I.6 Migrating to NetIQ eDirectory

Migrating the Sun ONE Schema to NetIQ eDirectory

To migrate the Sun ONE schema to NetIQ eDirectory, complete the following steps:

Step 1: Perform the Schema Cache Update Operation

You can write the errors encountered while comparing the schema to an error file using the following command:

ice -e LDIF_error_file_name -C -a -SLDAP -s Sun_ONE_server -p Sun_ONE_port -DLDAP -s eDirectory_server -p eDirectory_port

For example:

ice -e err.ldf -C -a -SLDAP -s sun_srv1 -p sun_port1 -DLDAP -s edir_srv2 -p edir_port2

Any errors encountered while comparing the schema are written to the error file (err.ldf in the example). You do not need to log in to perform this operation unless one of the servers requires authentication in order to read the Root DSE. Microsoft Active Directory requires authentication to read the Root DSE.

Step 2: Rectify the Error LDIF File to Eliminate the Errors

  • Sun ONE defines some schema definitions publicly that eDirectory does not. These include attributes like objectClasses, attributeTypes, ldapSyntaxes, and subschemaSubentry. These definitions exist internally and are very important to the schema, and therefore they cannot be modified. Operations that try to modify these definitions result in the following error:

    LDAP error : 53 (DSA is unwilling to perform)

    Any records that contain references to these definitions cause the following error:

    LDAP error : 16 : ( No such attribute )

    Thus, records that contain any reference to these objects or that try to modify these definitions need to be commented in the LDIF error file (err.ldf in the example).

  • Some objectClasses definitions in Sun ONE do not have naming attributes. Adding these objectClasses would result in the following error in eDirectory:

    LDAP error : 80 (NDS error: ambiguous naming (-651))

    This error occurs because Sun ONE does not use the same method for determining naming rules as eDirectory.

    To solve this, you can use any one of the three following options:

    Option 1:

    Go through each of the offending objectClasses and add a valid naming attribute to each of them.

    For example:

    To add the naming attribute cn to the objectClass netscapeMachineData, modify the corresponding entry in the err.ldf file to include the X-NDS_NAMING flag as shown below:

    dn: cn=schema
    changetype: modify
    add: objectClasses
    objectClasses: ( 2.16.840.1.113730.3.2.32 NAME 'netscapeMachineData'
     DESC 'iPlanet defined objectclass' SUP top STRUCTURAL MAY cn X-NDS_NAMING 'cn' )
    -

    Option 2:

    Go through each of the offending objectClasses and make them AUXILIARY or ABSTRACT.

    For example:

    To modify the definition of objectClass netscapeMachineData from STRUCTURAL to AUXILIARY, modify the corresponding err.ldf file entry as shown below:

    dn: cn=schema
    changetype: modify
    add: objectClasses
    objectClasses: ( 2.16.840.1.113730.3.2.32 NAME 'netscapeMachineData'
     DESC 'iPlanet defined objectclass' SUP top AUXILIARY )
    -

    To modify the definition of objectClass netscapeMachineData from STRUCTURAL to ABSTRACT, modify the corresponding err.ldf file entry as shown below:

    dn: cn=schema
    changetype: modify
    add: objectClasses
    objectClasses: ( 2.16.840.1.113730.3.2.32 NAME 'netscapeMachineData'
     DESC 'iPlanet defined objectclass' SUP top ABSTRACT )
    -

    Option 3:

    Add cn to the definition of Top in eDirectory, which provides a potential naming attribute for all objectClasses.

    There are two ways of adding cn to Top:

    • Method 1:

      Create a file as shown below and name it topsch.ldf.

      version: 1
      dn: cn=schema
      changetype: modify
      delete: objectclasses
      objectclasses: ( 2.5.6.0 NAME 'top' STRUCTURAL )
      -
      add: objectclasses
      objectclasses: ( 2.5.6.0 NAME 'top' STRUCTURAL MAY cn )

      Use the following NetIQ Import Conversion Export command line:

      ice -SLDIF -f LDIF_file_name -DLDAP -s eDirectory_server -p eDirectory_port -d eDirectory_Admin_DN -w eDirectory_password

      For example:

      ice -SLDIF -f topsch.ldf -DLDAP -s edir_srv2 -p edir_port2 -d cn=admin,o=org -w pwd1

    • Method 2:

      1. In NetIQ iManager, click the Roles and Tasks button.

      2. Click Schema > Add Attribute.

      3. In the Available Classes list, select Top, then click OK.

      4. Double-click CN in the Available Optional Attributes list.

      5. Click OK.

  • Some objectClass definitions contain userPassword as part of their mandatory attributes list. Adding such objectClasses to eDirectory causes the following error:

    LDAP error : 16 (No such attribute)

    To resolve this error, modify the objectClass definition to inherit the new objectClass from ndsLoginProperties and remove the userPassword attribute from the mandatory attribute list.

    For example:

    An objectClass containing userPassword in the mandatory attributes list:

    version: 1
    dn: cn=schema
    changetype: modify
    add: objectClasses
    objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC '
     Standard LDAP objectClass' SUP top STRUCTURAL MUST userPassword )

    needs to be modified as follows (notice the change to the last line):

    version: 1
    dn: cn=schema
    changetype: modify
    add: objectClasses
    objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC '
     Standard LDAP objectClass' SUP (ndsLoginProperties $ top) STRUCTURAL)
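The three rewrites described above (adding X-NDS_NAMING, turning STRUCTURAL into AUXILIARY, and replacing a mandatory userPassword with inheritance from ndsLoginProperties) can be applied to err.ldf with a short script instead of by hand. This is an added example, not part of the NetIQ documentation or the ice tool; the objectClass names passed to fix_error_ldif and the two sample err.ldf records are constructed, and the script writes each definition on one unfolded line.

```python
import re

# One objectClass definition per unfolded line: prefix, definition, NAME.
OC_RE = re.compile(r"^(objectClasses: )(\( .*? NAME '([^']+)'.*\))$", re.M | re.I)

def unfold(ldif):
    """Join LDIF continuation lines (a leading single space marks a fold)."""
    return re.sub(r"\r?\n ", "", ldif)

def add_naming(defn, attr="cn"):  # Option 1: flag a naming attribute
    return defn[:defn.rfind(")")].rstrip() + f" X-NDS_NAMING '{attr}' )"

def make_auxiliary(defn):  # Option 2: AUXILIARY classes need no naming attribute
    return re.sub(r"\bSTRUCTURAL\b", "AUXILIARY", defn)

def drop_user_password(defn):
    """Remove userPassword from MUST and inherit from ndsLoginProperties instead."""
    m = re.search(r"\bMUST\s+(\(([^)]*)\)|(\S+))", defn)
    if m:
        attrs = [a.strip() for a in (m.group(2) or m.group(3)).split("$")]
        attrs = [a for a in attrs if a.lower() != "userpassword"]
        must = "" if not attrs else " MUST " + (
            attrs[0] if len(attrs) == 1 else "( " + " $ ".join(attrs) + " )")
        defn = defn[:m.start()].rstrip() + must + defn[m.end():]
    if re.search(r"\bSUP\s+\(", defn):  # SUP ( a $ b ) -> SUP ( ndsLoginProperties $ a $ b )
        return re.sub(r"\bSUP\s+\(\s*", "SUP ( ndsLoginProperties $ ", defn, count=1)
    return re.sub(r"\bSUP\s+(\S+)", r"SUP ( ndsLoginProperties $ \1 )", defn, count=1)

def fix_error_ldif(ldif, naming=(), auxiliary=(), login=()):
    """Apply the chosen fix to each named objectClass; returns unfolded LDIF text."""
    fixes = {**{n: add_naming for n in naming}, **{n: make_auxiliary for n in auxiliary},
             **{n: drop_user_password for n in login}}
    def rewrite(m):
        prefix, defn, name = m.groups()
        return prefix + (fixes[name](defn) if name in fixes else defn)
    return OC_RE.sub(rewrite, unfold(ldif))

# Constructed sample of two records a Sun ONE schema compare might write to err.ldf.
SAMPLE_ERR_LDF = """\
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.32 NAME 'netscapeMachineData' DESC 'iPla
 net defined objectclass' SUP top STRUCTURAL )
-
add: objectClasses
objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC '
 Standard LDAP objectClass' SUP top STRUCTURAL MUST userPassword )
"""
```

Calling fix_error_ldif(SAMPLE_ERR_LDF, naming={"netscapeMachineData"}, login={"simpleSecurityObject"}) returns the LDIF ready for the Step 3 import; records you need to comment out (references to the internal objectClasses, attributeTypes, ldapSyntaxes and subschemaSubentry definitions) are still edited by hand.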

Step 3: Import the LDIF File

Use the following NetIQ Import Conversion Export command to import the modified schema compare LDIF file (err.ldf in our example):

ice -e error_file -SLDIF -f modified_LDIF_file -DLDAP -s eDirectory_server -p eDirectory_port -d eDirectory_Admin_DN -w eDirectory_password

For example:

ice -e errors.ldf -SLDIF -f err.ldf -DLDAP -s edir_srv2 -p edir_port2 -d cn=admin,o=org -w pwd1

Migrating the Active Directory Schema to NetIQ eDirectory Using ICE

While migrating schema from Active Directory to NetIQ eDirectory using ICE, schema migration for the Computer objectClass fails with an ambiguous naming (-651) error.

To resolve this, complete the following steps:

Step 1: Perform the Schema Cache Update Operation

While migrating schema from Active Directory to NetIQ eDirectory using ICE, ensure that you have provided the error log option (-e) of ICE as follows:

ice -e error_file -S ldap -s Active_Directory_server -p Active_Directory_port -d Active_Directory_full_admin_context -w Active_Directory_password -D ldap -s eDirectory_server -p eDirectory_port -d eDirectory_full_admin_context -w eDirectory_password

For example:

ice -e err.ldf -S ldap -s activesrv1 -p activeport1 -d cn=admin,o=company -w activepwd -D ldap -s edirsrv2 -p edirport2 -d cn=admin,o=company -w edirpwd

Step 2: Rectify the Error LDIF File to Eliminate the Errors

The failed entry would be present in the err.ldf file as shown below:

dn: cn=schema
changetype: modify
delete: objectclasses
objectclasses: ( 2.16.840.1.113719.1.1.6.1.4 NAME 'computer' )
-
add: objectclasses
objectclasses: ( 2.16.840.1.113719.1.1.6.1.4 NAME 'computer' SUP (device $
 user ) STRUCTURAL MAY (operator $ server $ status $ cn $ networkAddress $
 localPolicyFlags $ defaultLocalPolicyObject $ machineRole $ location $
 netbootInitialization $ netbootGUID $ netbootMachineFilePath $ siteGUID $
 operatingSystem $ operatingSystemVersion $ operatingSystemServicePack $
 operatingSystemHotfix $ volumeCount $ physicalLocationObject $ dNSHostName
 $ policyReplicationFlags $ managedBy $ rIDSetReferences $ catalogs $
 netbootSIFFile $ netbootMirrorDataFile ) X-NDS_NOT_CONTAINER '1' X
 -NDS_NONREMOVABLE '1' X-NDS_NAME 'Computer' )
-

Modify this entry in the error file (err.ldf in the example) to remove the user objectClass from the list of superior objectClasses in the definition of the Computer objectClass, as shown below:

dn: cn=schema
changetype: modify
delete: objectclasses
objectclasses: ( 2.16.840.1.113719.1.1.6.1.4 NAME 'computer' )
-
add: objectclasses
objectclasses: ( 2.16.840.1.113719.1.1.6.1.4 NAME 'computer' SUP device
 STRUCTURAL MAY (operator $ server $ status $ cn $ networkAddress $ local
 PolicyFlags $ defaultLocalPolicyObject $ machineRole $ location $ 
 netbootInitialization $ netbootGUID $ netbootMachineFilePath $ siteGUID $
 operatingSystem $ operatingSystemVersion $ operatingSystemServicePack $
 operatingSystemHotfix $ volumeCount $ physicalLocationObject $ dNSHostName
 $ policyReplicationFlags $ managedBy $ rIDSetReferences $ catalogs $
 netbootSIFFile $ netbootMirrorDataFile ) X-NDS_NOT_CONTAINER '1' X
 -NDS_NONREMOVABLE '1' X-NDS_NAME 'Computer' )

Step 3: Import the LDIF File

Now, import the modified entry using the following ICE command:

ice -S ldif -f LDIF_file -D ldap -s Novell_eDirectory_server -p port_number -d full_admin_context -w password

For example:

ice -S ldif -f err.ldf -D ldap -s edirsrv1 -p edirport1 -d cn=admin,o=company -w pwd1

Migrating from OpenLDAP to NetIQ eDirectory

The data that is migrated from an OpenLDAP server can have MD5 passwords, which may cause the applications to break if the appropriate NetIQ Modular Authentication Service (NMAS) methods are not installed. The NMAS method, SimplePassword, needs to be installed for the NetIQ eDirectory using the command as below:

nmasinst -addmethod admin_context treename configfile -h Hostname:port -w password

For example: nmasinst -addmethod admin.novell eDir-Tree /Linux/eDirectory/nmas/NmasMethods/Novell/SimplePassword/config.txt -h eDir_srv:524 -w secret

Migrating the OpenLDAP Schema to eDirectory

To migrate the OpenLDAP schema to eDirectory, complete the following steps:

Step 1: Perform the Schema Cache Update Operation

You can write the errors encountered while comparing the schema to an error file using the following command:

ice -e error_file -C -a -S ldap -s OpenLDAP_server -p OpenLDAP_port -D ldap -s eDirectory_server -p eDirectory_port -d eDirectory_full_admin_context -w eDirectory_password

For example:

ice -e err.ldf -C -a -SLDAP -s open_srv1 -p open_port1 -DLDAP -s edir_srv2 -p edir_port2 -d cn=admin,o=novell -w secret

Any errors encountered while comparing the schema are written to the error file (err.ldf in the example).

Step 2: Rectify the Error LDIF File to Eliminate the Errors

OpenLDAP defines some schema definitions publicly, which include attributes like objectClasses, attributeTypes, ldapSyntaxes, and subschemaSubentry. These definitions exist internally and are very important to the schema, and therefore they cannot be modified. Operations that try to modify these definitions result in the following error:

LDAP error : 53 (DSA is unwilling to perform)

Any records that contain references to these definitions cause the following error:

LDAP error : 16 ( No such attribute )

Thus, records that contain any reference to these objects or that try to modify these definitions need to be commented in the LDIF error file (err.ldf in the example).

Migrating the OpenLDAP Data to NetIQ eDirectory

Execute the following command to migrate the data:

ice -e error_data.ldif -SLDAP -s OpenLDAP_server -p OpenLDAP_port -d admin_context -w password -t -b dc=blr,dc=novell,dc=com -F objectclass=* -DLDAP -d admin_context -w password -l -F

For example:

ice -e err_data.ldif -SLDAP -s open_srv1 -p open_port1 -d cn=administrator,dc=blr,dc=novell,dc=com -w secret1 -t -b dc=blr,dc=novell,dc=com -F objectclass=* -DLDAP -d cn=admin,o=novell -w secret2 -l -F

Some objects may also fail to import because of forward references and internal dependencies between objects; these failures may not break any applications.

Making PAM Work with NetIQ eDirectory After Migration

After migrating from OpenLDAP to eDirectory, you need to make some changes for PAM to work with eDirectory.

Changes in /etc/ldap.conf File

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
  binddn cn=admin,o=acme
  ...
# The credentials to bind with.
# Optional: default is no credential.
  bindpw secret
  ...
# The search scope.
  scope sub
  ...
# Filter to AND with uid=%s
  pam_filter objectclass=inetorgperson
  ...
# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
  pam_password nds
  ...
  ssl off
  ...

Changes to the Data in the Directory

This change is specific to the scenario where the user objects in OpenLDAP have CRYPT as the password hash algorithm.

Using iManager, add the following attribute with the specified value to the container having all the user objects:

Attribute: sasDefaultLoginSequence

Value: Simple Password