
Re: Migrating iPlanet to OpenLDAP

I forgot about NS DS ACI's and OpenLDAP. As far as I can remember, V1
OpenLDAP does not support ACI's. While OpenLDAP V2 does have an aci
attribute, it is experimental at this time, and you need to tweak the
"top" declaration in the core.schema file to get the same effect as NS
DS with respect to allowing an aci attribute in any entry.

NS DS ACI's will have to be converted to OpenLDAP ACL's (again, refer to
online openldap.org Admin Guide). If you have never dealt with OpenLDAP
ACL's before, you will learn that they are placed in an external file,
and not in the LDAP DIT. Complex NS DS ACI's, with multiple
<permission><bind rule> sets, should first be re-written as multiple
ACI's with only one <permission><bind> rule set each. Then they can be
easily converted to OpenLDAP ACL's.

OpenLDAP ACL's are only read once at SLAPD daemon start-up time. They
cannot be modified "on the fly" and work. The SLAPD daemon needs to be
restarted. LDAP-based applications have no access to OpenLDAP ACL's, so
they cannot modify them.

> On 23 Jul, Buro, Nicholas wrote:
>> Hi All,
>> I am currently running Netscape iPlanet, and wish to try to move to OpenLDAP
>> using an exported LDIF from Netscape. Unfortunately I am not able to import
>> (ldapadd) the LDIF from Netscape into OpenLDAP. I set up the config
>> identically, but still get errors such as DSE already exists, and invalid
>> credentials, depending whether or not I cut some information from the LDIF.
>> Does anyone know if this is possible, and where I might be able to find more
>> information.
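
The splitting step described in the reply above, as an added example that is not part of the original thread: it rewrites one NS DS ACI carrying several <permission><bind rule> sets as several ACIs with one set each. The function names and the sample ACI are constructed for illustration, and the code assumes the standard `(targets)(version 3.0; acl "name"; permission bind_rule; ...)` layout.

```python
import re

# Constructed sample: one NS DS ACI carrying two <permission><bind rule> sets.
SAMPLE_ACI = ('(targetattr="userPassword")'
              '(version 3.0; acl "pw policy; constructed"; '
              'allow (write) userdn="ldap:///self"; '
              'deny (read,search) userdn="ldap:///anyone";)')

def split_top_level(text, sep=";"):
    """Split on sep, ignoring separators inside double-quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return parts

def split_aci(aci):
    """Return one ACI string per <permission><bind rule> set found in aci."""
    aci = aci.strip()
    start = aci.find("(version")
    if start < 0 or not aci.endswith(")"):
        raise ValueError("no (version ...) clause in ACI: %r" % aci)
    targets = aci[:start]                 # (target=...)(targetattr=...) prefix
    fields = split_top_level(aci[start + 1:-1])
    if len(fields) < 3 or not fields[1].startswith("acl "):
        raise ValueError("expected version, acl name and at least one rule")
    version, name, rules = fields[0], fields[1], fields[2:]
    for rule in rules:
        # Every remaining field must be a permission followed by a bind rule.
        if not re.match(r"(allow|deny)\s*\(", rule):
            raise ValueError("unrecognised permission clause: %r" % rule)
    return ["%s(%s; %s; %s;)" % (targets, version, name, r) for r in rules]

if __name__ == "__main__":
    for single in split_aci(SAMPLE_ACI):
        print("aci:", single)
```

Each resulting ACI keeps the original targets and name, so it can be converted by hand to one OpenLDAP ACL clause. NS DS lets a deny override an allow regardless of position, while OpenLDAP applies the first matching clause, so the order of the converted clauses has to be chosen deliberately.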