LDAP Migration Tools
The MigrationTools are a set of Perl scripts for migrating users, groups,
aliases, hosts, netgroups, networks, protocols, RPCs, and services from
existing nameservices (flat files, NIS, and NetInfo) to LDAP. They are
located on a default installation under /usr/share/openldap/migration.

The tools require the ldapadd and ldif2ldbm commands, which are distributed
with most LDAP servers derived from the University of Michigan LDAP
distribution. The source code for these is available with OpenLDAP.
Additionally, Netscape provide an implementation of ldapmodify which
subsumes the functionality of ldapadd. If you are using Netscape's Directory
Server, you should set the $NSHOME and $serverId environment variables to
assist the MigrationTools in locating your LDAP database and LDIF tools;
they will then use ldapmodify instead of ldapadd.

These tools are freely redistributable according to the license included
with the source files. They may be bundled with LDAP/NIS migration products.
See RFC 2307 for more information on the schema used by these scripts. THIS
SOFTWARE IS PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY AND WITHOUT
SUPPORT.

Scripts

 * migrate_base.pl creates naming context entries, including
   subordinate contexts such as ou=people and ou=devices.
 * migrate_aliases.pl migrates aliases in /etc/aliases to entries
   conforming to the rfc822MailGroup schema. Organizations who have
   deployed LDAP-based messaging solutions, such as Netscape's
   Messaging Server, may wish to use a different schema for
   representing mail aliases. Ypldapd does not use X.500 groups (such
   as groupOfUniqueNames) for mail alias expansion because
   flattening an arbitrarily nested group at runtime may be
   expensive. (It is possible to write a ypldapd plug-in to support
   such a schema, however.)
 * migrate_group.pl migrates groups in /etc/group
 * migrate_hosts.pl migrates hosts in /etc/hosts
 * migrate_networks.pl migrates networks in /etc/networks
 * migrate_passwd.pl migrates users in /etc/passwd. Note that if
   users are allowed to read the userPassword attribute, and your LDAP
   server doesn't support authenticating against hashed passwords,
   then anyone may read the userPassword attribute's value and
   authenticate as that user. Modern LDAP servers, such as Netscape
   Directory Server, support authenticating against hashed passwords,
   so this is not an issue. The OpenLDAP LDAP server also supports
   such authentication.
 * migrate_protocols.pl migrates protocols in /etc/protocols
 * migrate_services.pl migrates services in /etc/services
 * migrate_netgroup.pl migrates netgroups in /etc/netgroup
 * migrate_netgroup_byuser.pl migrates the netgroup.byuser map. It
   requires revnetgroup.
 * migrate_netgroup_byhost.pl migrates the netgroup.byhost map. It
   requires revnetgroup.
 * migrate_rpc.pl migrates RPCs in /etc/rpc

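The migrate_passwd.pl note above concerns who may read userPassword once it is in the directory. A complementary check before loading, written here as an added example and not something shipped with the MigrationTools, audits the generated LDIF so that no posixAccount is loaded with a cleartext or placeholder userPassword. The LDIF is constructed (its first entry follows the page's sample output), and the 13-character test for a {crypt} value is my own heuristic.

```python
import re

# Constructed LDIF in the shape migrate_passwd.pl emits; entry one is the
# page's sample, the other two are made up to show what the audit catches.
SAMPLE_LDIF = """\
dn: cn=Joe Bloggs,ou=people,dc=aceindustry,dc=com
objectclass: posixAccount
userPassword: {crypt}daCXgaxahRNkg

dn: cn=Ann Other,ou=people,dc=aceindustry,dc=com
objectclass: posixAccount
userPassword: hunter2

dn: cn=Shadowed User,ou=people,dc=aceindustry,dc=com
objectclass: posixAccount
userPassword: {crypt}x
"""

SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def parse_ldif(text):
    """LDIF -> list of entries (dict of lowercased attribute -> [values]).
    Folded lines are joined; '::' base64 values are not decoded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip().replace("\n ", "")):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if not sep or line.startswith("#"):
                continue
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def audit_passwords(ldif_text):
    """Return (dn, problem) for each posixAccount lacking a usable hashed credential."""
    findings = []
    for e in parse_ldif(ldif_text):
        if "posixaccount" not in [c.lower() for c in e.get("objectclass", [])]:
            continue
        dn, values = e.get("dn", ["?"])[0], e.get("userpassword", [])
        if not values:
            findings.append((dn, "missing userPassword"))
        for v in values:
            m = SCHEME.match(v)
            if not m:
                findings.append((dn, "cleartext userPassword"))
            elif m.group(1).lower() == "crypt" and len(m.group(2)) < 13:
                # a crypt(3) DES hash is 13 chars; 'x', '*' or '!' are passwd
                # shadow placeholders or lock markers, not hashes (heuristic)
                findings.append((dn, "placeholder crypt value %r" % m.group(2)))
    return findings
```

Run audit_passwords over the LDIF produced by migrate_passwd.pl and refuse to load it while the list is non-empty.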
Configuration

The configuration for these Perl scripts is contained at the head of
migrate_common.ph:

Perl variable         Description

$DEFAULT_MAIL_DOMAIN  The mail domain used for the mail attribute in
                      migrate_passwd.pl when extended schema support is
                      enabled. You may override this with the
                      DEFAULT_MAIL_DOMAIN environment variable.

$DEFAULT_BASE         The naming suffix to use in entries' distinguished
                      names. If undefined, this will be constructed by
                      mapping the mail domain name into a distinguished
                      name (eg aceindustry.com becomes
                      dc=aceindustry,dc=com). You may override this with
                      the LDAP_BASEDN environment variable.

$EXTENDED_SCHEMA      Enables extended schema support. This adds the
                      organizationalPerson and inetOrgPerson object
                      classes, amongst others, to users migrated by the
                      migrate_passwd.pl script.

NAMINGCONTEXT         Determines the LDAP/X.500 naming context to use
                      for a migration tool. The dictionary is keyed by
                      tool (as in migrate_<tool>.pl). Values are
                      concatenated with $DEFAULT_BASE by the
                      &getsuffix() subroutine.

The following environment variables control the behavior of the
migration shell scripts:

Environment variable  Description

DEFAULT_MAIL_DOMAIN   See above.

LDAPADD               Path to the ldapadd executable, for online
                      migration (if not in the path or /usr/local/bin
                      or /usr/bin).

LDIF2LDBM             Path to the ldif2ldbm executable, for offline
                      migration (if not in the path or /usr/local/bin
                      or /usr/bin).

PERL                  Path to the Perl interpreter (if not in /usr/bin
                      or /usr/local/bin).

LDAPHOST              Your LDAP server, for online migration. This is
                      optional; you'll be prompted if the environment
                      variable is not set.

LDAP_BASEDN           See above ($DEFAULT_BASE). This is optional;
                      you'll be prompted if the environment variable is
                      not set.

LDAP_BINDDN           The distinguished name to bind to the LDAP server
                      as, for online migration. This is optional; you'll
                      be prompted if the environment variable is not set.

LDAP_BINDCRED         The password to bind to the LDAP server with, for
                      online migration. This is optional; you'll be
                      prompted if the environment variable is not set.

You will probably wish to use a shell script or makefile to automate
population of your LDAP database, either off-line (with ldif2ldbm) or
on-line (with ldapadd). The migrate_all_*.sh shell scripts do this, but you
may wish to customize their behaviour. The following table explains which
migration scripts to use:

Shell script                    Existing nameservice  LDAP running?

migrate_all_online.sh           /etc flat files       Yes
migrate_all_offline.sh          /etc flat files       No
migrate_all_netinfo_online.sh   NetInfo               Yes
migrate_all_netinfo_offline.sh  NetInfo               No
migrate_all_nis_online.sh       NIS/YP                Yes
migrate_all_nis_offline.sh      NIS/YP                No

Below are examples of migrate_hosts.pl and migrate_passwd.pl being used to
migrate hosts and users, respectively:

$ migrate_hosts.pl /etc/hosts
dn: cn=mira.aceindustry.com,ou=devices,dc=aceindustry,dc=com
objectclass: ipHost
objectclass: device
objectclass: top
ipHostNumber: 10.1.70.5
cn: mira
cn: www.aceindustry.com
cn: mira.aceindustry.com

$ migrate_passwd.pl /etc/passwd
dn: cn=Joe Bloggs,ou=people,dc=aceindustry,dc=com
cn: Joe Bloggs
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: account
mail: jbloggs@aceindustry.com
givenname: Joe
sn: Bloggs
uid: jbloggs
userPassword: {crypt}daCXgaxahRNkg
loginShell: /bin/csh
uidNumber: 20
gidNumber: 20
homeDirectory: /home/jbloggs
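As an added illustration, not code from the MigrationTools, the following rebuilds the pieces the Configuration section describes: the suffix derived from the mail domain (with LDAP_BASEDN overriding it), the NAMINGCONTEXT value joined on by getsuffix, and an /etc/hosts line turned into the ipHost entry shown in the hosts example above. The domain and host names are the page's sample values; the assumption that the first name on a hosts line is the canonical one is mine.

```python
import ipaddress
import os

# Assumed configuration: the mail domain is the one in the page's sample
# output; NAMINGCONTEXT is keyed by tool name, as in migrate_<tool>.pl.
DEFAULT_MAIL_DOMAIN = "aceindustry.com"
NAMINGCONTEXT = {"passwd": "ou=people", "hosts": "ou=devices"}


def domain_to_dn(domain):
    """aceindustry.com -> dc=aceindustry,dc=com"""
    return ",".join("dc=" + lbl for lbl in domain.lower().split(".") if lbl)


def getsuffix(tool, env=None):
    """The tool's naming context joined with the suffix, which is LDAP_BASEDN
    when set in the environment and otherwise derived from the mail domain."""
    env = os.environ if env is None else env
    base = env.get("LDAP_BASEDN") or domain_to_dn(DEFAULT_MAIL_DOMAIN)
    return "%s,%s" % (NAMINGCONTEXT[tool], base)


def hosts_line_to_ldif(line, env=None):
    """One /etc/hosts line -> an ipHost/device entry in the page's layout.
    Assumption: the first name is canonical (used in the dn); every name
    becomes a cn, aliases first and the canonical name last."""
    body = line.split("#", 1)[0].strip()
    if not body:
        return None                     # comment or blank line
    fields = body.split()
    if len(fields) < 2:
        raise ValueError("need an address and a name: %r" % line)
    addr, canonical, aliases = fields[0], fields[1], fields[2:]
    ipaddress.ip_address(addr)          # raises ValueError if malformed
    entry = ["dn: cn=%s,%s" % (canonical, getsuffix("hosts", env)),
             "objectclass: ipHost", "objectclass: device", "objectclass: top",
             "ipHostNumber: %s" % addr]
    entry += ["cn: %s" % name for name in aliases + [canonical]]
    return "\n".join(entry) + "\n"


def migrate_hosts(text, env=None):
    """A whole hosts file -> LDIF with entries separated by blank lines."""
    entries = (hosts_line_to_ldif(l, env) for l in text.splitlines())
    return "\n".join(e for e in entries if e)


SAMPLE_HOSTS = """\
# constructed sample input, not a real hosts file
127.0.0.1 localhost
10.1.70.5 mira.aceindustry.com mira www.aceindustry.com   # web server
"""

if __name__ == "__main__":
    print(migrate_hosts(SAMPLE_HOSTS, {}))
```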