does not help for the Directory Manager. Only manually resetting the passwords using pwdhash in the dse.ldif file and using a PBKDF2-SHA512 password works. Is there a way to enable the old SSHA scheme?
>>>>
>>>> SSHA is still supported in the latest 389-DS:
>>>> # dsconf localhost pwpolicy list-schemes | grep SSHA
>>>> SSHA
>>>> SSHA256
>>>> SSHA384
>>>> SSHA512
>>>>
>>>> How did you perform the migration? Via replication or export/import?
>>>> What is the value of nsslapd-allow-hashed-passwords in cn=config?
>>>> I suspect that your passwords after the migration might be doubly hashed instead of imported as is.
>>>>
>>>>> Kind regards,
>>>>> Ralf
>>>>
>>>> --
>>>> Viktor
>>
>> --
>> Viktor

--
Viktor
-- _______________________________________________ 389-users mailing list -- 389-users@lists.fedoraproject.org To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
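The thread turns on whether the exported {SSHA} values were imported as-is or re-hashed ("doubly hashed") on the way into the new instance. The following is an added diagnostic script, not code from the thread or from the 389-DS project: it parses userPassword values out of an LDIF export (both the plain and the "::" base64-encoded LDIF forms), verifies a user's password against the salted-SHA layout that SSHA/SSHA256/SSHA384/SSHA512 share, and classifies a migrated value as "ok", "double-hashed" (the new value is a hash of the old hash string) or "mismatch". The 8-byte salt, the example DNs, the sample LDIF and the simulated double-hashed entry for "bob" are all constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Salted-SHA schemes that `dsconf ... pwpolicy list-schemes` reports. The stored form is
# {SCHEME}base64(digest(password || salt) || salt). The salt length is not encoded, so a
# verifier takes the digest's fixed size and treats the remainder as the salt.
SCHEMES = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA384": "sha384", "SSHA512": "sha512"}
SALT_LEN = 8  # assumption: 8-byte salt for values this script generates

def hash_password(password: str, scheme: str = "SSHA512", salt: Optional[bytes] = None) -> str:
    """Return a userPassword value in the salted-SHA layout described above."""
    scheme = scheme.upper()
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.new(SCHEMES[scheme], password.encode("utf-8") + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))

def split_hash(stored: str):
    """Split '{SCHEME}base64' into (scheme, digest, salt); reject unknown or truncated values."""
    if not stored.startswith("{") or "}" not in stored:
        raise ValueError("not a {SCHEME}-prefixed value")
    scheme, b64 = stored[1:].split("}", 1)
    scheme = scheme.upper()
    if scheme not in SCHEMES:
        raise ValueError("unsupported scheme: " + scheme)
    raw = base64.b64decode(b64)
    dlen = hashlib.new(SCHEMES[scheme]).digest_size
    if len(raw) <= dlen:
        raise ValueError("value too short to hold digest plus salt")
    return scheme, raw[:dlen], raw[dlen:]

def verify_password(stored: str, candidate: str) -> bool:
    """Constant-time comparison of the candidate against the stored salted digest."""
    scheme, digest, salt = split_hash(stored)
    computed = hashlib.new(SCHEMES[scheme], candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)

def diagnose(migrated: str, password: str, original: Optional[str] = None) -> str:
    """'ok' if the password verifies against the migrated value; 'double-hashed' if the
    migrated value is a hash of the *old hash string* (i.e. the export was treated as
    cleartext and re-hashed on import); otherwise 'mismatch'."""
    if verify_password(migrated, password):
        return "ok"
    if original is not None and verify_password(migrated, original):
        return "double-hashed"
    return "mismatch"

def _ldif_value(rest: str) -> str:
    """Decode the part after 'attr:'; a second ':' marks a base64-encoded value."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()

def userpasswords_from_ldif(ldif_text: str) -> dict:
    """Map dn -> userPassword from an LDIF export, unfolding continuation lines."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    result, dn = {}, None
    for line in unfolded:
        lower = line.lower()
        if lower.startswith("dn:"):
            dn = _ldif_value(line[3:])
        elif lower.startswith("userpassword:") and dn is not None:
            result[dn] = _ldif_value(line[len("userpassword:"):])
    return result

# Constructed sample: alice's hash survived the import unchanged; bob's was re-hashed as
# if the old "{SSHA}..." string had been a cleartext password (the double-hashing case).
ALICE_OLD = hash_password("alice-pass", "SSHA", b"saltsalt")
BOB_OLD = hash_password("bob-pass", "SSHA", b"saltsalt")
BOB_MIGRATED = hash_password(BOB_OLD, "SSHA512", b"newsalt1")
SAMPLE_LDIF = (
    "dn: uid=alice,ou=People,dc=example,dc=net\n"
    "userPassword: " + ALICE_OLD + "\n\n"
    "dn: uid=bob,ou=People,dc=example,dc=net\n"
    "userPassword:: " + base64.b64encode(BOB_MIGRATED.encode()).decode() + "\n"
)

def check_sample() -> dict:
    """Run the diagnosis over the constructed LDIF; returns {dn: verdict}."""
    stored = userpasswords_from_ldif(SAMPLE_LDIF)
    known = {  # what each user types, plus the pre-migration hash for comparison
        "uid=alice,ou=People,dc=example,dc=net": ("alice-pass", ALICE_OLD),
        "uid=bob,ou=People,dc=example,dc=net": ("bob-pass", BOB_OLD),
    }
    return {dn: diagnose(stored[dn], pw, old) for dn, (pw, old) in known.items()}

if __name__ == "__main__":
    for dn, verdict in check_sample().items():
        print(dn, "->", verdict)
```

On a real migration you would point `userpasswords_from_ldif` at the db2ldif export and at a fresh export from the new instance, and compare a known test account's value between the two: if the strings are identical the import preserved the hash and the bind failure lies elsewhere (the NSS database and errors log mentioned in the thread are the next place to look); if the new value verifies only against the old hash string, the import re-hashed the password.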