Re: [Samba] Migration to samba4 ad and sync to openldap.




On 4/5/19 3:47 AM, Christian Naumer via samba wrote:
Am 04.04.19 um 21:09 schrieb John McMonagle via samba:
It did not migrate a lot of attributes that are in active directory.
The most important one to us is "mail"
Others by ldap account manager names:
User name
First Name
Last Name
I'm sure there are others.

Yes, as Rowland said, only a minimum of attributes are transferred.
We wrote a script for that. I'll add it at the end of the mail. Maybe it
will help you.


I did a full dump of the samba4 ldap with ldapsearch and the attributes do not
exist.

They should have been migratable.
What do I do to migrate the other parameters?

Does the domain administrator account give me access to everything in ldap?

Lam sort of works.
I'm using the domain administrator account to authenticate.
Is that correct?

Rowland already set you on the right track. It works for us. Let me know
if you need more help.


The lam site gives very little info on setup.
Followed what I could find.
At the moment just using the Windows module for Users and Groups
Users:
LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
List attributes:  #givenName;#sn;#mail   (None of these exist as migrated)
Groups:
LDAP suffix: CN=Users,DC=ad,DC=advocap,DC=org
List attributes: #cn;#gidNumber;#memberUID;#description




Here is the script (a colleague wrote this; I just cleaned it up for
posting). It queries the old LDAP server for the required data, puts
together an ldif and writes that to the AD. As we were new when we wrote
this, forgive us for anything done wrong or too complex :-)

Thanks Christian

That looks like an easy way to get the attributes for a few users so I can continue my tests.

Found a couple more possibilities.
This is a patch someone made to the classic migration.
https://gist.github.com/jtyocum/f19533448b94012d3722
It's a little old but hopefully the code has not changed much.

https://lsc-project.org/documentation/tutorial/openldaptoactivedirectory
That looks really interesting but I've had no luck getting an lsc.xml file that it will accept.



#!/bin/bash
# Call with "get" or "set":
#   get: read the attributes from the old LDAP server and write one LDIF per user
#   set: apply those LDIF files to the new AD DC with ldapmodify

# Old OpenLDAP server (source). The bind password is read from a file (-y)
# instead of being passed with -w, where it would be visible to every local
# user via "ps"; the file path is a placeholder.
OLD_HOST="ldaps://oldhostname"
OLD_BINDDN="cn=Admin"
OLD_PWFILE="/etc/oldpwd.txt"
OLD_BASE="dc=domainname,dc=de"   # base for the per-user lookups (the original relied on the ldap.conf default)
MAILDOMAIN="domainname.de"

# New Samba AD DC (target)
NEW_HOST="ldaps://newhostname.domainname.de"
NEW_BINDDN="cn=Administrator,cn=Users,dc=hq,dc=domainname,dc=de"
NEW_PWFILE="/etc/pwd.txt"
NEW_USERBASE="CN=Users,dc=hq,dc=domainname,dc=de"

LDIFDIR="/tmp/ldif"

# getattr FILTER ATTR: print the value of ATTR for the old-server entry matching FILTER.
# -x selects a simple bind, -LLL drops comment and version lines, ldif-wrap=no keeps
# long values on one line. Non-ASCII values come back base64-encoded ("attr:: ...")
# and are not matched by the sed expression.
getattr() {
    ldapsearch -x -LLL -o ldif-wrap=no -H "${OLD_HOST}" -D "${OLD_BINDDN}" -y "${OLD_PWFILE}" \
        -b "${OLD_BASE}" "$1" "$2" \
        | sed -n "s|^$2: ||p"
}

case $1 in
    get)
        mkdir -p "${LDIFDIR}"
        rm -f "${LDIFDIR}"/*

        # Group(s) whose members get migrated; the second assignment is the one
        # in effect, the first shows how to OR several groups
        FILTER="(|(cn=Users1)(cn=Users2))"
        FILTER="cn=Domain Users"
        # uniqueMember values look like "uid=jdoe,ou=People,dc=..."; keep the "uid=jdoe" part
        USERS=$(ldapsearch -x -LLL -o ldif-wrap=no -H "${OLD_HOST}" -D "${OLD_BINDDN}" -y "${OLD_PWFILE}" \
                    -b "ou=Groups,${OLD_BASE}" "${FILTER}" uniqueMember \
                | sed -n "s|^uniqueMember: ||p" \
                | sort -u \
                | sort -t"," -k2 \
                | awk -F"," '{print $1}')

        for TAG in ${USERS}
        do
            # One query per attribute, so the output doesn't need to be parsed
            uid=$(getattr "${TAG}" uid)
            title=$(getattr "${TAG}" title)
            givenName=$(getattr "${TAG}" givenName)
            sn=$(getattr "${TAG}" sn)
            employeeType=$(getattr "${TAG}" employeeType)
            mail=$(getattr "${TAG}" mail)

            if [ -n "${uid}" ]
            then
                if [ -z "${mail}" ]
                then
                    mail="${uid}@${MAILDOMAIN}"
                fi

                # always set; assumes the AD account's CN equals the old uid
                cat > "${LDIFDIR}/${uid}.ldif" << EOF
dn: CN=${uid},${NEW_USERBASE}
changetype: modify
replace: mail
mail: ${mail}
-
replace: givenName
givenName: ${givenName}
-
replace: sn
sn: ${sn}
-
replace: uid
uid: ${uid}
EOF
                # not always set
                if [ -n "${employeeType}" ]
                then
                    cat >> "${LDIFDIR}/${uid}.ldif" << EOF
-
replace: employeeType
employeeType: ${employeeType}
EOF
                fi

                # not always set
                if [ -n "${title}" ]
                then
                    cat >> "${LDIFDIR}/${uid}.ldif" << EOF
-
replace: title
title: ${title}
EOF
                fi
            fi
        done
        ;;

    set)
        for tag in "${LDIFDIR}"/*
        do
            # "echo" makes this a dry run that only prints the commands;
            # drop it to actually apply the LDIF files (-c continues after errors)
            echo ldapmodify -x -c -H "${NEW_HOST}" -D "${NEW_BINDDN}" -y "${NEW_PWFILE}" -f "${tag}"
        done
        ;;

    *)
        echo "Call with get or set as parameter"
        echo "get: get attributes and write to ldif file for usage with ldapmodify"
        echo "set: set attributes from ldif files"
        exit 1
        ;;
esac

exit 0



--
John McMonagle
IT Manager
Advocap Inc.
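As an added example (not from the thread or its authors): a small Python parser for ldapsearch LDIF output that handles the two things the shell script's grep/sed pipeline misses, folded continuation lines and base64 ("attr::") values that ldapsearch emits for non-ASCII names such as German umlauts, and then builds the same per-user "changetype: modify" LDIF for AD. The sample LDIF, the AD user base DN and the mail domain are constructed.

```python
import base64

# Constructed sample of "ldapsearch -LLL" output from the old OpenLDAP server:
# one folded line (leading space continues the line) and one base64 ("sn::") value.
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=domainname,dc=de
uid: jdoe
givenName: John
sn: Doe
mail: john.doe@domainname.de
title: IT Manager of the Northern Region Infrastructure Gro
 up

dn: uid=amueller,ou=People,dc=domainname,dc=de
uid: amueller
givenName: Anna
sn:: TcO8bGxlcg==
"""

COPIED = ("mail", "givenName", "sn", "uid", "employeeType", "title")  # order the shell script writes them

def parse_ldif(text):
    """One {attr: [values]} dict per entry; unfolds lines and decodes base64 values."""
    entries = []
    for block in text.strip().split("\n\n"):
        unfolded = block.replace("\n ", "")   # continuation line = leading space
        entry = {}
        for line in unfolded.split("\n"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>" (non-ASCII etc.)
                value = base64.b64decode(value[1:]).decode("utf-8")
            else:
                value = value.strip()
            entry.setdefault(attr, []).append(value)
        entries.append(entry)
    return entries

def ldif_line(attr, value):
    """'attr: value', or 'attr:: <base64>' when the value is not LDIF-safe."""
    if value.isascii() and value == value.strip() and not value.startswith((":", "<")):
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def ad_modify_ldif(entry, user_base, mail_domain):
    """Modify LDIF for one user, as the shell script writes it; mail defaults to uid@domain."""
    uid = entry["uid"][0]
    values = {a: entry[a][0] for a in COPIED if a in entry}
    values.setdefault("mail", f"{uid}@{mail_domain}")
    changes = "\n-\n".join(f"replace: {a}\n{ldif_line(a, v)}" for a, v in values.items())
    return f"dn: CN={uid},{user_base}\nchangetype: modify\n{changes}\n"
```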

