Migrating from Apple OpenDirectory?

Michael Wood esiotrot at gmail.com
Tue Apr 20 03:56:02 MDT 2010


On 20 April 2010 04:54, Andrew Bartlett <abartlet at samba.org> wrote:
> On Thu, 2010-04-15 at 16:52 +0200, Michael Wood wrote:
>> Forgot to send this to the list:
>> Thanks again for your helpful reply.
>> On 14 April 2010 14:28, Andrew Bartlett <abartlet at samba.org> wrote:
>> > On Wed, 2010-04-14 at 13:50 +0200, Michael Wood wrote:
>> [...]
>> >> I see the Heimdal documentation mentions dumping the MIT Kerberos
>> >> database using kdb5_util dump -b7 and then importing it using hprop
>> >> and hpropd:
>> >> http://www.h5l.org/manual/heimdal-1-3-branch/info/heimdal/Migration.html#Migration
>> >>
>> >> Am I heading in the right direction? :)
>> >
>> > Yes.
>> >
>> >> If so, what documentation do I need to look at for using the results
>> >> of the above with Samba 4?
>> >
>> > We would need to construct a custom tool, but once it's in the heimdal
>> > format db, it's much, much easier.
>> I'm sure you guys have way too much to do already, so how long do you
>> think it might take to make such a tool?
> Honestly, I'm not sure.  You would need to write up a python script (I
> think) that would first import the users from the OpenDirectory
> (perserving their SIDs), and then extract the 'arcfour-hmac-md5' (type
> 23) key and set it into the unicodePwd attribute in Samba4's LDAP
> server.

OK, so in other words, get the hash from the dump file generated by
kdb5_util and put it into Samba4's LDAP server instead of into some
Heimdal database?  And I suppose using slapcat to get the LDAP data
and running it through the samba equivalent of slapadd (or a Python
script as you mentioned) should do for the LDAP data?

> Once you have the data in the dump format, this may be easy to parse, or
> else it may be better to read it using Heimdal tools somehow.

The dump format looks trivial to parse, but I don't know yet which
field is the arcfour-hmac-md5 hash or what the other hashes are and
whether or not they're needed.

> I'm sorry to dash your hopes, but it's not a tool I'm likely to write
> myself, but I can provide advice.

No, my hopes remain undashed :)  Providing advice is perfect.  From
what you've said above it seems like this should be pretty easy.  I
just need to figure out a few details.


Michael Wood <esiotrot at gmail.com>
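An added example, not code from this thread, Samba or Heimdal, for the first half of what Andrew describes: picking the enctype 23 record out of the text that kdb5_util dump -b7 produces. The field order follows the per-principal line written by MIT krb5's dump_k5beta7_princ(); the principal names, tl_data entry, policy line and hex blobs are constructed for the example, and the "load_dump version 4" header is my assumption of what -b7 writes. One caveat the thread has not reached yet: the key bytes in a dump are stored encrypted under the KDC master key (K/M), behind a two-byte little-endian plaintext-length prefix, so what this script finds is not yet the 16-byte NT hash that would go into unicodePwd; decrypting it needs the master key (which is why hprop takes one).

```python
"""Locate each principal's arcfour-hmac-md5 (enctype 23) key record in an
MIT ``kdb5_util dump -b7`` file.

Added example; not code from this thread, Samba or Heimdal.  Layout per
MIT's dump_k5beta7_princ(): "princ", counts, name, 8 fixed attributes,
tl_data triples, key_data blocks, e_data, then ';'.  The key contents
are a 2-byte little-endian plaintext length followed by the key encrypted
under K/M, so this only finds and labels the blob.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ENCTYPE_ARCFOUR_HMAC_MD5 = 23  # RFC 4757 enctype number
NT_HASH_LEN = 16               # plaintext length expected for enctype 23

# Offsets into the tab-split "princ" line.
_N_TL_DATA, _N_KEY_DATA, _NAME = 3, 4, 6
_FIXED_FIELDS_END = 15         # attributes..fail_auth_count occupy 7..14


@dataclass
class KeyRecord:
    kvno: int
    enctype: int
    plain_len: int             # length prefix written by the KDC
    enc_key: bytes             # key material, still encrypted under K/M
    salt_type: Optional[int] = None
    salt: Optional[bytes] = None


def _blob(field: str) -> bytes:
    """MIT writes '-1' where a zero-length blob would be."""
    return b"" if field == "-1" else bytes.fromhex(field)


def parse_princ_line(line: str) -> Tuple[str, List[KeyRecord]]:
    f = line.rstrip("\n").rstrip(";").split("\t")
    if f[0] != "princ":
        raise ValueError("not a princ record: %r" % line[:40])
    n_tl, n_key = int(f[_N_TL_DATA]), int(f[_N_KEY_DATA])
    idx = _FIXED_FIELDS_END + 3 * n_tl   # skip (type, len, hex) triples
    keys: List[KeyRecord] = []
    for _ in range(n_key):
        ver, kvno = int(f[idx]), int(f[idx + 1])
        idx += 2
        parts = []
        for _ in range(ver):            # ver == 2 means a salt follows
            parts.append((int(f[idx]), int(f[idx + 1]), _blob(f[idx + 2])))
            idx += 3
        enctype, _, contents = parts[0]
        plain_len = int.from_bytes(contents[:2], "little") if len(contents) >= 2 else 0
        rec = KeyRecord(kvno, enctype, plain_len, contents[2:])
        if ver > 1:
            rec.salt_type, _, rec.salt = parts[1]
        keys.append(rec)
    return f[_NAME], keys


def parse_dump(text: str) -> Dict[str, List[KeyRecord]]:
    """Map principal name -> key records; header and policy lines are skipped."""
    out: Dict[str, List[KeyRecord]] = {}
    for line in text.splitlines():
        if line.startswith("princ\t"):
            name, keys = parse_princ_line(line)
            out[name] = keys
    return out


def rc4_keys(dump: Dict[str, List[KeyRecord]]) -> Dict[str, KeyRecord]:
    """Highest-kvno enctype-23 record per principal; principals without
    one (e.g. AES-only service keys) are left out rather than guessed."""
    found: Dict[str, KeyRecord] = {}
    for name, keys in dump.items():
        rc4 = [k for k in keys if k.enctype == ENCTYPE_ARCFOUR_HMAC_MD5]
        if rc4:
            found[name] = max(rc4, key=lambda k: k.kvno)
    return found


# --- constructed sample dump (not a real KDC's data) -------------------
# Blobs: 2-byte length prefix + dummy ciphertext sized as an aes256-cts
# master key would produce it (16 confounder + key + 12 HMAC).
_RC4_BLOB = "1000" + "ab" * 44      # plain_len 16 -> 46 bytes total
_AES_BLOB = "2000" + "cd" * 60      # plain_len 32 -> 62 bytes total


def _princ(name: str, key_blocks: List[List[str]]) -> str:
    fixed = ["princ", "38", str(len(name)), "1", str(len(key_blocks)), "0", name,
             "0", "86400", "604800", "0", "0", "0", "0", "0",
             "2", "8", "0100000000000000"]          # one tl_data entry
    fields = fixed + [x for blk in key_blocks for x in blk] + ["-1"]
    return "\t".join(fields) + ";"


SAMPLE_DUMP = "\n".join([
    "kdb5_util load_dump version 4",           # assumed -b7 header
    _princ("michael@EXAMPLE.COM", [
        ["2", "1", "18", "62", _AES_BLOB, "4", "0", "-1"],
        ["2", "1", "23", "46", _RC4_BLOB, "4", "0", "-1"],
    ]),
    _princ("host/kdc.example.com@EXAMPLE.COM", [
        ["2", "3", "18", "62", _AES_BLOB, "4", "0", "-1"],
    ]),
    "policy\tdefault\t0\t0\t1\t1\t1\t0",
])

if __name__ == "__main__":
    for name, rec in rc4_keys(parse_dump(SAMPLE_DUMP)).items():
        ok = "ok" if rec.plain_len == NT_HASH_LEN else "UNEXPECTED LENGTH"
        print(f"{name}: kvno {rec.kvno}, {len(rec.enc_key)} encrypted bytes, "
              f"plain length {rec.plain_len} ({ok}); decrypt with K/M before use")
```

Run it as a script for the per-principal summary; against a real dump, read the file into a string in place of SAMPLE_DUMP. The plain-length check is the cheap sanity test that the record really is a 16-byte RC4 key before anything is pushed toward unicodePwd.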
