Feature #165
Adding Existing Unix Users To LDAP Directory From Local Unix Password File
100%
Description
Install the LDAP migration tools¶
apt-get install migrationtools
This will install a collection of scripts in /usr/share/migrationtools
Edit migrationtools configuration file¶
	Edit /etc/migrationtools/migrate_common.ph by changing the lines show below. The DEFAULT_ changes are customisations for your site, while the UID/GID lines ignore system users (that is those users created and modified by debian package scripts), and the nobody user and group (65534:65534). You can find your system settings by looking in /etc/adduser.conf.
- Skeleton
!# Default DNS domain
!$DEFAULT_MAIL_DOMAIN = "your.domain";
!# Default base
$DEFAULT_BASE = ""BaseDN"";
...
!# Uncomment these to exclude Debian-managed system users and groups
$IGNORE_UID_BELOW = 1000;
!# Don't uncomment this if you want to be able to add users to system groups
!# $IGNORE_GID_BELOW = 1000;
!# And here's the opposite for completeness
$IGNORE_UID_ABOVE = 29999;
$IGNORE_GID_ABOVE = 29999;
- Example
!# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "example.com";
!# Default base
$DEFAULT_BASE = "dc=example,dc=com";
...
!# Uncomment these to exclude Debian-managed system users and groups
$IGNORE_UID_BELOW = 1000;
!# Don't uncomment this if you want to be able to add users to system groups
!# $IGNORE_GID_BELOW = 1000;
!# And here's the opposite for completeness
$IGNORE_UID_ABOVE = 29999;
$IGNORE_GID_ABOVE = 29999;
For Samba LDAP Users¶
The default subtrees used for user and group information are not compatible with the smbldap-tools package which is recommended when using LDAP for Samba authentication and mapping. For that reason, if you are using Samba with LDAP you should make the following additional changes to /etc/migrationtools/migrate_common.ph.
$NAMINGCONTEXT{'passwd'} = "ou=Users";
$NAMINGCONTEXT{'group'} = "ou=Groups";
Note: smbldap-tools can be configured to use the migrationtool naming context defaults. Many things default to using the migrationtool naming context, such as pam_ldap and libnss_ldap. IMHO it is easier to change the smbldap-tools config than change everything else to conform to it. Note the "ldapscripts" package is an alternative to smbldap-tools that defaults to the migrationtool naming context.
Optional: Use different subtrees based on function¶
If you are doing more than LDAP Authentication with your LDAP server you may wish to divide the various functions of the LDAP server into different subtrees. This can also be important if you are using different LDAP servers for different functions while still having the tree look like it is coming from a single source (it can be done but is not discussed here).
In my examples, I have 'ou=dns,"BaseDN" for the DNS server, 'ou=auth,"BaseDN"' for users and groups (authentication/authorization), 'ou=mail,"BaseDN"' for email related information, 'ou=syscfg,"BaseDN"' for system configuration information (like /etc/fstab), and 'ou=net,"BaseDN"' for networking configuration info handled by NSS.
The following assumes you also need to make the changes above for smbldap-tools.
 } else {
         $NAMINGCONTEXT{'aliases'}           = "ou=Aliases,ou=mail";
         $NAMINGCONTEXT{'fstab'}             = "ou=Mounts,ou=syscfg";
         $NAMINGCONTEXT{'passwd'}            = "ou=Users,ou=auth";
         $NAMINGCONTEXT{'netgroup_byuser'}   = "nisMapName=netgroup.byuser,ou=auth";
         $NAMINGCONTEXT{'netgroup_byhost'}   = "nisMapName=netgroup.byhost,ou=auth";
         $NAMINGCONTEXT{'group'}             = "ou=Groups,ou=auth";
         $NAMINGCONTEXT{'netgroup'}          = "ou=Netgroup,ou=auth";
         $NAMINGCONTEXT{'hosts'}             = "ou=Hosts,ou=net";
         $NAMINGCONTEXT{'networks'}          = "ou=Networks,ou=net";
         $NAMINGCONTEXT{'protocols'}         = "ou=Protocols,ou=net";
         $NAMINGCONTEXT{'rpc'}               = "ou=Rpc,ou=net";
         $NAMINGCONTEXT{'services'}          = "ou=Services,ou=net";
 }
	You will also need to makes the following changes to the  sub ldif_entry function in the same file /etc/migrationtools/migrate_common.ph:
 sub ldif_entry
 {
 # remove leading, trailing whitespace
         local ($HANDLE, $lhs, $rhs) = @_;
         local ($type, $val) = split(/\=/, $lhs);
         local ($dn);
         local (@newval);
         if ($val =~ /\,/) {
                 @newval = split(/\,/, $val);
                 $val = $newval["0"];
         }
	
Note on EXTENDED_SCHEMA = 0¶
Apparently EXTENDED_SCHEMA is set to '1' in many other documents. This probably will not work without modification under Debian 3.1 'Sarge'. I haven't tried going all the way, however I have looked at the ldif that would be used and appears the following note applies.
Note: Since Debian Lenny there is a kerberos.schema within 'krb5-kdc-ldap' (although the package 'heimdal-kdc' contains hdb.schema, which you may investigate using as an alternative to kerberos.schema. WFM), so one must manually edit passwd.ldif to remove the two lines refering to kerberos for every user. That is, the following two lines:
objectClass: kerberosSecurityObject
krbName: user@YOUR.DOMAIN
Where user@YOUR.DOMAIN is the username with @YOUR.DOMAIN appended.
2007-03-22: note, EXTENDED_SCHEMA = 1 is useful for adding more fields like 'mail' to ldap People records.
For this to work 2 sections of the file migrate_passwd.pl need to be commented-out. 
#
if ($DEFAULT_REALM) {
print $HANDLE "objectClass: krb5Principal\n"; #}
#
if ($DEFAULT_REALM) {With those 2 changes the passwd.ldif file does not need to be edited in order for ldapadd to work.
- print $HANDLE "krb5PrincipalName: $user\@$DEFAULT_REALM\n"; # }
Perform the Migration¶
If you just want LDAPAuthentication you probably want option 3, migrating only the /etc/passwd and /etc/group databases (but first using migrate_base.pl).
- You may need to create higher-level nodes in the tree before you perform the imports.
- For example to import /etc/passwd using the settings above you would need ou=auth,"BaseDN".
- To create a node that only exists so that nodes can exist beneath it (i.e. an wiki:Self ["LDAPFormatInternalVertices" internal vertex]), you could use 'ldapadd -h localhost -x -W -D "cn=admin,{["BaseDN"]}" -c -f node.ldif' for the following node.ldif.
The migrate_base.pl and migrate_all_online.pl scripts will create most of the required internal vertices (specifically the nodes indicated by $NAMINGCONTEXT in /etc/migrationtools/migrate_common.ph. You should only need to create extra nodes if you choose to use separate subtrees for different functions (e.g. if you use ou=Users,ou=auth for /etc/passwd you will likely need to create ou=auth but not ou=Users).
Skeleton:
!# node, "BaseDN"
dn: ou=node,"BaseDN"
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: your.domain
ou: node
Example;
!# auth, example, com
dn: ou=auth,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: domainRelatedObject
associatedDomain: example.com
ou: auth
In all cases (following Options 1..3) you will need to migrate some base settings
- Execute './migrate_base.pl >base.ldif'
- Execute 'ldapadd -h localhost -x -W -D "cn=admin,{["BaseDN"]}" -c -f base.ldif'
- Example commands:./migrate_base.pl >base.ldif ldapadd -h localhost -x -W -D "cn=admin,dc=example,dc=com" -c -f base.ldif 
- Hint: You can migrate in a single step
 You can pipe the output of migrate into ldapadd instead of redirecting to a file and using @ldapadd -f filenam@e. For example:./migrate_base.pl >base.ldif ldapadd -h localhost -x -W -D "cn=admin,dc=example,dc=com" -c -f base.ldif 
 would become./migrate_base.pl | ldapadd -h localhost -x -W -D "cn=admin,dc=example,dc=com" -c 
Related issues
Updated by Daniel Curtis over 10 years ago
- Project changed from 22 to GNU/Linux Administration
- Category set to Domain Controller