I've just migrated from Fedora 389DS to DSEE7 and stumbled upon some unexpected problems that I can't figure how to get out of.
Before shutting down my 389DS instance I've dumped its user entries. I then installed DSEE7, everything seems to be working properly.
I then did a dsconf create-suffix o=oslods (which was the base DN on 389DS).
Afterwards I did dsconf import -p 389 -e /tmp/389dump.ldif o=oslods. No entries were skipped, everything looked OK. My ldif can be seen at http://jeanfrancoisgratton.net/dsee/389dump.ldif.txt .
Why, as everything (ldapsearch) worked fine with 389DS, doesn't it work properly now with DSEE ? Some gui tools will show me the entries in o=oslods, but not ldapsearch (ex: ldapsearch -b o=isp uid=grattojf won't return anything) ?
Is there something I've forgotten that'd get me red-faced with shame once pointed out to me, or what ? :-) UPDATE
It seems that when I provide the bindDN (-D "xxxxx" -w yyyy) I get results ! This one now, I don't get it ! I want anonymous searches to work, I hadn't touched to anything ACI-wise...
Edited by: J.F.Gratton on Mar 9, 2012 2:40 PM
Edited by: J.F.Gratton on Mar 9, 2012 2:51 PM
I came here this morning to close the thread as I realized that the ACIs were missing from the suffix. Can't figure how / why it's missing from dsconf import.
So, ACIs being missing, looks like the DS is usable (readable) only by the directory manager.
An easy thing to fix !
One reason might be because aci is an operational attribute. If you obtained your import LDIF using an ldapsearch you might have missed operational attributes and ldapSubEntries. One reason this is risky is because of "hidden" attributes and entries that can be missing from your extract.