AD/LDAP Migration Error
This page applies to migrations when upgrading from versions before 7.4.
For Server Migration steps: see Migrate Pleasant Password Server
When migrating from an older version, Password Server may need additional details to identify some directory users, and the login page shows this error:
- "Active Directory/LDAP directories have not been fully migrated. Please click here to finish the migration before proceeding."
Starting in version 7.4, Password Server tracks imported users and groups using unique identifiers supplied by the directory rather than by distinguished name ("DN"). Unlike DNs, these identifiers never change over the life of a user or group (even if it is moved or renamed), which lets Password Server stay synced with your directory more reliably.
However, during the migration Password Server may not have enough information to determine an existing user's unique identifier from the DN it already knows.
Common causes include:
- The user has been deleted from the directory but still exists in Password Server (even if the user is disabled there).
- The user still exists in the directory but has been moved outside the search scope configured for Password Server (the Base DN and User Relative DN).
- The LDAP server stores the unique identifier in a non-standard attribute, and that attribute's name has not been entered in Password Server (the Unique Directory Id Attribute field).
Note: after addressing any of these scenarios, restart the Password Server service and then retry the migration link.
If none of these situations apply, the following steps can be used to manually insert the data required by Password Server and complete the migration.
- Click the link in the error message.
- On the page that appears (once for each Password Server directory that needs attention), enter the credentials of an account with read access to your AD/LDAP directory (ask your directory administrator if you're not sure which account to use), then click Save.
- If you do not receive another error message, you are done; otherwise, continue with the steps below.
- Open your database in SQLiteManager ("SLM"). The steps below edit the database directly, so take a copy of the database file first so that you can roll back if an UPDATE goes wrong.
- Open the SQL tab and run the following command (leave this tab open):
SELECT "Name"
FROM "UserDirectory"
WHERE "ConnectionType" <> 'ActiveDirectory'
AND "Schema" LIKE '%"UserName":"samaccountname"%';
- If this returns any rows at all, contact us (include the phrase "wrong schema") immediately; if not, go to the next step.
- Query for unmatched users and roles. From the SQL tab, run the following command (leave this tab open):
SELECT 'Role' as "UserOrRole", "Name" as "Name"
FROM "Role"
WHERE "DirectoryId" IS NOT NULL
AND (
"UniqueDirectoryId" IS NULL
OR "UniqueDirectoryId" LIKE '%=%'
OR LTRIM(RTRIM("UniqueDirectoryId")) = ''
)
UNION ALL
SELECT 'User' as "UserOrRole", "UserName" as "Name"
FROM "User"
WHERE "DirectoryId" IS NOT NULL
AND (
"UniqueDirectoryId" IS NULL
OR "UniqueDirectoryId" LIKE '%=%'
OR LTRIM(RTRIM("UniqueDirectoryId")) = ''
)
ORDER BY "UserOrRole";
- For each row in this list of "Unmatchables" (roles/users that were not found), find the distinguished name ("DN") using one of the two options below and enter it into Password Server. When you paste a DN into the UPDATE statements, double any single quote it contains (for example O''Brien) so the SQL literal stays valid, and confirm that SLM reports exactly one row affected by each UPDATE.
- Option 1 (AD only):
- Open ADUC (Active Directory Users and Computers).
- In the View menu, turn on Advanced Features.
- For each user/role in Unmatchables that hasn't been deleted from your AD:
- Find the user/role in the directory tree and open it (double-click).
- Switch to the Attribute Editor tab, select the distinguishedName attribute, then click View.
- Copy the contents of the Value field onto the clipboard.
- Switch back to SLM's SQL tab (leave ADUC open) and run either
UPDATE "User"
SET "UniqueDirectoryId" = 'CONTENTS_OF_CLIPBOARD'
WHERE "UserName" = 'CORRESPONDING_USER_NAME_FROM_UNMATCHABLES';
or
UPDATE "Role"
SET "UniqueDirectoryId" = 'CONTENTS_OF_CLIPBOARD'
WHERE "Name" = 'CORRESPONDING_ROLE_NAME_FROM_UNMATCHABLES';
- Option 2 - Using Softerra LDAP Browser (any LDAP browser can be used, but instructions will differ):
- Open the Password Server web client.
- Click Users and Roles > Manage Directories > NAME_OF_DIRECTORY_CONTAINING_UNMATCHABLES.
- Leave this page open.
- Open Softerra LDAP Browser.
- Click File > New > New Profile...
- Server Profile Name: enter any name you like as the Profile Name, then click Next.
- Profile General Information: copy Host, Port, and Use secure connection (SSL) from the web client, then click Next.
- User Authentication Information: ask your AD/LDAP administrator. If no administrator is available, try one of the following:
- (AD only) Select Currently logged on user -> click Next.
- Select Other credentials -> copy Mechanism (web: Basic = Simple, Microsoft Negotiate = GSS Negotiate), Principal (web: User Name) and Password from the web client -> click Next.
- Select Anonymous user -> click Next.
- LDAP Settings: click Finish. If no directory tree appears in the left pane, start again from the New Profile step, using different authentication information in the User Authentication Information step.
- For each user/role in Unmatchables that hasn't been deleted from your AD/LDAP:
- In the directory tree, right-click the user/role -> click Properties.
- Copy the distinguished name onto the clipboard.
- Switch back to SLM's SQL tab (leave LDAP Browser open) and run either
UPDATE "User"
SET "UniqueDirectoryId" = 'CONTENTS_OF_CLIPBOARD'
WHERE "UserName" = 'CORRESPONDING_USER_NAME_FROM_UNMATCHABLES';
or
UPDATE "Role"
SET "UniqueDirectoryId" = 'CONTENTS_OF_CLIPBOARD'
WHERE "Name" = 'CORRESPONDING_ROLE_NAME_FROM_UNMATCHABLES';
- From the web client's login page, click the link in the migration error message.
- On the page that appears (once for each Password Server directory that needs attention), enter the credentials of an account with read access to your AD/LDAP directory (ask your directory administrator if you're not sure which account to use), then click Save.
- Log in, then delete any user or role you know has been deleted from your AD/LDAP directory.
- Verify that migration error messages no longer appear in the web client (if they do, contact us).
- Close SLM.
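As an added example (not part of the Pleasant Password Server documentation or product), the following Python script runs this page's Unmatchables query and the UniqueDirectoryId UPDATE against a constructed in-memory SQLite database. The table definitions and sample rows are assumptions limited to the columns the page's queries use; the real tables carry many more columns. The script binds the DN as a parameter, so a DN containing a single quote needs no manual escaping, checks that every UPDATE affected exactly one row, and rolls the whole batch back if any name matched zero or several rows.

```python
"""Added example, not Pleasant Password Server code: run this page's
"Unmatchables" query and the UniqueDirectoryId UPDATE with bound parameters
and a one-row-per-update check, against a constructed SQLite database."""
import sqlite3

# Assumed minimal schema: only the columns used by the queries on this page.
# The real Password Server tables carry many more columns.
SCHEMA = """
CREATE TABLE "User" (
    "Id" INTEGER PRIMARY KEY,
    "UserName" TEXT NOT NULL,
    "DirectoryId" INTEGER,
    "UniqueDirectoryId" TEXT
);
CREATE TABLE "Role" (
    "Id" INTEGER PRIMARY KEY,
    "Name" TEXT NOT NULL,
    "DirectoryId" INTEGER,
    "UniqueDirectoryId" TEXT
);
"""

# Constructed sample rows: a local user and role (DirectoryId NULL) that must
# be ignored, a user already holding a directory GUID, a user with no id at
# all, a user whose id is still a DN, and a role whose id is only whitespace.
SAMPLE_ROWS = """
INSERT INTO "User" VALUES (1, 'localadmin', NULL, NULL);
INSERT INTO "User" VALUES (2, 'jdoe', 1, '8f3d2e10-1c4b-4a9e-9c1d-2b7a6f5e4d3c');
INSERT INTO "User" VALUES (3, 'obrien', 1, NULL);
INSERT INTO "User" VALUES (4, 'asmith', 1, 'CN=Alice Smith,OU=Staff,DC=example,DC=com');
INSERT INTO "Role" VALUES (1, 'Administrators', NULL, NULL);
INSERT INTO "Role" VALUES (2, 'Vault Users', 1, '   ');
"""

# The page's own Unmatchables query, unchanged apart from whitespace.
UNMATCHABLES_SQL = """
SELECT 'Role' AS "UserOrRole", "Name" AS "Name"
FROM "Role"
WHERE "DirectoryId" IS NOT NULL
  AND ("UniqueDirectoryId" IS NULL
       OR "UniqueDirectoryId" LIKE '%=%'
       OR LTRIM(RTRIM("UniqueDirectoryId")) = '')
UNION ALL
SELECT 'User' AS "UserOrRole", "UserName" AS "Name"
FROM "User"
WHERE "DirectoryId" IS NOT NULL
  AND ("UniqueDirectoryId" IS NULL
       OR "UniqueDirectoryId" LIKE '%=%'
       OR LTRIM(RTRIM("UniqueDirectoryId")) = '')
ORDER BY "UserOrRole";
"""

# Table and name column for each kind of row. These are fixed identifiers,
# never user input, so splicing them into the statement text is safe.
TARGET = {"User": ('"User"', '"UserName"'), "Role": ('"Role"', '"Name"')}


def open_sample_db():
    """Build the constructed database in memory (use sqlite3.connect(path)
    on a copy of the real database file instead)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def unmatchables(conn):
    """List (kind, name) pairs exactly as the page's SELECT reports them."""
    return [tuple(row) for row in conn.execute(UNMATCHABLES_SQL)]


def apply_dns(conn, dn_by_name):
    """Store each DN in UniqueDirectoryId, all-or-nothing.

    dn_by_name maps (kind, name) -> DN copied from ADUC or an LDAP browser.
    Bound parameters mean "CN=Tim O'Brien,..." needs no quote doubling. If a
    name matches zero rows (typo, already deleted) or several rows, the whole
    batch is rolled back and {} is returned; otherwise the applied mapping.
    """
    applied = {}
    try:
        with conn:  # commit on success, roll back if anything raises
            for (kind, name), dn in dn_by_name.items():
                table, col = TARGET[kind]
                cur = conn.execute(
                    f'UPDATE {table} SET "UniqueDirectoryId" = ? WHERE {col} = ?',
                    (dn, name),
                )
                if cur.rowcount != 1:
                    raise ValueError(f"{kind} {name!r} matched {cur.rowcount} rows")
                applied[(kind, name)] = dn
    except ValueError as err:
        print("rolled back:", err)
        return {}
    return applied


if __name__ == "__main__":
    db = open_sample_db()
    for kind, name in unmatchables(db):
        print(kind, name)
    print(apply_dns(db, {
        ("User", "obrien"): "CN=Tim O'Brien,OU=Staff,DC=example,DC=com",
        ("Role", "Vault Users"): "CN=Vault Users,OU=Groups,DC=example,DC=com",
    }))
```

Note that the query also lists rows whose UniqueDirectoryId still holds a DN (the LIKE '%=%' branch), so the rows you have just updated remain on the Unmatchables list until the migration link in the web client converts the DN into the directory's identifier; that is expected.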