[Samba] Migration to samba4 ad and sync to openldap.

Christian Naumer cn at brain-biotech.de
Fri Apr 5 08:47:18 UTC 2019

On 04.04.19 at 21:09, John McMonagle via samba wrote:
> It did not migrate a lot of attributes that are in active directory.
> The most important one to us is "mail"
> Others by ldap account manager names:
> User name
> First Name
> Last Name
> I'm sure there are others.

Yes, as Rowland said, only a minimum of attributes are transferred.
We wrote a script for that. I'll add it at the end of the mail. Maybe it
will help you.

> I did full dump of samba4 ldap with ldapsearch and the attributes do not
> exist.
> They should have been migratable.
> What do I do to migrate the other parameters?
> Does the domain administrator account give me access to everything in ldap?
> Lam sort of works.
> I'm using the domain administrator account to authenticate.
> Is that correct?

Rowland already set you on the right track. It works for us. Let me know
if you need more help.

> The lam site gives very little info on setup.
> Followed what I could find.
> At the moment just using the Windows module for Users and Groups
> Users:
> LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
> List attributes:  #givenName;#sn;#mail   (None of these exist as migrated)
> Groups:
> LDAP suffix:CN=Users,DC=ad,DC=advocap,DC=org
> List attributes:#cn;#gidNumber;#memberUID;#description

Here is the script (a colleague wrote this; I just cleaned it up for
posting). It queries the old LDAP server for the required data, puts
together an LDIF and writes that to the AD. As we were new when we wrote
this, forgive us for anything done wrong or too complex :-)


#!/bin/bash
# Note: the single-word lines of the script (get), do, then, fi, done, EOF,
# the LDIF "-" separators, ;;, set), *), esac) were dropped when it was
# posted to the list; they are restored here so the script runs again.

case $1 in
    get)
        rm -f /tmp/ldif/*

        # All members of "Domain Users" on the old OpenLDAP server, reduced to
        # their first RDN (uid=...) so it can be used as a search filter below.
        FILTER="cn=Domain Users"
        USERS=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" -w PassW0rd -b "ou=Groups,dc=domainname,dc=de" "${FILTER}" uniqueMember \
                | grep -Ev "^#" \
                | grep -Ew "uniqueMember" \
                | sort -u \
                | sort -t"," -k2 \
                | sed -e "s:uniqueMember\:::g" \
                | awk -F"," '{printf "%s\n", $1}'`

        for TAG in ${USERS}
        do
            # Doing this separately, you don't need to parse the output.
            # (-w puts the password on the command line; -y reads it from a
            # file, as the "set" branch below does.)
            uid=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" "${TAG}" -w PassW0rd uid | grep -Ew "uid" | grep -Ev "(^#|^dn:)" | sed -e "s|uid: ||g"`
            title=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" "${TAG}" -w PassW0rd title | grep -Ew "title" | grep -Ev "(^#|^dn:)" | sed -e "s|title: ||g"`
            givenName=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" "${TAG}" -w PassW0rd givenName | grep -Ew "givenName" | grep -Ev "(^#|^dn:)" | sed -e "s|givenName: ||g"`
            sn=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" "${TAG}" -w PassW0rd sn | grep -Ew "sn" | grep -Ev "(^#|^dn:)" | sed -e "s|sn: ||g"`
            employeeType=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" "${TAG}" -w PassW0rd employeeType | grep -Ew "employeeType" | grep -Ev "(^#|^dn:)" | sed -e "s|employeeType: ||g"`
            mail=`ldapsearch -H ldaps://oldhostname -D "cn=Admin" "${TAG}" -w PassW0rd mail | grep -Ew "mail" | grep -Ev "(^#|^dn:)" | sed -e "s|mail: ||g"`

            if [ -n "${uid}" ]
            then
                # Users without a mail address are skipped (the body of this
                # block was also lost in posting; "continue" is assumed here).
                if [ -z "${mail}" ]
                then
                    continue
                fi

                # always works
                cat > /tmp/ldif/${uid}.ldif << EOF
dn: CN=${uid},CN=Users,dc=hq,dc=domainname,dc=de
changetype: modify
replace: mail
mail: ${mail}
-
replace: givenName
givenName: ${givenName}
-
replace: sn
sn: ${sn}
-
replace: uid
uid: ${uid}
-
EOF
                # not always set
                if [ -n "${employeeType}" ]
                then
                    cat >> /tmp/ldif/${uid}.ldif << EOF
replace: employeeType
employeeType: ${employeeType}
-
EOF
                fi

                # not always set
                if [ -n "${title}" ]
                then
                    cat >> /tmp/ldif/${uid}.ldif << EOF
replace: title
title: ${title}
-
EOF
                fi
            fi
        done
        ;;

    set)
        # The leading "echo" makes this a dry run that only prints the
        # ldapmodify commands; remove it to actually write to the AD.
        for tag in /tmp/ldif/*
        do
            echo ldapmodify -c -H ldaps://newhostname.domainname.de -D "cn=Administrator,cn=Users,dc=hq,dc=domainname,dc=de" -y /etc/pwd.txt -c -f $tag
        done
        ;;

    *)
        echo Call with get or set as parameter
        echo get: get attributes and write to ldif file for usage with ldapmodify
        echo set: set attributes from ldif files
        exit 1
        ;;
esac

exit 0

Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Engineering

B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30  /   fax +49-6251-9331-11

Registered office: Zwingenberg/Bergstrasse
Court of registration: AG Darmstadt, HRB 24758
Executive board: Dr. Juergen Eck (chairman), Manfred Bender,
Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
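The script above runs six ldapsearch calls per user and writes each attribute straight into the LDIF. The following is an added example (not the script from the mail, and not Samba's code) of the LDIF-building step done from a single ldapsearch result per user: it keeps the "-" separators that LDIF requires between the replace operations, passes base64-encoded ("::") values such as non-ASCII surnames through untouched, rejoins lines that ldapsearch folded, and skips entries without uid or mail the way the original does. The sample ldapsearch output, the hostnames, DNs and the uid-to-CN mapping are constructed assumptions, not data from the thread.

```shell
#!/bin/sh
# Added example, not the script from the mail: build the per-user
# "changetype: modify" LDIF from one ldapsearch result instead of six.

# Constructed sample of what
#   ldapsearch -LLL -H ldaps://oldhostname -y /etc/oldpwd.txt \
#       -b "ou=People,dc=domainname,dc=de" "uid=jdoe" uid mail givenName sn title employeeType
# would print for one user (made-up values; employeeType is absent on purpose,
# sn is base64 because it contains a non-ASCII character).
SAMPLE_USER='dn: uid=jdoe,ou=People,dc=domainname,dc=de
uid: jdoe
givenName: John
sn:: TcO8bGxlcg==
mail: jdoe@domainname.de
title: Research Scientist
'

# ldif_modify_for_user BASE_DN
#   stdin : ldapsearch output for exactly one entry
#   stdout: modify LDIF for CN=<uid>,BASE_DN (same uid -> CN mapping the mail's script assumes)
#   exit  : 0 on success, 1 when uid or mail is missing (entry skipped, as in the original)
ldif_modify_for_user() {
    awk -v base="$1" '
    # continuation line (ldapsearch folds long values): append to the previous attribute
    /^ / && last != "" { line[last] = line[last] substr($0, 2); next }
    # "name: value" or "name:: base64"; keep the whole line so base64 values stay intact
    /^[A-Za-z]+::? / {
        name = $1; sub(/:+$/, "", name)
        if (name == "dn") { last = ""; next }
        line[name] = $0; last = name; next
    }
    END {
        if (!("uid" in line) || !("mail" in line)) exit 1
        if (line["uid"] ~ /^uid:: /) exit 1        # base64 uid: cannot build a plain DN from it
        uid = line["uid"]; sub(/^uid: /, "", uid)
        printf "dn: CN=%s,%s\nchangetype: modify\n", uid, base
        n = split("mail givenName sn uid employeeType title", want, " ")
        first = 1
        for (i = 1; i <= n; i++) {
            a = want[i]
            if (!(a in line)) continue             # title/employeeType are not always set
            if (!first) print "-"                  # LDIF separator between two changes
            printf "replace: %s\n%s\n", a, line[a]
            first = 0
        }
    }'
}

# Stand-alone demo: print the LDIF for the sample user.
# In real use, feed each user's ldapsearch result into the function, write the
# result to a file and apply it with
#   ldapmodify -c -H ldaps://newhostname -D "<admin DN>" -y /etc/pwd.txt -f <file>
printf '%s' "$SAMPLE_USER" | ldif_modify_for_user "CN=Users,DC=hq,DC=domainname,DC=de"
```

The function returns non-zero for an entry it skips, so a calling loop can count or log the users that were not migrated instead of silently writing an LDIF with an empty "mail:" line, which ldapmodify would reject.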
