Re: Directory Server LDAP/LDIF import - working yet not working???

From: Gary Tay Teng Teck (
Date: 11/25/04

Date: Thu, 25 Nov 2004 07:38:28 +0800

John_B wrote:

> We currently have NIS and are looking to get rid of NIS completely in
> favor of LDAP. We don't want N2L; we want NIS to go away completely.
> I installed DS 5.2 (or whichever version is on Sun's web site) on a test
> server. I then generated LDIF files from the /etc files on our NIS
> master using the tool from (after modifying
> their common source with the correct domain information, of course).
> Since ou=People already existed for our domain after the install, I
> transferred the LDIF file to the console and performed a successful
> import - or what *appeared* to be a successful import.
> It imported all of the users without any rejected records. When I
> select the People subsuffix for our domain in the console under the
> Directory tab, I do indeed see all of the users from the import in the
> frame on the right. If I double-click on any user, their Posix
> information is there. So, it did import the data.
> But there are a few things that are very disturbing.
> 1. Each of the imported users has a blue dot icon. In the example data
> (cn=example,cn=com), each user has a small person icon next to them.
> This tells me that the system didn't really accept the imported data as
> users.
> 2. None of the entries can be searched. Even when I do an advanced
> search, the DN matches the base, but even when I specify "uid contains
> {specific user ID}" it never comes up with any results.
> 3. When I double-click on any user, it brings up the Generic Editor
> whereas when I double-click on one of the example users I get the much
> easier-to-read Edit User window.
> So, it's like the data is there but yet not recognied as "People".
> Sadly, I have to confess that I was thrust into our current situation
> due to the I.T. hell that we all know as Sarbanes-Oxley with only a
> 10,000-foot understanding of LDAP. Thanks to SOX this is a critical
> project that must be configured, tested, and deployed by year's end.
> Fortunately, we're not doing anything more at this point than get user
> authentication to LDAP. We'll leave the fancier things for later on
> where there are no pressure and time constraints.
> Unfortunately, most of Sun's documentation seems to make the somewhat
> arrogant assumption that all NIS -> LDAP transitions are going to always
> involve keeping NIS compatibility mode via N2L. That's not the case
> here. This is to be nothing more than importing /etc/passwd (and
> shadow) and /etc/group information into LDAP followed by the elimination
> of NIS.
> As for why we're going to use DS 5.2 instead of what's built into
> Solaris, we prefer to have a three-way multi-master configuration with
> two in our home office (for redundancy) and one in a remote office so
> that users in that office don't have to hit the WAN. Unfortunately, the
> DS that's included with Solaris only offers two-way multi-mastering.
> I already downloaded the various LDAP BluePrints and Directory Server
> manuals, but I could not find anything to resolve this. I'm not saying
> that the information is not there; I'm just saying that I couldn't find
> it, but I'll keep looking anyway.
> Any assistance will be immensely appreciated.

If u intend to use OpenLDAP rather than DS5.2, I have a HOWTO:


Relevant Pages

  • Re: One login for multiple machines
    ... get authenticated from remote server (thus not need to create ... network) a centrally-stored login on a Linux server for Windows PCs ... I've excerpted some relevant info from two web pages on NIS and LDAP... ... It is for this reason that LDAP ...
  • Re: Centralized authentication
    ... >A few people suggested NIS+. ... Virtually all of our boxes are FreeBSD, ... >don't know very much about either server. ... >setup and get working than an LDAP server. ...
  • Re: NIS+ Server and LDAP Server on same machine?
    ... The LDAP directory server process does not need the ... > NIS domainname set to anything specific. ... Solaris, then configure LDAP client). ...
  • Upgrading Directory Services.
    ... I've been using NIS and DNS since the late 80's and LDAP since 1997. ... my LDAP experience to date has only been in support of my ... practices on how to setup the Directory Server. ...
  • Directory Server LDAP/LDIF import - working yet not working???
    ... We currently have NIS and are looking to get rid of NIS completely in ... I then generated LDIF files from the /etc files on our NIS ... 10,000-foot understanding of LDAP. ... This is to be nothing more than importing /etc/passwd (and ...