1. Home
  2. User Management
  3. How can I migrate system users to LDAP?

How can I migrate system users to LDAP?

Please note that these steps won’t work on RockyLinux or CentOS8, because the migrationtools packagedoesn’t exist in their upstream repos.

How can I migrate users and groups from /etc/passwd and /etc/group to Bright’s LDAP?

The following steps should be done on the head node.

1. Install the required packages:

On CentOS7/RHEL7:

# yum install migrationtools.noarch

On Ubuntu:

# apt update
# apt install migrationtools

2. Edit migrate_common.ph configuration file and modify it as follows:

On CentOS7/RHEL7

# cd /usr/share/migrationtools/
# vim migrate_common.ph

On Ubuntu:

# cd /usr/share/perl5
# vim migrate_common.ph

a. Point to Bright LDAP:

$DEFAULT_BASE = "dc=cm,dc=cluster";

b. Comment out “ou=People” and “top” object class, so that they are excluded from the files that will be generated:

#       $NAMINGCONTEXT{'passwd'}            = "ou=People";
#       print $HANDLE "objectClass: top\n";

c. Add support to inetOrgPerson instead of account object class:


3. Edit migrate_passwd.pl script and comment out the following lines to prevent creating the relevant object classes:

# cd /usr/share/migrationtools/
# vim migrate_passwd.pl
#       print $HANDLE "objectClass: person\n";
#       print $HANDLE "objectClass: organizationalPerson\n";
#       print $HANDLE "objectClass: top\n";

If you are using Ubuntu, in addition to the previous, comment out the following:

#print $HANDLE "objectClass: krb5Principal\n";
#print $HANDLE "krb5PrincipalName: $user\@$DEFAULT_REALM\n";

4. Export the local /etc/passwd and /etc/group

# cd /usr/share/migrationtools/
# ./migrate_group.pl /etc/group ~/group.ldif
# ./migrate_passwd.pl /etc/passwd ~/passwd.ldif

5. Import the exported files into Bright LDAP:

# ldapadd -x -W -D "cn=root,dc=cm,dc=cluster" -f ~/group.ldif
# ldapadd -x -W -D "cn=root,dc=cm,dc=cluster" -f ~/passwd.ldif


  • Consider editing the generated passwd.ldif and group.ldif files and remove the users and groups that you don’t want to add to Bright LDAP. For example we recommend that root is not managed by Bright LDAP.
  • If you’re using a different shadow file, edit migrate_passwd.pl to point to that modified shadow file.
  • You can retrieve the LDAP password from /cm/local/apps/cmd/etc/cmd.conf to use it.


Issue: Can’t start LDAP

# service ldap restart
Stopping slapd:                     [  OK  ]
id: ldap: No such user
find: invalid argument `(' to `-uid'
Checking configuration files for slapd:  /sbin/runuser: user ldap does not exist


LDAP user doesn’t exist in /etc/passwd, add it to /etc/passwd to be able to start LDAP.

Issue: Can’t clear surname

[adel60-centos6-sge->user[abrt]]% clear surname
[adel60-centos6-sge->user*[abrt*]]% commit

Code  Field  Message
----- ------ ---------------------------------------------
1     LDAP   Error performing user ldap_add_ext_s: Invalid
             syntax. New dn:uid=abrt,dc=cm,dc=cluster  


surname can’t be empty; add a value to be able to commit changes.

Updated on February 2, 2022

Related Articles

Leave a Comment