Re: Where to start a migration from passwd/shadow/smbpasswd to openldap

Buchan Milne wrote:
> On Thursday, 25 March 2010 14:12:40 Götz Reinicke - IT-Koordinator wrote:
>> Hi,
>> a couple of weeks ago I started to learn ldap and set up some test
>> servers with the latest openldap for centos 5.4. I learned about
>> schemas, ldif, ldap browsers etc. So I have an advanced basic knowledge
>> about the technical fundamentals.
>> The primary goal is to have the login information for our mail and
>> fileserver system in one place.
>> Right now we do use sendmail, dovecot and samba.
>> After testing some of the migration tools for migrating posix and
>> sambaSam accounts, I was asking myself: what is the best way to start
>> the migration? Right now the directory is completely empty, so I can
>> start from scratch.
>> Both types of accounts do have different attributes and furthermore I'd
>> like to use some inetOrgPerson/organizationalPerson attributes.
> The only thing to worry about here is which structural objectclass to use, it 
> is usually either a choice between 'account' and 'inetOrgPerson'. There is no 
> issue with posixAccount or sambaSamAccount, they are both auxiliary. For the 
> rfc2307 vs rfc2307bis group issue, I don't think samba supports rfc2307bis, so 
> you should go with rfc2307 (using memberUid for denoting members of groups, 
> holding the username, not the DN).

From what I've read so far, I'd go with the 'inetOrgPerson' class, as it
provides more attributes and sooner or later we will use a lot of them.

Concerning rfc2307 vs rfc2307bis, I'm not yet that familiar with the
differences and handling. But from

it seems that it is possible to enable RFC2307bis for nss_ldap:

"The nss_ldap library from PADL software (http://www.padl.com) supports
this by enabling the library’s RFC2307bis extensions (pass the
--enable-rfc2307bis option to the nss_ldap configure script when
compiling) ..."

And http://www.padl.com/OSS/nss_ldap.html also mentions support for
RFC 2307/RFC 2307bis.

Or do I get something wrong?

>> So should I first run the smbldaptool or first fill the directory with
>> the migrate_....sh script?
> You may have to do some preparation of the directory, for example, if you are 
> going to use smbldap-tools in your final system, you could use smbldap-populate 
> for the initial setup (ensure you set the SIDs correctly in the configuration 
> file).
> Once you have samba and smbldap-tools configured correctly, you can migrate 
> your samba accounts to LDAP using pdbedit, which should use the 'add user 
> script' and 'add machine script' commands and/or the direct LDAP write support 
> in samba to do the migration of the accounts for you.
> If you have a test system available, I would definitely test first, especially 
> if you are running samba as a DC.

Thanks for your comment and best regards,
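As an added illustration (not part of the thread, and not Buchan's or Götz's own data), this LDIF shows the entry layout discussed above: inetOrgPerson as the single structural class, posixAccount and sambaSamAccount added as auxiliary classes on the same entry, and an rfc2307-style posixGroup whose memberUid values hold usernames rather than DNs. The base DN dc=example,dc=com, the domain SID S-1-5-21-111-222-333, the uid/gid numbers and the RIDs are constructed placeholders.

```ldif
# Added example, not from the thread. dc=example,dc=com, the SID
# S-1-5-21-111-222-333 and all numbers below are constructed placeholders.

# One user entry: inetOrgPerson is the only STRUCTURAL class; posixAccount,
# shadowAccount and sambaSamAccount are AUXILIARY and only add attributes.
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
uid: jdoe
cn: Jane Doe
sn: Doe
givenName: Jane
mail: jdoe@example.com
# posixAccount MUST attributes (cn and uid are shared with inetOrgPerson)
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/jdoe
loginShell: /bin/bash
# sambaSamAccount MUST attribute: the user's SID = domain SID + user RID
sambaSID: S-1-5-21-111-222-333-21002
sambaPrimaryGroupSID: S-1-5-21-111-222-333-513
sambaAcctFlags: [U          ]
# Password hashes are left out on purpose: smbldap-tools / pdbedit fill
# userPassword, sambaNTPassword and the like when accounts are migrated.

# rfc2307-style group: members are listed by username in memberUid.
# (rfc2307bis would use groupOfNames/member with full DNs instead, which
# the reply above says samba does not support.)
dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: staff
gidNumber: 10001
memberUid: jdoe
# sambaGroupMapping MUST attributes: gidNumber, sambaSID, sambaGroupType
sambaSID: S-1-5-21-111-222-333-21003
sambaGroupType: 2
```

With nis.schema and samba.schema included in slapd.conf (or the corresponding cn=schema entries loaded), the file can be added with a bind as the directory manager, e.g. `ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f users.ldif`; a schema violation on import (for instance a missing sambaSID) is the quickest way to confirm which attributes each auxiliary class actually requires before running the migration tools against real accounts.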