linuxperson (Canada) asked:
NIS to LDAP user migration

I have users in an NIS environment and would like to move them to an openLDAP environment.

Do NIS and openLDAP use the same hash?

What is the best way to move the users so they can keep using the same password they used in NIS?
arnold (United States of America):

The hash is auto-determined based on format; presumably you mean password encryption.
13 characters: crypt
$1$ ....: MD5

Are you transitioning the systems to use LDAP, or will you use openldap with NIS compatibility, such that the current NIS replicas will now use openldap as the new master?

How do you currently manage the NIS master?
Do you have a front end where your users/data are maintained, which is then used to update the NIS master, and which will be transitioned to update openldap?
linuxperson (asker):

I am trying to transition the current server, which uses an NIS client, to an LDAP client.

root@dev:~# cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"
NAME="Ubuntu"
VERSION="12.04.5 LTS, Precise Pangolin"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu precise (12.04.5 LTS)"
VERSION_ID="12.04"

There is no front end to manage the NIS master.
You can use ypcat to export your NIS maps, and then load the data into LDAP.
Then use ldapclient to "join" this system, and configure /etc/nsswitch.conf to use files, ldap and nis.
I am uncertain what it is you are looking for.
The password as it exists in NIS can be loaded in the
This covers the encryption:
http://www.openldap.org/faq/data/cache/344.html

There are several guides dealing with transitioning from NIS to LDAP/openldap.

To avoid having to do it all in one fell swoop, there are options where you can subordinate the NIS master to the new OpenLDAP.

IMHO, you should have the manner/mechanism by which users/resources will be added/removed in openldap in place before trying to eliminate NIS ...
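As an added example (my own code, not from this thread or from the OpenLDAP project), here is a small Python converter that turns "ypcat passwd" lines into LDIF and carries the existing crypt(3) hash over as a {CRYPT} userPassword, which is what lets users keep their NIS password. The base DN ou=people,dc=unix,dc=example,dc=com follows the naming used later in the thread; the sample passwd lines are constructed, and the schema and {CRYPT} assumptions are noted in the comments.

```python
# Added example, not from the thread: turn `ypcat passwd` lines into LDIF for
# OpenLDAP, carrying the existing crypt(3) hash over unchanged as
# userPassword: {CRYPT}<hash>, so users keep the password they had in NIS.
# Assumes slapd has the cosine and nis schemas loaded and {CRYPT} enabled.
import re

BASE_DN = "ou=people,dc=unix,dc=example,dc=com"   # naming follows the thread

# Constructed sample: a 13-char DES crypt, a $1$ MD5 crypt, a locked account.
YPCAT_PASSWD = """\
alice:abJnggxhB/yWI:1001:1001:Alice Example:/home/alice:/bin/bash
bob:$1$saltsalt$qUCqGtSgy/TiIhxqgGsvF/:1002:1002:Bob Example:/home/bob:/bin/sh
svc:*:1003:1003:Service account:/var/lib/svc:/bin/false
"""

def hash_kind(field):
    """Classify a passwd hash field the way slapd's {CRYPT} scheme will see it."""
    if field in ("", "x") or field.startswith(("!", "*")):
        return "none"        # locked, empty or shadowed: nothing to carry over
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"         # traditional 13-character crypt
    m = re.match(r"\$(1|5|6)\$", field)
    if m:
        return {"1": "md5", "5": "sha256", "6": "sha512"}[m.group(1)]
    return "unknown"         # don't guess; migrate this user by hand

def passwd_to_ldif(text):
    """Return (ldif, skipped); skipped lists (user, reason) for unmigrated hashes."""
    entries, skipped = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        kind = hash_kind(pw)
        if kind in ("none", "unknown"):
            skipped.append((user, kind))
            continue
        entry = [f"dn: uid={user},{BASE_DN}", "objectClass: account",
                 "objectClass: posixAccount", "objectClass: shadowAccount",
                 f"uid: {user}", f"cn: {user}", f"uidNumber: {uid}",
                 f"gidNumber: {gid}", f"homeDirectory: {home}",
                 f"loginShell: {shell}",
                 # same string as in NIS: both sides verify it with crypt(3)
                 f"userPassword: {{CRYPT}}{pw}"]
        if gecos:   # non-ASCII gecos would need base64 ("gecos:: ") in LDIF
            entry.append(f"gecos: {gecos}")
        entries.append("\n".join(entry))
    return "\n\n".join(entries) + "\n", skipped
```

Feed the resulting LDIF to ldapadd with an administrative bind DN; the skipped list tells you which accounts (locked, or with a hash format you did not expect) need a manual decision rather than a silently broken password.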
I installed ldapclient in Ubuntu.

apt-get install ldapclient, but I can't see the ldapclient binary.

root@dev:~# ldapclient
ldapclient: command not found
dev:~ # ldapadd -a simple -p -D "cn=Administrator,dc=unix,dc=example,dc=com" -h x.x.x.x -f /tmp/nis_passwd_map
ldapadd: unable to parse port number "-D"
-p specifies the port.
You should use -h x.x.x.x -p 389

 ldapadd -a simple -p 389 -D "cn=Administrator,dc=unix,dc=example,dc=com" -h x.x.x.x -f /tmp/nis_passwd_map
-D is not set correctly; I did not notice until after copy/paste:
"OU=users,dc=unix,dc=example,dc=com"
 ldapadd -a simple -p 389 -D "OU=users,dc=unix,dc=example,dc=com" -h x.x.x.x -f /tmp/nis_passwd_map

The -D you used identifies a user.
When I run this command I am getting the following error:

 ldapadd -a simple -p 389 -D "OU=users,dc=unix,dc=example,dc=com" -h x.x.x.x -f /tmp/nis_passwd_map
Add or modify entries from an LDAP server

usage: ldapadd [options]
        The list of desired operations are read from stdin or from the file
        specified by "-f file".
Add or modify options:
  -a         add values (default)
  -c         continuous operation mode (do not stop on errors)
  -E [!]ext=extparam    modify extensions (! indicate s criticality)
  -f file    read operations from `file'
  -M         enable Manage DSA IT control (-MM to make critical)
  -P version protocol version (default: 3)
  -S file    write skipped modifications to `file'
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)
             [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit         (RFC 3296)
             [!]noop
             ppolicy
             [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)
             [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)
             [!]relax
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Identifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -N         do not use reverse DNS to canonicalize SASL host name
  -O props   SASL security properties
  -o <opt>[=<optparam] general options
             nettimeout=<timeout> (in seconds, or "none" or "max")
             ldif-wrap=<width> (in columns, or "no" for no wrapping)
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)
dev:~ # ldapadd -x -D "OU=people,dc=unix,dc=example,dc=com" -h x.x.x.x -f /tmp/nis_passwd_map
ldap_bind: Server is unwilling to perform (53)
        additional info: unauthenticated bind (DN with no password) disall

How do I give my username/password for the bind?
You are missing the -a and the -w password.
Not sure why you are masquerading the host IP if it is on a private network, 10.x.x.x etc.
Are you on the server where openldap is installed? If so, use 127.0.0.1 as the host for ldapadd.
Are you able to run ldapsearch to list the objects at the root?
Yes. As root I am able to list the objects.

Here is how I added the user using a .ldif file:

ldapadd -h localhost -p 389 -D "cn=Administrator,dc=unix,dc=example,dc=com" -W -f myuser.ldif
In NIS we have netgroups to control users, i.e. to say who can log in to which server.

Do we have the same concept in LDAP? If so, how do I utilize it?
Yes, you define the LDAP.conf and the groups within /etc/nsswitch.conf.
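LDAP carries netgroups as nisNetgroup entries (nisNetgroupTriple for (host,user,domain) triples, memberNisNetgroup for nested netgroups). As an added example (my own code, not from this thread), here is a Python converter from "ypcat -k netgroup" output to such entries; the base DN ou=netgroup,dc=unix,dc=example,dc=com is an assumption and the sample netgroups are constructed.

```python
# Added example, not from the thread: convert `ypcat -k netgroup` lines into
# nisNetgroup LDIF entries, the LDAP equivalent of NIS netgroups.
# The base DN below is an assumption, not something the thread states.
NETGROUP_BASE = "ou=netgroup,dc=unix,dc=example,dc=com"

# Constructed sample: a user netgroup, a host netgroup, and one nesting another.
YPCAT_NETGROUP = """\
admins (,alice,) (,bob,)
webhosts (web1.example.com,,) (web2.example.com,,)
ops admins (,carol,)
"""

def parse_netgroup_line(line):
    """Split "name member ..." into (name, triples, nested netgroups)."""
    name, _, rest = line.partition(" ")
    triples, nested = [], []
    for tok in rest.split():
        if tok.startswith("(") and tok.endswith(")") and tok.count(",") == 2:
            triples.append(tok)     # (host,user,domain)
        else:
            nested.append(tok)      # bare word: another netgroup
    return name, triples, nested

def netgroup_to_ldif(text):
    """Emit one nisNetgroup entry per netgroup, keeping triples and nesting."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, triples, nested = parse_netgroup_line(line)
        entry = [f"dn: cn={name},{NETGROUP_BASE}", "objectClass: nisNetgroup",
                 f"cn: {name}"]
        entry += [f"nisNetgroupTriple: {t}" for t in triples]
        entry += [f"memberNisNetgroup: {n}" for n in nested]
        out.append("\n".join(entry))
    return "\n\n".join(out) + "\n"
```

Clients then resolve these with "netgroup: ldap" in /etc/nsswitch.conf, and who may log in where is enforced with pam_access, e.g. "+ : @admins : ALL" followed by "- : ALL : ALL" in /etc/security/access.conf.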
How do I list the groups of which the user is a member?

What guide are you using to set up openldap?
Let me check it for you.