
AD/LDAP Migration Error


This page applies to migrations when upgrading from versions before 7.4.

For Server Migration steps: see Migrate Pleasant Password Server

When migrating from an older version, Password Server may need additional details to identify some directory users, and reports the following error:

  • "Active Directory/LDAP directories have not been fully migrated. Please click here to finish the migration before proceeding."

Not Fully Migrated Error

Starting in version 7.4, Password Server tracks imported users and groups using unique identifiers provided by the directory, rather than by distinguished name ("DN"). Unlike DNs, these unique identifiers never change over the life of a user or group (even if it is moved or renamed), which lets Password Server stay synced with your directory more reliably.

However, during the migration process Password Server may not have enough information to determine an existing user's unique identifier from its DN (which it already knows).
Common causes include:

  • The user has been deleted from the directory but remains in Password Server - even if the user has been disabled.
  • The user has moved and is still in the directory, but is outside the search scope configured for Password Server by the Base DN and User Relative DN.
  • The LDAP server implementation uses a non-standard attribute to store the unique identifier and that attribute's name has not been provided to Password Server (using the Unique Directory Id Attribute field).

Note: Remember to restart the Password Server service after addressing these scenarios and attempting to complete the process with the migration link.

If none of these situations apply, the following steps can be used to manually insert the data required by Password Server and complete the migration.

  1. Click the link in the error message.
  2. On the page that appears (once for each Password Server directory that needs attention), enter the credentials of an account with read access to your AD/LDAP directory (ask your directory administrator if you're not sure which account to use), then click Save.
  3. Restart the Password Server service.

  4. If you do not receive another error message, you are done! Otherwise, continue with the next step.

  5. Open your database in SQLiteManager ("SLM")
  6. Open the SQL tab and run the following command (leave this tab open):

    SELECT "Name"
    FROM "UserDirectory"
    WHERE "ConnectionType" <> 'ActiveDirectory'
    AND "Schema" LIKE '%"UserName":"samaccountname"%';

    If this returns any rows at all, contact us (include the phrase "wrong schema") immediately; if not, go to the next step.

  7. Query for unmatched users and roles:
    • From the SQL tab, run the following command (leave this tab open):

      SELECT 'Role' as "UserOrRole", "Name" as "Name"
      FROM "Role"
      WHERE "DirectoryId" IS NOT NULL
      AND (
        "UniqueDirectoryId" IS NULL
        OR "UniqueDirectoryId" LIKE '%=%'
        OR LTRIM(RTRIM("UniqueDirectoryId")) = ''
      )
      UNION ALL
      SELECT 'User' as "UserOrRole", "UserName" as "Name"
      FROM "User"
      WHERE "DirectoryId" IS NOT NULL
      AND (
        "UniqueDirectoryId" IS NULL
        OR "UniqueDirectoryId" LIKE '%=%'
        OR LTRIM(RTRIM("UniqueDirectoryId")) = ''
      )
      ORDER BY "UserOrRole";

      For each row in this list of "Unmatchables" (roles/users that were not found), find the distinguished name ("DN") and enter it into Password Server:

  8. Option 1 (AD only):

    1. Open ADUC (Active Directory Users and Computers)

    2. In the View menu, turn on Advanced Features

    3. For each user/role in Unmatchables that hasn't been deleted from your AD:

      • Find the user/role in the directory tree and open it (double-click)

      • Switch to the Attribute Editor tab, select the distinguishedName attribute, then click View

      • Copy the contents of the Value field onto the clipboard

      • Switch back to SLM's SQL tab (leave ADUC open) and run either

        UPDATE "User"
        SET "UniqueDirectoryId" = 'CONTENTS_OF_CLIPBOARD'
        WHERE "UserName" = 'CORRESPONDING_USER_NAME_FROM_UNMATCHABLES';

        or

        UPDATE "Role"
        SET "UniqueDirectoryId" = 'CONTENTS_OF_CLIPBOARD'
        WHERE "Name" = 'CORRESPONDING_ROLE_NAME_FROM_UNMATCHABLES';

        as appropriate.
  9. Option 2 - Using Softerra LDAP Browser (any LDAP browser can be used, but instructions will differ):
    1. Open the Password Server web client
    2. Click Users and Roles > Manage Directories > NAME_OF_DIRECTORY_CONTAINING_UNMATCHABLES
      • Leave this page open
    3. Open Softerra LDAP Browser
    4. Click File > New > New Profile...
    5. Server Profile Name: enter anything you want as a Profile Name, then click Next.
    6. Profile General Information: copy Host, Port, and Use secure connection (SSL) from the web client, then click Next.
    7. User Authentication Information: ask your AD/LDAP administrator. If there's no admin nearby, try one of the following:
      • (AD only) Select Currently logged on user -> click Next.
      • Select Other credentials -> copy Mechanism (web: Basic=Simple, Microsoft Negotiate=GSS Negotiate), Principal (web: User Name) and Password from the web client -> click Next.
      • Select Anonymous user -> click Next.
    8. LDAP Settings: click Finish. If no directory tree appears in the left pane, retry from Step 9.4 using different authentication information in Step 9.7.
    9. For each user/role in Unmatchables that hasn't been deleted from your AD/LDAP:
      • In the directory tree, right-click the user/role -> click Properties.
      • Copy the distinguished name onto the clipboard:
        [Screenshot: LDAP Browser, Copy DN]
      • Switch back to SLM's SQL tab (leave LDAP Browser open) and run either

        UPDATE "User"
        SET "UniqueDirectoryId" = 'CONTENTS_OF_CLIPBOARD'
        WHERE "UserName" = 'CORRESPONDING_USER_NAME_FROM_UNMATCHABLES';

        or

        UPDATE "Role"
        SET "UniqueDirectoryId" = 'CONTENTS_OF_CLIPBOARD'
        WHERE "Name" = 'CORRESPONDING_ROLE_NAME_FROM_UNMATCHABLES';

        as appropriate.
         
  10. Start the Password Server service

  11. From the web client's login page, click the link in the migration error message.

  12. On the page that appears (once for each Password Server directory that needs attention), enter the credentials of an account with read access to your AD/LDAP directory (ask your directory administrator if you're not sure which account to use), then click Save.

  13. Log in, then delete any user or role you know has been deleted from your AD/LDAP directory.

  14. Restart the Password Server service

  15. Verify that migration error messages no longer appear in the web client (if they do, contact us)

  16. Close SLM.
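
Added example, not part of the original page or of Password Server's own tooling: a small Python helper that builds the UPDATE statements from steps 8 and 9 with the pasted values quoted as SQL literals, so a DN such as CN=Pat O'Brien,... does not break the statement or get read as SQL. It rehearses the result on a constructed in-memory table that holds only the columns the page's queries name; the sample users, DN and identifier are assumptions.

```python
import sqlite3

# Table and key column per row kind, taken from the page's UPDATE statements.
TARGETS = {"User": ("User", "UserName"), "Role": ("Role", "Name")}

# The "User" half of the step 7 query, unchanged apart from the column list.
UNMATCHED = """SELECT "UserName" FROM "User"
WHERE "DirectoryId" IS NOT NULL
AND ("UniqueDirectoryId" IS NULL OR "UniqueDirectoryId" LIKE '%=%'
     OR LTRIM(RTRIM("UniqueDirectoryId")) = '')
ORDER BY "UserName";"""

def sql_literal(value):
    """Quote text as a SQL string literal, doubling embedded single quotes."""
    return "'" + value.replace("'", "''") + "'"

def build_update(kind, name, dn):
    """Build the page's UPDATE for one Unmatchables row, ready to paste."""
    table, key = TARGETS[kind]  # KeyError on anything but User/Role
    return (f'UPDATE "{table}" SET "UniqueDirectoryId" = {sql_literal(dn.strip())} '
            f'WHERE "{key}" = {sql_literal(name)};')

def rehearse():
    """Run a generated statement against a constructed in-memory table."""
    db = sqlite3.connect(":memory:")
    # Constructed stand-in holding only the columns the page's queries name.
    db.execute('CREATE TABLE "User" ("UserName" TEXT, "DirectoryId" INTEGER, '
               '"UniqueDirectoryId" TEXT)')
    db.executemany('INSERT INTO "User" VALUES (?, ?, ?)', [
        ("pobrien", 1, None),                       # never matched
        ("asmith", 1, "   "),                       # blank identifier
        ("jdoe", 1, "constructed-unique-id-0001"),  # constructed non-DN value
        ("localadmin", None, None),                 # not a directory user
    ])
    before = [row[0] for row in db.execute(UNMATCHED)]
    # Constructed DN with an apostrophe and a trailing newline from the clipboard.
    stmt = build_update("User", "pobrien", "CN=Pat O'Brien,OU=Staff,DC=example,DC=com\n")
    changed = db.execute(stmt).rowcount  # expect exactly one row
    stored = db.execute('SELECT "UniqueDirectoryId" FROM "User" '
                        'WHERE "UserName" = ?', ("pobrien",)).fetchone()[0]
    after = [row[0] for row in db.execute(UNMATCHED)]
    return before, stmt, changed, stored, after

if __name__ == "__main__":
    for item in rehearse():
        print(item)
```

A row updated this way still appears in the step 7 query, because a DN always contains "=" and so matches the LIKE '%=%' test; re-running step 7 straight after an UPDATE therefore does not confirm that the UPDATE ran, whereas the affected-row count does.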