[389-users] Migration from OpenLDAP and PassSync with AD

Nathan Kinder nkinder at redhat.com
Thu Jul 9 17:24:16 UTC 2009


On 07/09/2009 09:35 AM, Prashanth Sundaram wrote:
> Elaborating the Qs:
>
> Question 1: Since we have an existing LDAP server (OpenLDAP) and users were
> logging in to other dev, prod and testing servers using the passwords
> managed by this OpenLDAP server. I believe the way the member servers
> remember the user credentials is by assigning each user a unique
> security ID. (Please correct me if I am wrong.) If that gets lost in
> migration, then my users' permissions will have to be re-assigned from
> scratch (pain for sysadmins).
>
> So my question was, will the users be able to log in to member servers after
> migrating to FDS and still have the same permissions and home directory folder,
> and everything looks the same without panicking about any missing
> permissions or files?
>    
I believe you are referring to the uidNumber and gidNumber attributes.  
File permissions use these numbers.  These will remain the same when you 
export from OpenLDAP and import to 389.
> Question2.1: What will happen to the passwords that are different on the FDS
> and AD before the Sync. I do not want the passwords to be reset on FDS or AD
> after 1st sync but only future passwords changes to be Synced to FDS and AD
> and vice versa.
>    
A clear-text password is required to sync since different hashing 
schemes are used on each side.  Passwords will only be synchronized when 
they are changed, which is what you want.
> Question2.1: I was working with Windows before and noticed that Windows
> saves users with a unique ID. If that is lost or recreated, the previous
> permissions will no longer hold true for the user, even though the username
> is the same. Is it the same in a Unix environment? Say I delete a user account
> from FDS and a day later I re-create the ID; will the permissions stay
> intact?
>    
The uidNumber and gidNumber are used in *nix, not the actual uid.  If 
you re-create a user using the same uidNumber and gidNumber, the 
permissions will still have the same net effect as they did with the old 
user entry.
>
> Thanks,
> Prashanth
>
>
>
> https://www.redhat.com/archives/fedora-directory-users/2009-July/msg00013.html
>
>
>
>    
>> On 07/09/2009 07:19 AM, Prashanth Sundaram wrote:
>>      
>>> Dear fellow Fedora DS users and experts,
>>>
>>> I am working on this new project where there is a two step process. We are
>>> currently using a poorly managed OpenLDAP server for over 3 years and
>>> planning to migrate to Fedora DS.
>>>
>>> Scenario: OpenLDAP =====Migrate all users and passwords===> Fedora DS
>>> <----------PassSync-------> Windows AD
>>>
>>> Question1: Is it possible to migrate current users (around 300 users) from
>>> OpenLDAP to Fedora DS along with the UIDs, security ID and passwords, so that
>>> everything looks the same from the users' perspective?
>>>
>>>        
>> It depends on the schema that is used, but this should be a case of
>> exporting from OpenLDAP and importing to 389.
>>      
>>> Question2: Is it possible to create a password sync between FDS and AD for
>>> all the above users? Yes, the username is the same in both directories.
>>>
>>>        
>> Yes, you can sync passwords.  A number of other common attributes are
>> synchronized as well.  These attributes are listed in the Red Hat
>> Directory Server Administrator's Guide.
>>      
>>> Question2.1: The users are stored with different Security
>>> IDs in the Windows environment than in OpenLDAP or FDS. Will that pose a
>>> problem?
>>>
>>>        
>> I'm not sure what LDAP attribute you are referring to as the "Security
>> ID", so I can't say if this will be a problem.
>>      
>>> Question2.2: We have several domain controllers and Active
>>> Directory servers which run in sync. Since PassSync can only run on one
>>> server, will it be a problem that some passwords do not get synced because the
>>> user changed it on XP, which redirected to another server (without
>>> PassSync)?
>>>
>>>        
>> You need to run the PassSync service on all domain controllers.  It's
>> the synchronization agreement that you set up on the 389 side that can
>> only point to one domain controller.
>>      
>>> If any of you have gone through these issues or anything more, please respond
>>> to this thread or give me links.
>>>
>>> Thanks for your help and patience.
>>> Prashanth
>>>
>>> --
>>> 389 users mailing list
>>> 389-users at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>
>>>        
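The uidNumber/gidNumber point above is easy to verify before cutting over. The following script is an added example, not code from the thread or from the 389 project: it parses an OpenLDAP export and the LDIF imported into 389 (assumed to be posixAccount-style entries keyed by uid) and reports every user who is missing after import or whose uidNumber, gidNumber or homeDirectory drifted. The sample LDIF, user names and base64 password are constructed.

```python
import base64, re

def parse_ldif(text):
    """Minimal LDIF reader: unfolds wrapped lines, decodes '::' base64 values,
    lower-cases attribute names and returns one {attr: [values]} dict per entry."""
    entries, current = [], {}
    for line in re.sub(r"\r?\n ", "", text).splitlines() + [""]:  # "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(attr.lower(), []).append(value.strip())
    return entries

def diff_identity(old_ldif, new_ldif, attrs=("uidnumber", "gidnumber", "homedirectory")):
    """Report each POSIX user missing after import or whose identity attributes changed."""
    index = lambda es: {e["uid"][0]: e for e in es if "uid" in e and "uidnumber" in e}
    old, new = index(parse_ldif(old_ldif)), index(parse_ldif(new_ldif))
    problems = []
    for uid, entry in sorted(old.items()):
        if uid not in new:
            problems.append(f"{uid}: missing after import")
        else:
            problems += [f"{uid}: {a} {entry.get(a)} -> {new[uid].get(a)}"
                         for a in attrs if entry.get(a) != new[uid].get(a)]
    return problems

# Constructed sample exports (not from the thread): bob's homeDirectory is folded and his
# password base64-encoded, as slapcat typically emits; the import changed bob's gid and lost alice.
OPENLDAP_LDIF = """dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
uidNumber: 10001
gidNumber: 5000

dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
uidNumber: 10002
gidNumber: 5000
homeDirectory: /home/
 bob
userPassword:: e1NTSEF9ZHVtbXk="""
IMPORTED_LDIF = """dn: uid=bob,ou=People,dc=example,dc=com
uid: bob
uidNumber: 10002
gidNumber: 5001
homeDirectory: /home/bob"""
```

Run it against the real `slapcat` output and a `db2ldif` export of the 389 instance; an empty result means file ownership on the member servers will be unaffected by the move.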
