[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Migrating iPlanet to OpenLDAP

To: nicholas_buro@merck.com
Subject: Re: Migrating iPlanet to OpenLDAP
From: jimd@siu.edu
Date: Mon, 23 Jul 2001 14:50:49 -0500 (CDT)
Cc: openldap-software@OpenLDAP.org
In-reply-to: <A33B09832F4CD411974400508BCF8F2B013B9359@uswsmx18.merck.com>

Yes - it should be possible to migrate NS DS data to OpenLDAP, with some
caveats, however. Note that "NS DS" ~= "iP DS", depending on version.

1) make sure that your NS DS LDIF export/backup/db dump contains
"user data" only (ie; no "machine" or LDAP host, schema, or
configuration data). If you have multiple "user" LDAP suffixes in NS DS,
you might want to dump them to seperate files.

2) the schema definitions between NS DS and OpenLDAP may not match. If
you are using OpenLDAP V1, then NS DS <= V4 schema format is fairly
similar between the two, but may still need some tweeking. If you are
using OpenLDAP V2 and NS DS <= V4, they are quite different. Refer to
openldap.org's online Administrator's Guide for OpenLDAP V2 schema
format.

3) before you import any NS DS "user data" via LDIF, the objectclasses
and attributes used in the NS DS "data" need to be examined to see if
there are objectclasses and attributes that will need to be added to
OpenLDAP's "schema" files. This will be particularly true for locally
defined OC's and AT's.

4) if the LDAP suffix for the NS DS "user data" does not exist in the
OpenLDAP configuration, then either it will need to be added, or the NS
DS "user data" will need to be modified to match a suffix in OpenLDAP.

5) unfortunately, NS DS has more supported matching rules than OpenLDAP
 does, at this time. You may find that some of the NS DS attributes that
 you wish to import into OpenLDAP will be "unsupported" because there is
 no existing matching rule code, as of yet. If so, you may have to
 either choose other attributes or choose other supported matching rules
 (again, refer to OpenLDAP's online Admin Guide).

6) if you are using iP DS V5, then the schema format is closer to
 OpenLDAP V2, but includes one additional keyword, "X-ORIGIN", plus an 
 <origin source>

7) you may have to add or change any OID's between NS DS and OpenLDAP
 when adding attributes to OpenLDAP. OpenLDAP V2 requires an OID, V1
 does not. You will have to decide what to do with any NS specific
 attributes in your data.

Once all required OC's and AT's are included in OpenLDAP's "schema
files", then you should be able to import the NS DS "user data".

On 23 Jul, Buro, Nicholas wrote:
> Hi All,
> 
> I am currently running Netscape iPlanet, and wish to try to move to OpenLDAP
> using and exported LDIF from Netscape. Unfortunately I am not able to import
> (ldapadd) the LDIF from Netscape into OpenLDAP. I setup the config
> identically, but still get errors such as DSE already exists, and invalid
> credentials, depending whether or not I cut some information from the LDIF..
> 
> Does anyone know if this is possible, and where I might be able to find more
> information.

Follow-Ups:
- Re: Migrating iPlanet to OpenLDAP
  - From: jimd@siu.edu

References:
- Migrating iPlanet to OpenLDAP
  - From: "Buro, Nicholas" <nicholas_buro@merck.com>

Prev by Date: Migrating iPlanet to OpenLDAP - question 2
Next by Date: sync userpassword attr with sasl password
Index(es):
- Chronological
- Thread