directory-users mailing list archives

From Brian Burch <>
Subject Re: Migrating from iPlanet to ApacheDS 2.0 server - Issue
Date Tue, 04 Jun 2013 15:59:43 GMT
On 04/06/13 16:25, Emmanuel Lécharny wrote:
> Le 6/4/13 4:52 PM, Brian Burch a écrit :
>> On 04/06/13 14:53, Emmanuel Lécharny wrote:
>>> Le 6/4/13 8:36 AM, Titus Rakkesh a écrit :
>>>> Dear All,
>>> Hi,
>>>>       We have a live application which was running in iPlanet directory
>>>> server for the last 5 years and the LDAP is having around 3 million user
>>>> info stored in. Currently we are in a need of getting the clone of that
>>>> LDAP and migrate to ApacheDS 2.0 one. Simply saying our requirement is to
>>>> migrate all objects (schemas, roles, administrator accounts, Full User Store
>>>> data and everything) to ApacheDS. After the migration, we should be able to
>>>> redirect the application requests to the new LDAP without changing
>>>> application code.
>>>> Pls direct us how we can do this?
>>> The first thing is to see if the schema you are using on iPlanet is
>>> compatible with ApacheDS schema. This may require a bit of tuning. The
>>> second step would be to inject the 3 million entries into apacheds,
>>> which may take a while, with the current version (expect around 5 to 20
>>> hours, depending on which kind of disk and system you use).
>> I migrated a fairly complex iPlanet directory to apacheDS 1.5 several
>> years ago.
>> I clearly and painfully remember the most difficult task was setting
>> up new ACI's to properly replicate all the different permissions I
>> had in the iPlanet directory. The syntax and semantics are very
>> different. I did all my setup by creating individual ldif files, so
>> that I could experiment and test the outcome of the rules one by one.
>> I already had all of my custom schema definitions as ldif's. Many of
>> them did not translate easily from iPlanet, but I could convert,
>> experiment and test those one by one too.
>> Studio might be good for moving the people entries, but I recommend
>> building a set of ldifs to create the tree structure.
>> I can remember having issues with some groups too, but nothing was too
>> difficult to convert successfully.
>> My original iPlanet directory used master-slave replication. ApacheDS
>> 1.5 didn't have this feature working at the time, so I reverted to a
>> single master directory and implemented a snapshot backup regime. I
>> have not felt the need to experiment with replication on the 2.0
>> milestones. In fact, I haven't yet felt the need to upgrade to 2.0,
>> although I'm watching each milestone with interest and intend to use
>> it soon.
>> I preferred to move from one java directory implementation to another.
>> At the time, I didn't feel conversion to openldap would have been any
>> simpler - although I can't be certain that I was correct.
>> Good luck,
> Many thanks for this feedback, Brian !
> FTR, how many entries do you have in your server ?

Only a few hundred. The complexity comes from the fact that I designed 
and created the original iPlanet directory for a customer with many 
thousand entries and a sophisticated set of applications. I used the 
same schema and architecture for my own installation because it allowed 
me to develop and test away from their production environment. (I no 
longer work for that organisation, but I believe they attempted to fold 
the data and functions into Novell Directory and Microsoft ADS. I do not 
know whether that effort was successful.)

I spent quite a lot of time working with Fedora Directory when the 
product was taken over from iPlanet, but I never got it working to my 
satisfaction... the more troublesome issues were associated with iPlanet 
Certificate Management System, but I have subsequently migrated my own 
CA to OpenSSL.
