Name Service Migration Scripts

This section describes the shell and perl scripts that can migrate your name service data either from source files or NIS maps to your Active Directory. These scripts are found in /opt/ldapux/migrate/ads. The two shell scripts migrate_all_online.ads.sh and migrate_all_nis_online.ads.sh migrate all your source files or NIS maps, while the perl scripts migrate_passwd_ads.pl, migrate_hosts_ads.pl, migrate_networks_ads.pl, migrate_protocols_ads.pl, migrate_rpc_ads.pl, migrate_services_ads.pl, and migrate_group_ads.pl and so forth migrate individual maps. The shell scripts call the perl scripts.

The migration scripts require perl, version 5 or later, which is installed with the NIS/LDAP Gateway in /opt/ldapux/contrib/bin/perl.

Naming Context

The naming context specifies where in your directory your name service data will be, under the base DN. For example, if your base DN is “ou=unix, dc=cup, dc=hp, dc=com,” the passwd map would be at “cn=people, ou=unix, dc=cup, dc=hp, dc=com”. Table 5-2 shows the default naming context for the supported services. The default will work in most cases.

Table 5-2 Default Naming Context

Map Name	Location in the Directory Tree
passwd	cn=Users
group	cn=Users
hosts	cn=Hosts
networks	cn=Networks
protocols	cn=Protocols
rpc	cn=Rcp
services	cn=Services

If you change the default naming context, modify the file migrate_common.ph and change it to reflect your naming context.




	NOTE: Since users and groups are migrated to the same container, they must have unique names (common name) for the migration to succeed.

After the password and group data migration, the posix user accounts are disabled with no password. This happens because UNIX user and group passwords cannot be migrated to Active Directory for Kerberos authentication. Therefore, to allow users to log on to a UNIX system, the Active Directory administrator needs to enable the user account first and set the initial password.




	CAUTION: The password migration tool migrates all user accounts from the specified source files or NIS server. For security reasons, the root user and any objects with uid=0 should either be removed from the resulting ldif file before migrating to Active Directory, or be removed from the Active Directory.




	NOTE: msSFUPassword is not used by the LDAP-UX Client Services because it uses Kerberos as its authentication method. If you want to set msSFUPassword for your own purposes, you can set it with ADSI edit on your domain controllers. LDAPUX assumes all posix passwords are either in cleartext or encrypted with unix crypt and stored with a prefix {crypt}.

Migrating All Your Files

The two shell scripts migrate_all_online_ads.sh and migrate_all_nis_online_ads.sh migrate all your name service data either to LDIF or into your directory. The migrate_all_online_ads.sh shell script gets information from the source files, such as /etc/passwd, and /etc/group. The migrate_all_nis_online_ads.sh script gets information from your NIS maps using the ypcat(1) command. The scripts take no parameters but prompt you for needed information. They also prompt you for whether to leave the output as LDIF or to add the entries to your directory. These scripts call the perl scripts described under “Migrating Individual Files”. You will need to modify these scripts to ensure that any calls to perl scripts not listed in Table 5-2 are commented out.




	CAUTION: LDAP-UX Client Services provides defautl attribute and search descriptor setting to work with Microsoft Windows Services for UNIX 3.0 (SFU 3.0) when working with the Windows 2000 Active Directory. If you use SFU 2.0, you must re-link the attribute configuration file to SFU 2.0 before running migration. Use this command to switch to SFU 2.0: ln -fs /etc/opt/ldapux/defautl_profile_attr_ads_sfu2.ldif \ /etc/opt/ldapux/default_profile_attr_ads.ldif LDAP-UX Client Services will also use SFU 2.0 in the absence of the softlink /etc/opt/ldapux/default_profile_attr_ads.ldif.

Migrating Individual Files

The following perl scripts migrate each of your source files in /etc to LDIF. These scripts are called by the shell scripts described under “Migrating All Your Files”. The perl scripts get their information from the input source file and output LDIF.

Environment Variables

When using the perl scripts to migrate individual files, you must set the following mandatory environment variables:

LDAP_BASEDN

The base distinguished name where you want your data.
For example, the following command sets the base DN to DC=cup, DC=hp, DC=com:

export LDAP_BASEDN=”DC=cup, DC=hp, DC=com”

SYNC_NISDOMAIN: Windows 2000 domain where the NIS objects reside.

General Syntax for Perl Migration Scripts

All the perl migration scripts use the following general syntax:

scriptname inputfile [outputfile]

where

scriptname: is the name of the particular script you are using. The scripts are listed below.
inputfile: is the name of the appropriate name service source file corresponding to the script you are using.
outputfile: is optional and is the name of the file where the LDIF is written. stdout is the default output.

Migration Scripts

The migration scripts are described in Table 5-3 below.

Table 5-3 Migration Scripts

Script Name	Description
migrate_base.pl	creates base DN information.
migrate_group_ads.pl	migrates groups in /etc/group.
migrate_hosts_ads.pl ^[1]	migrates hosts in /etc/hosts.
migrate_networks_ads.pl	migrates networks in /etc/networks
migrate_passwd_ads.pl^[2]	migrates users in /etc/passwd.
migrate_protocols_ads.pl	migrates protocols in /etc/protocols.
migrate_rpc_ads.pl	migrates RPCs in /etc/rpc.
migrate_services_ads.pl^[3]	migrates services in /etc/services.
migrate_common.ph	is a set of routines and configuration information all the perl scripts use.
^[1]Systems have been configured with the same hostname, then the migration script migrate_host.pl will create multiple entries in its resulting LDIF file with the same distinguished name for the hostname for each of the IP addresses. Since distinguished names need to be unique in an LDAP directory, users need to first manually merge the IP addresses with one designated host record and delete the duplicated records in their LDIF file. A resulting merge might look as follows: . . . . dn: cn=machineA, ou=hosts, ou=unix, dc=cup, dc=hp, dc=com objectClass: top objectClass: computer ipHostNumber: 15.13.130.72 ipHostNumber: 15.13.104.4 ipHostNumber: 15.13.95.92 cn: machineA cn: msSFUName: machineA . . . . ^[2]Special characters (e.g. Tab, control characters) are not allowed in the gecos field of password entries. ^[3]When migrating services data into the LDAP directory, users should keep in mind that only multiple protocols can be associated with one service name, but not multiple service ports.

Examples

The following are some examples using the migration scripts.

The following command converts all NIS files in /etc to LDIF:

$ migrate_all_online.sh

The following commands convert /etc/passwd into LDIF and output it to stdout:

$ export LDAP_BASEDN=”DC=cup,DC=hp,DC=com”
$ migrate_passwd_ads.pl /etc/passwd
 
dn: cn=Joe Bloggs,cn=Users,dc=cup, dc=hp, dc=com
objectClass: user
msSFUName: jbloggs
cn: Joe Bloggs
syncNisDomain: cup
loginShell: /usr/bin/sh
uidNumber: 101
gidNumber: 20
msSFUHomeDirectory: /home/jbloggs
gecos: Joe Bloggs,Cupertino,888-9999,
sAMAccountName: jbloggs

The following commands convert /etc/group into LDIF and place the result in /tmp/group.ldif:

$ export LDAP_BASEDN=”DC=cup,DC=hp,DC=com”
$ migrate_group.pl /etc/group /tmp/group.ldif
$ cat /tmp/group.ldif
 
dn: cn=users,dc=cup,dc=hp,dc=com
objectclass: group
cn: users
gidNumber: 20
memberUid: root
syncNisDomain: cup
sAMAccountName: users

Name Service Migration Scripts

Technical documentation

» Table of Contents

» Glossary

» Index