[CentOS] migrating users to openldap

Fri Oct 29 23:00:28 UTC 2010
Tim Dunphy <bluethundr at gmail.com>

hey guys, nice suggestions.. it looks like PADL did not cover shadow
entries for some reason.. this will likely have to be a custom script
i will have to write...

in the meantime I made sure I was root and then ran the scripts:

Hey guys,

 The script definitely ran as root:

LBSD2# whoami

LBSD2# ./migrate_passwd.pl /etc/passwd /tmp/passwd.ldif

This is an ldif entry that resulted:

dn: uid=bluethundr,ou=People,dc=summitnjhome,dc=com
uid: bluethundr
cn: Timothy P.
givenName: Timothy P.
mail: bluethundr at padl.com
mailRoutingAddress: bluethundr at mail.padl.com
mailHost: mail.padl.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
userPassword: {crypt}*
krbName: bluethundr at PADL.COM
loginShell: /usr/local/bin/bash
uidNumber: 1001
gidNumber: 1002
homeDirectory: /home/bluethundr
gecos: Timothy P.

so no mater if you are root passwords are not transferred...

On Fri, Oct 29, 2010 at 11:24 AM, jleafey <jay.leafey at mindless.com> wrote:
> On Fri, 29 Oct 2010 16:42:41 +0200 (CEST) "Alexander Dalloz"
> <ad+lists at uni-x.org> wrote
>> <SNIP>
>> The PADL script blindly uses {crypt}, although the password encryption
>> mechanism may be very different.
>> > thanks in advance for any tips you can share that will get this working!
>> Alexander
> I think Alexander is onto something here.  I just checked my default CentOS 5
> installation and /etc/sysconfig/authconfig specifies that the passwords are
> hashed using MD5, so there's a good chance yours is too.  We ran into a problem
> with this when we migrated users to the Sun directory server (not my choice!).
> The {?} part of the userPassword field value specifies the hash method used, so
> if OpenLDAP supports MD5 you may be able to just do a global search-and-replace
> of '{crypt}' with '{MD5}'.
> OTOH, if the "*" you showed in the message was literal, you'll probably have to
> do some additional work to retrieve the user's password from /etc/shadow and
> plug that in instead.  You could just cobble up a script to generate a simple
> LDIF file just to change the passwords if you don't want to alter the output of
> the PDL scripts.  The format is pretty simple, just look at the ldapmodify man
> page for hints.  Just scan through /etc/shadow and look for something with a
> pasword <> "!!" and generate the LDIF to change that user's password.
> Just my $.02!
> --
> Jay Leafey - Memphis, TN
> jay.leafey at mindless.com
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

Here's my RSA Public key:
gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9

Share and enjoy!!