path: root/migration-tools.txt

LDAP Migration Tools

The MigrationTools are a set of Perl scripts for migrating users, groups,
aliases, hosts, netgroups, networks, protocols, RPCs, and services from
existing nameservices (flat files, NIS, and NetInfo) to LDAP. They are
located on a default installation under /usr/share/openldap/migration.

The tools require the ldapadd and ldif2dbm commands, which are distributed
with most LDAP servers derived from the University of Michigan LDAP
distribution. The source code for these is available with OpenLDAP.
Additionally, Netscape provide an implementation of ldapmodify which
subsumes the functionality of ldapadd. If you are using Netscape's Directory
Server, you should set the $NSHOME and $serverId environment variables to
assist the MigrationTools in locating your LDAP database and LDIF tools;
they will use ldapmodify instead of ldapadd.

These tools are freely redistributable according to the license included
with the source files. They may be bundled with LDAP/NIS migration products.
See RFC 2307 for more information on the schema used by these scripts. THIS
SOFTWARE IS PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY AND WITHOUT
SUPPORT.

Scripts

   * migrate_base.pl creates naming context entries, including
     subordinate contexts such  as ou=people and ou=devices.
   * migrate_aliases.pl migrates aliases in /etc/aliases to entries
     conforming to the rfc822MailGroup schema. Organizations who have
     deployed LDAP-based  messaging solutions, such as Netscape's
     Messaging Server, may wish to use a different  schema for
     representing mail aliases. Ypldapd does not use X.500 groups (such
     as  groupOfUniqueNames) for mail alias expansion because
     flattening an arbitrarily nested  group at runtime may be
     expensive. (It is possible to write a ypldapd plug-in to support
     such a schema, however.)
   * migrate_group.pl migrates groups in /etc/group
   * migrate_hosts.pl migrates hosts in /etc/hosts
   * migrate_networks.pl migrates networks in /etc/networks
   * migrate_passwd.pl migrates users in /etc/passwd. Note that if
     users are  allowed read the userPassword attribute, and your LDAP
     server doesn't support  authenticating against hashed passwords
     then anyone may read the userPassword  attribute's value and
     authenticate as that user. Modern LDAP servers, such as  Netscape
     Directory Server, support authenticating against hashed passwords,
     so this is not  an issue. The OpenLDAP LDAP server also supports
     such authentication.
   * migrate_protocols.pl migrates protocols in /etc/protocols
   * migrate_services.pl migrates services in /etc/services
   * migrate_netgroup.pl migrates netgroups in /etc/netgroup
   * migrate_netgroup_byuser.pl migrates the netgroup.byuser map. It
     requires revnetgroup.
   * migrate_netgroup_byhost.pl migrates the netgroup.byhost map. It
     requires revnetgroup.
   * migrate_rpc.pl migrates RPCs in /etc/rpc

Configuration

The configuration  for these Perl scripts  is contained at the  head of
migrate_common.ph:

 Perl variable                  Description

 $DEFAULT_MAIL_DOMAIN           The mail  domain used for   the mail
                                attribute in  migrate_passwd.pl when
                                extended schema support is enabled.  You may
                                override this with the DEFAULT_MAIL_DOMAIN
                                environment variable.

 $DEFAULT_BASE                  The   naming  suffix   to  use    in
                                entries'  distinguished   names.  If
                                undefined, this will be constructed by
                                mapping the mail domain name into a
                                distinguished name (eg aceindustry.com
                                becomes dc=aceindustry,dc=com ).  You may
                                override this with the LDAP_BASEDN
                                environment variable.

 $EXTENDED_SCHEMA               Enables  extended  schema   support.
                                This  adds the  organizationalPerson and
                                inetOrgPerson object classes, amongst
                                others, to users migrated by the
                                migrate_passwd.pl script.

 NAMINGCONTEXT                  Determines  the   LDAP/X.500  naming context
                                to use for a migration tool.  The dictionary
                                is keyed by tool (as in migrate_ tool .pl ).
                                Values are concatenated with $DEFAULT_BASE
                                by the & getsuffix() subroutine.

The  following  environment  variables  control  the  behavior  of  the
migration shell scripts:

 Environment variable           Description

 DEFAULT_MAIL_DOMAIN            See above

 LDAPADD                        Path  the   ldapadd executable,  for online
                                migration (if not in the path or
                                /usr/local/bin or /usr/bin)

 LDIF2LDBM                      Path the  ldif2ldbm  executable, for offline
                                migration (if not in the path or
                                /usr/local/bin or /usr/bin)

 PERL                           Path  to the  Perl  interpreter  (if not
                                /usr/bin or /usr/local/bin)

 LDAPHOST                       Your   LDAP   server,  for    online
                                migration. This is optional; you'll be
                                prompted if the environment variable is not
                                set.

 LDAP_BASEDN                    See above ( $DEFAULT_BASE).  This is
                                optional; you'll be prompted if the
                                environment variable is not set.

 LDAP_BINDDN                    The distinguished  name  to  bind to the
                                LDAP server as, for online migration. This
                                is optional; you'll be prompted if the
                                environment variable is not set.

 LDAP_BINDCRED                  The  password to  bind to   the LDAP server
                                with, for online migration.  This is
                                optional; you'll be prompted if the
                                environment variable is not set.

You will  probably wish to use  a shell script or  makefile to automate
population of your LDAP database, either off-lien (with ldif2ldbm) or
on-line (with ldapadd). The migrate_all_*.sh shell scripts do this, but you
may wish to customize their behaviour. The following table explains which
migration scripts to use:

 Shell script                     Existing nameservice    LDAP
                                                          running?

 migrate_all_online.sh            /etc flat files         Yes

 migrate_all_offline.sh           /etc flat files         No

 migrate_all_netinfo_online.sh    NetInfo                 Yes

 migrate_all_netinfo_offline.sh   NetInfo                 No

 migrate_all_nis_online.sh        NIS/YP                  Yes

 migrate_all_nis_offline.sh       NIS/YP                  No

Below are examples of  migrate_hosts.pl and migrate_passwd.plbeing used to
migrate hosts and users, respectively:

$ migrate_hosts.pl /etc/hosts
dn: cn=mira.aceindustry.com,ou=devices,dc=aceindustry,dc=com
objectclass: ipHost
objectclass: device
objectclass: top
ipHostNumber: 10.1.70.5
cn: mira
cn: www.aceindustry.com
cn: mira.aceindustry.com

$ migrate_passwd.pl /etc/passwd
dn: cn=Joe Bloggs,ou=people,dc=aceindustry,dc=com
cn: Joe Bloggs
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: account
mail: jbloggs@aceindustry.com
givenname: Joe
sn: Bloggs
uid: jbloggs
userPassword: {crypt}daCXgaxahRNkg
loginShell: /bin/csh
uidNumber: 20
gidNumber: 20
homeDirectory: /home/jbloggs