Novell Import Conversion Export Utility

The Novell Import Conversion Export utility lets you:

The Novell Import Conversion Export utility manages a collection of handlers that read or write data in a variety of formats. Source handlers read data, while destination handlers write data. A single executable module can be both a source and a destination handler. The engine receives data from a source handler, processes the data, then passes the data to a destination handler.

For example, if you want to import LDIF data into an LDAP directory, the Novell Import Conversion Export engine uses an LDIF source handler to read an LDIF file and an LDAP destination handler to send the data to the LDAP directory server. See Troubleshooting LDIF Files for more information on LDIF file syntax, structure, and debugging.

You can run the Novell Import Conversion Export client utility from the command line or from a snap-in to ConsoleOneTM. The comma-delimited data handler, however, is a command line utility only.

You can use the Novell Import Conversion Export utility in either of the following ways:

The wizard and the command line interface both give you access to the Novell Import Conversion Export engine, but the command line interface gives you greater options for combining source and destination handlers.

The Novell Import Conversion Export utility replaces both the BULKLOAD and ZONEIMPORT utilities included with previous versions of NDS and eDirectory.


Using the Novell eDirectory Import/Export Wizard

The Novell eDirectory Import/Export Wizard is a ConsoleOne snap-in designed to help you:


Performing an LDIF Import

  1. In ConsoleOne, select Wizard > NDS Import/Export.

    2.

  2. Click Import LDIF File > Next.

    3.

  3. Enter the name of the LDIF file containing the data you want to import > click Next.

    Click Advanced to set other LDIF source handler options. Click Help on the Advanced dialog box for more information on the available options.

    4.

  4. Select the LDAP server where the data will be imported.

    You can store information for several servers and name each set of information. Click New to add a new server.

    5.

  5. Add the information from Table 31.


    Table 31. LDAP Server Options

    Option Description

    Server DNS name/IP address

    Enter the DNS name or IP address of the destination LDAP server.

    Port

    Enter the integer port number of the destination LDAP server.

    DER file containing server key used for SSL communication

    Enter the name of the DER file containing a server key used for SSL authentication.

    Login method

    Click Authenticated Login or Anonymous for the entry specified in the User DN field.

    User DN

    Enter the distinguished name of the entry that should be used when binding to the server-specified bind operation.

    Password

    Enter the password attribute of the entry specified in the User DN field.

  6. Click Next > Finish to begin the LDIF import.

    7.

Performing an LDIF Export

  1. In ConsoleOne, select Wizard > NDS Import/Export.

    2.

  2. Click Export LDIF File > Next.

    3.

  3. Select the LDAP server holding the entries you want to export.

    You can store information for several servers and name each set of information. Click New to add a new server. Click Advanced to set additional options for the LDAP source handler. Click Help on the Advanced dialog box for more information on the available options.

    4.

  4. Add the information from Table 32.


    Table 32. LDAP Server Options

    Option Description

    Server DNS name/IP address

    Enter the DNS name or IP address of the source LDAP server.

    Port

    Enter the integer port number of the source LDAP server.

    DER file containing server key used for SSL communication

    Enter the name of the DER file containing a server key used for SSL authentication.

    Login method

    Click Authenticated Login or Anonymous for the entry specified in the User DN field.

    User DN

    Enter the distinguished name of the entry that should be used when binding to the server-specified bind operation.

    Password

    Enter the password attribute of the entry specified in the User DN field.

  5. Click Next.

    6.

  6. Specify the search criteria for the entries you want to export.


    Table 33. Search Criteria Options

    Option Description

    Base DN

    Enter the base distinguished name for the search request. If this field is left empty, the base DN defaults to "" (empty string).

    Scope

    Specifies the scope of the search request.

    Filter

    Enter an RFC 1558 compliant search filter. The default is objectclass=*.

    Attributes

    Specify the attributes you want returned for each search entry.

  7. Click Next.

    8.

  8. Enter the name of the LDIF file that will store the export information > click Next.

    9.

  9. Click Finish to begin the LDIF export.

    10.

Performing Data Migration between LDAP Servers

  1. In ConsoleOne, select Wizard > NDS Import/Export.

    2.

  2. Click Migrate Data between LDAP Servers > Next.

    3.

  3. Select the LDAP server holding the entries you want to migrate.

    You can store information for several servers and name each set of information. Click New to add a new server. Click Advanced to set additional options for the LDAP source handler. Click Help on the Advanced dialog box for more information on the available options.

    4.

  4. Add the information from Table 34.


    Table 34. LDAP Server Options

    Option Description

    Server DNS name/IP address

    Enter the DNS name or IP address of the source LDAP server.

    Port

    Enter the integer port number of the source LDAP server.

    DER file containing server key used for SSL communication

    Enter the name of the DER file containing a server key used for SSL authentication.

    Login method

    Click Authenticated Login or Anonymous for the entry specified in the User DN field.

    User DN

    Enter the distinguished name of the entry that should be used when binding to the server-specified bind operation.

    Password

    Enter the password attribute of the entry specified in the User DN field.

  5. Click Next.

    6.

  6. Specify the following search criteria for the entries you want to migrate:


    Table 35. Search Criteria Options

    Option Description

    Base DN

    Enter the base distinguished name for the search request. If this field is left empty, the base DN defaults to "" (empty string).

    Scope

    Specifies the scope of the search request.

    Filter

    Enter an RFC 2254 compliant search filter. The default is objectclass=*.

    Attributes

    Specifies the attributes you want returned for each search entry.

  7. Click Next.

    8.

  8. Select the LDAP server where the data will be migrated.

    9.

  9. Click Next > Finish.

    NOTE:  Ensure that the schema is consistent across LDAP Services.

    10.

Using the Command Line Interface

You can use the command line version of the Novell Import Conversion Export utility to perform the following:

The Novell Import Conversion Export utility is installed as part of ConsoleOne. Both a Win32* version (ICE.EXE) and a NetWare® version (ICE.NLM) are included in the installation. On Linux and Solaris systems, the Import/Export utility is included in the NDSadmutl package.


Novell Import Conversion Export Syntax

The Novell Import Conversion Export utility is launched with the following syntax:

ice general_options
-S[LDIF | LDAP | DELIM] source_options
-D[LDIF | LDAP | DELIM] destination_options

General options are optional and must come before any source or destination options. The -S (source) and -D (destination) handler sections can be placed in any order.

The following is a list of the available source and destination handlers:


General Options

General options affect the overall processing of the Novell Import Conversion Export engine.


Table 36. General Options

Option Description

-l log_file

Specifies a filename where output messages (including error messages) are logged. If this option is not used, error messages are sent to ice.log.

If this option is not used on Linux or Solaris systems, error messages will not be logged.

-o

Overwrites an existing log file. If this flag is not set, messages are appended to the log file instead.

-e LDIF_error_log_ file

Specifies a filename where entries that fail are output in LDIF format. This file can be examined, modified to correct the errors, then reapplied to the directory.

-p URL

Specifies the location of an XML placement rule to be used by the engine. Placement rules let you change the placement of an entry. See Conversion Rules for more information.

-c URL

Specifies the location of an XML creation rule to be used by the engine. Creation rules let you supply missing information that might be needed to allow an entry to be created successfully on import. For more information, see Conversion Rules.

-s URL

Specifies the location of an XML schema mapping rule to be used by the engine. Schema mapping rules let you extend the schema on the destination server to accommodate all of the object classes and attribute types in entries coming from the source server.

You can use a schema mapping rule to map a schema element on a source server to a different but equivalent schema element on a destination server. For more information, see Conversion Rules.

Source Handler Options

The source handler option (-S) determines the source of the import data. Only one of the following can be specified on the command line.


Table 37. Source Handler Options

Option Description

-SLDIF

Specifies that the source is an LDIF file.

For a list of supported LDIF options, see LDIF Source Handler Options.

-SLDAP

Specifies that the source is an LDAP server.

For a list of supported LDAP options, see LDAP Source Handler Options

-SDELIM

Specifies that the source is a comma-delimited data file.

For a list of supported DELIM options, see DELIM Source Handler Options.

Destination Handler Options

The destination handler options (-D) specify the destination of the export data. Only one of the following can be specified on the command line.


Table 38. Destination Handler Options

Option Description

-DLDIF

Specifies that the destination is an LDIF file.

For a list of supported options, see LDIF Destination Handler Options.

-DLDAP

Specifies that the destination is an LDAP server.

For a list of supported options, see LDAP Destination Handler Options.

-DDELIM

Specifies that the destination is a comma-delimited file.

For a list of supported options, see DELIM Destination Handler Options.

LDIF Source Handler Options

The LDIF source handler reads data from an LDIF file then sends it to the Novell Import Conversion Export engine.


Table 39. LDIF Source Handler Options

Option Description

-f LDIF_file

Specifies a filename containing LDIF records read by the LDIF source handler and sent to the engine.

If you omit this option on Linux or Solaris systems, the input will be taken from stdin.

-a

If the records in the LDIF file are content records (that is, they contain no changetypes), they will be treated as records with a change type of add.

-c

Prevents the LDIF source handler from stopping on errors. This includes errors on parsing LDIF and errors sent back from the destination handler. When this option is set and an error occurs, the LDIF source handler reports the error, finds the next record in the LDIF file, and continues.

-n

Does not perform update operations, but prints what would be done. When this option is set, the LDIF source handler parses the LDIF file but does not send any records to the Novell Import Conversion Export engine (or to the destination handler).

-v

Enables the verbose mode of the handler.

LDIF Destination Handler Options

The LDIF destination handler receives data from the Novell Import Conversion Export engine and writes it to an LDIF file.


Table 40. LDIF Destination Handler Options

Option Description

-f LDIF_file

Specifies the filename where LDIF records can be written.

If you omit this option on Linux or Solaris systems, the output will go to stdout.

-v

Enables verbose mode of the handler.

LDAP Source Handler Options

The LDAP source handler reads data from an LDAP server by sending a search request to the server. It then sends the search entries it receives from the search operation to the Novell Import Conversion Export engine.


Table 41. LDAP Source Handler Options

Option Description

-s server_name

Specifies the DNS name or IP address of the LDAP server to which the handler will send a search request. The default is the local host.

-p port

Specifies the integer port number of the LDAP server specified by server_name. The default is 389. For secure operations the default port is 636.

-d DN

Specifies the distinguished name of the entry that should be used when binding to the server-specified bind operation.

-w password

Specifies the password attribute of the entry specified by DN.

-W

Prompts for the password of the entry specified by DN.

This option is applicable only for Linux and Solaris.

-F filter

Specifies an RFC 1558 compliant search filter. If this option is omitted, the search filter defaults to objectclass=*.

-n

Does not actually perform a search, but shows what search would be performed.

-a attribute_list

Specifies a comma-separated list of attributes to retrieve as part of the search. In addition to attribute names, there are three other values:

  • Get no attributes (1.1)
  • All user attributes (*)
  • An empty list gets all non-operational attributes.

If this option is omitted, the attribute list defaults to the empty list.

-o attribute_list

Specifies a comma-separated list of attributes to be omitted from the search results received from the LDAP server before they are sent to the engine. This option is useful in cases where you want to use a wildcard with the -a option to get all attributes of some class and then remove a few of them from the search results before passing the data on to the engine.

For example, -a* -o telephoneNumber searches for all user-level attributes and filters the telephone number from the results.

-R

Do not automatically follow referrals. The default is to follow referrals with the name and password given with the -d and -w options.

-e value

Specifies which debugging flags should be enabled in the LDAP client SDK. For more information, see Using LDAP SDK Debugging Flags.

-b base_DN

Specifies the base distinguished name for the search request. If this option is omitted, the base DN defaults to "" (empty string).

-c search_scope

Specifies the scope of the search request. Valid values are:

  • One

    Searches only the immediate children of the base object.

  • Base

    Searches only the base object entry itself.

  • Sub

    Searches the LDAP subtree rooted at and including the base object.

If this option is omitted, the search scope defaults to Sub.

-r deref_aliases

Specifies the way aliases should be dereferenced during the search operation. Values include:

  • Never

    Prevents the server from dereferencing aliases.

  • Always

    Causes aliases to be dereferenced when locating the base object of the search and when evaluating entries that match the search filter.

  • Search

    Causes aliases to be dereferenced when applying the filter to entries within the scope of the search after the base object has been located, but not when locating the base object itself.

  • Find

    Causes aliases to be dereferenced when locating the base object of the search, but not when actually evaluating entries that match the search filter.

If this option is omitted, the alias dereferencing behavior defaults to Never.

-l time_limit

Specifies a time limit for the search in seconds.

-z size _limit

Specifies the maximum number of entries to be returned by the search.

-V version

Specifies the LDAP protocol version to be used for the connection. It must be 2 or 3. If this option is omitted, the default is 3.

-v

Enables verbose mode of the handler.

-L filename

Specifies a file in DER format containing a server key used for SSL authentication.

-A

Retrieves attribute names only. Attribute values are not returned by the search operation.

LDAP Destination Handler Options

The LDAP destination handler receives data from the Novell Import Conversion Export engine and sends it to an LDAP server in the form of update operations to be performed by the server.


Table 42. LDAP Destination Handler Options

Option Description

-s server_name

Specifies the DNS name or IP address of the LDAP server to which the handler will send a search request. The default is the local host.

-p port

Specifies the integer port number of the LDAP server specified by server_name. The default is 389. For secure operations the default port is 636.

-d DN

Specifies the distinguished name of the entry that should be used when binding to the server-specified bind operation.

-w password

Specifies the password attribute of the entry specified by DN.

-W

Prompts for the password of the entry specified by DN.

This option is applicable only for Linux and Solaris.

-B

Use this option if you do not want to use asynchronous LDAP Bulk Update/Replication Protocol (LBURP) requests for transferring update operations to the server. Instead, use standard synchronous LDAP update operation requests. For more information, see LDAP Bulk Update/Replication Protocol.

-F

Allows the creation of forward references. When an entry is going to be created before its parent exists, a placeholder called a forward reference is created for the entry's parent to allow the entry to be successfully created. If a later operation creates the parent, the forward reference is changed into a normal entry.

-l

Stores password values using the simple password method of the Novell Modular Authentication Service (NMAS). Passwords are kept in a secure location in the directory, but key pairs are not generated until they are actually needed for authentication between servers. This improves the speed with which an object that has password information can be loaded.

-e value

Specifies which debugging flags should be enabled in the LDAP client SDK. For more information, see Using LDAP SDK Debugging Flags.

-V version

Specifies the LDAP protocol version to be used for the connection. It must be 2 or 3. If this option is omitted, the default is 3.

-v

Enables verbose mode of the handler

-L filename

Specifies a file in DER format containing a server key used for SSL authentication.

DELIM Source Handler Options

The DELIM source handler reads data from a comma-delimited data file, then sends it to the destination handler.


Table 43. DELIM Source Handler Options

Option Description

-f filename

Specifies a filename containing comma-delimited records read by the DELIM source handler and sent to the destination handler.

-F value

Specifies a filename containing the attribute data order for the file specified by -f. If this option is not specified, you must enter this information directly using -t. See Performing a Comma-Delimited Import for more information.

-t value

Comma-delimited list of attributes specifying the attribute data order for the file specified by -f. Either this option or -F must be specified. See Performing a Comma-Delimited Import for more information.

-c

Prevents the DELIM source handler from stopping on errors. This includes errors on parsing comma-delimited data files and errors sent back from the destination handler. When this option is set and an error occurs, the DELIM source handler reports the error, finds the next record in the comma-delimited data file, and continues.

-n value

Specifies the LDAP naming attribute for the new object. This attribute must be contained in the attribute data you specify using -F or -t.

-l value

Specifies the path to append the RDN to (such as o=myCompany). If you are passing the DN, this value is not necessary.

-o value

Comma-delimited list of object classes (if none are contained in your input file), or additional object classes such as auxiliary classes. The default value is inetorgperson.

-i value

Comma-delimited list of columns to skip. This value is an integer specifying the number of the column to skip. For example, to skip the third and fifth columns, specify 3,5.

-d value

Specifies the delimiter. The default delimiter is a comma ( , ).

-q value

Specifies the secondary delimiter. The default secondary delimiter is single-quotes (' ').

DELIM Destination Handler Options

The DELIM destination handler receives data from the source handler and writes it to a comma-delimited data file.


Table 44. DELIM Destination Handler Options

Option Description

-f filename

Specifies the filename where comma-delimited records can be written.

-v

Enables verbose mode of the handler.

-F value

Specifies a filename containing the attribute data order for the source data. If this option is not specified, you must enter this information directly using -t.

-t value

Comma-delimited list of attributes specifying the attribute data order for the source data. Either this option or -F must be specified.

-l value

Can be either RDN or DN. Specifies whether the driver should place the entire DN or just the RDN in the data. RDN is the default value.

-d value

Specifies the delimiter. The default delimiter is a comma ( , ).

-q value

Specifies the secondary delimiter. The default secondary delimiter is single-quotes (' ').

-n value

Specifies a naming attribute to be appended during import, for example, cn.

Examples

Listed below are sample commands that can be used with the Novell Import Conversion Export command line utility for the following functions: 


Performing an LDIF Import

To perform an LDIF import, combine the LDIF source and LDAP destination handlers, for example:

ice -S LDIF -f entries.ldif -D LDAP -s server1.acme.com -p 389 -d cn=admin,c=us -w secret

This command line reads LDIF data from ENTRIES.LDIF and sends it to the LDAP server server1.acme.com at port 389 using the identity cn=admin,c=us, and the password "secret."


Performing an LDIF Export

To perform an LDIF export, combine the LDAP source and LDIF destination handlers, for example:

ice -S LDAP -s server1.acme.com -p 389 -d cn=admin,c=us -w password -F objectClass=* -c sub -D LDIF -f server1.ldif

This command line performs a subtree search for all objects in the server server1.acme.com at port 389 using the identity cn=admin,c=us, and the password "password," and outputs the data in LDIF format to SERVER1.LDIF.


Performing a Comma-Delimited Import

To perform a comma-delimited import, use a command similar to the following:

ice -SDELIM -f/tmp/in.csv -F/tmp/order.csv -ncn -lo=acme -DLDAP -sserver1.acme.com -p389 -dcnadmin,c=us -wsecret

This command reads comma-delimited values from the C:\TMP\IN.CSV file and reads the attribute order from the C:TMP\ORDER.CSV file. For each attribute entry in IN.CSV, the attribute type is specified in ORDER.CSV. For example, if IN.CSV contains the following:

pat,pat,engineer,john

Then ORDER.CSV would contain the following:

dn,cn,objectclass,title,sn

The information in ORDER.CSV could be input directly using the -t option.

The data is then sent to the LDAP server server1.acme.com at port 389 using the identity cn=admin,c=us, and password "secret."

This example specifies that cn should become the new DN for this object using the -n option, and this object was added to the organization container acme using the -l option.


Performing a Comma-Delimited Export

To perform a comma-delimited export, use a command similar to the following:

ice -SLDAP -sserver1.acme.com -p389 -dcn=admin,c=us -wpassword -lobjectClass=* -csub -DDELIM -f/tmp/server1.csv -Forder.csv

This command line performs a subtree search for all objects in the server server1.acme.com at port 389 using the identity cn=admin,c=us, and password "password" and outputs the data in comma-delimited format to the /TMP/SERVER1.CSV file.


Performing a Data Migration between LDAP Servers

To perform a data migration between LDAP servers, combine the LDAP source and LDAP destination handlers, for example:

ice -S LDAP -s server1.acme.com -p 389 -d cn=admin,c=us -w password -F objectClass=* -c sub -D LDAP -s server2.acme.com -p 389 -d cn=admin,c=us -w secret

This particular command line performs a subtree search for all objects in the server server1.acme.com at port 389 using the identity cn=admin,c=us with the password "password," and sends it to the LDAP server server2.acme.com at port 389 using the identity cn=admin,c=us and the password "secret."


Conversion Rules

The Novell Import Conversion Export engine lets you specify a set of rules that describe processing actions to be taken on each record received from the source handler and before the record is sent on to the destination handler. These rules are specified in XML (either in the form of an XML file or XML data stored in the directory) and solve the following problems when importing entries from one LDAP directory to another:

There are three types of conversion rules:


Table 45. Conversion Rules

Rule Description

Placement

Placement rules let you change the placement of an entry. For example, if you are importing a group of users in the l=San Francisco, c=US container but you want them to be in the l=Los Angeles, c=US container when the import is complete, you could use a placement rule to do this. For information on the format of these rules, see Placement Rules.

Creation

Creation rules let you supply missing information that might be needed to allow an entry to be created successfully on import.

For example, assume that you have exported LDIF data from a server whose schema requires only the cn (commonName) attribute for user entries, but the server to which you are importing the LDIF data requires both the cn and sn (surname) attributes. You could use the creation rule to supply a default sn value, (such as "") for each entry as it is processed by the engine. When the entry is sent to the destination server, it will have the required sn attribute and the entry can be added successfully. For information on the format of these rules, see Create Rules.

Schema Mapping

When you are transferring data between servers, either directly or using LDIF, there are almost always schema differences in the servers. In some cases, you might need to extend the schema on the destination server to accommodate the object classes and attribute types in entries coming from the source server.

You might also need to map a schema element on the source server to a different but equivalent schema element on the destination server. You can use schema mapping rules to do this. For information on the format of these rules, see Schema Mapping Rules.

You can enable conversion rules in both the Novell eDirectory Import/Export Wizard and the command line interface. For more information on XML rules, see Using XML Rules.


Using the Novell eDirectory Import/Export Wizard

  1. In ConsoleOne, select Wizard > NDS Import/Export.

    2.

  2. Click the task you want to perform.

    3.

  3. Click Advanced > complete the following options:

    Option Description

    Schema Rules

    Specifies the location of an XML schema mapping rule to be used by the engine.

    Placement Rules

    Specifies the location of an XML placement rule to be used by the engine.

    Creation Rules

    Specifies the location of an XML creation rule to be used by the engine.

  4. Click Close.

    5.

  5. Follow the online instructions to finish your selected task.

    6.

Using the Command Line Interface

You can enable conversion rules with the -p, -c, and -s general options on the Novell Import Conversion Export executable. For more information, see General Options.


Table 46. Conversion Rules Options

Option Description

-p URL

URL specifies the location of an XML placement rule to be used by the engine.

-c URL

URL specifies the location of an XML creation rule to be used by the engine.

-s URL

URL specifies the location of an XML schema mapping rule to be used by the engine.

For all three options, URL must be one of the following:


Using XML Rules

The Novell Import Conversion Export conversion rules use the same XML format as DirXMLTM. For more information on DirXML, see DirXML Administration Guide.


Schema Mapping Rules

The <attr-name-map> element is the top level element for the schema mapping rules. Mapping rules determine how the import schema interacts with the export schema. They associate specified import class definitions and attributes with corresponding definitions in the export schema.

Mapping rules can be set up for attribute names or class names.

The following is the formal DTD definition of schema mapping rules.

<!ELEMENT attr-name-map (attr-name | class-name)*>

<!ELEMENT attr-name (nds-name, app-name)>
<!ATTLIST attr-name 
          class-name    CDATA    #IMPLIED>

<!ELEMENT class-name (nds-name, app-name)>

<!ELEMENT nds-name (#PCDATA)>

<!ELEMENT app-name (#PCDATA)>

You can have multiple mapping elements in the file. Each element is processed in the order that it appears in the file. If you map the same class or attribute more than once, the first mapping takes precedence.

The following samples illustrate how to create a schema mapping rule.

Schema Rule 1: The following rule maps the source's surname attribute to the destination's sn attribute for the inetOrgPerson class.

<attr-name-map>
   <attr-name class-name="inetOrgPperson">
      <nds-name>surname</nds-name>
      <app-name>sn</app-name>
   </attr-name>
</attr-name-map>

Schema Rule 2: The following rule maps the source's inetOrgPerson class definition to the destination's User class definition.

<attr-name-map>
   <class-name>
      <nds-name>inetOrgPerson</nds-name>
      <app-name>User</app-name>
   </class-name>
</attr-name-map>

Schema Rule 3: The following example contains two rules. The first rule maps the source's Surname attribute to the destination's sn attribute for all classes that use these attributes. The second rule maps the source's inetOrgPerson class definition to the destination's User class definition.

<attr-name-map>
   <attr-name>
      <nds-name>surname</nds-name>
      <app-name>sn</app-name>
   </attr-name>
   <class-name>
      <nds-name>inetOrgPerson</nds-name>
      <app-name>User</app-name>
   </class-name>
</attr-name-map>

Sample Command: If the schema rules are saved to an SR1.XML file, the following command instructs the utility to use the rules while processing the 1ENTRY.LDF file and to send the results to a destination file, OUTT1.LDF.

ice -o -sfile://sr1.xml -SLDIF -f1entry.ldf -c -DLDIF 
-foutt1.ldf


Create Rules

Create rules specify the conditions for creating a new entry in the destination directory. They support the following elements:

The following is the formal DTD definition for create rules:

<!ELEMENT create-rules (create-rule)*>

<!ELEMENT create-rule (match-attr*, 
                       required-attr*, 
                       template?) >
<!ATTLIST create-rule 
          class-name    CDATA   #IMPLIED
          description   CDATA   #IMPLIED>

<!ELEMENT match-attr    (value)+ >
<!ATTLIST match-attr
          attr-name      CDATA    #REQUIRED>

<!ELEMENT required-attr (value)*>
<!ATTLIST required-attr 
          attr-name     CDATA   #REQUIRED>

<!ELEMENT template EMPTY>
<!ATTLIST template
          template-dn   CDATA   #REQUIRED>

You can have multiple create rule elements in the file. Each rule is processed in the order that it appears in the file. If a record does not match any of the rules, that record is skipped and the skipping does not generate an error.

The following examples illustrate how to format create rules.

Create Rule 1: The following rule places three conditions on add records that belong to the inetOrgPerson class. These records must have givenName and Surname attributes. They should have an L attribute, but if they don't, the create rule supplies a default value of Provo for them.

<create-rules>
   <create-rule class-name="inetOrgPerson">
      <required-attr attr-name="givenName"/>
      <required-attr attr-name="surname"/>
      <required-attr attr-name="L">
         <value>Provo</value>
      </required-attr>
   </create-rule>
</create-rules>

Create Rule 2: The following create rule places three conditions on all add records, regardless of their base class:

<create-rules>
   <create-rule>
      <required-attr attr-name="givenName"/>
      <required-attr attr-name="Surname"/>
      <required-attr attr-name="L">
         <value>Provo</value>
      </required-attr>
   </create-rule>
</create-rules>

Create Rule 3: The following create rule places two conditions on all records, regardless of base class:

<create-rules>
   <create-rule>
      <match-attr attr-name="uid">
         <value>cn=ratuid</value>
      </match-attr>
      <required-attr attr-name="L">
         <value>Provo</value>
      </required-attr>
   </create-rule>
</create-rules>

Sample Command: If the create rules are saved to an CRL.XML file, the following command instructs the utility to use the rules while processing the 1ENTRY.LDF file and to send the results to a destination file, OUTT1.LDF.

ice -o -cfile://cr1.xml -SLDIF -f1entry.ldf -c -DLDIF 
-foutt1.ldf


Placement Rules

Placement rules determine where an entry is created in the destination directory. They support the following conditions for determining whether the rule should be used to place an entry:

The last element in the rule specifies where to place the entry. The placement rule can use zero or more of the following:

The following is the formal DTD definition for the placement rule.

<!ELEMENT placement-rules (placement-rule*)>
<!ATTLIST placement-rules
          src-dn-format    (%dn-format;)   "slash"
          dest-dn-format   (%dn-format;)   "slash"
          src-dn-delims    CDATA           #IMPLIED
          dest-dn-delims   CDATA           #IMPLIED>

<!ELEMENT placement-rule (match-class*,
                          match-path*,
                          match-attr*,
                          placement)>
<!ATTLIST placement-rule
          description      CDATA            #IMPLIED>

<!ELEMENT match-class      EMPTY>
<!ATTLIST match-class
          class-name       CDATA            #REQUIRED>

<!ELEMENT match-path       EMPTY>
<!ATTLIST match-path
          prefix           CDATA            #REQUIRED>

<!ELEMENT match-attr       (value)+ >
<!ATTLIST match-attr
          attr-name        CDATA            #REQUIRED>

<!ELEMENT placement        (#PCDATA | 
                           copy-name | 
                           copy-attr | 
                           copy-path | 
                           copy-path-suffix)* >

You can have multiple placement-rule elements in the file. Each rule is processed in the order that it appears in the file. If a record does not match any of the rules, that record is skipped, and the skipping does not generate an error.

The following examples illustrate how to format placement rules. The scr-dn-format="ldap" and dest-dn-format="ldap" attributes set the rule so that the name space for the dn in the source and destination is LDAP format.

The Novell Import Conversion Export utility only supports source and destination names in LDAP format.

Placement Example 1: The following placement rule requires that the record have a base class of inetOrgPerson. If the record matches this condition, the entry is placed immediately subordinate to the test container and the left-most component of its source dn is used as part of its dn.

<placement-rules src-dn-format="ldap" dest-dn-format="ldap">
    <placement-rule> 
       <match-class class-name="inetOrgPerson"></match-class>
       <placement>o=test<copy-name/></placement> 
    </placement-rule> 
 </placement-rules>

With this rule, a record with a base class of inetOrgPerson and with the following dn:

dn: cn=Kim Jones, ou=English, ou=Humanities, o=UofZ

would have the following dn in the destination directory:

dn: cn=Kim Jones, o=test

Placement Example 2: The following placement rule requires that the record have an sn attribute. If the record matches this condition, the entry is placed immediately subordinate to the test container and the left-most component of its source dn is used as part of its dn.

<placement-rules src-dn-format="ldap" dest-dn-format="ldap">
    <placement-rule> 
       <match-attr attr-name="sn"></match-attr> 
       <placement>o=test<copy-name/></placement> 
    </placement-rule> 
 </placement-rules>

With this rule, a record with the following dn and sn attribute:

dn: cn=Kim Jones, ou=English, ou=Humanities, o=UofZ
sn: Jones

would have the following dn in the destination directory:

dn: cn=Kim Jones, o=test

Placement Example 3: The following placement rule requires the record to have an sn attribute. If the record matches this condition, the entry is placed immediately subordinate to the test container and its sn attribute is used as part of its dn. The specified attribute in the copy-attr element must be a naming attribute of the entry's base class.

<placement-rules src-dn-format="ldap" dest-dn-format="ldap">
  <placement-rule> 
    <match-attr attr-name="sn"></match-attr> 
    <placement>o=test<copy-attr attr-name="sn"/></placement>
  </placement-rule> 
</placement-rules>

With this rule, a record with the following dn and sn attribute:

dn: cn=Kim Jones, ou=English, ou=Humanities, o=UofZ
sn: Jones

would have the following dn in the destination directory:

dn: cn=Jones, o=test

Placement Sample 4: The following placement rule requires the record to have an sn attribute. If the record matches this condition, the source dn is used as the destination dn.

<placement-rules src-dn-format="ldap" dest-dn-format="ldap">
    <placement-rule> 
       <match-attr attr-name="sn"></match-attr> 
       <placement><copy-path/></placement> 
    </placement-rule> 
 </placement-rules>

Placement Sample 5: The following placement rule requires the record to have an sn attribute. If the record matches this condition, the entry's entire DN is copied to the test container.

<placement-rules src-dn-format="ldap" dest-dn-format="ldap">
    <placement-rule> 
       <match-attr attr-name="sn"></match-attr> 
       <placement>o=test<copy-path-suffix/></placement> 
    </placement-rule> 
 </placement-rules>

With this rule, a record with the following dn and sn attribute:

dn: cn=Kim Jones, ou=English, ou=Humanities, o=UofZ
sn: Jones

would have the following dn in the destination directory:

dn: cn=Kim Jones, ou=English, ou=Humanities, o=UofZ, o=test

Sample Command: If the placement rules are saved to an PR1.XML file, the following command instructs the utility to use the rules while processing the 1ENTRY.LDF file and to send the results to a destination file, FOUTT1.LDF

ice -o -pfile://pr1.xml -SLDIF -f1entry.ldf -c -DLDIF 
-foutt1.ldf


LDAP Bulk Update/Replication Protocol

The Novell Import Conversion Export utility uses the LDAP Bulk Update/Replication Protocol (LBURP) to send asynchronous requests to an LDAP server. This guarantees that the requests are processed in the order specified by the protocol and not in an arbitrary order influenced by multiprocessor interactions or the operating system's scheduler.

LBURP also lets the Novell Import Conversion Export utility send several update operations in a single request and receive the response for all of those update operations in a single response. This adds to the network efficiency of the protocol.

LBURP works as follows:

  1. The Novell Import Conversion Export utility binds to an LDAP server.
    2.
  2. The server sends a bind response to the client.
    3.
  3. The client sends a start LBURP extended request to the server.
    4.
  4. The server sends a start LBURP extended response to the client.
    5.
  5. The client sends zero or more LBURP operation extended requests to the server.

    These requests can be sent asynchronously. Each request contains a sequence number identifying the order of this request relative to other requests sent by the client over the same connection. Each request also contains one or more LDAP update operations.

    6.
  6. The server processes each of the LBURP operation extended requests in the order specified by the sequence number and sends an LBURP operation extended response for each request.
    7.
  7. After all of the updates have been sent to the server, the client sends an end LBURP extended request to the server.
    8.
  8. The server sends an end LBURP extended response to the client.
    9.

The LBURP protocol lets Novell Import Conversion Export present data to the server as fast as the network connection between the two will allow. If the network connection is fast enough, this lets the server stay busy processing update operations 100% of the time because it never has to wait for Novell Import Conversion Export to give it more work to do.

The LBURP processor in eDirectory also commits update operations to the database in groups to gain further efficiency in processing the update operations. LBURP can greatly improve the efficiency of your LDIF imports over a traditional synchronous approach.

LBURP is enabled by default, but you can choose to disable it during an LDIF import.

To enable or disable LBURP during an LDIF import:

  1. In ConsoleOne, select Wizard > NDS Import/Export.

    2.

  2. Click Import LDIF File > Next.

    3.

  3. Enter the name of the LDIF file containing the data you want to import > click Next.

    4.

  4. Select the LDAP server where the data will be imported.

    5.

  5. Click Advanced > click Use LBURP.

    6.

  6. Follow the online instructions to complete the remainder of the LDIF import wizard.

    IMPORTANT:  Since LBURP is a relatively new protocol, eDirectory servers prior to version 8.5 (and most non-eDirectory servers) do not support it. If you are using the Novell eDirectory Import/Export Wizard to import an LDIF file to one of these servers, you must disable the LBURP option for the LDIF import to work.

    7.

You can use the command line option to enable or disable LBURP during an LDIF import. To do so, use the option -B.


Migrating Schema Between LDAP Directories

You can refer to Application Notes on the Novell Developer Portal for more information about migrating schema between LDAP directories.


Improving the Speed of LDIF Imports

In cases where you have thousands or even millions of records in a single LDIF file you are importing, consider the following:


Importing Directly to a Server with a Read/Write Replica

If it's possible to do so, select a destination server for your LDIF import that has read/write replicas containing all the entries represented in the LDIF file. This will maximize network efficiency.

Avoid having the destination server chain to other eDirectory servers for updates. This can severely reduce performance. However, if some of the entries to be updated are only on eDirectory servers that are not running LDAP, you might have to allow chaining to import the LDIF file.

For more information on replicas and partition management, see Managing Partitions and Replicas.


Using LBURP

Novell Import Conversion Export maximizes network and eDirectory server processing efficiency by using LBURP to transfer data between the wizard and the server. Using LBURP during an LDIF import greatly improves the speed of your LDIF import.

For more information on LBURP, see LDAP Bulk Update/Replication Protocol.


Configuring the Database Cache

The amount of database cache available for use by eDirectory has a direct bearing on the speed of LDIF imports, especially as the total number of entries on the server increases. When doing an LDIF import, you might want to allocate the maximum memory possible to eDirectory during the import. After the import is complete and the server is handling an average load, you can restore your previous memory settings. This is particularly important if the import is the only activity taking place on the eDirectory server.

See Maintaining Novell eDirectory for more information on configuring the eDirectory database cache.


Using Simple Passwords

eDirectory uses public and private key pairs for authentication. Generating these keys is a very CPU-intensive process. With eDirectory 8.6, you can choose to store passwords using the simple password feature of the Novell Modular Authentication ServiceTM (NMASTM). When you do this, passwords are kept in a secure location in the directory, but key pairs are not generated until they are actually needed for authentication between servers. This greatly improves the speed with which an object that has password information can be loaded.

To enable simple passwords during an LDIF import:

  1. In ConsoleOne, click Wizard > NDS Import/Export.

    2.

  2. Click Import LDIF File > Next.

    3.

  3. Enter the name of the LDIF file containing the data you want to import > click Next.

    4.

  4. Select the LDAP server where the data will be imported.

    5.

  5. Click Advanced > click Store NMAS Simple Passwords/Hashed Passwords.

    6.

  6. Follow the online instructions to complete the remainder of the Wizard.

If you choose to store passwords using simple passwords, you must use an NMAS-aware Novell ClientTM to log in to the eDirectory tree and access traditional file and print services. NMAS must also be installed on the server. LDAP applications binding with name and password will work seamlessly with the simple password feature.

For more information on NMAS, see Novell Modular Authentication Services Installation and Administration Guide.


Using Indexes Appropriately

Having unnecessary indexes can slow down your LDIF import because each defined index requires additional processing for each entry having attribute values stored in that index. You should make sure that you don't have unnecessary indexes before you do an LDIF import, and you might want to consider creating some of your indexes after you have finished loading the data reviewed predicate statistics to see where they are really needed.

See Index Manager for more information on tuning indexes.



Previous | Next