Setting the UniqueID on eDirectory Users


LDAP applications usually require an attribute called UniqueID. Actually, LDAP calls this the "uid," which NDS in some versions by default maps to NDS's Unix schema extensions as the Unix uid. (This may be fixed in brand new installs of eDir 8.7.x ...) So you may need to break that first in the LDAP Group object, because Unix's uid usually means eDirectory's uidnumber, which is a numerical field, not a text string.



UniqueID is what it says: unique in the tree as an ID. This is different from CN, because CNs can repeat within a tree (in different containers, admittedly). So UniqueID must be unique in a search result. Thus by definition, a search that returns two or more UniqueIDs is a bad result. (We could map the LDAP attribute uid to NDS's CN, but that could return more than one value, because the search is usually from near the top of the tree and down.)



So to get iPrint working, as an example of a LDAP app, we set UniqueID only on users who should have it, and no other accounts. Thus we prevent duplicates.



TID 10088627
(http://support.novell.com/cgi-bin/search/searchtid.cgi?/10088627.htm) tells you how to set the UniqueID using ICE and LDIF files, which will work splendidly.



I like to use JRB tools to do it, mostly as a different approach and because of the power of the tool set. This uses the SETNAME.EXE and GETNAME.EXE tools, which read and write arbitrary attributes (/a="attrib Name"), and GRPLIST.EXE, which lists the members of a group.



One nice feature is that you can easily tell a tool to only apply changes or report values for the members of a group, which would usually take two steps elsewhere. Or you can specify all users, or a subset, or an input file.



Here's what you need to do:



1a. Get the list of members of the group: grplist .Sample-Group.acme.com /n lists the members of the Sample-Group group, CN only (/n).



Or,



1b. Get the members of the group that do not yet have the attribute set: getname .Sample-Group.acme.com /i /f="UniqueID" /n=a /a="CN". This gets the attribute UniqueID (/f=) for the group Sample-Group. (The "/i" tells JRB it is a group and to look at its members.) It shows only those without a value for the attribute (/n=a), and shows the DN, then the CN (/a="CN").



2. Save the output file from JRB as a .csv and load it into Excel, since we need to do column operations. Excel or OpenOffice Calc is nice for column operations.



3. In Excel, make each line say:


setname /a="UniqueID" User-DN User-CN



4. Use the column import to make all the DNs from the file and CNs from the file into columns.



5. Move the columns around as needed.



6. Insert the command string above to make a .BAT file.



7. Run the batch file.



Writing a PERL script to do the same is pretty trivial. You could also generate an input file that SETNAME can accept.
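Here is such a script for steps 2 through 6, as an added example (not code from the article or from the JRB tool set). It reads the getname .csv export, refuses to emit a setname line for any CN that appears in more than one container (that would create duplicate UniqueIDs, exactly the bad search result described above), and prints the rest as the lines of a .BAT file. The two-column DN,CN layout of the export and the sample rows are assumptions; adjust the column indexes to match your own file.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample of a getname .csv export: one user per line, DN then CN.
# The two-column layout is an assumption about the export format.
SAMPLE_CSV = """\
.jsmith.sales.acme.com,jsmith
.mjones.sales.acme.com,mjones
.jsmith.eng.acme.com,jsmith
.akhan.eng.acme.com,akhan
"""

def parse_members(csv_text, dn_col=0, cn_col=1):
    """Return a list of (dn, cn) pairs from the CSV export, skipping blank rows."""
    rows = []
    for row in csv.reader(StringIO(csv_text)):
        if len(row) <= max(dn_col, cn_col) or not row[dn_col].strip():
            continue
        rows.append((row[dn_col].strip(), row[cn_col].strip()))
    return rows

def find_duplicate_cns(members):
    """Map each CN that occurs in more than one container to the DNs sharing it.
    eDirectory names are case-insensitive, so compare CNs in lower case."""
    by_cn = defaultdict(list)
    for dn, cn in members:
        by_cn[cn.lower()].append(dn)
    return {cn: dns for cn, dns in by_cn.items() if len(dns) > 1}

def build_batch(members, skip=frozenset()):
    """Emit one 'setname /a="UniqueID" DN CN' line per user, omitting CNs in skip."""
    lines = []
    for dn, cn in members:
        if cn.lower() in skip:
            continue
        lines.append(f'setname /a="UniqueID" {dn} {cn}')
    return lines

if __name__ == "__main__":
    members = parse_members(SAMPLE_CSV)
    dupes = find_duplicate_cns(members)
    # Colliding CNs are reported as batch-file comments so they can be resolved by hand.
    for cn, dns in dupes.items():
        print(f"REM skipped {cn}: same CN in {len(dns)} containers: {', '.join(dns)}")
    for line in build_batch(members, skip=set(dupes)):
        print(line)
```

Redirect the output to a .BAT file and run it as in step 7; the REM lines list the users that still need a hand-picked UniqueID.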



Basically, this may feel like a daunting task at first, but it's really quite easy to accomplish.



Lots of LDAP-based apps make the assumption that UniqueID is present, so it becomes more relevant the more you rely upon LDAP authentication.
