Migrating from Apple OpenDirectory?

Michael Wood esiotrot at gmail.com
Fri May 21 19:28:38 MDT 2010


On 22 May 2010 01:23, Andrew Bartlett <abartlet at samba.org> wrote:
> On Fri, 2010-05-21 at 17:44 +0200, Michael Wood wrote:
>> In case you've forgotten, I'm trying to get some users out of Open
>> Directory into Samba4 for authentication purposes.
>>
>> On 20 April 2010 04:54, Andrew Bartlett <abartlet at samba.org> wrote:
>> [...]
>> > Honestly, I'm not sure.  You would need to write up a python script (I
>> > think) that would first import the users from the OpenDirectory
>> > (preserving their SIDs), and then extract the 'arcfour-hmac-md5' (type
>> > 23) key and set it into the unicodePwd attribute in Samba4's LDAP
>> > server.
>> >
>> > Once you have the data in the dump format, this may be easy to parse, or
>> > else it may be better to read it using Heimdal tools somehow.
>>
>> OK, I had some trouble with the stash file from the OS X box, but I
>> now have a dump file in the Heimdal dump format, so I can get at the
>> arcfour-hmac-md5 keys.  Do I just shove those into the unicodePwd
>> attribute?
>
> Yes, as a 16 byte array (not hex encoded or anything, just raw in LDAP -
> you may need to base64 them if putting them in via LDIF).

Excellent :)  Thanks, it seems to work.

I created a user with "net createuser" and then used "ldbmodify -H
/usr/local/samba/private/sam.ldb.d/DC=MY,DC=REALM.ldb" and fed it
something like this:

dn: CN=user,CN=Users,DC=MY,DC=REALM
changetype: modify
replace: unicodePwd
unicodePwd:: Tm9UIHJFYUxsWSBTb1JyWQ==
.

I got the base64 value to use by taking the hex-encoded value from the
Heimdal dump file and doing:

python -c 'print "0123456789ABCDEF0123456789ABCDEF".decode("hex").encode("base64")'

Now I just need to extract the relevant information out of Open
Directory's LDAP directory and create the corresponding objects in
Samba4 (using ldbmodify, I suppose).

Thanks for the help :)

-- 
Michael Wood <esiotrot at gmail.com>
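The steps in the message above (take the hex-encoded arcfour-hmac-md5 key out of the Heimdal dump, base64 it, and feed `ldbmodify` an LDIF record that replaces `unicodePwd`) as one added example in Python 3. This is not code from the thread or from Samba; the DN, principal and key values are constructed, and the colon-separated layout of the key section of a Heimdal dump line (`kvno::enctype:hexkey:salt` repeated per key) is an assumption about that format, so the parser only scans for an enctype `23` token followed by 32 hex digits rather than relying on fixed field positions. The length check matters: Samba expects exactly the 16 raw key bytes, not a hex string and not a longer key of another enctype.

```python
import base64
import binascii
import re

# Kerberos enctype number for arcfour-hmac-md5 (the NT hash used as the RC4 key).
ARCFOUR_HMAC_MD5 = 23
# A raw arcfour-hmac-md5 key is always 16 bytes, i.e. 32 hex digits in the dump.
HEX16 = re.compile(r"^[0-9a-fA-F]{32}$")


def key_from_hex(hex_key):
    """Decode a hex-encoded key and insist on the 16 raw bytes unicodePwd needs."""
    raw = binascii.unhexlify(hex_key.strip())
    if len(raw) != 16:
        raise ValueError("arcfour-hmac-md5 key must be 16 bytes, got %d" % len(raw))
    return raw


def arcfour_key_from_dump_line(line):
    """Return the enctype-23 key (hex) from one Heimdal dump line.

    Assumed layout (constructed for this example): '<principal> <key section> ...'
    where the key section is colon separated and each key appears as
    '<mkvno>:<enctype>:<hexkey>:<salt>'. We scan for a '23' token immediately
    followed by 32 hex digits, so other enctypes (e.g. AES keys) are skipped.
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("dump line has no key section")
    tokens = fields[1].split(":")
    for i, tok in enumerate(tokens[:-1]):
        if tok == str(ARCFOUR_HMAC_MD5) and HEX16.match(tokens[i + 1]):
            return tokens[i + 1]
    raise LookupError("no arcfour-hmac-md5 key on line for %s" % fields[0])


def unicodepwd_ldif(dn, hex_key):
    """Build the ldbmodify record that replaces unicodePwd with the raw key.

    The '::' after the attribute name tells the LDIF parser the value is base64,
    which is how raw binary gets through a text LDIF file.
    """
    b64 = base64.b64encode(key_from_hex(hex_key)).decode("ascii")
    return "\n".join([
        "dn: " + dn,
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd:: " + b64,
        "",
    ])


if __name__ == "__main__":
    # Constructed sample dump line: an AES key (enctype 18) first, then the RC4 key.
    sample = ("user@MY.REALM 1::18:" + "aa" * 32 + ":-::23:"
              "0123456789ABCDEF0123456789ABCDEF:-")
    hexkey = arcfour_key_from_dump_line(sample)
    print(unicodepwd_ldif("CN=user,CN=Users,DC=MY,DC=REALM", hexkey))
```

Pipe the printed record into `ldbmodify -H .../sam.ldb.d/DC=MY,DC=REALM.ldb` exactly as in the message; the base64 output for the sample key matches what the Python 2 one-liner in the thread produces for the same hex string.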
