LDAP Migration Tools

The MigrationTools are a set of Perl scripts for migrating users, groups,

aliases, hosts, netgroups, networks, protocols, RPCs, and services from

existing nameservices (flat files, NIS, and NetInfo) to LDAP. They are

located on a default installation under /usr/share/openldap/migration.

The tools require the ldapadd and ldif2dbm commands, which are distributed

with most LDAP servers derived from the University of Michigan LDAP

distribution. The source code for these is available with OpenLDAP.

Additionally, Netscape provide an implementation of ldapmodify which

subsumes the functionality of ldapadd. If you are using Netscape's Directory

Server, you should set the $NSHOME and $serverId environment variables to

assist the MigrationTools in locating your LDAP database and LDIF tools;

they will use ldapmodify instead of ldapadd.

These tools are freely redistributable according to the license included

with the source files. They may be bundled with LDAP/NIS migration products.

See RFC 2307 for more information on the schema used by these scripts. THIS

SOFTWARE IS PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY AND WITHOUT

SUPPORT.

Scripts

   * migrate_base.pl creates naming context entries, including

     subordinate contexts such  as ou=people and ou=devices.

   * migrate_aliases.pl migrates aliases in /etc/aliases to entries

     conforming to the rfc822MailGroup schema. Organizations who have

     deployed LDAP-based  messaging solutions, such as Netscape's

     Messaging Server, may wish to use a different  schema for

     representing mail aliases. Ypldapd does not use X.500 groups (such

     as  groupOfUniqueNames) for mail alias expansion because

     flattening an arbitrarily nested  group at runtime may be

     expensive. (It is possible to write a ypldapd plug-in to support

     such a schema, however.)

   * migrate_group.pl migrates groups in /etc/group

   * migrate_hosts.pl migrates hosts in /etc/hosts

   * migrate_networks.pl migrates networks in /etc/networks

   * migrate_passwd.pl migrates users in /etc/passwd. Note that if

     users are  allowed read the userPassword attribute, and your LDAP

     server doesn't support  authenticating against hashed passwords

     then anyone may read the userPassword  attribute's value and

     authenticate as that user. Modern LDAP servers, such as  Netscape

     Directory Server, support authenticating against hashed passwords,

     so this is not  an issue. The OpenLDAP LDAP server also supports

     such authentication.

   * migrate_protocols.pl migrates protocols in /etc/protocols

   * migrate_services.pl migrates services in /etc/services

   * migrate_netgroup.pl migrates netgroups in /etc/netgroup

   * migrate_netgroup_byuser.pl migrates the netgroup.byuser map. It

     requires revnetgroup.

   * migrate_netgroup_byhost.pl migrates the netgroup.byhost map. It

     requires revnetgroup.

   * migrate_rpc.pl migrates RPCs in /etc/rpc

Configuration

The configuration  for these Perl scripts  is contained at the  head of

migrate_common.ph:

 Perl variable                  Description

 $DEFAULT_MAIL_DOMAIN           The mail  domain used for   the mail

                                attribute in  migrate_passwd.pl when

                                extended schema support is enabled.  You may

                                override this with the DEFAULT_MAIL_DOMAIN

                                environment variable.

 $DEFAULT_BASE                  The   naming  suffix   to  use    in

                                entries'  distinguished   names.  If

                                undefined, this will be constructed by

                                mapping the mail domain name into a

                                distinguished name (eg aceindustry.com

                                becomes dc=aceindustry,dc=com ).  You may

                                override this with the LDAP_BASEDN

                                environment variable.

 $EXTENDED_SCHEMA               Enables  extended  schema   support.

                                This  adds the  organizationalPerson and

                                inetOrgPerson object classes, amongst

                                others, to users migrated by the

                                migrate_passwd.pl script.

 NAMINGCONTEXT                  Determines  the   LDAP/X.500  naming context

                                to use for a migration tool.  The dictionary

                                is keyed by tool (as in migrate_ tool .pl ).

                                Values are concatenated with $DEFAULT_BASE

                                by the & getsuffix() subroutine.

The  following  environment  variables  control  the  behavior  of  the

migration shell scripts:

 Environment variable           Description

 DEFAULT_MAIL_DOMAIN            See above

 LDAPADD                        Path  the   ldapadd executable,  for online

                                migration (if not in the path or

                                /usr/local/bin or /usr/bin)

 LDIF2LDBM                      Path the  ldif2ldbm  executable, for offline

                                migration (if not in the path or

                                /usr/local/bin or /usr/bin)

 PERL                           Path  to the  Perl  interpreter  (if not

                                /usr/bin or /usr/local/bin)

 LDAPHOST                       Your   LDAP   server,  for    online

                                migration. This is optional; you'll be

                                prompted if the environment variable is not

                                set.

 LDAP_BASEDN                    See above ( $DEFAULT_BASE).  This is

                                optional; you'll be prompted if the

                                environment variable is not set.

 LDAP_BINDDN                    The distinguished  name  to  bind to the

                                LDAP server as, for online migration. This

                                is optional; you'll be prompted if the

                                environment variable is not set.

 LDAP_BINDCRED                  The  password to  bind to   the LDAP server

                                with, for online migration.  This is

                                optional; you'll be prompted if the

                                environment variable is not set.

You will  probably wish to use  a shell script or  makefile to automate

population of your LDAP database, either off-lien (with ldif2ldbm) or

on-line (with ldapadd). The migrate_all_*.sh shell scripts do this, but you

may wish to customize their behaviour. The following table explains which

migration scripts to use:

 Shell script                     Existing nameservice    LDAP

                                                          running?

 migrate_all_online.sh            /etc flat files         Yes

 migrate_all_offline.sh           /etc flat files         No

 migrate_all_netinfo_online.sh    NetInfo                 Yes

 migrate_all_netinfo_offline.sh   NetInfo                 No

 migrate_all_nis_online.sh        NIS/YP                  Yes

 migrate_all_nis_offline.sh       NIS/YP                  No

Below are examples of  migrate_hosts.pl and migrate_passwd.plbeing used to

migrate hosts and users, respectively:

$ migrate_hosts.pl /etc/hosts

dn: cn=mira.aceindustry.com,ou=devices,dc=aceindustry,dc=com

objectclass: ipHost

objectclass: device

objectclass: top

ipHostNumber: 10.1.70.5

cn: mira

cn: www.aceindustry.com

cn: mira.aceindustry.com

$ migrate_passwd.pl /etc/passwd

dn: cn=Joe Bloggs,ou=people,dc=aceindustry,dc=com

cn: Joe Bloggs

objectclass: top

objectclass: person

objectclass: organizationalPerson

objectclass: inetOrgPerson

objectclass: posixAccount

objectclass: account

mail: jbloggs@aceindustry.com

givenname: Joe

sn: Bloggs

uid: jbloggs

userPassword: {crypt}daCXgaxahRNkg

loginShell: /bin/csh

uidNumber: 20

gidNumber: 20

homeDirectory: /home/jbloggs