Hello,
in our company we're working on a project migrating multiple master-slave synchronized OpenLDAP servers to a multi-master 389 DS server configuration.
We've been using OpenLDAP to store the data of multiple applications such as DNS servers (PowerDNS), DHCP servers, mail servers (Postfix, Amavis) etc. for at least 9 years.
We need to use custom LDAP schemas to store the data of these applications in LDAP. These need to be converted from the OpenLDAP format to the RFC-strict format 389 DS expects, which actually works great for most of them.
Unfortunately I didn't manage to use the PowerDNS LDAP schema (https://doc.powerdns.com/authoritative/backends/ldap.html) with 389 DS. As I tried to google more information on why this schema doesn't work with 389 DS, I found out it uses the 'dnsdomain' schema, which comes with OpenLDAP (https://lists.fedoraproject.org/pipermail/389-users/2011-January/012721.html) and was removed from 389 DS many years ago.
Could you please give me some advice on what I can do to make the PowerDNS backend work with 389 DS?
We're a mid-sized company with many services using LDAP as their storage backend, and migrating all of them to the new LDAP servers is priority number one. If there is no way to migrate PowerDNS LDAP data from OpenLDAP to 389 DS, the whole project of migration to 389 DS would need to be reconsidered. Nevertheless, I don't understand why such a worldwide popular DNS server, which PowerDNS surely is, couldn't be used with the 389 DS LDAP implementation, which is also quite popular.
Thank you
Tomas Brandysky
Tomas,
It’s been a while since I’ve done it but I seem to remember it being relatively straightforward to convert between OpenLDAP's and 389’s schema formats. Have you made an attempt to convert the PowerDNS schema?
-morgan
On Sep 22, 2017, at 6:13 AM, Tomáš Brandýský tomas.brandysky@gmail.com wrote:
_______________________________________________
389-users mailing list -- 389-users@lists.fedoraproject.org
To unsubscribe send an email to 389-users-leave@lists.fedoraproject.org
Morgan,
There is no problem with converting the schema. As I wrote, I managed to convert the PowerDNS schema, but this schema just extends the 'dnsdomain' schema, which is actually part of OpenLDAP and was part of 389 DS in the past. As the dnsdomain schema is not part of 389 DS anymore, all other schemas trying to use it can't be loaded either.
This is how PowerDNS extends the dnsdomain schema, which doesn't exist in 389 DS:
objectClasses: ( 1.3.6.1.4.1.2428.20.2 NAME 'dNSDomain2' SUP 'dNSDomain' STRUCTURAL MAY ( DNSTTL $ DNSClass $ WKSRecord $ PTRRecord $ HINFORecord $ MINFORecord $ TXTRecord $ RPRecord $ AFSDBRecord $ SIGRecord $ KEYRecord $ GPOSRecord $ AAAARecord $ LOCRecord $ NXTRecord $ SRVRecord $ NAPTRRecord $ KXRecord $ CERTRecord $ A6Record $ DNAMERecord $ APLRecord $ DSRecord $ SSHFPRecord $ IPSECKEYRecord $ RRSIGRecord $ NSECRecord $ DNSKEYRecord $ DHCIDRecord $ SPFRecord ) )
Tomas
On 24 September 2017 at 04:12, Morgan Jones morgan@morganjones.org wrote:
Tomas,
Can you convert the dnsdomain schema from OpenLDAP? I recognize it's a potential rabbit hole, as there may be schemas that depend on that which you have to convert, and so on, but it could be worth the effort rather than abandoning your 389 project.
-morgan
On Sep 25, 2017, at 4:13 AM, Tomáš Brandýský tomas.brandysky@gmail.com wrote:
Morgan,
This actually doesn't work, because there is only this part of the definition in cosine.schema in OpenLDAP:
objectclass ( 0.9.2342.19200300.100.4.15 NAME 'dNSDomain' SUP domain STRUCTURAL MAY ( ARecord $ MDRecord $ MXRecord $ NSRecord $ SOARecord $ CNAMERecord ) )
Although I can convert this part of cosine.schema for 389 DS, its attributes are still missing in 389 DS:
ERR - dse_read_one_file - The entry cn=schema in file /etc/dirsrv/slapd-tbrandysky/schema/02cosine.ldif (lineno: 1) is invalid, error code 21 (Invalid syntax) - object class dNSDomain: Unknown allowed attribute type "ARecord"
These attributes used in the dnsdomain schema seem to be part of OpenLDAP out of the box, as I couldn't find them in any schema file. That seems to be the dead end for me as to migration from OpenLDAP.
Any ideas?
Thank you
Tomas
On 25 September 2017 at 18:21, Morgan Jones morgan@morganjones.org wrote: