Re: [Samba] Migration to samba4 ad and sync to openldap.

On 4/5/19 3:47 AM, Christian Naumer via samba wrote:
On 04.04.19 at 21:09 John McMonagle via samba wrote:
It did not migrate a lot of attributes that are in active directory.
The most important one to us is "mail"
Others by ldap account manager names:
User name
First Name
Last Name
I'm sure there are others.

Yes, as Rowland said, only a minimum of attributes are transferred.
We wrote a script for that. I'll add it at the end of the mail. Maybe it
will help you.

I did full dump of samba4 ldap with ldapsearch and the attributes do not

They should have been migratable.
What do I do to migrate the other parameters?

Does the domain administrator account give me access to everything in ldap?

Lam sort of works.
I'm using the domain administrator account to authenticate.
Is that correct?

Rowland already set you on the right track. It works for us. Let me know
if you need more help.

The lam site gives very little info on setup.
Followed what I could find.
At the moment just using the Windows module for Users and Groups:
LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
List attributes: #givenName;#sn;#mail   (None of these exist as migrated)
LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
List attributes: #cn;#gidNumber;#memberUID;#description

Here is the script (A colleague wrote this. I just cleaned it up for
posting). It queries the old LDAP Server for the required data, puts
together an ldif and writes that to the AD. As we were new when we wrote
this, forgive us for any things done wrong or too complex :-)

Thanks Christian

That looks like an easy way to get the attributes for a few users so I can continue my tests.

Found a couple more possibilities.
This is a patch someone made to the classic migration.
It's a little old but hopefully the code has not changed much.

That looks really interesting but I've had no luck getting a lsc.xml file that it will accept.


#!/bin/sh
# Call with "get" or "set" as parameter:
#   get: read the attributes from the old LDAP server and write one LDIF file
#        per user to /tmp/ldif for use with ldapmodify
#   set: apply those LDIF files to the new AD DC with ldapmodify

OLDHOST="ldaps://oldhostname"
OLDBINDDN="cn=Admin"
OLDPW="PassW0rd"          # a password file with -y (as in the set branch) keeps it out of "ps"

# Read one attribute of one user from the old server: attr <filter> <attribute>
# The search base comes from ldap.conf. "dn:" lines are dropped because
# "grep -w uid" would otherwise also match "dn: uid=...".
attr() {
        ldapsearch -H "${OLDHOST}" -D "${OLDBINDDN}" -w "${OLDPW}" "$1" "$2" \
                | grep -Ew "$2" | grep -Ev "(^#|^dn:)" | sed -e "s|$2: ||g"
}

case "$1" in
get)
        rm -f /tmp/ldif/*
        mkdir -p /tmp/ldif

        # Members of "Domain Users" on the old server, reduced to their first RDN (uid=...)
        FILTER="cn=Domain Users"
        USERS=$(ldapsearch -H "${OLDHOST}" -D "${OLDBINDDN}" -w "${OLDPW}" \
                        -b "ou=Groups,dc=domainname,dc=de" "${FILTER}" uniqueMember \
                | grep -Ev "^#" \
                | grep -Ew "uniqueMember" \
                | sort -u \
                | sort -t"," -k2 \
                | sed -e "s:uniqueMember\:::g" \
                | awk -F"," '{printf "%s\n", $1}')

        for TAG in ${USERS}
        do
                # Fetching each attribute separately, you don't need to parse the output
                uid=$(attr "${TAG}" uid)
                title=$(attr "${TAG}" title)
                givenName=$(attr "${TAG}" givenName)
                sn=$(attr "${TAG}" sn)
                employeeType=$(attr "${TAG}" employeeType)
                mail=$(attr "${TAG}" mail)

                if [ -n "${uid}" ]
                then
                        if [ -z "${mail}" ]
                        then
                                : # the body of this branch did not survive in the posted mail
                        fi

                        # always set; each modification in a "changetype: modify" record ends with a "-" line
                        cat > /tmp/ldif/${uid}.ldif << EOF
dn: CN=${uid},CN=Users,dc=hq,dc=domainname,dc=de
changetype: modify
replace: mail
mail: ${mail}
-
replace: givenName
givenName: ${givenName}
-
replace: sn
sn: ${sn}
-
replace: uid
uid: ${uid}
-
EOF
                        # not always set
                        if [ -n "${employeeType}" ]
                        then
                                cat >> /tmp/ldif/${uid}.ldif << EOF
replace: employeeType
employeeType: ${employeeType}
-
EOF
                        fi

                        # not always set
                        if [ -n "${title}" ]
                        then
                                cat >> /tmp/ldif/${uid}.ldif << EOF
replace: title
title: ${title}
-
EOF
                        fi
                fi
        done
        ;;
set)
        for tag in /tmp/ldif/*
        do
                # the leading "echo" makes this a dry run; remove it to apply the changes
                echo ldapmodify -c -H ldaps://newhostname.domainname.de \
                        -D "cn=Administrator,cn=Users,dc=hq,dc=domainname,dc=de" \
                        -y /etc/pwd.txt -f "$tag"
        done
        ;;
*)
        echo "Call with get or set as parameter"
        echo "get: get attributes and write to ldif file for usage with ldapmodify"
        echo "set: set attributes from ldif files"
        exit 1
        ;;
esac

exit 0

John McMonagle
IT Manager
Advocap Inc.
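As an added example (my own code, not Christian's script and not anything from the Samba project): a Python 3 version of the "get" step that treats the ldapsearch output as LDIF instead of grepping it. The grep/sed pipeline in the posted script silently mishandles two things an OpenLDAP server on a German domain will produce: values with non-ASCII characters (an umlaut in sn) come back base64-encoded on a "sn::" line, and long values are folded onto a continuation line. This parser handles both, emits the "-" separators that ldapmodify requires between modifications, re-encodes values as base64 where RFC 2849 demands it, and skips attributes the user does not have. The ldapsearch output below is constructed; the function names are mine; the target DN layout CN=<uid>,CN=Users,dc=hq,dc=domainname,dc=de and the attribute list follow the posted script.

```python
import base64
import re

# Constructed sample of what "ldapsearch -LLL ... uid givenName sn mail title employeeType"
# on the old server might print: the second entry has a base64 sn ("Müller") and a folded mail.
SAMPLE_LDAPSEARCH_OUTPUT = """\
dn: uid=jdoe,ou=People,dc=domainname,dc=de
uid: jdoe
givenName: John
sn: Doe
mail: john.doe@domainname.de
title: IT Manager

dn: uid=amueller,ou=People,dc=domainname,dc=de
uid: amueller
givenName: Anna
sn:: TcO8bGxlcg==
mail: anna.mueller@
 domainname.de
employeeType: staff

"""

TARGET_BASE = "CN=Users,dc=hq,dc=domainname,dc=de"   # from the posted script
MIGRATED_ATTRS = ("mail", "givenName", "sn", "uid", "employeeType", "title")


def parse_ldif(text):
    """Turn ldapsearch LDIF output into a list of {attr: [values]} dicts, one per entry.

    Handles RFC 2849 line folding (continuation lines start with one space) and
    base64 values ("attr:: ...") that a grep/sed pipeline would get wrong.
    Trailer lines ldapsearch prints without -LLL ("search: 2", "result: 0") end up
    in an entry without a uid, which migrate() drops.
    """
    entries, current = [], {}
    unfolded = re.sub(r"\n ", "", text)        # join continuation lines
    for line in unfolded.splitlines():
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):                # ldapsearch comments
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def ldif_value_line(attr, value):
    """'attr: value', or 'attr:: base64' when the value is not an RFC 2849 SAFE-STRING."""
    safe = (value.isascii()
            and not any(c in value for c in "\r\n\0")
            and not value.startswith((" ", ":", "<"))
            and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def build_modify_ldif(entry):
    """One ldapmodify record for an old-server entry; attributes the entry lacks are left alone."""
    uid = entry.get("uid", [""])[0]
    if not uid:
        return None
    lines = [f"dn: CN={uid},{TARGET_BASE}", "changetype: modify"]
    for attr in MIGRATED_ATTRS:
        values = [v for v in entry.get(attr, []) if v]
        if not values:
            continue                            # "not always set" in the posted script
        lines.append(f"replace: {attr}")
        lines.extend(ldif_value_line(attr, v) for v in values)
        lines.append("-")                       # every mod-spec ends with "-"
    return "\n".join(lines) + "\n"


def migrate(text):
    """Map uid -> modify LDIF for every entry in the ldapsearch output that has a uid."""
    return {e["uid"][0]: build_modify_ldif(e) for e in parse_ldif(text) if e.get("uid")}


if __name__ == "__main__":
    # Stand-alone run on the constructed sample; for real use feed it the
    # captured ldapsearch output and write each record to /tmp/ldif/<uid>.ldif.
    for uid, record in migrate(SAMPLE_LDAPSEARCH_OUTPUT).items():
        print(f"# {uid}.ldif\n{record}")
```

Applying the resulting files with ldapmodify -c (continue on error) as the posted "set" branch does is still the right call: a record that fails on one user then does not stop the rest, and the ldapmodify output tells you which uid to look at.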

