
Migration from NS Directory 3.1 to OpenLDAP 1.2.11 (ITS#923)



Full_Name: Dirk Datzert / Rasselstein Hoesch GmbH
Version: 1.2.11
OS: Linux 1.2.16
URL: http://www.datzert.purespace.de/openldap/
Submission from: (NULL) (62.104.216.64)


This is not a question or a problem.
It is a result of a migration project for use by other OpenLDAP users.
This result brings together several hints from the OpenLDAP-FAQ/ITS in one complete
document.

---------------------------------------

Migration from Netscape Directory Server 3.1 to
OpenLDAP 1.2.11

With permission of and respect to my employer Rasselstein Hoesch GmbH (please
visit our homepage:
http://www.rasselstein-hoesch.de ) I give a little migration report from our
work.

The environment
===============

Our environment was the following:

Netscape Administration Server 3.5
Netscape Enterprise Server 3.5
Netscape Directory Server 3.1
Netscape Calendar Server 3.5
Netscape Proxy Server x.y
Netscape Message Server 3.5
under IBM AIX 4.2

Our destination (for the LDAP Server in first step) is the following:

OpenLDAP 1.2.11 
under Linux SuSE 7.0 on a Compaq Proliant DL360 platform

Starting at OpenLDAP-FAQ
========================

We found several hints on OpenLDAP-FAQ and the OpenLDAP-ITS but not all of our
problems could be solved.

Analyse with Ethereal
=====================

We analysed the LDAP protocol between AIX and Linux via Ethereal and could see
that Netscape Admin does an
LDAP_MOD_REPLACE action with no values given, which does not conform to RFC 1777.
We patched the
OpenLDAP server to accept this (servers/slapd/modify.c) and do an
LDAP_MOD_DELETE instead. Afterwards we
got a 'No such attribute' error when we administered the mail entry of a user who
was not licensed before. The Netscape
Admin server does an LDAP_MOD_REPLACE, which we patched to LDAP_MOD_DELETE. But if
the attribute is not in the
ldbm this is not allowed. So we patched that too (servers/slapd/back-ldbm/modify.c,
in two places).
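To make the two modify-handling changes concrete, here is an added example (not code from the ITS report and not OpenLDAP's own modify.c) that models them on an in-memory entry: a valueless LDAP_MOD_REPLACE is treated as an LDAP_MOD_DELETE of the whole attribute, and deleting an attribute that is absent is tolerated instead of failing with 'No such attribute'. Both behaviours are switchable so the unpatched result can be seen as well. Entry contents, the `netscape_admin_unlicense` helper and the constant values are constructed for the example; for reference, LDAPv3 (RFC 2251, section 4.6) later specified exactly this replace-with-no-values semantics.

```python
"""Added example, not part of the ITS report or of OpenLDAP's code.

Models the two modify-handling changes the report describes:
  1. servers/slapd/modify.c: an LDAP_MOD_REPLACE carrying no values is
     handled as an LDAP_MOD_DELETE of the whole attribute.
  2. servers/slapd/back-ldbm/modify.c: deleting an attribute that is not
     present in the entry no longer fails with 'No such attribute'.
Entries are plain dicts; attribute names compare case-insensitively, as in
LDAP. The operation constants are this example's own, named after the report.
"""

LDAP_MOD_ADD = 0
LDAP_MOD_DELETE = 1
LDAP_MOD_REPLACE = 2


class NoSuchAttribute(Exception):
    """Mirrors the LDAP noSuchAttribute result the report saw."""


def _find_key(entry, attr):
    """Return the stored key matching attr case-insensitively, or None."""
    low = attr.lower()
    for key in entry:
        if key.lower() == low:
            return key
    return None


def apply_modify(entry, mods, valueless_replace_deletes=True, tolerate_missing=True):
    """Apply a list of (op, attr, values) modifications to a copy of entry.

    valueless_replace_deletes -- the modify.c change: REPLACE with [] becomes DELETE.
    tolerate_missing          -- the back-ldbm change: DELETE of an absent attribute
                                 (or of absent values) is a no-op, not an error.
    Works on a copy, so a modify that raises leaves the caller's entry untouched,
    as a real server must leave its database.
    """
    new = {k: list(v) for k, v in entry.items()}
    for op, attr, values in mods:
        values = list(values)
        if op == LDAP_MOD_REPLACE and not values:
            if not valueless_replace_deletes:
                raise ValueError("protocol error: replace with no values")
            op = LDAP_MOD_DELETE  # the servers/slapd/modify.c change
        key = _find_key(new, attr)
        if op == LDAP_MOD_ADD:
            if key is None:
                new[attr] = values
            else:
                new[key].extend(v for v in values if v not in new[key])
        elif op == LDAP_MOD_REPLACE:
            if key is not None:
                del new[key]
            new[attr] = values
        elif op == LDAP_MOD_DELETE:
            if key is None:
                if tolerate_missing:  # the back-ldbm/modify.c change
                    continue
                raise NoSuchAttribute(attr)
            if not values:
                del new[key]  # delete the whole attribute
            else:
                missing = [v for v in values if v not in new[key]]
                if missing and not tolerate_missing:
                    raise NoSuchAttribute(f"{attr}: {missing}")
                remaining = [v for v in new[key] if v not in values]
                if remaining:
                    new[key] = remaining
                else:
                    del new[key]
        else:
            raise ValueError(f"unknown modify op {op}")
    return new


def netscape_admin_unlicense(entry):
    """Constructed request: what the report saw on the wire when Netscape Admin
    cleared a user's mail attribute, a REPLACE carrying no values."""
    return apply_modify(entry, [(LDAP_MOD_REPLACE, "mail", [])])


if __name__ == "__main__":
    licensed = {"cn": ["Test User"], "mail": ["test.user@example.com"]}
    print(netscape_admin_unlicense(licensed))       # mail attribute removed
    never_licensed = {"cn": ["Test User"]}
    print(netscape_admin_unlicense(never_licensed))  # no error with the back-ldbm change
    try:
        apply_modify(never_licensed, [(LDAP_MOD_DELETE, "mail", [])], tolerate_missing=False)
    except NoSuchAttribute as err:
        print("unpatched back-ldbm behaviour: No such attribute:", err)
```

Running the file shows the three cases from the report in order: the licensed user loses the mail attribute, the never-licensed user's entry is left as it was, and with `tolerate_missing=False` the same request reproduces the 'No such attribute' error. Note that the copy-then-commit structure is what keeps a rejected modify from half-applying a multi-operation request.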

After that main problem we tested the replica function just to see if it works
from Netscape Directory Server to
OpenLDAP. Everything worked well, but we forgot to remove the updatedn in the
slapd.conf, which led us to our
next problem:

Encrypted Password usage
========================

Through the Netscape Admin interface on the user view we tried to change public
attributes, as every user should be able
to do this. First there was the known problem (we found this on OpenLDAP-ITS)
that the attribute userPassword
should be defined as 'ces', not as 'bin', if you use encrypted passwords in the
ldbm.

Change netscape.at.conf as follows:

attribute userPassword ces


After changing netscape.at.conf and loading the LDBM again, we could
authenticate to the user interface. We
set defaultaccess to write until our access rules are tested. On an
LDAP_MOD_REQUEST we got a 'No such object'
error from ldapmodify and Netscape Admin. Think of our replica test: the updatedn
in slapd.conf forbids an update
from any user!!! After turning off updatedn the user modifications worked fine.

Netscape Calendar integration
=============================

The next big problem was the Netscape Calendar server (the Version.c modification
was found on OpenLDAP-FAQ
and worked fine; it is included in the patch below ;-) ). When we tried to add our
LDIF data from the old database to the new
one, an objectclass violation on nsCalXItemID was reported. We compared the
netscape.oc.conf schema of
objectclass nsCalAdmin against the schema of our Netscape Directory, which
we could see like this:
ldap://ourLdapServer/cn=schema. We found that the 'cn' attribute should be an
allowed attribute, whereas in the
netscape.oc.conf schema from the OpenLDAP-FAQ the 'cn' attribute was listed
as required.

Change netscape.oc.conf as follows:

objectclass nsCalAdmin
        requires
                objectClass
        allows
                cn,
                facsimileTelephoneNumber,
                generationQualifier,
                ...

We fixed this bug and everything else worked fine.

No problems with web-/proxy- and mail-server :-))))

Turning on access rules
=======================

After all that we turned on the access rules, which we got from
ldap://ourLdapServer/o=ourRoot. We use an 'access to
group directive' for the Netscape Administrators with objectClassValue =
'groupOfUniqueNames' and
attrValueName = 'uniqueMember'. We had to go through the source code of
servers/slapd/aclparse.c to find the
directive. For documentation: the configure option --enable-aclgroups will
enable the following access directive:

access to ... by group[dn] [ / <objectClassValue> (default: groupOfNames) [ / <attrValueName> (default: member) ]] = <dnexp>

See the slapd.conf below for an example configuration ;-)
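The following is an added example, not code from the report, from its slapd.conf or from OpenLDAP's aclparse.c. It models the two access decisions the report ran into: the group clause enabled by --enable-aclgroups, written here as `group[/<objectClassValue>[/<attrValueName>]]=<dn>` with the defaults named above (groupOfNames, member), and the replica updatedn that denied every other user's write in the "Encrypted Password usage" section. The directory entries, the group DN under o=ourRoot and the `by` clause list are constructed placeholders; the updatedn handling (only the updatedn may write, ACLs still evaluated for it) is this model's assumption.

```python
"""Added example, not from the ITS report or from OpenLDAP's own aclparse.c.

A minimal model of two slapd.conf access decisions the report describes:
  * the 'by group' clause enabled with --enable-aclgroups, written as
    group[/objectClass[/memberAttr]]=<dn>, defaults groupOfNames / member;
  * the updatedn directive, which on a replica reserves write access to the
    one DN named there (the report's "No such object" dead end).
Directory contents and DNs are constructed; o=ourRoot follows the report.
"""
import re


def normalize_dn(dn):
    """Toy DN matching: lower-case and strip whitespace around RDN separators."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_group_clause(clause):
    """Parse 'group[/objectClass[/memberAttr]]=<dn>' into (objectClass, memberAttr, dn).
    Missing parts take the defaults the report documents: groupOfNames and member."""
    m = re.fullmatch(r"group(?:/([^/=]+)(?:/([^=]+))?)?=(.+)", clause.strip())
    if not m:
        raise ValueError(f"not a group clause: {clause!r}")
    oc, attr, dn = m.groups()
    return oc or "groupOfNames", attr or "member", dn.strip().strip('"')


def _get(entry, attr):
    """Case-insensitive attribute lookup; absent attribute reads as no values."""
    low = attr.lower()
    for k, v in entry.items():
        if k.lower() == low:
            return v
    return []


def is_group_member(directory, clause, bind_dn):
    """True only if the group entry exists, carries the required objectClass
    and lists bind_dn in the member attribute; every other case denies."""
    oc, attr, group_dn = parse_group_clause(clause)
    group = directory.get(normalize_dn(group_dn))
    if group is None:
        return False
    if oc.lower() not in (v.lower() for v in _get(group, "objectClass")):
        return False
    members = {normalize_dn(m) for m in _get(group, attr)}
    return normalize_dn(bind_dn) in members


def may_write(directory, bind_dn, target_dn, by_clauses, updatedn=None):
    """Decide whether bind_dn may write target_dn.

    by_clauses: list of (who, level) from one access directive, evaluated in
    order; the first matching 'who' decides, as slapd does. When updatedn is
    set (replica), any other bind is refused before the ACL is consulted
    (assumption of this model, matching the report's symptom)."""
    if updatedn is not None and normalize_dn(bind_dn) != normalize_dn(updatedn):
        return False
    for who, level in by_clauses:
        matched = (
            who == "*"
            or (who == "self" and normalize_dn(bind_dn) == normalize_dn(target_dn))
            or (who.startswith("group") and is_group_member(directory, who, bind_dn))
        )
        if matched:
            return level == "write"
    return False


# Constructed directory: one groupOfUniqueNames and one ordinary user.
DIRECTORY = {
    normalize_dn("cn=Netscape Administrators,o=ourRoot"): {
        "objectClass": ["top", "groupOfUniqueNames"],
        "cn": ["Netscape Administrators"],
        "uniqueMember": ["uid=admin1,ou=People,o=ourRoot"],
    },
    normalize_dn("uid=alice,ou=People,o=ourRoot"): {
        "objectClass": ["person"], "uid": ["alice"],
    },
}
ADMIN_CLAUSE = 'group/groupOfUniqueNames/uniqueMember="cn=Netscape Administrators,o=ourRoot"'
BY_CLAUSES = [(ADMIN_CLAUSE, "write"), ("self", "write"), ("*", "read")]

if __name__ == "__main__":
    alice = "uid=alice,ou=People,o=ourRoot"
    print(may_write(DIRECTORY, "uid=admin1,ou=People,o=ourRoot", alice, BY_CLAUSES))  # True
    print(may_write(DIRECTORY, alice, alice, BY_CLAUSES))                              # True
    print(may_write(DIRECTORY, "uid=bob,ou=People,o=ourRoot", alice, BY_CLAUSES))    # False
    print(may_write(DIRECTORY, alice, alice, BY_CLAUSES, updatedn="cn=replica,o=ourRoot"))  # False
```

Two points worth noticing when reading the output: the objectClass check matters, since a `group/groupOfNames/member=...` clause pointed at the same groupOfUniqueNames entry denies even a listed administrator, and the last call reproduces the report's replica mistake, where a leftover updatedn turns every self-service write into a refusal regardless of how permissive the access rules are.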

Changes, Hacks & Patches
========================

Netscape Attribute definition:
http://www.datzert.purespace.de/openldap/netscape.at.conf
Netscape Objectclass definition:
http://www.datzert.purespace.de/openldap/netscape.oc.conf
Netscape Index definitions:
http://www.datzert.purespace.de/openldap/netscape.index.conf

OpenLDAP configuration example:
http://www.datzert.purespace.de/openldap/slapd.conf
OpenLDAP patch for Version 1.2.11:
http://www.datzert.purespace.de/openldap/netscape.patch (new configure option: --enable-netscape)

everything as whole package:
http://www.datzert.purespace.de/openldap/openldap-1.2.11-netscape.tgz

----------------

Best Regards, 

Dirk Datzert mailto:dirk@datzert.de

Rasselstein Hoesch GmbH
webmaster in the IT department

Saturday, 9. December 2000 11:50 CET