Novell Documentation: Novell eDirectory 8.7.3 - Migrating the Sun ONE Schema to Novell eDirectory

Migrating the Sun ONE Schema to Novell eDirectory

To migrate the Sun ONE schema to Novell eDirectory, complete the following steps:

Step 1: Perform the Schema Cache Update operation

Step 2: Rectify the error LDIF file to eliminate the errors

Step 1: Perform the Schema Cache Update operation

You can write the errors encountered while comparing the schema to an error file using the following command:

ice -e LDIF error file name -C -a -SLDAP -s Sun ONE server -p Sun ONE port -DLDAP -s eDirectory server -p eDirectory port

For example:

ice -e err.ldf -C -a -SLDAP -s sun_srv1 -p sun_port1 -DLDAP -s edir_srv2 -p edir_port2

Any errors encountered while comparing the schema is written to the error file (err.ldf in the example). You do not need to login to perform this operation unless one of the servers require authentication in order to read the Root DSE. Microsoft Active Directory requires authentication to read the Root DSE.

Step 2: Rectify the error LDIF file to eliminate the errors

Sun ONE defines some schema definitions publicly that eDirectory does not. This includes attributes like, "objectClasses", "attributeTypes", "ldapSyntaxes" and "subschemSubentry". These definitions exist internally and are very important to the schema, and therefore, they cannot be modified. Operations that try to modify these definitions results in the following error:
LDAP error : 53 (DSA is unwilling to perform)

Any records that contain references to these definitions cause the following error:

LDAP error : 16 : ( No such attribute )

Thus, records that contain any reference to these objects or that try to modify these definitions need to be commented in the LDIF error file (err.ldf in the example).
Some objectClasses definitions in Sun ONE do not have naming attributes. Adding these objectClasses would result in the following error in eDirectory:
LDAP error : 80 (NDS error: ambiguous naming (-651)

This error occurs because Sun ONE does not use the same method for determining naming rules as eDirectory.

To solve this, you can use any one of the three following options:
Option 1:

Go through each of the offending objectClasses and add a valid naming attribute to each of them.

For example:

To add the naming attribute [ cn ] to the objectclass "netscapeMachineData" modify the entry (that is emphasized in the example below) in the err.ldf file to include the X-NDS_NAMING flag as shown below:
```
dn: cn=schemachangetype: modifyadd: objectClassesobjectClasses: ( 2.16.840.1.113730.3.2.32 NAME 'netscapeMachineData'  
    DESC 'iPlanet defined objectclass' SUP top STRUCTURAL MAY 'cn'     X-NDS_NAMING 'cn' )-
```
Option 2:

Go through each of the offending objectClasses and make them AUXILIARY or ABSTRACT.

For example:

To modify the objectclass definition of objectclass "netscapeMachineData" from "STRUCTURAL" to "AUXILIARY", modify the err.ldf file entry (that is emphasized in the example below) as shown below:
```
dn: cn=schemachangetype: modifyadd: objectClassesobjectClasses: ( 2.16.840.1.113730.3.2.32 NAME 'netscapeMachineData'  
   DESC 'iPlanet defined objectclass' SUP top AUXILIARY )-
```
To modify the objectclass definition of objectclass "netscapeMachineData" from "STRUCTURAL" to "ABSTRACT", modify the err.ldf file entry (that is emphasized in the example below) as shown below:
```
dn: cn=schemachangetype: modifyadd: objectClassesobjectClasses: ( 2.16.840.1.113730.3.2.32 NAME 'netscapeMachineData'  
   DESC 'iPlanet defined objectclass' SUP top ABSTRACT )-
```
Option 3:

Add cn to the definition of Top in eDirectory, which causes a potential naming attribute for all objectClasses.

There are two ways of adding cn to Top:
- Method 1:
  
  Create a file as shown below and name it topsch.ldf.
```
version : 1
```
```
dn:cn=schema
```
```
changetype :modify
```
```
delete : objectclasses
```
```
objectclasses : ( 2.5.6.0 NAME 'top' STRUCTURAL )
```
```
-
```
```
add:objectclasses
```
```
objectclasses : (2.5.6.0 NAME 'top' STRUCTURAL MAY cn)
```
  Use the following Novell Import Conversion Export command line:
```
ice -SLDIF -f LDIF_file_name -DLDAP -s eDirectory_server -p eDirectory_port -d eDirectory_Admin_DN -w eDirectory_password
```
  For example:
```
ice -SLDIF -f topsch.ldf -DLDAP -s edir_srv2 -p edir_port2 -d cn=admin,o=org -w pwd1
```
- Method 2:
  
  1. In Novell iManager, click the Roles and Tasks button .
  
  2. Click Schema > Add Attribute.
  
  3. In the Available Classes list, select Top, then click OK.
  
  4. Double-click CN in the Available Optional Attributes list.
  
  5. Click OK.
Some objectClass definitions contain userPassword as part of their mandatory attributes list. Adding such objectClasses to eDirectory cause the following error:
LDAP error : 16 (No such attribute)

To resolve this error, modify the objectClass definition to inherit the new objectClass from ndsLoginProperties and remove the userPassword attribute from the mandatory attribute list.

For example:

An objectClass containing userPassword in the mandatory attributes list:
```
version : 1 
dn: cn=schemaz 
changetype: modify 
add: objectClasses 
objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC ' 
 Standard LDAP objectClass' SUP top STRUCTURAL MUST userPassword )
```
Needs to be modified as following (notice the change to the last line):
```
version : 1 
dn: cn=schema 
changetype: modify 
add: objectClasses 
objectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC ' 
 Standard LDAP objectClass' SUP (ndsLoginProperties $ top) STRUCTURAL )
```

Step 3: Import the LDIF File

Use the following Novell Import Conversion Export command to import the modified schema compare LDIF file (err.ldf in our example):

ice -e error_file -SLDIF -f modified_LDIF_file -DLDAP -s eDirectory_server -p eDirectory_port -d eDirectory_Admin_DN -w eDirectory_password

For example:

ice -e errors.ldf -SLDIF -f err.ldf -DLDAP -s edir_srv2 -p edir_port2 -d cn=admin,o=org -w pwd1