1. Home
  2. User Management
  3. How can I migrate system users to LDAP?

How can I migrate system users to LDAP?

This article is being updated. Please be aware the content herein, not limited to version numbers and slight syntax changes, may not match the output from the most recent versions of Bright. This notation will be removed when the content has been updated.

How can I migrate users and groups from /etc/passwd and /etc/group to Bright’s LDAP?

The following steps should be done on the head node.

1. Install the required packages:

# yum install migrationtools.noarch

2. Edit migrate_common.ph configuration file and modify it as follows:

# cd /usr/share/migrationtools/
# vim migrate_common.ph

a. Point to Bright LDAP:

[...]
$DEFAULT_BASE = "dc=cm,dc=cluster";
[...]

b. Comment out “ou=People” and “top” object class, so that they are excluded from the files that will be generated:

[...]
#       $NAMINGCONTEXT{'passwd'}            = "ou=People";
[...]
#       print $HANDLE "objectClass: top\n";
[...]

c. Add support to inetOrgPerson instead of account object class:

[...]
$EXTENDED_SCHEMA = 1;
[...]

3. Edit migrate_passwd.pl script and comment out the following lines to prevent creating the relevant object classes:

# cd /usr/share/migrationtools/
# vim migrate_passwd.pl
#       print $HANDLE "objectClass: person\n";
#       print $HANDLE "objectClass: organizationalPerson\n";
[...]
#       print $HANDLE "objectClass: top\n";

4. Export the local /etc/passwd and /etc/group

# cd /usr/share/migrationtools/
# ./migrate_group.pl /etc/group ~/group.ldif
# ./migrate_passwd.pl /etc/passwd ~/passwd.ldif

5. Import the exported files into Bright LDAP:

# ldapadd -x -W -D "cn=root,dc=cm,dc=cluster" -f ~/group.ldif
# ldapadd -x -W -D "cn=root,dc=cm,dc=cluster" -f ~/passwd.ldif

Notes

  • Consider editing the generated passwd.ldif and group.ldif files and remove the users and groups that you don’t want to add to Bright LDAP. For example we recommend that root is not managed by Bright LDAP.
  • If you’re using a different shadow file, edit migrate_passwd.pl to point to that modified shadow file.
  • You can retrieve the LDAP password from /cm/local/apps/cmd/etc/cmd.conf to use it.

Troubleshooting

issue: Can’t start LDAP

# service ldap restart
Stopping slapd:                     [  OK  ]
id: ldap: No such user
find: invalid argument `(' to `-uid'
Checking configuration files for slapd:  /sbin/runuser: user ldap does not exist
                                    [FAILED]

resolution

LDAP user doesn’t exist in /etc/passwd, add it to /etc/passwd to be able to start LDAP.

issue: Can’t clear surname

[adel60-centos6-sge->user[abrt]]% clear surname
[adel60-centos6-sge->user*[abrt*]]% commit

Code  Field  Message
----- ------ ---------------------------------------------
1     LDAP   Error performing user ldap_add_ext_s: Invalid
             syntax. New dn:uid=abrt,dc=cm,dc=cluster  

resolution

surname can’t be empty; add a value to be able to commit changes.

Updated on October 16, 2020

Was this article helpful?

Related Articles

Leave a Comment