[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Where to start a migration from passwd/shadow/smbpasswd to openldap

On Thursday, 25 March 2010 14:12:40 Götz Reinicke - IT-Koordinator wrote:
> Hi,
> a couple of weeks ago I started to learn ldap and set up some test
> servers with the latest openldap for centos 5.4. I learned about
> schemas, ldif, ldap browsers etc. So I have an advanced basic knowledge
> about the technical fundamentals.
> The primary goal is to have the login information for our mail and
> fileserver system in one place.
> Right now we do use sendmail, dovecot and samba.
> After testing some of the migration tools for migrating posix and
> sambaSam accounts, I was asking myselve: what is the best way to start
> the migration? Right now the directory is completely empty, so I can
> start from scratch.
> Both types of accounts do have different attributes and furthermore I'd
> like to use some inetOrgPerson/organizationalPerson attributes.

The only thing to worry about here is which structural objectclass to use, it 
is usually either a choice between 'account' and 'inetOrgPerson'. There is no 
issue with posixAccount or sambaSamAccount, they are both auxiliary. For the 
rgc2307 vs rfc2307bis group issue, I don't think samba supports rfc2307bis, so 
you should go with rfc2307 (using memberUid for denoting members of groups, 
holding the username, not the DN).

> So should I first run the smbldaptool or first fill the directory with
> the migrate_....sh script?

You may have to do some preparation of the directory, for example, if you are 
going to use smbldap-tools in your final system, you could use smbldap-populate 
for the initial setup (ensure you set the SIDs correctly in the configuration 

Once you have samba and smbldap-tools configured correctly, you can migrate 
your samba accounts to LDAP using pdbedit, which should use the 'add user 
script' and 'add machine script' commands and/or the direct LDAP write support 
in samba to do the migration of the accounts for you.

If you have a test system available, I would definitely test first, especially 
if you are running samba as a DC.