Re: Directory Server LDAP/LDIF import - working yet not working???

From: Gary Tay Teng Teck (
Date: 11/25/04

Date: Thu, 25 Nov 2004 07:38:28 +0800

John_B wrote:

> We currently have NIS and are looking to get rid of NIS completely in
> favor of LDAP. We don't want N2L; we want NIS to go away completely.
> I installed DS 5.2 (or whichever version is on Sun's web site) on a test
> server. I then generated LDIF files from the /etc files on our NIS
> master using the tool from (after modifying
> their common source with the correct domain information, of course).
> Since ou=People already existed for our domain after the install, I
> transferred the LDIF file to the console and performed a successful
> import - or what *appeared* to be a successful import.
> It imported all of the users without any rejected records. When I
> select the People subsuffix for our domain in the console under the
> Directory tab, I do indeed see all of the users from the import in the
> frame on the right. If I double-click on any user, their Posix
> information is there. So, it did import the data.
> But there are a few things that are very disturbing.
> 1. Each of the imported users has a blue dot icon. In the example data
> (cn=example,cn=com), each user has a small person icon next to them.
> This tells me that the system didn't really accept the imported data as
> users.
> 2. None of the entries can be searched. Even when I do an advanced
> search, the DN matches the base, but even when I specify "uid contains
> {specific user ID}" it never comes up with any results.
> 3. When I double-click on any user, it brings up the Generic Editor
> whereas when I double-click on one of the example users I get the much
> easier-to-read Edit User window.
> So, it's like the data is there but yet not recognied as "People".
> Sadly, I have to confess that I was thrust into our current situation
> due to the I.T. hell that we all know as Sarbanes-Oxley with only a
> 10,000-foot understanding of LDAP. Thanks to SOX this is a critical
> project that must be configured, tested, and deployed by year's end.
> Fortunately, we're not doing anything more at this point than get user
> authentication to LDAP. We'll leave the fancier things for later on
> where there are no pressure and time constraints.
> Unfortunately, most of Sun's documentation seems to make the somewhat
> arrogant assumption that all NIS -> LDAP transitions are going to always
> involve keeping NIS compatibility mode via N2L. That's not the case
> here. This is to be nothing more than importing /etc/passwd (and
> shadow) and /etc/group information into LDAP followed by the elimination
> of NIS.
> As for why we're going to use DS 5.2 instead of what's built into
> Solaris, we prefer to have a three-way multi-master configuration with
> two in our home office (for redundancy) and one in a remote office so
> that users in that office don't have to hit the WAN. Unfortunately, the
> DS that's included with Solaris only offers two-way multi-mastering.
> I already downloaded the various LDAP BluePrints and Directory Server
> manuals, but I could not find anything to resolve this. I'm not saying
> that the information is not there; I'm just saying that I couldn't find
> it, but I'll keep looking anyway.
> Any assistance will be immensely appreciated.

If u intend to use OpenLDAP rather than DS5.2, I have a HOWTO: