cba1243a06
* Tue Aug 22 2000 Nalin Dahyabhai <nalin@redhat.com>
- remove that pesky default password
- change "Copyright:" to "License:"

* Sun Aug 13 2000 Nalin Dahyabhai <nalin@redhat.com>
- adjust permissions in files lists
- move libexecdir from /usr/sbin to /usr/sbin

* Fri Aug 11 2000 Nalin Dahyabhai <nalin@redhat.com>
- add migrate_automount.pl to the migration scripts set

* Tue Aug 08 2000 Nalin Dahyabhai <nalin@redhat.com>
- build a semistatic slurpd with threads, everything else without
- disable reverse lookups, per email on OpenLDAP mailing lists
- make sure the execute bits are set on the shared libraries

* Mon Jul 31 2000 Nalin Dahyabhai <nalin@redhat.com>
- change logging facility used from local4 to daemon (#11047)

* Thu Jul 27 2000 Nalin Dahyabhai <nalin@redhat.com>
- split off clients and servers to shrink down the package and remove the base package's dependency on Perl
- make certain that the binaries have sane permissions

* Mon Jul 17 2000 Nalin Dahyabhai <nalin@redhat.com>
- move the init script back

* Thu Jul 13 2000 Nalin Dahyabhai <nalin@redhat.com>
- tweak the init script to only source /etc/sysconfig/network if it's found

* Wed Jul 12 2000 Prospector <bugzilla@redhat.com>
- automatic rebuild

* Mon Jul 10 2000 Nalin Dahyabhai <nalin@redhat.com>
- switch to gdbm; I'm getting off the db merry-go-round
- tweak the init script some more
- add instdir to @INC in migration scripts

* Thu Jul 06 2000 Nalin Dahyabhai <nalin@redhat.com>
- tweak init script to return error codes properly
- change initscripts dependency to one on /etc/init.d

* Tue Jul 04 2000 Nalin Dahyabhai <nalin@redhat.com>
- prereq initscripts
- make migration scripts use mktemp

* Tue Jun 27 2000 Nalin Dahyabhai <nalin@redhat.com>
- do condrestart in post and stop in preun
- move init script to /etc/init.d

* Fri Jun 16 2000 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.2.11
- add condrestart logic to init script
- munge migration scripts so that you don't have to be in /usr/share/openldap/migration to run them
- add code to create pid files in /var/run

* Mon Jun 05 2000 Nalin Dahyabhai <nalin@redhat.com>
- FHS tweaks
- fix for compiling with libdb2

* Thu May 04 2000 Bill Nottingham <notting@redhat.com>
- minor tweak so it builds on ia64

* Wed May 03 2000 Nalin Dahyabhai <nalin@redhat.com>
- more minimalistic fix for bug #11111 after consultation with OpenLDAP team
- backport replacement for the ldapuser patch

* Tue May 02 2000 Nalin Dahyabhai <nalin@redhat.com>
- fix segfaults from queries with commas in them in in.xfingerd (bug #11111)

* Tue Apr 25 2000 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.2.10
- add revamped version of patch from kos@bastard.net to allow execution as any non-root user
- remove test suite from %build because of weirdness in the build system

* Wed Apr 12 2000 Nalin Dahyabhai <nalin@redhat.com>
- move the defaults for databases and whatnot to /var/lib/ldap (bug #10714)
- fix some possible string-handling problems

* Mon Feb 14 2000 Bill Nottingham <notting@redhat.com>
- start earlier, stop later.

* Thu Feb 03 2000 Nalin Dahyabhai <nalin@redhat.com>
- auto rebuild in new environment (release 4)

* Tue Feb 01 2000 Nalin Dahyabhai <nalin@redhat.com>
- add -D_REENTRANT to make threaded stuff more stable, even though it looks like the sources define it, too
- mark *.ph files in migration tools as config files

* Fri Jan 21 2000 Nalin Dahyabhai <nalin@redhat.com>
- update to 1.2.9

* Mon Sep 13 1999 Bill Nottingham <notting@redhat.com>
- strip files

* Sat Sep 11 1999 Bill Nottingham <notting@redhat.com>
- update to 1.2.7
- fix some bugs from bugzilla (#4885, #4887, #4888, #4967)
- take include files out of base package

* Fri Aug 27 1999 Jeff Johnson <jbj@redhat.com>
- missing ;; in init script reload) (#4734).

* Tue Aug 24 1999 Cristian Gafton <gafton@redhat.com>
- move stuff from /usr/libexec to /usr/sbin
- relocate config dirs to /etc/openldap

* Mon Aug 16 1999 Bill Nottingham <notting@redhat.com>
- initscript munging

* Wed Aug 11 1999 Cristian Gafton <gafton@redhat.com>
- add the migration tools to the package

* Fri Aug 06 1999 Cristian Gafton <gafton@redhat.com>
- upgrade to 1.2.6
- add rc.d script
- split -devel package

* Sun Feb 07 1999 Preston Brown <pbrown@redhat.com>
- upgrade to latest stable (1.1.4), it now uses configure macro.

* Fri Jan 15 1999 Bill Nottingham <notting@redhat.com>
- build on arm, glibc2.1

* Wed Oct 28 1998 Preston Brown <pbrown@redhat.com>
- initial cut.
- patches for signal handling on the alpha
180 lines
7.9 KiB
Plaintext
LDAP Migration Tools

The MigrationTools are a set of Perl scripts for migrating users, groups,
aliases, hosts, netgroups, networks, protocols, RPCs, and services from
existing nameservices (flat files, NIS, and NetInfo) to LDAP. They are
located on a default installation under /usr/share/openldap/migration.

The tools require the ldapadd and ldif2ldbm commands, which are distributed
with most LDAP servers derived from the University of Michigan LDAP
distribution. The source code for these is available with OpenLDAP.
Additionally, Netscape provides an implementation of ldapmodify which
subsumes the functionality of ldapadd. If you are using Netscape's Directory
Server, you should set the $NSHOME and $serverId environment variables to
assist the MigrationTools in locating your LDAP database and LDIF tools;
they will then use ldapmodify instead of ldapadd.

These tools are freely redistributable according to the license included
with the source files. They may be bundled with LDAP/NIS migration products.
See RFC 2307 for more information on the schema used by these scripts. THIS
SOFTWARE IS PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY AND WITHOUT
SUPPORT.

Scripts

* migrate_base.pl creates naming context entries, including
  subordinate contexts such as ou=people and ou=devices.

* migrate_aliases.pl migrates aliases in /etc/aliases to entries
  conforming to the rfc822MailGroup schema. Organizations that have
  deployed LDAP-based messaging solutions, such as Netscape's
  Messaging Server, may wish to use a different schema for
  representing mail aliases. Ypldapd does not use X.500 groups (such
  as groupOfUniqueNames) for mail alias expansion because
  flattening an arbitrarily nested group at runtime may be
  expensive. (It is possible to write a ypldapd plug-in to support
  such a schema, however.)

* migrate_group.pl migrates groups in /etc/group

* migrate_hosts.pl migrates hosts in /etc/hosts

* migrate_networks.pl migrates networks in /etc/networks

* migrate_passwd.pl migrates users in /etc/passwd. Note that if
  users are allowed to read the userPassword attribute, and your LDAP
  server doesn't support authenticating against hashed passwords (so
  that the attribute has to hold the cleartext password), then anyone
  who can read the userPassword attribute's value can authenticate as
  that user. Modern LDAP servers, such as Netscape Directory Server,
  support authenticating against hashed passwords, so this is not an
  issue; the OpenLDAP LDAP server also supports such authentication.
  Even then, use the server's access controls to keep userPassword
  usable for binding but not readable by other users: the {crypt}
  hashes these scripts copy out of /etc/passwd or /etc/shadow can be
  cracked offline by anyone able to read them.

* migrate_protocols.pl migrates protocols in /etc/protocols

* migrate_services.pl migrates services in /etc/services

* migrate_netgroup.pl migrates netgroups in /etc/netgroup

* migrate_netgroup_byuser.pl migrates the netgroup.byuser map. It
  requires revnetgroup.

* migrate_netgroup_byhost.pl migrates the netgroup.byhost map. It
  requires revnetgroup.

* migrate_rpc.pl migrates RPCs in /etc/rpc

Configuration

The configuration for these Perl scripts is contained at the head of
migrate_common.ph:

Perl variable         Description

$DEFAULT_MAIL_DOMAIN  The mail domain used for the mail attribute in
                      migrate_passwd.pl when extended schema support is
                      enabled. You may override this with the
                      DEFAULT_MAIL_DOMAIN environment variable.

$DEFAULT_BASE         The naming suffix to use in entries' distinguished
                      names. If undefined, this will be constructed by
                      mapping the mail domain name into a distinguished
                      name (e.g. aceindustry.com becomes
                      dc=aceindustry,dc=com). You may override this with
                      the LDAP_BASEDN environment variable.

$EXTENDED_SCHEMA      Enables extended schema support. This adds the
                      organizationalPerson and inetOrgPerson object
                      classes, amongst others, to users migrated by the
                      migrate_passwd.pl script.

%NAMINGCONTEXT        Determines the LDAP/X.500 naming context to use for
                      a migration tool. The hash is keyed by tool (as in
                      migrate_<tool>.pl). Values are concatenated with
                      $DEFAULT_BASE by the &getsuffix() subroutine.

The following environment variables control the behavior of the
migration shell scripts:

Environment variable  Description

DEFAULT_MAIL_DOMAIN   See above.

LDAPADD               Path to the ldapadd executable, for online
                      migration (if not in the path or in
                      /usr/local/bin or /usr/bin).

LDIF2LDBM             Path to the ldif2ldbm executable, for offline
                      migration (if not in the path or in
                      /usr/local/bin or /usr/bin).

PERL                  Path to the Perl interpreter (if not in
                      /usr/bin or /usr/local/bin).

LDAPHOST              Your LDAP server, for online migration. This is
                      optional; you'll be prompted if the environment
                      variable is not set.

LDAP_BASEDN           See above ($DEFAULT_BASE). This is optional;
                      you'll be prompted if the environment variable
                      is not set.

LDAP_BINDDN           The distinguished name to bind to the LDAP
                      server as, for online migration. This is
                      optional; you'll be prompted if the environment
                      variable is not set.

LDAP_BINDCRED         The password to bind to the LDAP server with,
                      for online migration. This is optional; you'll
                      be prompted if the environment variable is not
                      set. Prefer the prompt: a password exported on
                      the command line ends up in the shell history
                      and is visible to other processes running as the
                      same user.

You will probably wish to use a shell script or makefile to automate
population of your LDAP database, either off-line (with ldif2ldbm) or
on-line (with ldapadd). The migrate_all_*.sh shell scripts do this, but you
may wish to customize their behaviour. The following table explains which
migration scripts to use:

Shell script                    Existing nameservice   LDAP running?

migrate_all_online.sh           /etc flat files        Yes
migrate_all_offline.sh          /etc flat files        No
migrate_all_netinfo_online.sh   NetInfo                Yes
migrate_all_netinfo_offline.sh  NetInfo                No
migrate_all_nis_online.sh       NIS/YP                 Yes
migrate_all_nis_offline.sh      NIS/YP                 No

Below are examples of migrate_hosts.pl and migrate_passwd.pl being used to
migrate hosts and users, respectively:

$ migrate_hosts.pl /etc/hosts
dn: cn=mira.aceindustry.com,ou=devices,dc=aceindustry,dc=com
objectclass: ipHost
objectclass: device
objectclass: top
ipHostNumber: 10.1.70.5
cn: mira
cn: www.aceindustry.com
cn: mira.aceindustry.com

$ migrate_passwd.pl /etc/passwd
dn: cn=Joe Bloggs,ou=people,dc=aceindustry,dc=com
cn: Joe Bloggs
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: account
mail: jbloggs@aceindustry.com
givenname: Joe
sn: Bloggs
uid: jbloggs
userPassword: {crypt}daCXgaxahRNkg
loginShell: /bin/csh
uidNumber: 20
gidNumber: 20
homeDirectory: /home/jbloggs
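The following is an added example, written for this page in Python rather than taken from the MigrationTools' own Perl scripts. It reproduces, in simplified form, what the two runs above produce (the $DEFAULT_BASE domain-to-DN mapping, &getsuffix(), ipHost entries from /etc/hosts, and posixAccount/inetOrgPerson entries from /etc/passwd with the {crypt} hash taken from /etc/shadow), escapes RDN values so a gecos field or hostname cannot inject extra RDNs into the DN, and adds the check the migrate_passwd.pl note calls for: before loading an LDIF file, list every entry whose userPassword carries no {scheme} prefix and would therefore be stored in the clear. The NAMINGCONTEXT subset, the set of "locked" shadow values, and all sample input are assumptions for the example; the DN and cn ordering differ slightly from the Perl output shown above.

```python
import base64
import re

# Added example (Python), not the project's Perl scripts: a simplified version of
# what migrate_passwd.pl and migrate_hosts.pl emit, plus a pre-load audit of
# userPassword values. All sample input is constructed.

NAMINGCONTEXT = {"passwd": "ou=people", "hosts": "ou=devices"}  # assumed subset
LOCKED = {"", "x", "*", "!", "!!", "*LK*", "NP"}  # shadow values meaning "no password"

def domain_to_basedn(domain):
    """'aceindustry.com' -> 'dc=aceindustry,dc=com' (the $DEFAULT_BASE mapping)."""
    return ",".join("dc=" + label for label in domain.lower().split("."))

def getsuffix(tool, base):
    """Counterpart of &getsuffix(): the naming context for one tool under base."""
    return NAMINGCONTEXT[tool] + "," + base

def dn_escape(value):
    """Escape what RFC 4514 reserves in an RDN value (, + " \\ < > ; and a leading
    # or space) so a gecos field or hostname cannot inject extra RDNs into the DN."""
    out = re.sub(r'([,+"\\<>;])', r'\\\1', value)
    return "\\" + out if out.startswith(("#", " ")) else out

def _records(text):
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            yield line.strip()

def hosts_to_ldif(hosts_text, base):
    """One ipHost entry per /etc/hosts line: first name is the RDN, every name a cn."""
    suffix, entries = getsuffix("hosts", base), []
    for line in _records(hosts_text):
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        entry = [("dn", "cn=%s,%s" % (dn_escape(fields[1]), suffix)),
                 ("objectclass", "ipHost"), ("objectclass", "device"),
                 ("objectclass", "top"), ("ipHostNumber", fields[0])]
        entries.append(entry + [("cn", name) for name in fields[1:]])
    return entries

def passwd_to_ldif(passwd_text, shadow_text, base, mail_domain):
    """posixAccount entries with the extended (inetOrgPerson) schema; the hash is
    taken from the shadow file and tagged {crypt}, as migrate_passwd.pl does."""
    suffix, entries = getsuffix("passwd", base), []
    hashes = {r.split(":")[0]: r.split(":")[1] for r in _records(shadow_text)}
    for line in _records(passwd_text):
        fields = line.split(":")
        if len(fields) < 7:
            continue
        user, pw, uid, gid, gecos, home, shell = fields[:7]
        if pw == "x":                        # shadowed: fetch the real hash
            pw = hashes.get(user, "")
        cn = gecos.split(",")[0].strip() or user
        words = cn.split()
        entry = [("dn", "cn=%s,%s" % (dn_escape(cn), suffix)), ("cn", cn)]
        entry += [("objectclass", c) for c in ("top", "person", "organizationalPerson",
                                                "inetOrgPerson", "posixAccount", "account")]
        entry += [("mail", "%s@%s" % (user, mail_domain)), ("givenname", words[0]),
                  ("sn", " ".join(words[1:]) or words[0]), ("uid", user)]
        if pw not in LOCKED:                 # locked accounts get no userPassword at all
            entry.append(("userPassword", "{crypt}" + pw))
        entry += [("loginShell", shell), ("uidNumber", uid), ("gidNumber", gid),
                  ("homeDirectory", home)]
        entries.append(entry)
    return entries

def to_ldif(entries):
    """Serialise entries as LDIF ('attr: value' lines; all values here are ASCII)."""
    return "\n".join("\n".join("%s: %s" % kv for kv in e) + "\n" for e in entries)

def cleartext_passwords(ldif_text):
    """DNs in an LDIF file whose userPassword has no {scheme} prefix, i.e. would be
    stored in the clear by a server that does not hash on write. Run before ldapadd."""
    bad, dn = [], None
    for line in ldif_text.splitlines():
        if line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.startswith("userPassword:"):
            value = line[len("userPassword:"):]
            if value.startswith(":"):        # base64-encoded value: decode, then check
                value = base64.b64decode(value[1:].strip()).decode()
            if not re.match(r"\{[A-Za-z0-9-]+\}", value.strip()):
                bad.append(dn)
    return bad

# Constructed sample input; the jbloggs hash is the one shown on this page.
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "jbloggs:x:20:20:Joe Bloggs,,,:/home/jbloggs:/bin/csh\n"
          "svcops:x:501:501:Night Ops (backup):/var/lib/svcops:/sbin/nologin\n")
SHADOW = ("root:*:18000:0:99999:7:::\n"
          "jbloggs:daCXgaxahRNkg:18000:0:99999:7:::\n"
          "svcops:!:18000:0:99999:7:::\n")
HOSTS = "127.0.0.1 localhost\n10.1.70.5 mira.aceindustry.com mira www.aceindustry.com  # web\n"
BASE = domain_to_basedn("aceindustry.com")

if __name__ == "__main__":
    ldif = to_ldif(passwd_to_ldif(PASSWD, SHADOW, BASE, "aceindustry.com") + hosts_to_ldif(HOSTS, BASE))
    print(ldif)
    print("entries with cleartext userPassword:", cleartext_passwords(ldif))
```

Two design points. Locked accounts (shadow field "*", "!" and friends) get no userPassword at all rather than a {crypt}* value, so they cannot bind. And the audit decodes base64 (::) values before looking for the {scheme} prefix, because a cleartext password that happens to be base64-encoded would slip past a plain grep for "userPassword: {". Whatever server you load the result into, pair it with an access control that lets userPassword be used for binding but not read by other users; in OpenLDAP's slapd.conf that is `access to attrs=userPassword by self write by anonymous auth by * none`.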