Migration from SUN / Oracle to OpenLDAP

Known problems

The SUN / Oracle LDAP directory does not strictly respect the LDAP RFCs; as a consequence:
  • Some data from SUN / Oracle may not be importable into OpenLDAP
  • Some LDAP clients (applications) working with SUN / Oracle may not work with OpenLDAP
For example:
  • Sun DS allows substring searches on attributes with DN syntax, OpenLDAP does not (see RFC 4517)
  • Sun DS allows 1, true or TRUE for the Boolean syntax, OpenLDAP only accepts TRUE (see RFC 4517, sect. 3.3)
  • Sun DS allows groups without members, OpenLDAP does not (see RFC 4519, sect. 3.5)
  • The numSubordinates operational attribute (count of immediate subordinates) is not directly available in OpenLDAP (a search control is needed)
  • Sun DS ACIs are not compatible with OpenLDAP
  • OpenLDAP does not allow direct cn=subschema administration
  • The country attribute (c) is strictly checked in OpenLDAP but not in Sun DS (Sun DS can hold "France" as value; it must be "FR" in OpenLDAP)

See also http://www.openldap.org/faq/data/cache/649.html
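Three of the data-level problems above (Boolean values other than TRUE, groups without members, free-form country values) can be found in the Sun DS LDIF export before the import is attempted. The checker below is an added example, not a script from this page or from OpenLDAP; the attribute name accountEnabled, the function names and the sample export are constructed, and you must put the Boolean attributes of your own schema in BOOLEAN_ATTRS.

```python
import base64
import re

# Constructed: Boolean-syntax (1.3.6.1.4.1.1466.115.121.1.7) attributes of the
# exported schema; take the real names from your own schema.ldif.
BOOLEAN_ATTRS = {"accountenabled"}
# Member attribute OpenLDAP requires for each group class (RFC 4519, 3.5 and 3.6)
GROUP_MEMBER = {"groupofnames": "member", "groupofuniquenames": "uniquemember"}

def parse_ldif(text):
    """Yield (dn, {attr: [values]}) per entry; unfolds lines, decodes '::' base64."""
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in re.sub(r"\n ", "", block).splitlines():
            name, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            if value.startswith(":"):
                value = base64.b64decode(value[1:]).decode("utf-8")
            attrs.setdefault(name.lower(), []).append(value.strip())
        if "dn" in attrs:
            yield attrs.pop("dn")[0], attrs

def check_ldif(text):
    """Return (dn, problem) pairs that OpenLDAP would reject on import."""
    problems = []
    for dn, attrs in parse_ldif(text):
        for attr in BOOLEAN_ATTRS.intersection(attrs):
            for v in attrs[attr]:
                if v not in ("TRUE", "FALSE"):
                    problems.append((dn, f"{attr}={v} is not TRUE or FALSE"))
        for oc in attrs.get("objectclass", []):
            member = GROUP_MEMBER.get(oc.lower())
            if member and not attrs.get(member):
                problems.append((dn, f"{oc} has no {member}"))
        for v in attrs.get("c", []):
            if not re.fullmatch(r"[A-Za-z]{2}", v):
                problems.append((dn, f"c={v} is not a two-letter country code"))
    return problems

# Constructed sample export: one user with two bad values, one empty group
SAMPLE_LDIF = """dn: uid=jdoe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: John Doe
c: France
accountEnabled: 1

dn: cn=empty,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: empty
"""
```

Run check_ldif() on the full export and fix the reported entries (or convert them in the LDIF) before loading them into OpenLDAP.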

How to analyze the SUN / Oracle directory

Access logs

SUN / Oracle access logs are very similar to OpenLDAP access logs (indeed, they share the same original source code). We can analyse the logs with scripts written by Sun engineers, available here: http://wikis.sun.com/display/SunJavaSystem/Directory+Server+Tools+and+One-Liners

We assume all your access logs are in the logs/ directory and that the scripts are run from its parent directory.

Search filters

Use this command line to list the search filters in use:

grep filter logs/* | sed -e "s/^.*filter=//g" -e "s/attrs=.*$//g" |grep -v objectClass=F5 | sed -e "s/=[^)]\(\+\))/\1/g" -e "s/[(&|)\"]\+/#/g" |awk -F"#" '{gsub(/^[#]+|[#]+$/,""); for (i=1; i<=NF; i++) print $i}' | grep '*' | sed -e "s/=\(*\?\)[a-zA-Z0-9]\+/=\1pattern/g" |sort |uniq -c |sort -n

Output example:

     28 uid=*pattern*
     46 cn=*
     47 cn=*pattern*
1000586 objectClass=*

IP using LDAPv2 protocol

LDAPv2 is the old protocol version; you can detect which clients are still using it:

grep "version=2" -B1 logs/* | grep from | cut -d ' ' -f12 | sort | uniq -c

Output example:

      2 10.10.121.35
   5147 10.10.134.28

SORT control (with VLV)

Find which attributes are used with SORT extended controls:

grep "SORT " logs/* | cut -d' ' -f9 | sort | uniq -c

Output example:

     19 cn
      5 ou

These attributes need an ORDERING matching rule in OpenLDAP for the SORT control to work.
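The ORDERING rule is often inherited: in the standard schema cn and ou declare none themselves but take their matching rules from name (SUP name), which has no ORDERING rule either. The checker below walks the SUP chain of each attribute seen in the SORT controls and reports which ones lack an ORDERING rule; it is an added example, not a tool from this page, and the sample schema extract (with the made-up attribute sunSortKey and its OID) is constructed.

```python
import re

# Constructed extract of a schema.ldif: cn and ou inherit from name, which has
# no ORDERING rule; sunSortKey is a made-up custom attribute that declares one.
SAMPLE_SCHEMA = """dn: cn=schema
attributeTypes: ( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name )
attributeTypes: ( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) SUP name )
attributeTypes: ( 1.3.6.1.4.1.99999.1 NAME 'sunSortKey' EQUALITY caseIgnoreMatch
  ORDERING caseIgnoreOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
"""

def load_attribute_types(schema_ldif):
    """Map every attribute name and alias (lowercase) to (SUP, ORDERING)."""
    text = re.sub(r"\n ", "", schema_ldif)  # unfold LDIF continuation lines
    types = {}
    for definition in re.findall(r"^attributeTypes:\s*\((.*)\)\s*$", text, re.M):
        names = re.search(r"NAME\s+(?:'[^']+'|\([^)]+\))", definition)
        sup = re.search(r"\bSUP\s+(\S+)", definition)
        ordering = re.search(r"\bORDERING\s+(\S+)", definition)
        for alias in re.findall(r"'([^']+)'", names.group(0)):
            types[alias.lower()] = (sup.group(1).lower() if sup else None,
                                    ordering.group(1) if ordering else None)
    return types

def ordering_rule(types, attr):
    """Return the ORDERING rule of attr, following the SUP chain; None if absent."""
    seen = set()
    while attr and attr not in seen:
        seen.add(attr)
        sup, ordering = types.get(attr, (None, None))
        if ordering:
            return ordering
        attr = sup
    return None

def check_sort_attributes(schema_ldif, sort_attrs):
    """Return {attr: rule or None} for the attributes seen in the SORT controls."""
    types = load_attribute_types(schema_ldif)
    return {a: ordering_rule(types, a.lower()) for a in sort_attrs}
```

Feed it the attribute names from the uniq -c output above (here cn and ou); every attribute that comes back as None needs an ORDERING rule added to its OpenLDAP schema definition before the SORT control can be served.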

Operations per second

Get http://wikis.sun.com/download/attachments/7078437/opsPerSecond.pl and run it:

./opsPerSecond.pl logs/*

Output example:

FILE LINES SECONDS TOTAL SRCH DEL MOD ADD MODRDN BIND UNBIND EXT CONNECTIONS
logs/access.20110820 27224 86388 11531 0.1 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
logs/access.20110821 275971 86421 132013 1.1 0.0 0.0 0.0 0.0 0.4 0.1 0.0 0.1
logs/access.20110822 617686 86399 298963 2.4 0.0 0.0 0.0 0.0 0.9 0.1 0.0 0.1
logs/access.20110823 603346 86399 291551 2.3 0.0 0.0 0.0 0.0 0.9 0.1 0.0 0.1
logs/access.20110824 572456 86421 276875 2.2 0.0 0.0 0.0 0.0 0.8 0.1 0.0 0.1
logs/access.20110825 553771 86406 267267 2.1 0.0 0.0 0.0 0.0 0.8 0.1 0.0 0.1
logs/access.20110826 307838 86391 145864 1.1 0.0 0.0 0.0 0.0 0.5 0.1 0.0 0.1
logs/access.20110827 29728 86368 12307 0.1 0.0 0.0 0.0 0.0 0.0 0.0 0.0 0.0
logs/access.20110828 299018 86407 143543 1.2 0.0 0.0 0.0 0.0 0.4 0.1 0.0 0.1

Operations analysis

Get http://wikis.sun.com/download/attachments/7078437/logconv.pl and run it:

./logconv.pl logs/*

Output example:

----------- Access Log Output ------------

Start of Log:  20/Aug/2011:08:57:52
End of Log:    29/Aug/2011:17:47:11

Restarts:                     0

Opened Connections:           41
Closed Connections:           0
Total Operations:             1640
Total Results:                1639
Overall Performance:          99.9%
Most Pending Operations:      1

Searches:                     1545
Modifications:                0
Adds:                         3
Deletes:                      51
Mod RDNs:                     0
Compares:                     0

5.x Stats 
Persistent Searches:          0
Internal Operations:          0
Entry Operations:             0
Extended Operations:          0
Abandoned Requests:           0
Smart Referrals Received:     0

VLV Operations:               319
VLV Unindexed Searches:       319
SORT Operations:              320
SSL Connections:              0

Entire Search Base Queries:   320
Unindexed Searches:           0

FDs Taken:                    41
FDs Returned:                 0
Highest FD Taken:             30

Broken Pipes:                 0
Connections Reset By Peer:    0
Resource Unavailable:         0

Binds:                        41
Unbinds:                      36

 LDAP v2 Binds:               0
 LDAP v3 Binds:               41
 Expired Password Logins:     0
 SSL Client Binds:            0
 Failed SSL Client Binds:     0
 SASL Binds:                  0

 Directory Manager Binds:     0
 Anonymous Binds:             0
 Other Binds:                 41

Schemas

List attributes syntax

Use this to find out which syntaxes are used in your schema:

grep -Eo 'SYNTAX ([0-9]|\.)+' schema.ldif | sort | uniq -c

Output example:

      2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.12
      7 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
      2 SYNTAX 1.3.6.1.4.1.1466.115.121.1.26

The most used syntaxes are:
  • 1.3.6.1.4.1.1466.115.121.1.12: DN - OpenLDAP is very strict and allows only well-formed DNs
  • 1.3.6.1.4.1.1466.115.121.1.15: Directory String - anything you want, but UTF-8 only
  • 1.3.6.1.4.1.1466.115.121.1.26: IA5 String - some characters are not allowed