[Samba] Migration to samba4 ad and sync to openldap.
Christian Naumer
cn at brain-biotech.de
Fri Apr 5 08:47:18 UTC 2019
On 04.04.19 at 21:09, John McMonagle via samba wrote:
> It did not migrate a lot of attributes that are in active directory.
> The most important one to us is "mail"
> Others by ldap account manager names:
> User name
> First Name
> Last Name
> I'm sure there are others.
Yes, as Rowland said, only a minimum of attributes are transferred.
We wrote a script for that. I'll add it at the end of the mail. Maybe it
will help you.
>
> I did full dump of samba4 ldap with ldapsearch and the attributes do not
> exist.
>
> They should have been migratable.
> What do I do to migrate the other parameters?
>
> Does the domain administrator account give me access to everything in ldap?
>
> LAM sort of works.
> I'm using the domain administrator account to authenticate.
> Is that correct?
Rowland already set you on the right track. It works for us. Let me know
if you need more help.
>
> The lam site gives very little info on setup.
> Followed what I could find.
> At the moment just using the Windows module for Users and Groups
> Users:
> LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
> List attributes: #givenName;#sn;#mail (None of these exist as migrated)
> Groups:
> LDAP suffix:CN=Users,DC=ad,DC=advocap,DC=org
> List attributes:#cn;#gidNumber;#memberUID;#description
Here is the script (a colleague wrote this; I just cleaned it up for
posting). It queries the old LDAP server for the required data, puts
together an LDIF and writes that to the AD. As we were new when we wrote
this, forgive us for anything done wrong or too complex :-)
#!/bin/bash
# Copies the user attributes that classicupgrade leaves behind (mail, givenName,
# sn, uid, title, employeeType) from the old OpenLDAP server into Samba AD.
#   get: read the attributes from the old server, write one LDIF per user
#   set: feed those LDIF files to ldapmodify against the AD DC
set -u

# Old OpenLDAP server (placeholders, adjust to your environment)
OLD_URI="ldaps://oldhostname"
OLD_BIND_DN="cn=Admin"
OLD_BASE="dc=domainname,dc=de"
# New Samba AD DC
NEW_URI="ldaps://newhostname.domainname.de"
NEW_BIND_DN="cn=Administrator,cn=Users,dc=hq,dc=domainname,dc=de"
NEW_BASE="CN=Users,dc=hq,dc=domainname,dc=de"
MAILDOMAIN="domainname.de"
# Bind passwords are read from root-only files (-y) instead of being passed on
# the command line (-w), where they show up in ps output and the shell history.
OLD_PWFILE="/etc/oldpwd.txt"
NEW_PWFILE="/etc/pwd.txt"
# /tmp is world-writable; use a private directory if other users share the host.
LDIFDIR="/tmp/ldif"

# Query one attribute of one entry on the old server: old_attr <filter> <attribute>
# -LLL drops comments, ldif-wrap=no keeps long values on one line so grep sees
# them whole, head keeps only the first value of a multi-valued attribute.
# Caveat: values with non-ASCII characters (umlauts) come back base64-encoded
# as "attr:: ..." and are not matched by this pattern.
old_attr() {
    ldapsearch -LLL -o ldif-wrap=no -H "${OLD_URI}" -D "${OLD_BIND_DN}" -y "${OLD_PWFILE}" \
        -b "${OLD_BASE}" "$1" "$2" \
        | grep -E "^$2: " | sed -e "s|^$2: ||" | head -n 1
}

case "${1:-}" in
get)
    mkdir -p "${LDIFDIR}" && rm -f "${LDIFDIR}"/*.ldif
    # Members of the group(s) to migrate: take their uniqueMember DNs and keep
    # only the first RDN (uid=xxx), which doubles as the filter for the per-user
    # queries below. Breaks for RDNs containing commas.
    # FILTER="(|(cn=Users1)(cn=Users2))"   # several groups at once
    FILTER="(cn=Domain Users)"
    ldapsearch -LLL -o ldif-wrap=no -H "${OLD_URI}" -D "${OLD_BIND_DN}" -y "${OLD_PWFILE}" \
        -b "ou=Groups,${OLD_BASE}" "${FILTER}" uniqueMember \
        | grep -E "^uniqueMember: " \
        | sed -e "s|^uniqueMember: ||" \
        | awk -F"," '{print $1}' \
        | sort -u \
        | while IFS= read -r TAG
    do
        # One query per attribute: slower, but nothing to parse apart afterwards.
        uid=$(old_attr "${TAG}" uid)
        [ -n "${uid}" ] || continue
        title=$(old_attr "${TAG}" title)
        givenName=$(old_attr "${TAG}" givenName)
        sn=$(old_attr "${TAG}" sn)
        employeeType=$(old_attr "${TAG}" employeeType)
        mail=$(old_attr "${TAG}" mail)
        # Fall back to uid@domain where the old entry has no mail attribute.
        [ -n "${mail}" ] || mail="${uid}@${MAILDOMAIN}"

        # classicupgrade names the AD object CN=<old uid>,CN=Users,...
        # mail, givenName, sn and uid are assumed to exist for every user.
        cat > "${LDIFDIR}/${uid}.ldif" << EOF
dn: CN=${uid},${NEW_BASE}
changetype: modify
replace: mail
mail: ${mail}
-
replace: givenName
givenName: ${givenName}
-
replace: sn
sn: ${sn}
-
replace: uid
uid: ${uid}
EOF
        # employeeType and title are not always set in the old directory; only
        # emit them when present, an empty value makes ldapmodify reject the entry.
        if [ -n "${employeeType}" ]
        then
            cat >> "${LDIFDIR}/${uid}.ldif" << EOF
-
replace: employeeType
employeeType: ${employeeType}
EOF
        fi
        if [ -n "${title}" ]
        then
            cat >> "${LDIFDIR}/${uid}.ldif" << EOF
-
replace: title
title: ${title}
EOF
        fi
    done
    ;;
set)
    # The leading "echo" makes this a dry run that only prints the commands;
    # remove it to actually apply the LDIFs. -c continues after a failing entry.
    for tag in "${LDIFDIR}"/*.ldif
    do
        echo ldapmodify -c -H "${NEW_URI}" -D "${NEW_BIND_DN}" -y "${NEW_PWFILE}" -f "${tag}"
    done
    ;;
*)
    echo "Call with get or set as parameter"
    echo "  get: get attributes and write to ldif file for usage with ldapmodify"
    echo "  set: set attributes from ldif files"
    exit 1
    ;;
esac
exit 0
--
Dr. Christian Naumer
Research Scientist
Platform Coordinator, Bioprocess Technology
B.R.A.I.N Aktiengesellschaft
Darmstaedter Str. 34-36, D-64673 Zwingenberg
e-mail cn at brain-biotech.de, homepage www.brain-biotech.de
phone +49-6251-9331-30 / fax +49-6251-9331-11
Registered office: Zwingenberg/Bergstrasse
Commercial register: AG Darmstadt, HRB 24758
Management board: Dr. Juergen Eck (Chairman), Manfred Bender,
Ludger Roedder
Chairman of the supervisory board: Dr. Georg Kellinghusen
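An added example, written for this page and not part of Christian's mail or of Samba: before running a script like the one above, you can check which of the wanted attributes actually failed to arrive by comparing an `ldapsearch` dump of the old OpenLDAP tree with one of the new AD tree, and generate the modify LDIF only for the gaps. It is in Python rather than the shell because parsing LDIF properly is the point: it handles continuation lines (a leading space) and base64 values (`sn:: ...`), which `ldapsearch` emits for anything non-ASCII such as a name with an umlaut and which a `grep "sn: "` pipeline silently drops. Both dumps, all names and DNs are constructed placeholders; the matching rule (old `uid` equals the AD `cn`) is the same assumption the bash script makes.

```python
"""Diff an OpenLDAP dump against a Samba AD dump and emit the LDIF that fills in
the attributes classicupgrade left behind. Constructed example, not real data."""
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]          # lower-cased attribute name -> values

# Attributes the migration is expected to carry over (same set as the bash script).
WANTED = ("uid", "mail", "givenName", "sn", "title", "employeeType")


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Parse an `ldapsearch -LLL` dump into {dn: {attr: [values]}}.

    Unfolds continuation lines and decodes base64 ("attr:: ...") values, the two
    LDIF features that a naive grep/sed pipeline gets wrong."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)

    entries: Dict[str, Entry] = {}
    dn, attrs = None, {}
    for line in unfolded + [""]:             # sentinel blank line flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):             # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return entries


def missing_attributes(old: Dict[str, Entry], ad: Dict[str, Entry]
                       ) -> Tuple[Dict[str, Tuple[str, Entry]], List[str]]:
    """Match old users (by uid) to AD users (by cn, which classicupgrade sets to the
    old username) and report WANTED attributes present in the old tree but absent
    in AD. Returns ({uid: (ad_dn, {attr: values})}, [uids with no AD object])."""
    ad_by_cn = {cn.lower(): (dn, attrs) for dn, attrs in ad.items()
                for cn in attrs.get("cn", [])}
    missing, unmatched = {}, []
    for attrs in old.values():
        uids = attrs.get("uid")
        if not uids:                         # groups and other non-user entries
            continue
        uid = uids[0]
        hit = ad_by_cn.get(uid.lower())
        if hit is None:
            unmatched.append(uid)
            continue
        ad_dn, ad_attrs = hit
        gap = {a: attrs[a.lower()] for a in WANTED
               if attrs.get(a.lower()) and not ad_attrs.get(a.lower())}
        if gap:
            missing[uid] = (ad_dn, gap)
    return missing, unmatched


def ldif_line(attr: str, value: str) -> str:
    """Encode one attribute line. RFC 2849 requires base64 for non-ASCII values,
    leading space/colon/'<', trailing space, or control characters."""
    safe = (value.isascii() and value and value[0] not in " :<"
            and not value.endswith(" ") and all(c not in value for c in "\r\n\0"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_modify_ldif(missing: Dict[str, Tuple[str, Entry]]) -> str:
    """One 'changetype: modify' record per user; 'replace' works whether or not
    AD already holds a value, which is what the bash script relies on too."""
    records = []
    for ad_dn, gap in missing.values():
        lines = [ldif_line("dn", ad_dn), "changetype: modify"]
        for attr, values in gap.items():
            lines.append(f"replace: {attr}")
            lines.extend(ldif_line(attr, v) for v in values)
            lines.append("-")
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n" if records else ""


# Constructed sample dumps. "sn:: TcO8bGxlcg==" is "Müller", and the mail value is
# folded over two lines, as ldapsearch does with long values.
OLD_LDIF = """\
dn: uid=mmuster,ou=People,dc=domainname,dc=de
objectClass: inetOrgPerson
uid: mmuster
cn:: TWF4IE3DvGxsZXI=
givenName: Max
sn:: TcO8bGxlcg==
mail: max.mueller@domainn
 ame.de
title: Research Scientist

dn: uid=jdoe,ou=People,dc=domainname,dc=de
objectClass: inetOrgPerson
uid: jdoe
givenName: John
sn: Doe
mail: jdoe@domainname.de

dn: cn=Domain Users,ou=Groups,dc=domainname,dc=de
objectClass: groupOfUniqueNames
uniqueMember: uid=mmuster,ou=People,dc=domainname,dc=de
uniqueMember: uid=jdoe,ou=People,dc=domainname,dc=de
"""

AD_LDIF = """\
dn: CN=mmuster,CN=Users,DC=hq,DC=domainname,DC=de
objectClass: user
cn: mmuster
sAMAccountName: mmuster
givenName: Max
"""


def run_example():
    old, ad = parse_ldif(OLD_LDIF), parse_ldif(AD_LDIF)
    missing, unmatched = missing_attributes(old, ad)
    return missing, unmatched, build_modify_ldif(missing)


if __name__ == "__main__":
    missing, unmatched, ldif = run_example()
    print("old users with no AD object:", unmatched)
    print(ldif)
```

Feed real dumps in with `ldapsearch -LLL -H ldaps://oldhostname -b dc=domainname,dc=de '(objectClass=inetOrgPerson)'` and the AD equivalent under `CN=Users,...`, pipe the generated records into `ldapmodify -c`, and treat the `unmatched` list as the users classicupgrade did not create at all, which no attribute sync will fix.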