Hi Viktor,
I do not see any errors. I attached the log but nothing stands out to me. It was not a fresh instance but the migrated instance.
Then I removed the database:

dsconf -D "cn=Directory Manager" -W ldap://localhost backend delete spenneberg_net --do-it
Deleting Backend cn=spenneberg_net,cn=ldbm database,cn=plugins,cn=config :
Type 'Yes I am sure' to continue: Yes I am sure
The database, and any sub-suffixes, were successfully deleted

Recreated it:

dsconf -D "cn=Directory Manager" -W ldap://localhost backend create --suffix="dc=spenneberg,dc=net" --be-name=spenneberg_net
The database was sucessfully created

Did the import again:

dsconf -D "cn=Directory Manager" -Wi ldap://localhost backend import dc=spenneberg,dc=net /userRoot.ldif
The import task has finished successfully

If I try to authenticate again, it does not work:

ldapsearch -h localhost -x -b dc=spenneberg,dc=net -D "uid=kolab-service,ou=Special Users,dc=spenneberg,dc=net" -W
ldap_bind: Invalid credentials (49)

The user has an SSHA password: {SSHA}+4ZcRhy2/7h5Du5x/1MO....

If I check the password, pwdhash states OK:

pwdhash -c {SSHA}+4ZcRhy2/7h5Du5x/1MO... qcG...
pwdhash: password ok.

If I reset the password using ldapmodify

dn: uid=kolab-service,ou=Special Users,dc=spenneberg,dc=net
changetype: modify
replace: userPassword
userPassword: qcG...

Now the user may access the tree again. I do not know why the SSHA passwords are not honored.
Any ideas?

Kind regards,
Ralf

On Thu, Jul 4, 2024 at 12:37 PM Viktor Ashirov <vashi...@redhat.com> wrote:
> Hi Ralf,
>
> On Thu, Jul 4, 2024 at 11:29 AM Ralf Spenneberg <rspenneb...@gmail.com> wrote:
>> Hi Viktor,
>> thanks a lot for the suggestion.
>> So I did an export of the old tree running on 1.3.11 using db2ldif:
>> db2ldif -s "dc=xxx,dc=net" -a /tmp/userRoot.ldif
>> And I did an import in the new tree running on 2.4:
>
> Is it a fresh instance or migrated from the old install?
>
>> dsconf -D "cn=Directory Manager" -W ldap://localhost backend import dc=...,dc=net /userRoot.ldif
>> The import task has finished successfully
>
> Do you see any errors in the errors log in /var/log/dirsrv/slapd-your_instance/errors related to import or NSS?
>
>> Directly afterwards the passwords stopped working again. I had to reset them again. Is there any additional step required?
>
> It should work, I did a quick test with export/import and SSHA passwords and the migrated users are able to bind with the old password.
>
> Please check the documentation:
> https://docs.redhat.com/en/documentation/red_hat_directory_server/12/html/installing_red_hat_directory_server/assembly_migrating-directory-server-10-to-directory-server-12_installing-rhds#proc_migrating-directory-server-10-to-version-12-using-the-replication-method_assembly_migrating-directory-server-10-to-directory-server-12
>
> Thanks.
>
>> Kind regards,
>> Ralf
>>
>> On Wed, Jul 3, 2024 at 6:26 PM Viktor Ashirov <vashi...@redhat.com> wrote:
>>> On Wed, Jul 3, 2024 at 3:48 PM Ralf Spenneberg <rspenneb...@gmail.com> wrote:
>>>> Actually I just upgraded the system from centos7 to almalinux9 using elevate. Essentially this is similar to a copy of the /etc/dirsrv and /var/lib/dirsrv directories and started the new ldapserver.
>>>
>>> We don't support or test in-place upgrades (leapp/elevate) and recommend using export/import or replication methods.
>>>
>>>> Directly afterwards I was not able to login using the cn=Directory Manager. I checked the hashed password in the dse.ldif file (cn=config) using pwdhash. It was ok.
>>>> Once I changed the password of the directory manager in the dse.ldif file after stopping the 389ds using PBKDF2-SHA512 hash, the Directory Manager was able to login. Other users required a reset of their password as well for successful login. But since I do not have access to all passwords I would rather reuse the old tree.
>>>> The nsslapd-allow-hashed-passwords is set to on. Therefore I doubt that I have double hashed passwords. For the case of the Directory Manager I am positive.
>>>> And yes, dsconf lists SSHA in my case as well. Any ideas why this is not working?
>>>
>>> Do you see any errors regarding NSS in the errors log?
>>> NSS in EL7 was using an old database format, and if you just copied it to EL9, it's very likely to fail initialization.
>>>
>>>> My passwordpolicy is quite open:
>>>> Global Password Policy: cn=config
>>>> ------------------------------------
>>>> nsslapd-pwpolicy-local: off
>>>> passwordstoragescheme: SSHA512
>>>> passwordchange: on
>>>> passwordmustchange: off
>>>> passwordhistory: off
>>>> passwordinhistory: 6
>>>> passwordadmindn:
>>>> passwordtrackupdatetime: off
>>>> passwordwarning: 86400
>>>> passwordisglobalpolicy: off
>>>> passwordexp: off
>>>> passwordmaxage: 8640000
>>>> passwordminage: 0
>>>> passwordgracelimit: 0
>>>> passwordsendexpiringtime: off
>>>> passwordlockout: off
>>>> passwordunlock: on
>>>> passwordlockoutduration: 3600
>>>> passwordmaxfailure: 3
>>>> passwordresetfailurecount: 600
>>>> passwordchecksyntax: off
>>>> passwordminlength: 8
>>>> passwordmindigits: 0
>>>> passwordminalphas: 0
>>>> passwordminuppers: 0
>>>> passwordminlowers: 0
>>>> passwordminspecials: 0
>>>> passwordmin8bit: 0
>>>> passwordmaxrepeats: 0
>>>> passwordmincategories: 3
>>>> passwordmintokenlength: 3
>>>> nsslapd-allow-hashed-passwords: on
>>>> nsslapd-pwpolicy-inherit-global: off
>>>>
>>>> Kind regards,
>>>> Ralf
>>>>
>>>> On Wed, Jul 3, 2024 at 10:42 AM Viktor Ashirov <vashi...@redhat.com> wrote:
>>>>> Hi Ralf,
>>>>>
>>>>> On Tue, Jul 2, 2024 at 2:29 PM Ralf Spenneberg <rspenneb...@gmail.com> wrote:
>>>>>> Hi there,
>>>>>> I am trying to update an LDAP tree from 389ds 1.3.11 (centos7) to 2.4.5 (almalinux9). After migrating the tree all passwords stop working including the Directory Manager. The old tree used SSHA. Setting the rootpwstoragescheme does not help for the Directory Manager. Only manually resetting the passwords using pwdhash in the dse.ldif file and using a PBKDF2-SHA512 password works. Is there a way to enable the old SSHA scheme?
>>>>>
>>>>> SSHA is still supported in the latest 389-DS:
>>>>> # dsconf localhost pwpolicy list-schemes | grep SSHA
>>>>> SSHA
>>>>> SSHA256
>>>>> SSHA384
>>>>> SSHA512
>>>>>
>>>>> How did you perform the migration? Via replication or export/import?
>>>>> What is the value of nsslapd-allow-hashed-passwords in cn=config?
>>>>> I suspect that your passwords after the migration might be doubly hashed instead of imported as is.
>>>>>
>>>>>> Kind regards,
>>>>>> Ralf
>>>>>
>>>>> --
>>>>> Viktor
>>>
>>> --
>>> Viktor
>
> --
> Viktor

--
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/389-users@lists.fedoraproject.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
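An offline check of the points this thread turns on, added here as an example and not code from the list or from 389-DS itself: verifying an SSHA-family userPassword value the way `pwdhash -c` does, testing the double-hashing suspicion Viktor raises (was the literal `{SSHA}...` string from the export hashed again as if it were the password?), and tallying the storage schemes in an exported LDIF before importing it. The fixed salt, the sample LDIF and the entry names are constructed; the salt length 389-DS really uses may differ, which the verifier tolerates by reading whatever bytes follow the digest.

```python
import base64
import hashlib
import re

# Digest behind each salted scheme that dsconf lists (SSHA, SSHA256, SSHA384, SSHA512).
SCHEMES = {"SSHA": "sha1", "SSHA256": "sha256", "SSHA384": "sha384", "SSHA512": "sha512"}
FIXED_SALT = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # constructed; only so results are deterministic

def make_ssha(password: str, scheme: str = "SSHA", salt: bytes = FIXED_SALT) -> str:
    """Build {SCHEME}base64(digest(password + salt) + salt), the layout 389-DS stores."""
    digest = hashlib.new(SCHEMES[scheme], password.encode() + salt).digest()
    return "{" + scheme + "}" + base64.b64encode(digest + salt).decode()

def verify_ssha(stored: str, candidate: str) -> bool:
    """Offline equivalent of 'pwdhash -c <hash> <password>' for the SSHA family."""
    m = re.fullmatch(r"\{(SSHA(?:256|384|512)?)\}(\S+)", stored)
    if not m:
        raise ValueError("not an SSHA-family value: " + stored[:12])
    algo = SCHEMES[m.group(1)]
    raw = base64.b64decode(m.group(2))
    dlen = hashlib.new(algo).digest_size
    digest, salt = raw[:dlen], raw[dlen:]           # salt is whatever follows the digest
    return hashlib.new(algo, candidate.encode() + salt).digest() == digest

def is_double_hashed(stored_after_import: str, hash_from_export: str) -> bool:
    """True if the server treated the literal '{SSHA}...' string from the LDIF as a password."""
    return verify_ssha(stored_after_import, hash_from_export)

def audit_ldif(ldif_text: str) -> dict:
    """Count userPassword storage schemes in an export; unfolds lines and decodes '::' values."""
    unfolded = re.sub(r"\n ", "", ldif_text)        # LDIF folds long values with a leading space
    counts = {}
    for line in unfolded.splitlines():
        m = re.match(r"userPassword(::?) *(\S+)$", line)
        if not m:
            continue
        value = base64.b64decode(m.group(2)).decode() if m.group(1) == "::" else m.group(2)
        scheme = re.match(r"\{([^}]+)\}", value)
        key = scheme.group(1) if scheme else "CLEARTEXT"
        counts[key] = counts.get(key, 0) + 1
    return counts

# Constructed sample export: one SSHA user (base64-encoded in LDIF, as db2ldif writes it), one cleartext.
SAMPLE_LDIF = (
    "dn: uid=svc,ou=Special Users,dc=example,dc=net\nuserPassword:: "
    + base64.b64encode(make_ssha("qcG-example").encode()).decode()
    + "\n\ndn: uid=bob,ou=People,dc=example,dc=net\nuserPassword: plain-text\n"
)
```

Running `audit_ldif` over the real userRoot.ldif before the import, and `is_double_hashed` on a user's value read back afterwards, separates "the hash was stored as-is but binds fail" from "the hash was re-hashed on import".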