
How can I migrate system users to LDAP?

Please note that these steps won’t work on Rocky Linux or CentOS 8, because the migrationtools package doesn’t exist in their upstream repos.

How can I migrate users and groups from /etc/passwd and /etc/group to Bright’s LDAP?

The following steps should be done on the head node.

1. Install the required packages:

On CentOS7/RHEL7:

# yum install migrationtools.noarch

On Ubuntu:

# apt update
# apt install migrationtools

2. Edit the migrate_common.ph configuration file as follows:

On CentOS7/RHEL7:

# cd /usr/share/migrationtools/
# vim migrate_common.ph

On Ubuntu:

# cd /usr/share/perl5
# vim migrate_common.ph

a. Point the base DN to Bright’s LDAP:

[...]
$DEFAULT_BASE = "dc=cm,dc=cluster";
[...]

b. Comment out the “ou=People” naming context and the “top” object class, so that they are excluded from the files that will be generated:

[...]
#       $NAMINGCONTEXT{'passwd'}            = "ou=People";
[...]
#       print $HANDLE "objectClass: top\n";
[...]

c. Use the inetOrgPerson object class instead of the account object class:

[...]
$EXTENDED_SCHEMA = 1;
[...]

3. Edit the migrate_passwd.pl script and comment out the following lines, so that the corresponding object classes are not written to the generated file:

# cd /usr/share/migrationtools/
# vim migrate_passwd.pl
#       print $HANDLE "objectClass: person\n";
#       print $HANDLE "objectClass: organizationalPerson\n";
[...]
#       print $HANDLE "objectClass: top\n";

If you are using Ubuntu, also comment out the following lines:

[...]
#print $HANDLE "objectClass: krb5Principal\n";
[...]
#print $HANDLE "krb5PrincipalName: $user\@$DEFAULT_REALM\n";
[...]

4. Export the local /etc/passwd and /etc/group to LDIF files:

# cd /usr/share/migrationtools/
# ./migrate_group.pl /etc/group ~/group.ldif
# ./migrate_passwd.pl /etc/passwd ~/passwd.ldif

5. Import the exported files into Bright LDAP:

# ldapadd -x -W -D "cn=root,dc=cm,dc=cluster" -f ~/group.ldif
# ldapadd -x -W -D "cn=root,dc=cm,dc=cluster" -f ~/passwd.ldif

Notes

  • Consider editing the generated passwd.ldif and group.ldif files to remove the users and groups that you don’t want to add to Bright LDAP. For example, we recommend that root is not managed by Bright LDAP.
  • If you’re using a different shadow file, edit migrate_passwd.pl to point to that shadow file.
  • The LDAP password that ldapadd prompts for can be retrieved from /cm/local/apps/cmd/etc/cmd.conf.


Troubleshooting

Issue: Can’t start LDAP

# service ldap restart
Stopping slapd:                     [  OK  ]
id: ldap: No such user
find: invalid argument `(' to `-uid'
Checking configuration files for slapd:  /sbin/runuser: user ldap does not exist
                                    [FAILED]

Resolution

The ldap user doesn’t exist in /etc/passwd; add it to /etc/passwd to be able to start LDAP.


Issue: Can’t clear surname

[adel60-centos6-sge->user[abrt]]% clear surname
[adel60-centos6-sge->user*[abrt*]]% commit

Code  Field  Message
----- ------ ---------------------------------------------
1     LDAP   Error performing user ldap_add_ext_s: Invalid
             syntax. New dn:uid=abrt,dc=cm,dc=cluster  

Resolution

The surname can’t be empty; add a value to be able to commit the changes.

Updated on February 2, 2022
