The data that is migrated from an OpenLDAP server can have MD5 passwords, which may cause the applications to break if the appropriate NetIQ Modular Authentication Service (NMAS) methods are not installed. The NMAS method, SimplePassword, needs to be installed for the NetIQ eDirectory using the command as below:
nmasinst -addmethod admin_context treename configfile -h Hostname:port-w password
For example: nmasinst -addmethod admin.novell eDir-Tree /Linux/eDirectory/nmas/NmasMethods/Novell/SimplePassword/config.txt -h eDir_srv:524 -w secret
To migrate the OpenLDAP schema to eDirectory, complete the following steps:
You can write the errors encountered while comparing the schema to an error file using the following command:
ice -e error_file -C -a -S ldap -s OpenLDAP_server -p Open_LDAP_port - D ldap -s eDirectory_server -p eDirectory_port -d eDirectory_full_admin_context -w eDirectory_password
For example:
ice -e err.ldf -C -a -SLDAP -s open_srv1 -p open_port1 -DLDAP -s edir_srv2 -p edir_port2 -d cn=admin,o=novell -w secret
Any errors encountered while comparing the schema is written to the error file (err.ldf in the example).
Open LDAP defines some schema definitions publicly, which include attributes like objectClasses, attributeTypes, ldapSyntaxes, and subschemSubentry. These definitions exist internally and are very important to the schema, and therefore, they cannot be modified. Operations that try to modify these definitions results in the following error:
LDAP error : 53 (DSA is unwilling to perform)
Any records that contain references to these definitions cause the following error:
LDAP error : 16 ( No such attribute )
Thus, records that contain any reference to these objects or that try to modify these definitions need to be commented in the LDIF error file (err.ldf in the example).
Execute the following command to migrate the data:
ice -e error_data.ldif -SLDAP -s OpenLDAP_server -p OpenLDAP_port -d admin_context -w password -t -b dc=blr,dc=novell,dc=com -F objectclass=* -DLDAP -d admin_context -w password -l -F
For example:
ice -e err_data.ldif -SLDAP -s open_srv1 -p open_port1 -d cn=administrator,dc=blr,dc=novell,dc=com -w secret1 -t -b dc=blr,dc=novell,dc=com -F objectclass=* -DLDAP -d cn=admin,o=novell -w secret2 -l -F
Some objects also may fail due to forward referencing and internal dependencies on the objects, which may not break any applications.
After migrating from OpenLDAP to eDirectory, you need to make some changes for PAM to work with eDirectory.
# The distinguished name to bind to the server with. # Optional: default is to bind anonymously. binddn cn=admin,o=acme ... # The credentials to bind with. # Optional: default is no credential. bindpw secret ... # The search scope. scope sub ... # Filter to AND with uid=%s pam_filter objectclass=inetorgperson ... # Remove old password first, then update in # cleartext. Necessary for use with Novell # Directory Services (NDS) pam_password nds ... ssl off ...
This change is only specific to the scenario where the users objects in OpenLDAP have CRYPT as the password hash algorithm.
Using iManager, add the following attribute with the specified value to the container having all the user objects:
Attribute: sasDefaultLoginSequence
Value: Simple Password