Hi Viktor, thanks a lot for the suggestion.

So I did an export of the old tree running on 1.3.11 using db2ldif:

db2ldif -s "dc=xxx,dc=net" -a /tmp/userRoot.ldif

And I did an import in the new tree running on 2.4:

dsconf -D "cn=Directory Manager" -W ldap://localhost backend import dc=...,dc=net /userRoot.ldif

The import task has finished successfully. Directly afterwards the passwords stopped working again. I had to reset them again. Is there any additional step required?
Kind regards,
Ralf

On Wed, 3 Jul 2024 at 18:26, Viktor Ashirov <[email protected]> wrote:
>
>
> On Wed, Jul 3, 2024 at 3:48 PM Ralf Spenneberg <[email protected]> wrote:
>
>> Actually I just upgraded the system from centos7 to almalinux9 using
>> elevate. Essentially this is similar to a copy of the /etc/dirsrv and
>> /var/lib/dirsrv directories and started the new ldapserver.
>>
> We don't support or test in-place upgrades (leapp/elevate) and recommend
> using export/import or replication methods.
>
>> Directly afterwards I was not able to log in using the cn=Directory
>> Manager. I checked the hashed password in the dse.ldif file (cn=config)
>> using pwdhash. It was ok.
>> Once I changed the password of the directory manager in the dse.ldif file
>> after stopping the 389ds using a PBKDF2-SHA512 hash, the Directory Manager
>> was able to log in. Other users required a reset of their password as
>> well for successful login. But since I do not have access to all passwords
>> I would rather reuse the old tree.
>> The nsslapd-allow-hashed-passwords is set to on.
>> Therefore I doubt that I have double hashed passwords. For the case of
>> the Directory Manager I am positive.
>> And yes, dsconf lists SSHA in my case as well. Any ideas why this is not
>> working?
>>
> Do you see any errors regarding NSS in the errors log?
> NSS in EL7 was using an old database format, and if you just copied it to
> EL9, it's very likely to fail initialization.
>
>
>> My password policy is quite open:
>> Global Password Policy: cn=config
>> ------------------------------------
>> nsslapd-pwpolicy-local: off
>> passwordstoragescheme: SSHA512
>> passwordchange: on
>> passwordmustchange: off
>> passwordhistory: off
>> passwordinhistory: 6
>> passwordadmindn:
>> passwordtrackupdatetime: off
>> passwordwarning: 86400
>> passwordisglobalpolicy: off
>> passwordexp: off
>> passwordmaxage: 8640000
>> passwordminage: 0
>> passwordgracelimit: 0
>> passwordsendexpiringtime: off
>> passwordlockout: off
>> passwordunlock: on
>> passwordlockoutduration: 3600
>> passwordmaxfailure: 3
>> passwordresetfailurecount: 600
>> passwordchecksyntax: off
>> passwordminlength: 8
>> passwordmindigits: 0
>> passwordminalphas: 0
>> passwordminuppers: 0
>> passwordminlowers: 0
>> passwordminspecials: 0
>> passwordmin8bit: 0
>> passwordmaxrepeats: 0
>> passwordmincategories: 3
>> passwordmintokenlength: 3
>> nsslapd-allow-hashed-passwords: on
>> nsslapd-pwpolicy-inherit-global: off
>>
>> Kind regards,
>> Ralf
>>
>>
>> On Wed, 3 Jul 2024 at 10:42, Viktor Ashirov <[email protected]> wrote:
>>
>>> Hi Ralf,
>>>
>>>
>>> On Tue, Jul 2, 2024 at 2:29 PM Ralf Spenneberg <[email protected]> wrote:
>>>
>>>> Hi there,
>>>> I am trying to update an LDAP tree from 389ds 1.3.11 (centos7) to 2.4.5
>>>> (almalinux9). After migrating the tree all passwords stop working, including
>>>> the Directory Manager. The old tree used SSHA. Setting the
>>>> rootpwstoragescheme does not help for the Directory Manager. Only manually
>>>> resetting the passwords using pwdhash in the dse.ldif file and using a
>>>> PBKDF2-SHA512 password works. Is there a way to enable the old SSHA scheme?
>>>>
>>> SSHA is still supported in the latest 389-DS:
>>> # dsconf localhost pwpolicy list-schemes | grep SSHA
>>> SSHA
>>> SSHA256
>>> SSHA384
>>> SSHA512
>>>
>>> How did you perform the migration? Via replication or export/import?
>>> What is the value of nsslapd-allow-hashed-passwords in cn=config?
>>> I suspect that your passwords after the migration might be doubly hashed
>>> instead of imported as is.
>>>
>>>
>>>> Kind regards,
>>>> Ralf
>>>
>>>
>>> --
>>> Viktor
>>
>
>
> --
> Viktor
-- _______________________________________________ 389-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
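The double-hashing suspicion raised in the thread can be tested instead of guessed at. The script below is an added example and is not code from the thread or from the 389-DS project. It reimplements the RFC 2307-style salted schemes that `dsconf ... pwpolicy list-schemes` reports ({SSHA}, {SSHA256}, {SSHA384}, {SSHA512}: base64 of digest(password + salt) followed by the salt), scans an LDIF export for which scheme each userPassword carries, and then checks whether a post-import hash verifies against the real password (imported as is) or against the old hash string (the old hash was treated as a cleartext password and hashed again). The LDIF sample, DNs, password, salts and function names are constructed for illustration; the PBKDF2-SHA512 format the thread ends up using is not handled here.

```python
import base64
import hashlib
import hmac
import os
import re

# Salted-digest schemes from the thread's `dsconf ... pwpolicy list-schemes` output.
# Stored form: {SCHEME}base64(digest(password + salt) + salt).
SALTED_SCHEMES = {
    "SSHA": hashlib.sha1,
    "SSHA256": hashlib.sha256,
    "SSHA384": hashlib.sha384,
    "SSHA512": hashlib.sha512,
}

_SCHEME_RE = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.+)$", re.S)


def split_scheme(value):
    """Return (SCHEME, payload) for a '{SCHEME}payload' string, else (None, value)."""
    m = _SCHEME_RE.match(value)
    if not m:
        return None, value
    return m.group(1).upper(), m.group(2)


def make_salted_hash(scheme, secret, salt=None):
    """Produce a {SSHA*} value in the stored format (8-byte random salt by default)."""
    digest = SALTED_SCHEMES[scheme]
    if salt is None:
        salt = os.urandom(8)
    if isinstance(secret, str):
        secret = secret.encode("utf-8")
    raw = digest(secret + salt).digest() + salt
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def verify_salted_hash(stored, candidate):
    """Constant-time check of candidate against a {SSHA*} value; False if malformed."""
    scheme, payload = split_scheme(stored)
    if scheme not in SALTED_SCHEMES:
        return False
    digest = SALTED_SCHEMES[scheme]
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return False
    size = digest().digest_size
    if len(raw) <= size:  # digest must be followed by at least one salt byte
        return False
    expected, salt = raw[:size], raw[size:]
    if isinstance(candidate, str):
        candidate = candidate.encode("utf-8")
    return hmac.compare_digest(digest(candidate + salt).digest(), expected)


def classify_migrated_password(old_hash, new_hash, plaintext):
    """'intact' if new_hash matches the real password, 'double-hashed' if it matches
    the old hash *string* (hash stored as if it were cleartext), else 'unknown'."""
    if verify_salted_hash(new_hash, plaintext):
        return "intact"
    if verify_salted_hash(new_hash, old_hash):
        return "double-hashed"
    return "unknown"


def _unfold_ldif(ldif_text):
    """Join LDIF continuation lines (leading space) back onto their attribute line."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def scan_ldif_passwords(ldif_text):
    """Return [(dn, scheme)] for each userPassword; 'CLEARTEXT' means no {SCHEME} prefix,
    which an import would hash as a plain password."""
    results, dn = [], None
    for line in _unfold_ldif(ldif_text):
        lower = line.lower()
        if line.startswith("dn: "):
            dn = line[4:].strip()
        elif lower.startswith("userpassword:: "):  # base64-encoded, as db2ldif writes it
            value = base64.b64decode(line.split("::", 1)[1].strip()).decode("utf-8")
            results.append((dn, split_scheme(value)[0] or "CLEARTEXT"))
        elif lower.startswith("userpassword: "):
            value = line.split(":", 1)[1].strip()
            results.append((dn, split_scheme(value)[0] or "CLEARTEXT"))
    return results


# Constructed sample in the shape of a db2ldif export (hypothetical DNs and password).
OLD_HASH = make_salted_hash("SSHA", "Secret123", salt=b"8bytsalt")
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=net",
    "objectClass: inetOrgPerson",
    "userPassword:: " + base64.b64encode(OLD_HASH.encode()).decode(),
    "",
    "dn: uid=bob,ou=People,dc=example,dc=net",
    "objectClass: inetOrgPerson",
    "userPassword: plain-text-by-mistake",
    "",
])

if __name__ == "__main__":
    for dn, scheme in scan_ldif_passwords(SAMPLE_LDIF):
        print(dn, scheme)
    doubled = make_salted_hash("SSHA512", OLD_HASH)  # what a double hash looks like
    print(classify_migrated_password(OLD_HASH, OLD_HASH, "Secret123"))
    print(classify_migrated_password(OLD_HASH, doubled, "Secret123"))
```

To diagnose a real migration, take one account whose password you know, its userPassword from the old export and the same attribute read back from the new server as Directory Manager, and pass the three values to classify_migrated_password. A result of 'double-hashed' means the import treated the stored hash as cleartext despite nsslapd-allow-hashed-passwords; 'unknown' with a {PBKDF2-SHA512} value only means this script does not implement that scheme's storage format.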
