Hi folks,
I've just started playing with fedora directory server, and I'm looking for a straightforward way to import existing Linux accounts (passwd/shadow/group files) into fedora-ds.
I've looked at the padl migration tools and tried them out, but they don't seem to quite get it right. First, the groups are put into ou=Groups instead of ou=Group (as fedora-ds expects). Editing the ldif file to change Groups to Group allows me to import the group data, but then the objectClasses are wrong. The padl tools create groups as class "posixGroup", but fedora-ds seems to use "groupofuniquenames" for groups.
Also, the padl migration tools use objectClasses "posixAccount","account" and "shadowAccount" for entries in the passwd file, but fedora-ds seems to expect "person", "organizationalPerson" and "inetorgperson".
Has anybody written a simple HOWTO for migrating passwd/shadow/group files to fedora-ds?
Thanks, Bryan
Bryan K. Wright wrote:
> Hi folks,
> I've just started playing with fedora directory server, and I'm looking for a straightforward way to import existing Linux accounts (passwd/shadow/group files) into fedora-ds.
> I've looked at the padl migration tools and tried them out, but they don't seem to quite get it right. First, the groups are put into ou=Groups instead of ou=Group (as fedora-ds expects). Editing the ldif file to change Groups to Group allows me to import the group data, but then the objectClasses are wrong. The padl tools create groups as class "posixGroup", but fedora-ds seems to use "groupofuniquenames" for groups.
Fedora DS groups can be both posixGroup and groupOfUniqueNames. Just add the objectclass "groupOfUniqueNames" to your posixGroup entries (or vice versa, if you have existing gouns that you want to use as posix groups).
> Also, the padl migration tools use objectClasses "posixAccount","account" and "shadowAccount" for entries in the passwd file, but fedora-ds seems to expect "person", "organizationalPerson" and "inetorgperson".
Similar to the above, entries can be both inetOrgPerson and posixAccount, shadowAccount, and account (see the caveat about using the account objectclass here - http://directory.fedora.redhat.com/wiki/Howto:Posix)
> Has anybody written a simple HOWTO for migrating passwd/shadow/group files to fedora-ds?
Not yet, but we're in the process.
> Thanks, Bryan
Bryan K. Wright wrote:
> Hi folks,
> I've just started playing with fedora directory server, and I'm looking for a straightforward way to import existing Linux accounts (passwd/shadow/group files) into fedora-ds.
> I've looked at the padl migration tools and tried them out, but they don't seem to quite get it right. First, the groups are put into ou=Groups instead of ou=Group (as fedora-ds expects). Editing the ldif file to change Groups to Group allows me to import the group data, but then the objectClasses are wrong. The padl tools create groups as class "posixGroup", but fedora-ds seems to use "groupofuniquenames" for groups.
Bryan, the object classes advertise how the entry's data may be used. The same entry may be used for multiple purposes. You may want to use the same posix groups for email or aci's as well (for example).
> Also, the padl migration tools use objectClasses "posixAccount","account" and "shadowAccount" for entries in the passwd file, but fedora-ds seems to expect "person", "organizationalPerson" and "inetorgperson".
Again, 'person', 'organizationalPerson' and 'inetOrgPerson' are generic-ish LDAP objectclasses. These are describing the entry and its contents. These are used in different ways. When you specify an objectclass of 'posixAccount' you are saying that this entry is a posix account (aptly named). Different objectClasses allow/require different attributes.
For example, in order to store homeDirectory, gecos, uidNumber, gidNumber (LDAP attribute equivalents of the /etc/passwd values) in the Directory, you will want to use posixAccount.
Take a look at 'http://ldap.akbkhome.com/index.php/objectclass.html' to see what objectClasses allow what attributes. Specifically: 'http://ldap.akbkhome.com/index.php/objectclass/posixAccount.html'
> Has anybody written a simple HOWTO for migrating passwd/shadow/group files to fedora-ds?
How are you planning to access the data in the Directory? libnss-ldap and pam-ldap? If so, there is a lot of flexibility in how you store the data. You can configure filters in those modules to find the data that you want. You might want to look at those, as there is some decent documentation, and then see what THEY expect.
Hope that helps.
Elliot
389-users@lists.fedoraproject.org
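Added example (not written by anyone in this thread, and not Fedora DS project code): a converter that turns passwd and group lines into LDIF entries carrying both sets of objectClasses discussed in the replies above. It goes slightly beyond the thread by base64-encoding values that are not LDIF-safe and by refusing names that would need DN escaping. The suffix dc=example,dc=com, the container names and all function names are assumptions, and password hashes from the shadow file are deliberately not handled.

```python
import base64
import re

BASE_DN = "dc=example,dc=com"          # assumed suffix
PEOPLE = "ou=People," + BASE_DN        # assumed containers; match your own tree
GROUPS = "ou=Group," + BASE_DN
# RFC 2849 SAFE-STRING: ASCII, no NUL/CR/LF, no leading space, ':' or '<'
SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f][\x01-\x09\x0b\x0c\x0e-\x7f]*")
NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")  # names safe to place in a DN unescaped

def attr(name, value):
    """One LDIF line; values that are not a SAFE-STRING are base64-encoded."""
    value = str(value)
    if SAFE.fullmatch(value) and not value.endswith(" "):
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def check(name):
    if not NAME.fullmatch(name):
        raise ValueError(f"refusing name that needs DN escaping: {name!r}")
    return name

def user_entry(line):
    """passwd line -> entry that is both inetOrgPerson and posixAccount."""
    uid, _pw, uidn, gidn, gecos, home, shell = line.rstrip("\n").split(":")
    cn = gecos.split(",")[0].strip() or check(uid)  # full name = first GECOS subfield
    rows = [attr("dn", f"uid={check(uid)},{PEOPLE}")]
    rows += [attr("objectClass", oc) for oc in ("top", "person",
             "organizationalPerson", "inetOrgPerson", "posixAccount")]
    rows += [attr("uid", uid), attr("cn", cn),
             attr("sn", cn.split()[-1]),             # person requires sn
             attr("uidNumber", int(uidn)), attr("gidNumber", int(gidn)),
             attr("homeDirectory", home)]
    rows += [attr("loginShell", shell)] if shell else []
    return "\n".join(rows)

def group_entry(line):
    """group line -> entry that is both posixGroup and groupOfUniqueNames."""
    name, _pw, gidn, members = line.rstrip("\n").split(":")
    users = [check(m) for m in members.split(",") if m]
    rows = [attr("dn", f"cn={check(name)},{GROUPS}")]
    rows += [attr("objectClass", oc) for oc in ("top", "posixGroup", "groupOfUniqueNames")]
    rows += [attr("cn", name), attr("gidNumber", int(gidn))]
    rows += [attr("memberUid", m) for m in users]    # name form, for posixGroup
    rows += [attr("uniqueMember", f"uid={m},{PEOPLE}") for m in users]  # DN form
    return "\n".join(rows)

if __name__ == "__main__":  # constructed sample lines, not real accounts
    print(user_entry("rene:x:1002:100:René Dupré,Room 2:/home/rene:/bin/sh"))
    print(group_entry("staff:x:100:rene"))
```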