[Samba] Migration to samba4 ad and sync to openldap.
John McMonagle
johnm at advocap.org
Sat Apr 6 12:20:27 UTC 2019
On 4/5/19 3:47 AM, Christian Naumer via samba wrote:
> On 04.04.19 at 21:09, John McMonagle via samba wrote:
>> It did not migrate a lot of attributes that are in active directory.
>> The most important one to us is "mail"
>> Others by ldap account manager names:
>> User name
>> First Name
>> Last Name
>> I'm sure there are others.
>
> Yes, as Rowland said, only a minimum of attributes are transferred.
> We wrote a script for that. I'll add it at the end of the mail. Maybe it
> will help you.
>
>>
>> I did full dump of samba4 ldap with ldapsearch and the attributes do not
>> exist.
>>
>> They should have been migratable.
>> What do I do to migrate the other parameters?
>>
>> Does the domain administrator account give me access to everything in ldap?
>>
>> Lam sort of works.
>> I'm using the domain administrator account to authenticate.
>> Is that correct?
>
> Rowland already set you on the right track. It works for us. Let me know
> if you need more help.
>
>>
>> The lam site gives very little info on setup.
>> Followed what I could find.
>> At the moment just using the Windows module for Users and Groups
>> Users:
>> LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
>> List attributes: #givenName;#sn;#mail (None of these exist as migrated)
>> Groups:
>> LDAP suffix:CN=Users,DC=ad,DC=advocap,DC=org
>> List attributes:#cn;#gidNumber;#memberUID;#description
>
> Here is the script (A colleague wrote this. I just cleaned it up for
> posting). It queries the old LDAP Server for the required data, puts
> together an ldif and writes that to the AD. As we were new when we wrote
> this, forgive us for anything done wrong or too complex :-)
>
Thanks Christian
That looks like an easy way to get the attributes for a few users so I
can continue my tests.
Found a couple more possibilities.
This is a patch someone made to the classic migration.
https://gist.github.com/jtyocum/f19533448b94012d3722
It's a little old but hopefully the code has not changed much.
https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory
That looks really interesting but I've had no luck getting a lsc.xml
file that it will accept.
>
> #!/bin/bash
> # get: fetch uid/title/givenName/sn/employeeType/mail for every member of a
> #      group on the old OpenLDAP server and write one LDIF file per user
> # set: print the ldapmodify commands that would apply those LDIFs to the AD
>
> OLDLDAP="ldaps://oldhostname"
> BINDDN="cn=Admin"
> BINDPW="PassW0rd"
>
> # Fetch one attribute ($2) of the entry matched by the filter in $1.
> # No -b is given: the search base comes from ldap.conf, as in the original.
> getattr() {
>     ldapsearch -H "${OLDLDAP}" -D "${BINDDN}" -w "${BINDPW}" "$1" "$2" \
>         | grep -Ew "$2" | grep -Ev "(^#|^dn:)" | sed -e "s|$2: ||g"
> }
>
> case $1 in
> get)
>     mkdir -p /tmp/ldif
>     rm -f /tmp/ldif/*
>
>     # FILTER="(|(cn=Users1)(cn=Users2))"   # alternative: several groups
>     FILTER="cn=Domain Users"
>     # uniqueMember values look like "uid=jdoe,ou=People,dc=domainname,dc=de";
>     # keep only the "uid=jdoe" part, which is then reused as a search filter.
>     USERS=$(ldapsearch -H "${OLDLDAP}" -D "${BINDDN}" -w "${BINDPW}" \
>         -b "ou=Groups,dc=domainname,dc=de" "${FILTER}" uniqueMember \
>         | grep -Ev "^#" \
>         | grep -Ew "uniqueMember" \
>         | sort -u \
>         | sort -t"," -k2 \
>         | sed -e "s:uniqueMember\:::g" \
>         | awk -F"," '{printf "%s\n", $1}')
>
>     for TAG in ${USERS}
>     do
>         # Querying each attribute separately means no output parsing is needed
>         uid=$(getattr "${TAG}" uid)
>         title=$(getattr "${TAG}" title)
>         givenName=$(getattr "${TAG}" givenName)
>         sn=$(getattr "${TAG}" sn)
>         employeeType=$(getattr "${TAG}" employeeType)
>         mail=$(getattr "${TAG}" mail)
>
>         if [ -n "${uid}" ]
>         then
>             if [ -z "${mail}" ]
>             then
>                 mail="${uid}@domainname.de"
>             fi
>
>             # always works
>             cat > "/tmp/ldif/${uid}.ldif" << EOF
> dn: CN=${uid},CN=Users,dc=hq,dc=domainname,dc=de
> changetype: modify
> replace: mail
> mail: ${mail}
> -
> replace: givenName
> givenName: ${givenName}
> -
> replace: sn
> sn: ${sn}
> -
> replace: uid
> uid: ${uid}
> EOF
>             # not always set
>             if [ -n "${employeeType}" ]
>             then
>                 cat >> "/tmp/ldif/${uid}.ldif" << EOF
> -
> replace: employeeType
> employeeType: ${employeeType}
> EOF
>             fi
>
>             # not always set
>             if [ -n "${title}" ]
>             then
>                 cat >> "/tmp/ldif/${uid}.ldif" << EOF
> -
> replace: title
> title: ${title}
> EOF
>             fi
>         fi
>     done
>     ;;
>
> set)
>     for tag in /tmp/ldif/*
>     do
>         # the leading "echo" makes this a dry run; drop it to apply the LDIFs
>         echo ldapmodify -c -H ldaps://newhostname.domainname.de \
>             -D "cn=Administrator,cn=Users,dc=hq,dc=domainname,dc=de" \
>             -y /etc/pwd.txt -f "${tag}"
>     done
>     ;;
>
> *)
>     echo "Call with get or set as parameter"
>     echo "get: get attributes and write to ldif file for usage with ldapmodify"
>     echo "set: set attributes from ldif files"
>     exit 1
>     ;;
> esac
>
> exit 0
>
--
John McMonagle
IT Manager
Advocap Inc.
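The script quoted above writes attribute values straight into LDIF. RFC 2849 only allows that for plain-ASCII values with no leading space, colon or '<' and no embedded newline; anything else (a surname like "Müller" from the old directory, or a value that happens to contain a line break) must be base64-encoded with "::", otherwise ldapmodify rejects the file or reads the extra lines as further changes. The following is an added example, not the thread's script: it builds the same "changetype: modify" records in that safe form, using constructed ldapsearch output and the DN/domain names from the thread as assumptions.

```python
"""Added example (not the script from the thread): build the same
'changetype: modify' LDIF records in RFC 2849-safe form. Values that are not
LDIF-safe (non-ASCII such as 'Müller', a leading space/colon/'<', or an
embedded newline) are base64-encoded with '::', so they can neither corrupt
the record nor smuggle extra 'replace:' lines into it."""
import base64
import re

# Constructed sample of what `ldapsearch ... uniqueMember` prints for a group.
SAMPLE_GROUP_OUTPUT = """\
# extended LDIF
dn: cn=Domain Users,ou=Groups,dc=domainname,dc=de
uniqueMember: uid=jdoe,ou=People,dc=domainname,dc=de
uniqueMember: uid=mmueller,ou=People,dc=domainname,dc=de
uniqueMember: uid=jdoe,ou=People,dc=domainname,dc=de
"""
UID_RE = re.compile(r"^uniqueMember:\s*uid=([^,]+),", re.MULTILINE)
ATTRS = ("mail", "givenName", "sn", "uid", "employeeType", "title")

def member_uids(ldapsearch_output):
    """uid of every uniqueMember, de-duplicated and sorted."""
    return sorted(set(UID_RE.findall(ldapsearch_output)))

def ldif_safe(value):
    """True if 'attr: value' is allowed by RFC 2849 (SAFE-STRING rules)."""
    if not value:
        return True
    if value[0] in " :<":
        return False
    return all(ord(c) < 128 and c not in "\r\n\0" for c in value)

def ldif_line(attr, value):
    """'attr: value', or 'attr:: base64' when value is not LDIF-safe."""
    if ldif_safe(value):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def build_modify_ldif(uid, attrs, base_dn="CN=Users,dc=hq,dc=domainname,dc=de",
                      mail_domain="domainname.de"):
    """One modify record for the AD entry (base_dn/mail_domain assumed from the
    thread); empty attributes are skipped and mail defaults to uid@mail_domain."""
    attrs = dict(attrs, uid=uid)
    if not attrs.get("mail"):
        attrs["mail"] = f"{uid}@{mail_domain}"
    lines = [ldif_line("dn", f"CN={uid},{base_dn}"), "changetype: modify"]
    for name in ATTRS:
        if attrs.get(name):
            lines += [f"replace: {name}", ldif_line(name, attrs[name]), "-"]
    return "\n".join(lines) + "\n"
```

Feeding the output of `build_modify_ldif` to `ldapmodify -f` gives the same result as the posted script for plain values, and a valid record where the script would have produced a broken one.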