OS Installation and Configuration of SLAPD for OpenLDAP (Part 2)

posted June 5, 2014, 8:16 AM by

Joe Grant, Principal Architect

For this second part of the series, we will walk through the process of exporting the LDAP entries from the Oracle OID directory and importing them into the OpenLDAP directory. The general process here is to export the data, modify the export files and then to import the data.

To give you some information on scale and time, I had a directory that had ~12,000 objects that needed to be exported. Overall the export process took less than 20 minutes. To modify the export files took less than 5 minutes once the scripts had been created, and the import process took less than 15 minutes.

Data export

At this point, the DIT is ready for at least some objects to be imported. Before this can happen, the user and group information has to be pulled. For this log onto the OID server and run the following commands. Once the export files have been created they will need to be copied to the OpenLDAP server.

$ ldapsearch –H localhost –p 3060 –D “cn=orcladmin” –w  -

b “cn=users,dc=example,dc=com” “(objectClass=*)” > users.ldif

 
$ ldapsearch –H localhost –p 3060 –D “cn=orcladmin” –w  -

b “cn=groups,dc=example,dc=com” “(objectClass=*)” > groups.ldif

Data convert

The files generated by the export cannot be directly imported. The format is not completely ldif compliant and there are many objectClasses and attributes that are Oracle OID specific and cannot be imported into OpenLDAP. Before the export files can be imported into OpenLDAP they will have to be modified a good bit. I was able to use the following sed scripts to modify the entries and they can be a good starting point for you, although you will likely have to modify a few things. Below are example sed scripts for both the users and groups export files as well as examples of the entries that were modified. This should help you determine how you need to modify these scripts. The comments in the script should help explain the desired output.

users.sed:

# delete several OID specific object classes and attributes.

/orcluserv2/d

/authpassword\;oid/d

/authpassword\;orclcommonpwd/d

/orcldefaultprofilegroup/d

/orclpassword/d

/objectclass=orcluser/d

/orclactivestartdate/d

/orclisenabled/d

/orclaci/d

/orclentrylevelaci/d

/orcltimezone/d


# change uid=,ou=... to dn=uid=...  later in the script dn=

#    will be changed to dn:

s|(^uid.*,)|dn= \1|

s|(^cn.*,)|dn= \1|


 
# remove dos end of line – My source OID host was Windows

s/.$//
 

# change attribute middlename to initials

s/^middlename/initials/
 

# change the DIT path – For my project the DIT path was changed

s/dc=some,dc=example,dc=com/dc=example,dc=com/
 

# create ldif compliant stuff.  attribute: 

# replaces first instance of = with : on every line.

s/=/: /1
 


groups.sed

# delete several OID specific object classes and attributes.

/orclGroup/d

/orclContainer/d

/orclisvisible/d

/orclaci/d

 
# remove dos end of line – still exporting from Windows

s/.$//

 
# uniquemember=uid to uniquemember=cn

s/^uniquemember=uid/uniquemember=cn/

 
# change the DIT path

s/dc=some,dc=example,dc=com/dc=example,dc=com/

 
# create ldif compliant stuff.  attribute: 

# replaces first instance of = with : on every line.

s/=/: /1

 

The scripts can be run with the following commands.

$ sed –r –f users.sed users.ldif > users_imp.ldif 

$ sed –r –f groups.sed groups.ldif > groups_imp.ldif

 

An example user entry before and after the sed script.
Before:

uid=12002,cn=users,dc=some,dc=example,dc=com

objectclass=top

objectclass=person

objectclass=organizationalPerson

objectclass=inetOrgPerson

objectclass=orcluser

objectclass=orcluserv2

uid=12002

cn=12002

displayname=John Doe

givenname=John

sn=Doe

telephonenumber=4155551212

mail=jdoe@example.com

orcldefaultprofilegroup=cn=APP,cn=groups,dc=some,dc=example,dc=com

userpassword={SSHA}wdA8C3IaDkPdyxtZtUs4vVvFS0gnlRpri5FAWQ==

authpassword;oid={SASL/MD5}MUJAVcYiuTTsWJSxgyDxsA==

authpassword;oid={SASL/MD5-DN}qR8M7NDr1PGIVeHc14T7Cw==

authpassword;oid={SASL/MD5-U}LOyzAuld3nMaar016qzREw==

authpassword;orclcommonpwd={X-ORCLIFSMD5}dyzi5AJ5ugL1UstTBkDKtw==

authpassword;orclcommonpwd={X-ORCLWEBDAV}XwsN8J/UkXwP3oTtoBDDA==

authpassword;orclcommonpwd={MD5}QMXeVu0fZ8wft5+NTys1Q==

authpassword;orclcommonpwd={X-ORCLLMV}C36602112332E40E660017F652A112D

authpassword;orclcommonpwd={X- ORCLNTV}3D2A43E46674D7DE8D1BD98D5B0F235

orclpassword={x- orcldbpwd}1.0:3414A473697C08DE

 

After:

dn:  cn=12002,cn=users,dc=example,dc=com

objectclass: top

objectclass: person

objectclass: organizationalPerson

objectclass: inetOrgPerson

uid: 12002

cn: 12002

displayname: John Doe

givenname: John

sn: Doe

telephonenumber: 4155551212

mail: jdoe@example.com

userpassword: {SSHA}wdA8C3IDkPdyxtZtUs4vVvFS0gnlRpri5FAWQ==

pwdAttribute: userPassword

 

Even with the sed scripts there were a few objects that would not import. During the import, you will need to wait for the failure, find the entry and then correct it. In my case, there were 3-4 entries that had extra attributes that were not dealt with in the sed script, but that still had to be touched.

Data import

This part is where you have to experiment a little. I was making several changes to the tree as a whole in order to simplify things a good bit, but it did make the import significantly more complicated for me. The basic rule here is that an entry has to exist before another entry references it. For example, a user cannot be a part of a group until that group exists. Another example is that dn: dc=com has to exist before dn: dc=example,dc=com can be created. Review your import files in order to figure out the order. Trial and error works well here. I was able to get my order of events figured out in an afternoon. The imports are done with the command ldapadd. Start with ldapadd –f <import_file> then add the necessary switches to connect to the OpenLDAP tree.

In this post you learned more about the process of exporting the LDAP entries from the Oracle OID directory and importing them into the OpenLDAP directory. The third and final post will be an overview of the WLS installation and the configuration of the security provider.

Share with your networkTweet about this on Twitter
Twitter
Share on LinkedIn
Linkedin
Share on Facebook
Facebook
Digg this
Digg
Email this to someone
email

Leave a Reply

Your email address will not be published. Required fields are marked *

Icon URL Target
1

This site uses Akismet to reduce spam. Learn how your comment data is processed.

WANT TO LEARN MORE?