linuxperson
asked on
NIS to LDAP user migration
I have a user in NIS environment and would like to move to openLDAP environment.
Do NIS and OpenLDAP use the same hash?
What is the best way to move the users so they can use the same password they have used in NIS?
ASKER
I am trying to transition the current server which uses NIS client to LDAP client.
root@dev:~# cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=12.04
DISTRIB_CODENAME=precise
DISTRIB_DESCRIPTION="Ubuntu 12.04.5 LTS"
NAME="Ubuntu"
VERSION="12.04.5 LTS, Precise Pangolin"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu precise (12.04.5 LTS)"
VERSION_ID="12.04"
There is no front end to manage NIS master.
You can use ypcat to export your NIS maps, and then load the data into LDAP.
Then use ldapclient to "join" this system into it, and configure /etc/nsswitch.conf to use both: files ldap nis.
I am uncertain what it is you are looking for.
The password as it exists in NIS can be loaded in the
Covers the encryption:
http://www.openldap.org/faq/data/cache/344.html
There are several guides dealing with transitioning from NIS to LDAP/OpenLDAP.
To avoid having to do it all in one fell swoop, there are options where you can subordinate the NIS master to the new OpenLDAP.
IMHO, you should get the manner/mechanism by which user resources will be added/removed to the OpenLDAP before trying to eliminate the NIS ...
ASKER
I installed ldapclient in Ubuntu.
apt-get install ldapclient, but I can't see the ldapclient binary.
root@dev:~# ldapclient
ldapclient: command not found
ASKER
dev:~ # ldapadd -a simple -p -D "cn=Administrator,dc=unix,dc=example,dc=com" -h x.x.x.x -f /tmp/nis_passwd_map
ldapadd: unable to parse port number "-D"
-p specifies the port.
You should use -h x.x.x.x -p 389
ldapadd -a simple -p 389 -D "cn=Administrator,dc=unix,dc=example,dc=com" -h x.x.x.x -f /tmp/nis_passwd_map
-D is not set correctly; I did not notice until after copy/paste.
"OU=users,dc=unix,dc=example,dc=com"
ldapadd -a simple -p 389 -D "OU=users,dc=unix,dc=example,dc=com" -h x.x.x.x -f /tmp/nis_passwd_map
The -D you used identifies a user.
ASKER
When I run this command I am getting the following error:
ldapadd -a simple -p 389 -D "OU=users,dc=unix,dc=example,dc=com" -h x.x.x.x -f /tmp/nis_passwd_map
Add or modify entries from an LDAP server
usage: ldapadd [options]
The list of desired operations are read from stdin or from the file
specified by "-f file".
Add or modify options:
-a add values (default)
-c continuous operation mode (do not stop on errors)
-E [!]ext=extparam modify extensions (! indicates criticality)
-f file read operations from `file'
-M enable Manage DSA IT control (-MM to make critical)
-P version protocol version (default: 3)
-S file write skipped modifications to `file'
Common options:
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
[!]assert=<filter> (RFC 4528; a RFC 4515 Filter string)
[!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")
[!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
one of "chainingPreferred", "chainingRequired",
"referralsPreferred", "referralsRequired"
[!]manageDSAit (RFC 3296)
[!]noop
ppolicy
[!]postread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]preread[=<attrs>] (RFC 4527; comma-separated attr list)
[!]relax
abandon, cancel, ignore (SIGINT sends abandon/cancel,
or ignores response; if critical, doesn't wait for SIGINT.
not really controls)
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-I use SASL Interactive mode
-n show what would be done but don't actually do it
-N do not use reverse DNS to canonicalize SASL host name
-O props SASL security properties
-o <opt>[=<optparam] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif-wrap=<width> (in columns, or "no" for no wrapping)
-p port port on LDAP server
-Q use SASL Quiet mode
-R realm SASL realm
-U authcid SASL authentication identity
-v run in verbose mode (diagnostics to standard output)
-V print version info (-VV only)
-w passwd bind password (for simple authentication)
-W prompt for bind password
-x Simple authentication
-X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
-y file Read password from file
-Y mech SASL mechanism
-Z Start TLS request (-ZZ to require successful response)
ASKER
dev:~ # ldapadd -x -D "OU=people,dc=unix,dc=example,dc=com" -h x.x.x.x -f /tmp/nis_passwd_map
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disall
How do I give my username/password for bind?
You are missing the -a and -w password.
Not sure why you are masquerading the host IP if it is on a private network (10.x.x.x etc.).
Are you on the server where OpenLDAP is installed? If so, use 127.0.0.1 as the host for ldapadd.
Are you able to run ldapsearch to list the objects at the root?
ASKER
Yes. As root I am able to list the objects.
Here is how I added the user using a .ldif file:
ldapadd -h localhost -p 389 -D "cn=Administrator,dc=unix,dc=example,dc=com" -W -f myuser.ldif
ASKER
In NIS we have netgroups to control which users can log in to which server.
Do we have the same concept in LDAP? If so, how do I utilize it?
Yes, you define the LDAP.conf and the groups within /etc/nsswitch.conf.
How do you list the groups of which the user is a member?
What guide are you using to set up OpenLDAP?
ASKER
Let me check it for you.
13 characters: crypt
$1$ ....: MD5
Are you transitioning the systems to use LDAP, or will you use OpenLDAP with NIS compatibility such that current NIS replicas will now use the OpenLDAP as the new master?
How do you currently manage the NIS master,
Do you have a front end where your users/data is maintained which is then used to update the NIS master that will be transitioned to update openladp?
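An added example (not posted by anyone in this thread) tying together the ypcat-then-load advice earlier and the hash identification in the comment above (a 13-character field is DES crypt(3), $1$ is MD5 crypt): it reads `ypcat passwd` lines, names each hash scheme, and emits LDIF that copies the NIS hash unchanged into `userPassword: {CRYPT}...`, which is how OpenLDAP lets users keep their existing passwords. The base DN and the sample map are constructed assumptions, not values from this thread.

```python
"""Turn `ypcat passwd` output into LDIF, keeping each user's crypt(3) hash
as userPassword: {CRYPT}<hash> so passwords survive the NIS-to-LDAP move."""
import re

BASE_DN = "ou=people,dc=unix,dc=example,dc=com"  # assumed; mirrors the thread's DNs

# Constructed sample `ypcat passwd` lines (not real accounts or hashes).
SAMPLE_MAP = """\
alice:$1$Zx9kQ2bP$7KfD3mN0sL1vR8tW2yHcUe:1001:100:Alice Example:/home/alice:/bin/bash
bob:abJnggxhB/yWI:1002:100:Bob Example:/home/bob:/bin/sh
svc:*:1004:100:locked service account:/nonexistent:/bin/false
"""

def classify_hash(h):
    """Name the crypt(3) scheme: 13 chars = DES, $1$ = MD5, $6$ = SHA-512; '*', '!' or 'x' = no usable hash."""
    if h in ("", "*", "x") or h.startswith("!"):
        return "no-hash"
    if h.startswith("$1$"):
        return "md5-crypt"
    if h.startswith("$6$"):
        return "sha512-crypt"
    if re.fullmatch(r"[./A-Za-z0-9]{13}", h):
        return "des-crypt"
    return "unknown"

def passwd_line_to_ldif(line):
    """One account+posixAccount entry; entries without a usable hash get no userPassword."""
    name, pw, uid, gid, gecos, home, shell = line.rstrip("\n").split(":", 6)
    entry = [f"dn: uid={name},{BASE_DN}", "objectClass: account",
             "objectClass: posixAccount", f"uid: {name}", f"cn: {gecos or name}",
             f"uidNumber: {uid}", f"gidNumber: {gid}",
             f"homeDirectory: {home}", f"loginShell: {shell}"]
    if classify_hash(pw) != "no-hash":
        entry.append(f"userPassword: {{CRYPT}}{pw}")  # hash is copied, never re-hashed
    return "\n".join(entry) + "\n"

def convert_map(text):
    """LDIF for the whole map plus a per-scheme tally (DES entries are the weak ones to rotate)."""
    ldif, tally = [], {}
    for line in filter(str.strip, text.splitlines()):
        scheme = classify_hash(line.split(":", 2)[1])
        tally[scheme] = tally.get(scheme, 0) + 1
        ldif.append(passwd_line_to_ldif(line))
    return "\n".join(ldif), tally

if __name__ == "__main__":  # feed the result to: ldapadd -x -D <admin dn> -W -f nis.ldif
    ldif, tally = convert_map(SAMPLE_MAP)
    print(ldif); print("# schemes:", tally)
```

The tally tells you how many accounts still carry 13-character DES hashes, which is the population worth forcing through a password change once they authenticate against the directory.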