There are many cases where you want to move from an old, legacy LDAP backend to OpenLDAP. Sometimes this transition requires moving to a new naming context (for instance from o=<company>,c=<country> style to dc-based naming) and a lot of schema changes. The problem the administrator usually faces is performing the necessary changes on the actual LDAP data, a task that usually requires writing a script to manipulate an LDIF export. That is always a hard task, and any error or omission is not easily fixed.
Another way to do things is to use the backends/overlays provided by OpenLDAP to transform the actual online data in such a way that a simple LDAP search on the whole tree will be enough to get an LDIF file ready for import on the new system. The necessary steps include (in the order described):

  • The meta backend to proxy requests to the legacy LDAP server.
  • The rwm overlay to map attributes and objectclasses to new names and delete those that will no longer be needed.
  • The relay backend to perform a suffix massage (if it is required). The suffix massage can be done earlier, but doing it at a later stage has the advantage of also transforming the DN-syntax values of mapped attributes.

Here’s a real-life example configuration for the above scenario:

# Proxy the legacy server's tree under its original suffix.
database                meta
rootdn                  "cn=Manager,dc=company,dc=gr"
suffix                  "o=company,c=gr"
uri                     "ldap://ldap.server/o=company,c=gr"
overlay                 rwm
# One name only: the objectclass is removed.
rwm-map                 objectclass nsmessagingserveruser
rwm-map                 objectclass nsCalUser
rwm-map                 objectclass nsLicenseUser
rwm-map                 objectclass account
rwm-map                 objectclass posixaccount
# Two names (local name, then foreign name): the attribute is renamed.
rwm-map                 attribute edupersonprimaryorgunitdn l
rwm-map                 attribute radiusprofiledn dialupregularprofile
rwm-map                 attribute radiussimultaneoususe npsessionsallowed
rwm-map                 attribute radiusreplymessage radiuslockmsg
# One name only: the attribute is removed.
rwm-map                 attribute mailprogramdeliveryinfo
rwm-map                 attribute nslicensedfor
rwm-map                 attribute nswmextendeduserprefs
rwm-map                 attribute mailautoreplytext

# Present the proxied tree under the new suffix.
database                relay
rootdn                  "cn=Manager,dc=company,dc=gr"
suffix                  "dc=company,dc=gr"
relay                   "o=company,c=gr"
overlay                 rwm
# Rewrite DNs between the new suffix and the legacy one.
rwm-suffixmassage       "o=company,c=gr"
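
A pre-import check for the LDIF that a search on the whole dc=company,dc=gr tree returns, as an added example that is not part of the original post: it confirms that the names removed by the single-name rwm-map lines are gone and that entry DNs and DN-valued mapped attributes sit under the new suffix. The function names and the sample entries are constructed for illustration, and treating edupersonprimaryorgunitdn and radiusprofiledn as DN-syntax attributes is an assumption.

```python
import base64

NEW_SUFFIX = "dc=company,dc=gr"
# Names removed by the single-name rwm-map lines in the configuration above.
DROPPED_CLASSES = {"nsmessagingserveruser", "nscaluser", "nslicenseuser",
                   "account", "posixaccount"}
DROPPED_ATTRS = {"mailprogramdeliveryinfo", "nslicensedfor",
                 "nswmextendeduserprefs", "mailautoreplytext"}
DN_ATTRS = {"edupersonprimaryorgunitdn", "radiusprofiledn"}  # assumed DN-syntax

def parse_ldif(text):
    """Yield entries as [(attr, value), ...]; unfolds lines, decodes '::' base64."""
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = []
        for line in block.splitlines():
            attr, sep, rest = line.partition(":")
            if sep and not line.startswith("#"):
                if rest.startswith(":"):  # 'attr:: <base64 value>'
                    rest = base64.b64decode(rest[1:]).decode("utf-8", "replace")
                entry.append((attr.lower(), rest.strip()))
        if entry and entry[0][0] == "dn":  # skip version / search-result blocks
            yield entry

def under(dn, suffix):
    """Case/whitespace-insensitive suffix test (escaped commas not handled)."""
    norm = ",".join(part.strip() for part in dn.lower().split(","))
    return norm == suffix or norm.endswith("," + suffix)

def audit(text):
    """Return (dn, name, problem) for everything the proxy should have changed."""
    problems = []
    for (_, dn), *attrs in parse_ldif(text):
        if not under(dn, NEW_SUFFIX):
            problems.append((dn, "dn", "outside new suffix"))
        for attr, value in attrs:
            if attr in DROPPED_ATTRS:
                problems.append((dn, attr, "dropped attribute present"))
            elif attr == "objectclass" and value.lower() in DROPPED_CLASSES:
                problems.append((dn, value.lower(), "dropped objectclass present"))
            elif attr in DN_ATTRS and not under(value, NEW_SUFFIX):
                problems.append((dn, attr, "DN value not rewritten"))
    return problems

# Constructed sample: the first entry is clean, the second fails every check.
SAMPLE = ("dn: uid=alice,ou=people,dc=company,dc=gr\nobjectClass: inetOrgPerson\n"
          "eduPersonPrimaryOrgUnitDN: ou=it,\n dc=company,dc=gr\n\n"
          "dn:: dWlkPWJvYixvPWNvbXBhbnksYz1ncg==\nobjectClass: nsCalUser\n"
          "nsLicensedFor: mail\nradiusProfileDn: cn=std,o=company,c=gr\n")
```

An empty list from `audit()` means the export passed these checks; each tuple otherwise names the entry and the attribute or objectclass to look at before importing.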