
Re: Concerning openldap and netscape/iplanet



Thanks for the valuable advice.

I do have a replication agreement in place from the NS DS.

However, you did not address my issues with the aci attribute inherited from
Netscape, as I was having difficulties with this.

Did you also have to do any tweaking to the OpenLDAP schema besides adding the
copiedFrom attribute?

What tree are you replicating?

Julian

Jim Dutton wrote:

> Yes - I have done replication from and to Netscape DS, and I have
> learned about a few "gotchas"!
>
> Do you have a "Replication Agreements/Supplier Initiated/...."
> configuration in place on NS DS with the proper authentication to
> OpenLDAP?
>
> Next, you need to add ONE MORE attribute - "copiedFrom". I put it in
> "legacy.at.schema" since it is not one of MY attributes:
>
> # from NS DS-4.12
> attributetype ( copiedFrom-oid
>         NAME 'copiedFrom'
>         DESC 'NS DS-4.12 replication server identification field'
>         EQUALITY caseIgnoreMatch
>         SUBSTR caseIgnoreSubstringsMatch
>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
>
> Next, you need to "object/create LDIF file", extract the
> "copiedFrom" value from the appropriate subtree, and add this attribute
> and value to the OpenLDAP subtree to be replicated to. The last field is
> the replication number. For new replication processing, this should be
> set to zero.
>
> One of the "gotchas" about NS DS replication: you can't suspend it - you
> have to delete the "agreement" if you need/want to stop/suspend
> replication, unless you want to play games with assigning a new daily
> synch schedule.
>
> There are a few things about dealing with replication errors that I have
> run into as well.
>
> On 30 Apr, Julian Gordon wrote:
> > Jim,
> >
> > Excuse my ignorance, but as far as I understand it, it seems that in order
> > to replicate a tree from a master to a slave, you have to have a matching
> > schema defined in the slave.
> >
> > Now, upon trying to implement the Netscape Tree for NsCalUser into OpenLDAP,
> > it barfed, saying that it did not recognise the aci attribute in Top... This
> > came from Netscape directly.
> >
> > So I added the definition of the aci attribute (and a slew of others that
> > were also missing), and managed to get OpenLDAP to accept this Netscape
> > tree...
> >
> > Replication still has not occurred though...
> >
> > Have you managed to replicate a tree from Netscape to OpenLDAP & vice-versa?
> >
> > Thanks,
> > Julian
> >
> > Jim Dutton wrote:
> >
> >> Modify core.schema as follows:
> >> ========== core.schema ======================
> >> # legacy defined attribute; 1 Feb 2001, JED
> >> #attributetype ( 1.3.6.1.4.1.9036.1.1
> >> attributetype ( aci-oid
> >>         NAME 'aci'
> >>         DESC 'Access Control Instruction'
> >>         EQUALITY caseIgnoreMatch
> >>         SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
> >> #
> >> # Standard object classes from RFC2256
> >> # modified 1 Feb 2001 - JED - add aci
> >> objectclass ( 2.5.6.0 NAME 'top' ABSTRACT
> >>         MUST objectClass
> >>         MAY aci )
> >>
> >> Note that OpenLDAP does not "support" ACI so even if the attribute is
> >> defined, OpenLDAP will not use nor update it. Replication from Netscape
> >> to OpenLDAP WILL cause the attribute to be used and the Netscape ACI
> >> data stored. After that, Netscape doesn't care about what happens to the
> >> ACI attribute stored in OpenLDAP.
> >>
> >> On 12 Apr, Julian Gordon wrote:
> >> >
> >> > Is it possible to replicate from netscape to openldap?
> >> >
> >> > I wish to create an alias list in openldap that will be accessed by
> >> > postfix (or some other LDAP aware MTA), but am finding difficulty in
> >> > creating the schema in openldap due to the missing aci attribute
> >> > defined by netscape.

--

Julian M. Gordon
Harvard Business School
Tel : (617) 495-6738
Cell: (508) 561-3907
JGordon@hbs.edu
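The schema edits quoted in this thread only let slapd store the Netscape aci attribute; as Jim points out, OpenLDAP neither evaluates nor updates it, so any access rules that arrive from the Netscape tree are inert on the OpenLDAP replica and have to be re-expressed as slapd access directives. As an added example (my own code, not from the thread, from OpenLDAP or from Netscape DS), the script below parses an LDIF export offline, lists every entry that carries aci values, and summarises each rule so an administrator can see which ones still lack an equivalent on the OpenLDAP side. The sample LDIF and its ACI strings are constructed; the summary regexes assume the Netscape `acl "name"; allow (rights)` syntax used in those samples.

```python
"""Audit an LDIF export for Netscape/iPlanet 'aci' values that slapd will store but never enforce."""
import base64
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample ACI (Netscape syntax), base64-encoded into the LDIF below
# to exercise the '::' value form that exports commonly use for long values.
ADMIN_ACI = ('(targetattr = "*")(version 3.0; acl "admin write"; '
             'allow (write) userdn = "ldap:///cn=Directory Manager,o=example";)')

# Constructed sample export: one folded aci, one base64 aci, one entry without aci.
SAMPLE_LDIF = """\
# constructed export, not real directory data
dn: o=example
objectClass: top
objectClass: organization
o: example
aci: (targetattr = "*")(version 3.0; acl "anon read"; allow (read, search,
  compare) userdn = "ldap:///anyone";)

dn: ou=aliases,o=example
objectClass: top
objectClass: organizationalUnit
ou: aliases
aci:: {b64}

dn: cn=postmaster,ou=aliases,o=example
objectClass: top
objectClass: inetOrgPerson
cn: postmaster
sn: alias
mail: postmaster@example.test
""".format(b64=base64.b64encode(ADMIN_ACI.encode("utf-8")).decode("ascii"))

Entry = Dict[str, List[str]]


def _unfold(text: str) -> Iterator[str]:
    """Join LDIF continuation lines: a line beginning with one space continues the previous line."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]
            continue
        if buf is not None:
            yield buf
        buf = raw
    if buf is not None:
        yield buf


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: entries separated by blank lines, attribute names lower-cased,
    '::' values base64-decoded, '#' comment lines skipped."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text):
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):  # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


_ACL_NAME = re.compile(r'acl\s+"([^"]*)"')
_RIGHTS = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)')


def summarise_aci(value: str) -> Tuple[str, List[Tuple[str, List[str]]]]:
    """Best-effort extraction of the acl name and allow/deny right lists from a Netscape ACI string."""
    name = _ACL_NAME.search(value)
    rights = [(kind, [r.strip() for r in body.split(",")]) for kind, body in _RIGHTS.findall(value)]
    return (name.group(1) if name else "<unnamed>", rights)


def audit(text: str) -> List[Tuple[str, str, List[Tuple[str, List[str]]]]]:
    """Return (dn, acl name, rights) for every aci value in the export; each is a rule slapd ignores."""
    report = []
    for entry in parse_ldif(text):
        for aci in entry.get("aci", []):
            acl, rights = summarise_aci(aci)
            report.append((entry["dn"][0], acl, rights))
    return report


if __name__ == "__main__":
    for dn, acl, rights in audit(SAMPLE_LDIF):
        print(f"{dn}: acl {acl!r} -> {rights}  (stored only; needs an 'access to' directive in slapd.conf)")
```

Run it against a real `ldapsearch -LLL` or `db2ldif` export instead of `SAMPLE_LDIF` to get the list of entries whose Netscape rules need translating; the regex summary is deliberately shallow, so treat its output as a checklist rather than a faithful translation of each ACI.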