LDAP acrobatics

In those days I was able to appreciate once more the flexibility of Linux-based (or Unix in general) operating systems, especially when you have to perform system administration tasks that are a bit out of the ordinary.
In this case I was handling the migration of users from a server based on an old version of Mandriva, which kept its user database on an LDAP server managed through a set of scripts (smbldap) that have long been unsupported, to a new server running openSUSE 11.2. The goal was to keep using an LDAP backend, but to remap the data representation (the so-called LDAP schema) onto the one managed natively by the excellent YaST administration tool on openSUSE.
During the migration I also wanted to change the login name of some people (mainly as a mild anti-spam measure) and delete other users that were no longer needed. All this without knowing anyone's password, so I had to preserve every password along the way.
LDAP is one of those things you have to tackle a little at a time. It is a directory server whose documentation tells you everything you need to create phantasmagoric custom schemas and to interrogate them with very complex queries. But nobody tells you clearly how the various Linux distributions store user data inside it.
Or rather, the information is there, even if it is hard to read, in RFC 2256 (A Summary of the X.500(96) User Schema for use with LDAPv3) and RFC 2307 (An Approach for Using LDAP as a Network Information Service). You just have to read them three times to understand that all the information about a user boils down to:
  dn: uid=loginname,ou=people,dc=cad,dc=polished,dc=com
  objectClass: top
  objectClass: inetOrgPerson
  objectClass: posixAccount
  cn: First Name Last Name
  sn: Surname
  givenName: Name
  uid: loginname
  uidNumber: 12345
  gidNumber: 13254
  homeDirectory: /home/loginname
  loginShell: /bin/bash
  userPassword:: e1NTS********=dYUmw
The values that vary from user to user (loginname, the names, the numeric IDs and the password) are shown as placeholders, and the userPassword was of course altered for security reasons. Note that the password is written base64-encoded in the LDIF (hence the double colon) and that the decoded value starts with {SSHA}: it is the salted SHA-1 hash the old server already held, not a cleartext password. That is exactly why the passwords can be carried over without knowing them: the hash is copied as-is, and the new server keeps verifying logins against it, as long as it understands the same {SSHA} scheme (OpenLDAP on both sides does).
All that remains is to build a nice text file containing exactly this information: export an LDIF from the old server, remove the attributes that are no longer used, rename the attributes that were used differently in the two schemas, and finally delete the users you no longer want. In the end the LDIF is imported into the new server, et voilà, login works on the first try!
The individual steps I followed are not interesting enough to be spelled out here, but I do want to point out the main tools used:
- to export the data from an LDAP server, ldapsearch. Bind as the administrator with -D: the usual ACLs let only the administrator read userPassword (anonymous and ordinary users can at most authenticate against it), so without -D the hashes will simply be missing from the export. -W prompts for the bind password instead of putting it on the command line, where it would end up in the shell history and in ps:
  ldapsearch -L -x -D 'cn=Administrator,dc=cad,dc=polished,dc=com' -W \
      -b 'ou=Users,dc=cad,dc=polished,dc=com' '(objectClass=posixAccount)'
- to delete unwanted attributes, nothing beats a series of grep -v on that output, one per attribute. A pattern such as '^unwantedAttribute:' matches both the plain and the base64 ('::') form of the value; keep in mind, though, that ldapsearch folds values longer than 76 columns onto continuation lines starting with a space, which a line-oriented grep leaves behind:
  ldapsearch -L -x -D 'cn=Administrator,dc=cad,dc=polished,dc=com' -W \
      -b 'ou=Users,dc=cad,dc=polished,dc=com' '(objectClass=posixAccount)' | grep -v '^unwantedAttribute:'
- to rename attributes or values, a little sed and regular expressions; here every dn is moved from the old ou=Users container to the ou=people that YaST expects:
  sed 's/uid=\(.*\),ou=Users/uid=\1,ou=people/'
- finally, for the touch-ups by hand, the great ldapvi:
  ldapvi -D cn=Administrator,dc=cad,dc=polished,dc=com
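The same four steps (drop attributes, rename the container and some logins, delete users, then check the result before ldapadd) collected into one filter, added here as an example; this is not the author's script. Assumptions that are mine and not in the post: the attributes to strip are the Samba ones that smbldap adds (sambaSamAccount and its samba* attributes), the old tree is ou=Users,dc=cad,dc=polished,dc=com and the new one ou=people,dc=cad,dc=polished,dc=com, and the sample export embedded below is constructed (made-up users, SIDs and hashes).

```shell
#!/bin/sh
# Added example, not the original post's code. Reads the old server's
# ldapsearch export on stdin and writes the LDIF for the new server on stdout.

# Constructed sample of what `ldapsearch -LLL -x -D ... -W -b 'ou=Users,...'
# '(objectClass=posixAccount)'` prints on the old smbldap server. Users, SIDs
# and the base64 {SSHA} hashes are made up (assumption, not real data).
SAMPLE_LDIF='dn: uid=mrossi,ou=Users,dc=cad,dc=polished,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
cn: Mario Rossi
sn: Rossi
givenName: Mario
uid: mrossi
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/mrossi
loginShell: /bin/bash
sambaSID: S-1-5-21-111-222-333-3002
sambaNTPassword: 00000000000000000000000000000000
userPassword:: e1NTSEF9ZmFrZS1zYWx0ZWQtaGFzaC1mb3ItbXJvc3NpAAAA

dn: uid=lbianchi,ou=Users,dc=cad,dc=polished,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Luca Bianchi
sn: Bianchi
uid: lbianchi
uidNumber: 1002
gidNumber: 100
homeDirectory: /home/lbianchi
loginShell: /bin/bash
userPassword:: e1NTSEF9ZmFrZS1zYWx0ZWQtaGFzaC1mb3ItbGJpYW5jaGk=

dn: uid=oldguy,ou=Users,dc=cad,dc=polished,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Old Guy
sn: Guy
uid: oldguy
uidNumber: 1003
gidNumber: 100
homeDirectory: /home/oldguy
loginShell: /bin/false
userPassword:: e1NTSEF9YW5vdGhlci1mYWtlLWhhc2gtZm9yLW9sZGd1eQAA
'

# convert_ldif "uid1 uid2" "olduid=newuid ..."  < old.ldif > new.ldif
convert_ldif() {
    awk -v drop_list="$1" -v ren_list="$2" '
    BEGIN {
        RS = ""; FS = "\n"    # paragraph mode: one LDIF entry per record
        n = split(drop_list, a, " "); for (i = 1; i <= n; i++) if (a[i] != "") drop[a[i]] = 1
        n = split(ren_list, a, " ");  for (i = 1; i <= n; i++) if (split(a[i], p, "=") == 2) ren[p[1]] = p[2]
        newbase = "ou=people,dc=cad,dc=polished,dc=com"   # assumed target container
    }
    {
        # Unfold continuation lines (ldapsearch wraps values at 76 columns and
        # marks the rest with a leading space) and skip comment lines, so that
        # attribute matching below sees whole values.
        m = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^#/) continue
            if ($i ~ /^ / && m > 0) line[m] = line[m] substr($i, 2)
            else line[++m] = $i
        }
        uid = ""
        for (i = 1; i <= m; i++) if (line[i] ~ /^uid: /) uid = substr(line[i], 6)
        if (uid == "") next        # not a user entry (e.g. a "version: 1" header)
        if (uid in drop) next      # user no longer wanted: the whole entry goes
        newuid = (uid in ren) ? ren[uid] : uid
        out = ""
        for (i = 1; i <= m; i++) {
            l = line[i]
            # Strip the Samba attributes AND the objectClass that requires them:
            # keeping one without the other makes ldapadd reject the entry.
            if (l ~ /^samba[A-Za-z]*::? /) continue
            if (l == "objectClass: sambaSamAccount") continue
            # A renamed login must change in both the dn and the uid attribute.
            # homeDirectory is left alone: moving the directory is a filesystem job.
            if (l ~ /^dn: /)       l = "dn: uid=" newuid "," newbase
            else if (l ~ /^uid: /) l = "uid: " newuid
            # userPassword passes through untouched: it is the stored hash, which
            # is what lets logins keep working without anyone revealing a password.
            out = out l "\n"
        }
        printf "%s\n", out
    }'
}

# Sanity check to run before ldapadd: every entry must still carry its hash,
# and nothing may still point at the old container or at Samba attributes.
verify_ldif() {
    awk 'BEGIN { RS = ""; FS = "\n"; bad = 0 }
    {
        haspw = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^userPassword::? /) haspw = 1
            if ($i ~ /ou=Users,/ || $i ~ /^samba/) { print "stale data in: " $1 > "/dev/stderr"; bad = 1 }
        }
        if (!haspw) { print "no userPassword in: " $1 > "/dev/stderr"; bad = 1 }
    }
    END { exit bad }'
}

# Stand-alone run on the sample: delete oldguy, rename mrossi to mario.rossi.
NEW_LDIF=$(printf '%s' "$SAMPLE_LDIF" | convert_ldif "oldguy" "mrossi=mario.rossi")
printf '%s\n' "$NEW_LDIF" | verify_ldif && printf '%s\n' "$NEW_LDIF"
```

On a real migration the first pipeline is the ldapsearch export from the old server and the final file goes to the new one with ldapadd -x -D 'cn=Administrator,dc=cad,dc=polished,dc=com' -W -f new-users.ldif; verify_ldif exits non-zero (and names the offending dn) if a hash went missing, which is the one mistake you cannot fix after the fact without resetting everyone's password.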
Try doing the same on a Windows system!