LDAP import/export

As with many NDS admins, I've done the obvious thing: set up a test tree and attempted to import my current DS into the test tree by way of LDIF. The short answer is that it doesn't work the way you'd hope it would. The slightly longer answer is that it'll work if you spend enough time at it.

An example of how to add a group membership:

dn: cn=LAB,ou=groups,o=corp
changetype: modify
add: member
member: cn=User-xyz,o=corp

dn: cn=User-xyz,o=corp
changetype: modify
add: securityEquals
securityEquals: cn=LAB,ou=groups,o=corp

dn: cn=LAB,ou=groups,o=corp
changetype: modify
add: equivalentToMe
equivalentToMe: cn=User-xyz,o=corp

dn: cn=User-xyz,o=corp
changetype: modify
add: groupMembership
groupMembership: cn=LAB,ou=groups,o=corp

Four steps:
1: Add the user to the group
2: Add the security-equals to the user
3: Add the security-equivalent-to-me to the group
4: Add the Membership to the user

It can be condensed down, and for an example of a full object creation look at this Novell support forum posting. This is the sort of thing that DirXML is supposed to automate for you, once you have rules set up. Fun stuff, if that's your thing.
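Because the four attributes have to agree, it is worth checking an LDIF file before importing it. The following is an added example, not part of the original post: it reports every user/group pair for which the file sets only some of the four attributes, and it also accepts the condensed form, where several changes share one record separated by "-" lines. The parser is simplified (no folded lines or base64 values, DNs compared lowercased), and the function names and the sample are constructed for illustration.

```python
from collections import defaultdict

# Group-side attributes hold user DNs; user-side attributes hold group DNs.
GROUP_SIDE = {"member", "equivalenttome"}
USER_SIDE = {"securityequals", "groupmembership"}

# Constructed sample: the post's records in condensed form, with step 4 left out.
SAMPLE = """\
dn: cn=LAB,ou=groups,o=corp
changetype: modify
add: member
member: cn=User-xyz,o=corp
-
add: equivalentToMe
equivalentToMe: cn=User-xyz,o=corp

dn: cn=User-xyz,o=corp
changetype: modify
add: securityEquals
securityEquals: cn=LAB,ou=groups,o=corp
"""

def parse_adds(ldif_text):
    """Return (dn, attribute, value) for each value added by a modify record."""
    adds, dn, current = [], None, None
    for line in map(str.strip, ldif_text.splitlines()):
        key, _, value = (p.strip().lower() for p in line.partition(":"))
        if not line:
            dn = current = None     # blank line ends the record
        elif line == "-":
            current = None          # "-" ends one change inside a record
        elif key == "dn":
            dn = value
        elif key == "add":
            current = value
        elif key == current and dn:
            adds.append((dn, key, value))
    return adds

def missing_links(ldif_text):
    """Map (user_dn, group_dn) to the attributes of the four the file never adds."""
    seen = defaultdict(set)
    for dn, attr, value in parse_adds(ldif_text):
        if attr in GROUP_SIDE:
            seen[(value, dn)].add(attr)
        elif attr in USER_SIDE:
            seen[(dn, value)].add(attr)
    wanted = GROUP_SIDE | USER_SIDE
    return {p: sorted(wanted - a) for p, a in seen.items() if a != wanted}
```

Calling missing_links(SAMPLE) flags the User-xyz/LAB pair as lacking groupMembership; an empty result means every pair in the file carries all four attributes.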