Joe Grant, Principal Architect
For this second part of the series, we will walk through the process of exporting the LDAP entries from the Oracle OID directory and importing them into the OpenLDAP directory. The general process here is to export the data, modify the export files and then to import the data.
To give you some information on scale and time, I had a directory that had ~12,000 objects that needed to be exported. Overall the export process took less than 20 minutes. To modify the export files took less than 5 minutes once the scripts had been created, and the import process took less than 15 minutes.
Data export
At this point, the DIT is ready for at least some objects to be imported. Before this can happen, the user and group information has to be pulled from OID. To do this, log on to the OID server and run the following commands. Once the export files have been created, they will need to be copied to the OpenLDAP server.
$ ldapsearch -H localhost -p 3060 -D "cn=orcladmin" -w - -b "cn=users,dc=example,dc=com" "(objectClass=*)" > users.ldif
$ ldapsearch -H localhost -p 3060 -D "cn=orcladmin" -w - -b "cn=groups,dc=example,dc=com" "(objectClass=*)" > groups.ldif
Data convert
The files generated by the export cannot be directly imported. The format is not completely LDIF compliant, and there are many objectClasses and attributes that are Oracle OID specific and cannot be imported into OpenLDAP. Before the export files can be imported into OpenLDAP they will have to be modified a good bit. I was able to use the following sed scripts to modify the entries, and they can be a good starting point for you, although you will likely have to modify a few things. Below are example sed scripts for both the users and groups export files, as well as examples of the entries that were modified. This should help you determine how you need to modify these scripts. The comments in the scripts should help explain the desired output.
users.sed:
# delete several OID specific object classes and attributes.
/orcluserv2/d
/authpassword\;oid/d
/authpassword\;orclcommonpwd/d
/orcldefaultprofilegroup/d
/orclpassword/d
/objectclass=orcluser/d
/orclactivestartdate/d
/orclisenabled/d
/orclaci/d
/orclentrylevelaci/d
/orcltimezone/d
# change uid=...,ou=... lines to dn= uid=... (later in the script dn= will be changed to dn:)
s|(^uid.*,)|dn= \1|
s|(^cn.*,)|dn= \1|
# remove dos end of line - My source OID host was Windows
s/.$//
# change attribute middlename to initials
s/^middlename/initials/
# change the DIT path - For my project the DIT path was changed
s/dc=some,dc=example,dc=com/dc=example,dc=com/
# create ldif compliant stuff. attribute:
# replaces first instance of = with : on every line.
s/=/: /1
groups.sed:
# delete several OID specific object classes and attributes.
/orclGroup/d
/orclContainer/d
/orclisvisible/d
/orclaci/d
# remove dos end of line - still exporting from Windows
s/.$//
# uniquemember=uid to uniquemember=cn
s/^uniquemember=uid/uniquemember=cn/
# change the DIT path
s/dc=some,dc=example,dc=com/dc=example,dc=com/
# create ldif compliant stuff. attribute:
# replaces first instance of = with : on every line.
s/=/: /1
The scripts can be run with the following commands.
$ sed -r -f users.sed users.ldif > users_imp.ldif
$ sed -r -f groups.sed groups.ldif > groups_imp.ldif
An example user entry before and after the sed script.
Before:
uid=12002,cn=users,dc=some,dc=example,dc=com
objectclass=top
objectclass=person
objectclass=organizationalPerson
objectclass=inetOrgPerson
objectclass=orcluser
objectclass=orcluserv2
uid=12002
cn=12002
displayname=John Doe
givenname=John
sn=Doe
telephonenumber=4155551212
mail=jdoe@example.com
orcldefaultprofilegroup=cn=APP,cn=groups,dc=some,dc=example,dc=com
userpassword={SSHA}wdA8C3IaDkPdyxtZtUs4vVvFS0gnlRpri5FAWQ==
authpassword;oid={SASL/MD5}MUJAVcYiuTTsWJSxgyDxsA==
authpassword;oid={SASL/MD5-DN}qR8M7NDr1PGIVeHc14T7Cw==
authpassword;oid={SASL/MD5-U}LOyzAuld3nMaar016qzREw==
authpassword;orclcommonpwd={X-ORCLIFSMD5}dyzi5AJ5ugL1UstTBkDKtw==
authpassword;orclcommonpwd={X-ORCLWEBDAV}XwsN8J/UkXwP3oTtoBDDA==
authpassword;orclcommonpwd={MD5}QMXeVu0fZ8wft5+NTys1Q==
authpassword;orclcommonpwd={X-ORCLLMV}C36602112332E40E660017F652A112D
authpassword;orclcommonpwd={X-ORCLNTV}3D2A43E46674D7DE8D1BD98D5B0F235
orclpassword={x-orcldbpwd}1.0:3414A473697C08DE
After:
dn: cn=12002,cn=users,dc=example,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
uid: 12002
cn: 12002
displayname: John Doe
givenname: John
sn: Doe
telephonenumber: 4155551212
mail: jdoe@example.com
userpassword: {SSHA}wdA8C3IDkPdyxtZtUs4vVvFS0gnlRpri5FAWQ==
pwdAttribute: userPassword
Even with the sed scripts there were a few objects that would not import. During the import, you will need to wait for the failure, find the entry and then correct it. In my case, there were 3-4 entries that had extra attributes that were not dealt with in the sed script, but that still had to be touched.
Data import
This part is where you have to experiment a little. I was making several changes to the tree as a whole in order to simplify things a good bit, but it did make the import significantly more complicated for me. The basic rule here is that an entry has to exist before another entry references it. For example, a user cannot be a part of a group until that group exists. Another example is that dn: dc=com has to exist before dn: dc=example,dc=com can be created. Review your import files to work out the order. Trial and error works well here. I was able to get my order of events figured out in an afternoon. The imports are done with the command ldapadd. Start with ldapadd -f <import_file>, then add the necessary switches to connect to the OpenLDAP tree.
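The two manual steps above (finding the entries the sed scripts missed, and working out an import order in which every entry exists before something references it) can be done in one pass over the converted LDIF before ldapadd is run. The following is an added example, not code from the original post; it assumes the converted files look like the users.sed/groups.sed output shown above, treats any attribute still named orcl* as a leftover, and puts groups (the entries carrying uniquemember) after the users they point at. The sample LDIF is constructed.

```python
import re
# Added example (not the post's code): lint and order sed-converted LDIF before ldapadd.
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*):\s?(.*)$")

def parse_ldif(text):
    """Entries as {'dn': str, 'attrs': [(name, value)]}; a blank line ends an entry."""
    entries, cur = [], None
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if not line.strip():
            cur = None
        elif not m:                      # 'attr=value' the sed pass did not convert
            raise ValueError(f"not 'attribute: value': {line!r}")
        else:
            if cur is None:
                cur = {"dn": None, "attrs": []}
                entries.append(cur)
            if m.group(1).lower() == "dn":
                cur["dn"] = m.group(2)
            else:
                cur["attrs"].append((m.group(1), m.group(2)))
    return entries

def lint(entries):
    """Findings to fix before ldapadd: missing dn, OID-specific attributes left in."""
    out = []
    for e in entries:
        if e["dn"] is None:
            out.append("entry without dn")
        out += [f"{e['dn']}: OID attribute {n} left in" for n, _ in e["attrs"]
                if n.lower().startswith("orcl")]
    return out

# RDN count; a backslash-escaped comma is part of a value, not a separator.
dn_depth = lambda dn: len(re.split(r"(?<!\\),", dn))

def order_entries(entries):
    """Parents first (shorter DN); groups (uniquemember) after the users they reference."""
    def key(item):
        idx, e = item
        is_group = any(n.lower() == "uniquemember" for n, _ in e["attrs"])
        return (is_group, dn_depth(e["dn"] or ""), idx)
    return [e for _, e in sorted(enumerate(entries), key=key)]

# Constructed sample in the shape users.sed/groups.sed emit, deliberately out of order.
SAMPLE = """dn: cn=APP,cn=groups,dc=example,dc=com
uniquemember: cn=12002,cn=users,dc=example,dc=com

dn: cn=12002,cn=users,dc=example,dc=com
orclguid: 1A2B3C

dn: cn=users,dc=example,dc=com
"""
```

Run lint() on the parsed users_imp.ldif and groups_imp.ldif first, then feed order_entries() output to ldapadd; the file-splitting and re-serialising is left to the reader.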
In this post you learned more about the process of exporting the LDAP entries from the Oracle OID directory and importing them into the OpenLDAP directory. The third and final post will be an overview of the WLS installation and the configuration of the security provider.