180 lines
7.9 KiB
Plaintext
180 lines
7.9 KiB
Plaintext
|
LDAP Migration Tools
|
||
|
|
|
||
|
|
The MigrationTools are a set of Perl scripts for migrating users, groups,
|
||
|
|
aliases, hosts, netgroups, networks, protocols, RPCs, and services from
|
||
|
|
existing nameservices (flat files, NIS, and NetInfo) to LDAP. They are
|
||
|
|
located on a default installation under /usr/share/openldap/migration.
|
||
|
|
|
||
|
|
The tools require the ldapadd and ldif2dbm commands, which are distributed
|
||
|
|
with most LDAP servers derived from the University of Michigan LDAP
|
||
|
|
distribution. The source code for these is available with OpenLDAP.
|
||
|
|
Additionally, Netscape provide an implementation of ldapmodify which
|
||
|
|
subsumes the functionality of ldapadd. If you are using Netscape's Directory
|
||
|
|
Server, you should set the $NSHOME and $serverId environment variables to
|
||
|
|
assist the MigrationTools in locating your LDAP database and LDIF tools;
|
||
|
|
they will use ldapmodify instead of ldapadd.
|
||
|
|
|
||
|
|
These tools are freely redistributable according to the license included
|
||
|
|
with the source files. They may be bundled with LDAP/NIS migration products.
|
||
|
|
See RFC 2307 for more information on the schema used by these scripts. THIS
|
||
|
|
SOFTWARE IS PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY AND WITHOUT
|
||
|
|
SUPPORT.
|
||
|
|
|
||
|
|
Scripts
|
||
|
|
|
||
|
|
* migrate_base.pl creates naming context entries, including
|
||
|
|
subordinate contexts such as ou=people and ou=devices.
|
||
|
|
* migrate_aliases.pl migrates aliases in /etc/aliases to entries
|
||
|
|
conforming to the rfc822MailGroup schema. Organizations who have
|
||
|
|
deployed LDAP-based messaging solutions, such as Netscape's
|
||
|
|
Messaging Server, may wish to use a different schema for
|
||
|
|
representing mail aliases. Ypldapd does not use X.500 groups (such
|
||
|
|
as groupOfUniqueNames) for mail alias expansion because
|
||
|
|
flattening an arbitrarily nested group at runtime may be
|
||
|
|
expensive. (It is possible to write a ypldapd plug-in to support
|
||
|
|
such a schema, however.)
|
||
|
|
* migrate_group.pl migrates groups in /etc/group
|
||
|
|
* migrate_hosts.pl migrates hosts in /etc/hosts
|
||
|
|
* migrate_networks.pl migrates networks in /etc/networks
|
||
|
|
* migrate_passwd.pl migrates users in /etc/passwd. Note that if
|
||
|
|
users are allowed read the userPassword attribute, and your LDAP
|
||
|
|
server doesn't support authenticating against hashed passwords
|
||
|
|
then anyone may read the userPassword attribute's value and
|
||
|
|
authenticate as that user. Modern LDAP servers, such as Netscape
|
||
|
|
Directory Server, support authenticating against hashed passwords,
|
||
|
|
so this is not an issue. The OpenLDAP LDAP server also supports
|
||
|
|
such authentication.
|
||
|
|
* migrate_protocols.pl migrates protocols in /etc/protocols
|
||
|
|
* migrate_services.pl migrates services in /etc/services
|
||
|
|
* migrate_netgroup.pl migrates netgroups in /etc/netgroup
|
||
|
|
* migrate_netgroup_byuser.pl migrates the netgroup.byuser map. It
|
||
|
|
requires revnetgroup.
|
||
|
|
* migrate_netgroup_byhost.pl migrates the netgroup.byhost map. It
|
||
|
|
requires revnetgroup.
|
||
|
|
* migrate_rpc.pl migrates RPCs in /etc/rpc
|
||
|
|
|
||
|
|
Configuration
|
||
|
|
|
||
|
|
The configuration for these Perl scripts is contained at the head of
|
||
|
|
migrate_common.ph:
|
||
|
|
|
||
|
|
Perl variable Description
|
||
|
|
|
||
|
|
$DEFAULT_MAIL_DOMAIN The mail domain used for the mail
|
||
|
|
attribute in migrate_passwd.pl when
|
||
|
|
extended schema support is enabled. You may
|
||
|
|
override this with the DEFAULT_MAIL_DOMAIN
|
||
|
|
environment variable.
|
||
|
|
|
||
|
|
$DEFAULT_BASE The naming suffix to use in
|
||
|
|
entries' distinguished names. If
|
||
|
|
undefined, this will be constructed by
|
||
|
|
mapping the mail domain name into a
|
||
|
|
distinguished name (eg aceindustry.com
|
||
|
|
becomes dc=aceindustry,dc=com ). You may
|
||
|
|
override this with the LDAP_BASEDN
|
||
|
|
environment variable.
|
||
|
|
|
||
|
|
$EXTENDED_SCHEMA Enables extended schema support.
|
||
|
|
This adds the organizationalPerson and
|
||
|
|
inetOrgPerson object classes, amongst
|
||
|
|
others, to users migrated by the
|
||
|
|
migrate_passwd.pl script.
|
||
|
|
|
||
|
|
NAMINGCONTEXT Determines the LDAP/X.500 naming context
|
||
|
|
to use for a migration tool. The dictionary
|
||
|
|
is keyed by tool (as in migrate_ tool .pl ).
|
||
|
|
Values are concatenated with $DEFAULT_BASE
|
||
|
|
by the & getsuffix() subroutine.
|
||
|
|
|
||
|
|
The following environment variables control the behavior of the
|
||
|
|
migration shell scripts:
|
||
|
|
|
||
|
|
Environment variable Description
|
||
|
|
|
||
|
|
DEFAULT_MAIL_DOMAIN See above
|
||
|
|
|
||
|
|
LDAPADD Path the ldapadd executable, for online
|
||
|
|
migration (if not in the path or
|
||
|
|
/usr/local/bin or /usr/bin)
|
||
|
|
|
||
|
|
LDIF2LDBM Path the ldif2ldbm executable, for offline
|
||
|
|
migration (if not in the path or
|
||
|
|
/usr/local/bin or /usr/bin)
|
||
|
|
|
||
|
|
PERL Path to the Perl interpreter (if not
|
||
|
|
/usr/bin or /usr/local/bin)
|
||
|
|
|
||
|
|
LDAPHOST Your LDAP server, for online
|
||
|
|
migration. This is optional; you'll be
|
||
|
|
prompted if the environment variable is not
|
||
|
|
set.
|
||
|
|
|
||
|
|
LDAP_BASEDN See above ( $DEFAULT_BASE). This is
|
||
|
|
optional; you'll be prompted if the
|
||
|
|
environment variable is not set.
|
||
|
|
|
||
|
|
LDAP_BINDDN The distinguished name to bind to the
|
||
|
|
LDAP server as, for online migration. This
|
||
|
|
is optional; you'll be prompted if the
|
||
|
|
environment variable is not set.
|
||
|
|
|
||
|
|
LDAP_BINDCRED The password to bind to the LDAP server
|
||
|
|
with, for online migration. This is
|
||
|
|
optional; you'll be prompted if the
|
||
|
|
environment variable is not set.
|
||
|
|
|
||
|
|
You will probably wish to use a shell script or makefile to automate
|
||
|
|
population of your LDAP database, either off-lien (with ldif2ldbm) or
|
||
|
|
on-line (with ldapadd). The migrate_all_*.sh shell scripts do this, but you
|
||
|
|
may wish to customize their behaviour. The following table explains which
|
||
|
|
migration scripts to use:
|
||
|
|
|
||
|
|
Shell script Existing nameservice LDAP
|
||
|
|
running?
|
||
|
|
|
||
|
|
migrate_all_online.sh /etc flat files Yes
|
||
|
|
|
||
|
|
migrate_all_offline.sh /etc flat files No
|
||
|
|
|
||
|
|
migrate_all_netinfo_online.sh NetInfo Yes
|
||
|
|
|
||
|
|
migrate_all_netinfo_offline.sh NetInfo No
|
||
|
|
|
||
|
|
migrate_all_nis_online.sh NIS/YP Yes
|
||
|
|
|
||
|
|
migrate_all_nis_offline.sh NIS/YP No
|
||
|
|
|
||
|
|
Below are examples of migrate_hosts.pl and migrate_passwd.plbeing used to
|
||
|
|
migrate hosts and users, respectively:
|
||
|
|
|
||
|
|
$ migrate_hosts.pl /etc/hosts
|
||
|
|
dn: cn=mira.aceindustry.com,ou=devices,dc=aceindustry,dc=com
|
||
|
|
objectclass: ipHost
|
||
|
|
objectclass: device
|
||
|
|
objectclass: top
|
||
|
|
ipHostNumber: 10.1.70.5
|
||
|
|
cn: mira
|
||
|
|
cn: www.aceindustry.com
|
||
|
|
cn: mira.aceindustry.com
|
||
|
|
|
||
|
|
$ migrate_passwd.pl /etc/passwd
|
||
|
|
dn: cn=Joe Bloggs,ou=people,dc=aceindustry,dc=com
|
||
|
|
cn: Joe Bloggs
|
||
|
|
objectclass: top
|
||
|
|
objectclass: person
|
||
|
|
objectclass: organizationalPerson
|
||
|
|
objectclass: inetOrgPerson
|
||
|
|
objectclass: posixAccount
|
||
|
|
objectclass: account
|
||
|
|
mail: jbloggs@aceindustry.com
|
||
|
|
givenname: Joe
|
||
|
|
sn: Bloggs
|
||
|
|
uid: jbloggs
|
||
|
|
userPassword: {crypt}daCXgaxahRNkg
|
||
|
|
loginShell: /bin/csh
|
||
|
|
uidNumber: 20
|
||
|
|
gidNumber: 20
|
||
|
|
homeDirectory: /home/jbloggs
|
||
|
|
|