There are many cases where you want to move from an old, legacy LDAP backend to OpenLDAP. Sometimes this transition requires moving to a new naming context (for instance from o=<company>,c=<country> style naming to dc-based naming) together with many schema changes. The problem the administrator usually faces is performing the necessary changes on the actual LDAP data, a task that normally means writing a script to manipulate an LDIF export. That is always hard, and any error or omission is not easily fixed.
Another way is to use the backends and overlays provided by OpenLDAP to transform the live data on the fly, so that a simple LDAP search over the whole tree is enough to obtain an LDIF file ready for import into the new system. The necessary layers are (in the order listed):
- The meta backend, to proxy requests to the legacy LDAP server.
- The rwm overlay, to map attributes and objectclasses to new names and to delete those that will no longer be needed.
- The relay backend, to perform a suffix massage (if one is required). The suffix massage could be done earlier, but doing it at this later stage has the advantage that the DN-syntax values of the mapped attributes are transformed as well.
Here is a real-life example configuration (the rwm-map directives) for the scenario above:
# rwm-map {attribute|objectclass} <new name> <legacy name>
# With two names the legacy element is renamed; with a single name it is dropped
# from the entries altogether (e.g. the vendor-specific Netscape/Sun objectclasses).
rwm-map objectclass nsmessagingserveruser
rwm-map objectclass nsCalUser
rwm-map objectclass nsLicenseUser
rwm-map objectclass account
rwm-map objectclass posixaccount
# Renamed attributes: legacy name on the right, name used on the new server on the left.
rwm-map attribute edupersonprimaryorgunitdn l
rwm-map attribute radiusprofiledn dialupregularprofile
rwm-map attribute radiussimultaneoususe npsessionsallowed
rwm-map attribute radiusreplymessage radiuslockmsg
# Attributes with no counterpart on the new server are dropped.
rwm-map attribute mailprogramdeliveryinfo
rwm-map attribute nslicensedfor
rwm-map attribute nswmextendeduserprefs
rwm-map attribute mailautoreplytext
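To show how the three layers fit together, here is an assumed slapd.conf for the whole proxy stack (meta proxy, rwm mapping, relay suffix massage); it is an added example, not the article's own configuration, and the host name legacy.example.com, the suffixes o=Example,c=US and dc=example,dc=com, and the schema include paths are placeholders.

```conf
# Assumed example: three-layer migration proxy. Placeholders: legacy.example.com,
# o=Example,c=US (legacy suffix), dc=example,dc=com (new suffix), schema paths.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# The proxy slapd must know every *new* name on the left of an rwm-map line,
# so include the schema files that define them (placeholder file names).
include         /etc/openldap/schema/eduperson.schema
include         /etc/openldap/schema/radius.schema

# Needed only when slapd was built with these as dynamic modules.
modulepath      /usr/lib/openldap
moduleload      back_meta
moduleload      back_relay
moduleload      rwm

# Layer 1: the meta backend proxies the legacy naming context unchanged.
database        meta
suffix          "o=Example,c=US"
uri             "ldap://legacy.example.com/o=Example,c=US"
# Add an idassert-bind line here if the legacy server refuses anonymous searches.

# Layer 2: the rwm overlay on the proxy renames or drops schema elements.
# rwm-map {attribute|objectclass} <new name> <legacy name>; a single name drops it.
overlay         rwm
rwm-map         objectclass nsmessagingserveruser
rwm-map         objectclass posixaccount
rwm-map         attribute   edupersonprimaryorgunitdn l
rwm-map         attribute   radiussimultaneoususe npsessionsallowed
# (the remaining rwm-map lines from the article go here)

# Layer 3: the relay backend exposes the same data under the new suffix. Because
# the massage happens after the mapping, DN-syntax values produced by layer 2
# (e.g. eduPersonPrimaryOrgUnitDN) are rewritten to the new suffix as well.
database        relay
suffix          "dc=example,dc=com"
relay           "o=Example,c=US"
overlay         rwm
rwm-suffixmassage "o=Example,c=US"

# Export for the new server; run against this proxy, not the legacy server:
#   ldapsearch -x -H ldap://localhost/ -b "dc=example,dc=com" -LLL "(objectClass=*)" > export.ldif
```

Before trusting the export, diff a handful of entries from export.ldif against the legacy server to confirm that every dropped or renamed element was intended, since anything the map silently removes is gone from the new system.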