Hey guys, nice suggestions. It looks like PADL did not cover shadow entries for some reason. This will likely have to be a custom script I will have to write...
in the meantime I made sure I was root and then ran the scripts:
Hey guys,
The script definitely ran as root:
LBSD2# whoami
root
LBSD2# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif
This is an ldif entry that resulted:
dn: uid=bluethundr,ou=People,dc=summitnjhome,dc=com
uid: bluethundr
cn: Timothy P.
givenName: Timothy P.
sn:
mail: bluethundr@padl.com
mailRoutingAddress: bluethundr@mail.padl.com
mailHost: mail.padl.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
userPassword: {crypt}*
krbName: bluethundr@PADL.COM
loginShell: /usr/local/bin/bash
uidNumber: 1001
gidNumber: 1002
homeDirectory: /home/bluethundr
gecos: Timothy P.
So no matter if you are root, passwords are not transferred...
On Fri, Oct 29, 2010 at 11:24 AM, jleafey jay.leafey@mindless.com wrote:
On Fri, 29 Oct 2010 16:42:41 +0200 (CEST) "Alexander Dalloz" ad+lists@uni-x.org wrote:
<SNIP>
The PADL script blindly uses {crypt}, although the password encryption mechanism may be very different.
thanks in advance for any tips you can share that will get this working!
Alexander
I think Alexander is onto something here. I just checked my default CentOS 5 installation and /etc/sysconfig/authconfig specifies that the passwords are hashed using MD5, so there's a good chance yours is too. We ran into a problem with this when we migrated users to the Sun directory server (not my choice!). The {?} part of the userPassword field value specifies the hash method used, so if OpenLDAP supports MD5 you may be able to just do a global search-and-replace of '{crypt}' with '{MD5}'.
OTOH, if the "*" you showed in the message was literal, you'll probably have to do some additional work to retrieve the user's password from /etc/shadow and plug that in instead. You could just cobble up a script to generate a simple LDIF file just to change the passwords if you don't want to alter the output of the PADL scripts. The format is pretty simple, just look at the ldapmodify man page for hints. Just scan through /etc/shadow and look for something with a password <> "!!" and generate the LDIF to change that user's password.
Just my $.02!
Jay Leafey - Memphis, TN jay.leafey@mindless.com
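The shadow-to-LDIF generator Jay describes, as an added example that is not from the original thread or from the PADL scripts: it reads /etc/shadow content (the sample below is constructed with placeholder hashes), skips entries that carry no usable hash ("!!", "*", and "!"-locked accounts), and emits an ldapmodify LDIF that replaces userPassword. The ou=People,dc=summitnjhome,dc=com suffix is taken from the LDIF shown earlier; the {CRYPT} prefix is kept because OpenLDAP's {CRYPT} scheme verifies glibc crypt hashes, including the $1$ MD5-crypt form, through the system crypt(3).

```python
# Constructed sample /etc/shadow content for illustration only; the hash
# values are fake placeholders, not real password hashes.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$FakeHashValueForIllustration.:14911:0:99999:7:::
bluethundr:$1$ijklmnop$AnotherFakeHashValueHere12:14911:0:99999:7:::
locked:!$1$qrstuvwx$LockedAccountHashValue1234:14911:0:99999:7:::
svc:!!:14911:0:99999:7:::
nobody:*:14911:0:99999:7:::
"""


def has_usable_hash(field):
    """True only for a real crypt hash: "" / "!!" mean never set, "*" and
    "!" mean disabled, and a leading "!" means locked with passwd -l."""
    if field in ("", "!!", "*", "!"):
        return False
    if field.startswith("!") or field.startswith("*"):
        return False
    return True


def parse_shadow(text):
    """Yield (user, hash) for each shadow line that has a usable hash."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if has_usable_hash(pw):
            yield user, pw


def to_ldif(text, people_dn):
    """Build an ldapmodify LDIF (one 'changetype: modify' record per user)
    that replaces userPassword with the {CRYPT}-prefixed shadow hash."""
    records = []
    for user, pw in parse_shadow(text):
        records.append(
            "dn: uid=%s,%s\n"
            "changetype: modify\n"
            "replace: userPassword\n"
            "userPassword: {CRYPT}%s\n"
            "-\n" % (user, people_dn, pw)
        )
    # Records in an LDIF file are separated by a blank line.
    return "\n".join(records)


if __name__ == "__main__":
    print(to_ldif(SAMPLE_SHADOW, "ou=People,dc=summitnjhome,dc=com"))
```

Redirect the output to a file and load it with `ldapmodify -x -D <admin DN> -W -f passwd-fix.ldif`; the file contains password hashes, so restrict its permissions and remove it once applied.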
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos