Copying LDAP custom attribute mappings from one eDirectory server's group object to another

  • 7024694
  • 20-Jun-2020
  • 20-Jun-2020

Environment

eDirectory 9
eDirectory 8.8 SP8

Situation

A new eDir 9 server has been added to an 8.8 SP8 tree.  A new group object will be created for the new 9.x servers. 

There are custom attribute mappings on the 8.8 SP8 servers' group object that need to be copied to the 9.x LDAP group object.

Resolution

There is no easy way to copy mappings from one server to another.  However, there is a way to do this via LDAP. 

To dump out the mapping list you would run something like the following example on the server with all the correct mappings (changing the information to your environment and group object name):
LDAPTLS_CACERT=/var/opt/novell/eDirectory/data/SSCert.pem ldapsearch -H ldaps://10.1.10.101:636 -D cn=admin,o=emg -w novell -b o=emg 'cn=LDAP Group - 90svr1' ldapAttributeList

Sample returns:
ldapAttributeList: NDSName=C$LDAPNames=c\24countryName
ldapAttributeList: NDSName=CN$LDAPNames=cn\24commonName
ldapAttributeList: NDSName=uniqueID$LDAPNames=uid\24userId
ldapAttributeList: NDSName=GID$LDAPNames=groupID
ldapAttributeList: NDSName=Printer$LDAPNames=printer

Pipe the output from each server to a file and diff the two files to find the mappings that differ.  Then place the missing mappings into a newly created LDIF file.  This file can now be used to add the mappings to the other server's LDAP group object.

Example:
Diffing the two LDAP groups, one sees that server 1 has an attribute mapping that server 2 does not.  In this example it is
ldapAttributeList: NDSName=Printer$LDAPNames=printer
as dumped from the command above.

Create an LDIF file called, say, printer.ldif, with the following content, specifying the group name and the mapping to be added:

dn: CN=LDAP Group - 90svr2,o=emg
changetype: modify
add: ldapAttributeList
ldapAttributeList: NDSName=Printer$LDAPNames=printer

All the custom attribute mappings that are missing can be placed after the "add:" line as above, or typed in manually.

After saving the file run it:
LDAPTLS_CACERT=/var/opt/novell/eDirectory/data/SSCert.pem ldapmodify -H ldaps://10.1.10.101:636 -D "cn=admin,o=emg" -w novell -f printer.ldif

In this example one would now have an attribute mapping from eDir's "Printer" attribute to LDAP's "printer" on the second server's LDAP group object.  To force the LDAP server to read the new mapping, refresh LDAP.

(This should already have happened, but it is good to make sure):
ndstrace -c "unload nldap"
ndstrace -c "load nldap"

At this point the mappings should have been copied over and read, and are now available to LDAP clients.
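The procedure above (dump both groups, diff, build an LDIF, apply it) is done by hand in the TID. The script below is an added example, not part of the TID or of eDirectory, that automates the dump-to-LDIF step: it takes two ldapsearch dumps, unfolds LDIF continuation lines and decodes base64 ("attr::") values so the diff is exact, and emits the modify entry for whatever the target group is missing. The sample dumps, the folded and base64-encoded values in them, and the group DNs are constructed for this example.

```sh
#!/bin/sh
# Added example, not part of the TID: compare the ldapAttributeList dumps from
# two servers' LDAP group objects and generate the LDIF that copies the missing
# mappings. Assumes the dumps are plain ldapsearch output like the sample above;
# the DNs and the sample values below are constructed for this example.
set -eu
export LC_ALL=C                      # sort and comm must agree on collation

# extract_mappings DUMP
# Prints the ldapAttributeList values from an ldapsearch dump, one per line,
# sorted. ldapsearch emits LDIF, so a long value may be folded onto a
# continuation line that starts with one space, and a value ldapsearch will
# not print as-is appears as "ldapAttributeList:: <base64>"; both are undone.
extract_mappings() {
    awk '
        /^ / { buf = buf substr($0, 2); next }   # continuation: append to value
        { if (buf != "") print buf; buf = $0 }
        END { if (buf != "") print buf }
    ' "$1" |
    while IFS= read -r line; do
        case "$line" in
            'ldapAttributeList:: '*)
                printf '%s' "${line#ldapAttributeList:: }" | base64 -d
                printf '\n' ;;
            'ldapAttributeList: '*)
                printf '%s\n' "${line#ldapAttributeList: }" ;;
        esac
    done | sort -u
}

# missing_mappings SRC_DUMP DST_DUMP
# Prints the mappings present on the source group but absent from the target.
missing_mappings() {
    tmp=$(mktemp -d)
    extract_mappings "$1" > "$tmp/src"
    extract_mappings "$2" > "$tmp/dst"
    comm -23 "$tmp/src" "$tmp/dst"
    rm -rf "$tmp"
}

# make_ldif SRC_DUMP DST_DUMP TARGET_DN
# Prints an LDIF modify/add entry for the target group carrying every missing
# mapping; returns 1 and prints nothing when the target already has them all.
make_ldif() {
    missing=$(missing_mappings "$1" "$2")
    [ -n "$missing" ] || return 1
    printf 'dn: %s\nchangetype: modify\nadd: ldapAttributeList\n' "$3"
    printf '%s\n' "$missing" | sed 's/^/ldapAttributeList: /'
}

# Constructed sample dumps standing in for the two servers' ldapsearch output.
# Server 1's Printer value is folded across two lines and server 2's GID value
# is base64-encoded, to exercise both LDIF forms.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/svr1.ldif" <<'EOF'
dn: cn=LDAP Group - 90svr1,o=emg
ldapAttributeList: NDSName=C$LDAPNames=c\24countryName
ldapAttributeList: NDSName=CN$LDAPNames=cn\24commonName
ldapAttributeList: NDSName=uniqueID$LDAPNames=uid\24userId
ldapAttributeList: NDSName=GID$LDAPNames=groupID
ldapAttributeList: NDSName=Printer$LDAPNames=pri
 nter
EOF
cat > "$WORK/svr2.ldif" <<'EOF'
dn: cn=LDAP Group - 90svr2,o=emg
ldapAttributeList: NDSName=C$LDAPNames=c\24countryName
ldapAttributeList: NDSName=CN$LDAPNames=cn\24commonName
ldapAttributeList: NDSName=uniqueID$LDAPNames=uid\24userId
EOF
printf 'ldapAttributeList:: %s\n' \
    "$(printf '%s' 'NDSName=GID$LDAPNames=groupID' | base64)" >> "$WORK/svr2.ldif"

# Review this output, then feed it to ldapmodify -f as in the TID.
make_ldif "$WORK/svr1.ldif" "$WORK/svr2.ldif" 'cn=LDAP Group - 90svr2,o=emg'
```

Two points worth keeping in mind when running this against real servers. The TID's commands pass the admin password with `-w`, which leaves it visible in the process list and the shell history; OpenLDAP's `ldapsearch` and `ldapmodify` accept `-W` to prompt for it or `-y <file>` to read it from a file instead. And because the ldapAttributeList mappings decide which eDirectory attributes LDAP clients can see and under what names, read the generated LDIF before applying it rather than piping it straight into `ldapmodify`.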