
Migrate Local OS Users and Groups to LDAP using OpenLDAP on CentOS 5

by Jeff Hunter, Sr. Database Administrator

Contents

Introduction

Install OpenLDAP Server Package

Migrate Users and Groups

Test User Authentication Through LDAP

About the Author

Introduction
This guide demonstrates how to extract information from local OS user accounts and groups on the Linux
platform and then export those users and groups to a readable LDIF file that can be modified (if necessary) and
imported into an LDAP directory. This provides a convenient shortcut for setting up users and groups in a newly
initialized directory that can then be used to authenticate through LDAP.
The Linux machine used in this example is running the latest version of Oracle, which at the time of this writing
is Oracle Database 11g Release 2 (11.2.0.3.0). The machine name for the database server is
racnode1.idevelopment.info and it contains the user accounts and groups that best define the conventions I
would want to centralize for all Oracle database servers. The local user accounts and groups will be exported
from the database server and imported into an LDAP directory on ldapsrv.idevelopment.info.
The example used in this tutorial is based on a clean installation of OpenLDAP Software on the CentOS 5
platform. This tutorial will also work for Red Hat Enterprise Linux 5 and Oracle Linux 5. The LDAP directory
used in this guide has been initialized with a base DN of dc=idevelopment,dc=info and the organizational units
People, Group, and Hosts. Obviously, the name of your LDAP server and the base DN will differ, and the
examples presented in this guide will need to be modified accordingly for your environment.

Refer to the following two tutorials on how to install OpenLDAP Software and initialize the LDAP directory on
the server (ldapsrv.idevelopment.info in this guide) on the CentOS 5 platform.

Install and Configure OpenLDAP

Initialize a New LDAP Directory

Oracle Users and Groups

The users and groups being migrated to LDAP are reflective of a typical Oracle RAC 11g Release 2
configuration that includes Oracle Grid Infrastructure and Oracle Database software.

Groups

Group Name   gidNumber
oinstall     1000
asmadmin     1200
asmdba       1201
asmoper      1202
dba          1300
oper         1301

Users

User     uid   Gid   Groups                                                    loginShell   homeDirectory
grid     1100  1000  1000(oinstall),1200(asmadmin),1201(asmdba),1202(asmoper)  /bin/bash    /home/grid
oracle   1101  1000  1000(oinstall),1201(asmdba),1300(dba),1301(oper)          /bin/bash    /home/oracle
jhunter  500   500   500(jhunter),1300(dba),1301(oper)                         /bin/bash    /home/jhunter

In the end, we will also be able to create additional LDAP users based on a template LDIF record for a user and
group developed in the migration phase of this guide.

Install OpenLDAP Server Package


The first step is to install the OpenLDAP server package on the database server. The LDAP server package
comes with a set of shell and Perl migration scripts for converting existing users, along with their UIDs, GIDs, home
directories, passwords, etc., into LDIF records.
[root@racnode1 ~]# yum -y install openldap-servers

Migrate Users and Groups


This section contains instructions on how to use the migration scripts provided by OpenLDAP Software to
migrate local user accounts and groups to an LDAP directory for authentication purposes.

Perl must be installed on the system to use the scripts described in this section.

Migration Scripts
The OpenLDAP server package installed in the previous step includes a set of shell and Perl scripts that can be
used to migrate user data and authentication information on the local system into an LDAP format. Those
scripts can be found in the /usr/share/openldap/migration directory.
[root@racnode1 ~]# ls -l /usr/share/openldap/migration
total 140
-rwxr-xr-x 1 root root 2656 Jul 12 04:07 migrate_aliases.pl
-rwxr-xr-x 1 root root 2954 Jul 12 04:07 migrate_all_netinfo_offline.sh
-rwxr-xr-x 1 root root 2950 Jul 12 04:07 migrate_all_netinfo_online.sh
-rwxr-xr-x 1 root root 3008 Jul 12 04:07 migrate_all_nis_offline.sh
-rwxr-xr-x 1 root root 3003 Jul 12 04:07 migrate_all_nis_online.sh
-rwxr-xr-x 1 root root 3168 Jul 12 04:07 migrate_all_nisplus_offline.sh
-rwxr-xr-x 1 root root 3150 Jul 12 04:07 migrate_all_nisplus_online.sh
-rwxr-xr-x 1 root root 5274 Jul 12 04:07 migrate_all_offline.sh
-rwxr-xr-x 1 root root 7472 Jul 12 04:07 migrate_all_online.sh
-rwxr-xr-x 1 root root 3224 Jul 12 04:07 migrate_automount.pl
-rwxr-xr-x 1 root root 2612 Jul 12 04:07 migrate_base.pl
-rw-r--r-- 1 root root 8880 Jul 12 04:07 migrate_common.ph
-rwxr-xr-x 1 root root 2956 Jul 12 04:07 migrate_fstab.pl
-rwxr-xr-x 1 root root 2718 Jul 12 04:07 migrate_group.pl
-rwxr-xr-x 1 root root 2755 Jul 12 04:07 migrate_hosts.pl
-rwxr-xr-x 1 root root 2860 Jul 12 04:07 migrate_netgroup_byhost.pl
-rwxr-xr-x 1 root root 2860 Jul 12 04:07 migrate_netgroup_byuser.pl
-rwxr-xr-x 1 root root 3883 Jul 12 04:07 migrate_netgroup.pl
-rwxr-xr-x 1 root root 2844 Jul 12 04:07 migrate_networks.pl
-rwxr-xr-x 1 root root 5639 Jul 12 04:07 migrate_passwd.pl
-rwxr-xr-x 1 root root 2432 Jul 12 04:07 migrate_profile.pl
-rwxr-xr-x 1 root root 2877 Jul 12 04:07 migrate_protocols.pl
-rwxr-xr-x 1 root root 2858 Jul 12 04:07 migrate_rpc.pl
-rwxr-xr-x 1 root root 10020 Jul 12 04:07 migrate_services.pl
-rwxr-xr-x 1 root root 3423 Jul 12 04:07 migrate_slapd_conf.pl
-rw-r--r-- 1 root root 8060 Jul 12 04:07 migration-tools.txt
-rw-r--r-- 1 root root 1855 Jul 12 04:07 README

The "Migrate All" Scripts


There are two versions of the migrate_all_* shell scripts in the migration directory: online and offline. I don't
use the migrate_all_* scripts to identify users since they actually attempt to perform the import into the LDAP
directory. The difference between online and offline is whether the script assumes the LDAP server is online
(uses ldapadd) or offline (uses slapadd). Each script will attempt to update the LDAP directory immediately
during execution. Again, since I want to modify the generated LDIF records to import only certain users and
groups, I will not be covering the "migrate all" scripts in this guide.
The README and the migration-tools.txt files in the /usr/share/openldap/migration directory provide
more details on how to use the LDAP migration scripts.

Common Defines for MigrationTools


Modify the /usr/share/openldap/migration/migrate_common.ph file so that it reflects the correct domain.
You should only need to modify the $DEFAULT_MAIL_DOMAIN, $DEFAULT_BASE, and $EXTENDED_SCHEMA
variables.
[root@racnode1 ~]# vi /usr/share/openldap/migration/migrate_common.ph
...
# Default DNS domain
$DEFAULT_MAIL_DOMAIN = "idevelopment.info";
# Default base
$DEFAULT_BASE = "dc=idevelopment,dc=info";
...
# turn this on to support more general object clases
# such as person.
$EXTENDED_SCHEMA = 1;
...

Export Base
Exporting the LDIF entries for the base DN on the machine you are extracting the local users and groups from
is not necessary in this guide. This optional step can be performed to view which organizationalUnit
definitions and other objects are present on the local system. I run it mostly for interest in seeing what type of
entries it would try to create and import to the LDAP directory.
[root@racnode1 ~]# cd /usr/share/openldap/migration
[root@racnode1 migration]# ./migrate_base.pl > base.ldif

Exporting the base configuration is optional and will not be imported into the LDAP directory in this
section.

Export Users and Groups


Export the local user and group information into a format that is readable by LDAP. This is done by running the
appropriate migration script in the /usr/share/openldap/migration directory. Run the appropriate script
based on the existing name service.

Users
First, we need to tell the script where to find password information. We do this by setting the shell variable
ETC_SHADOW to be /etc/shadow.

[root@racnode1 migration]# export ETC_SHADOW=/etc/shadow

Next, export all local users to an LDIF file named people.ldif.


[root@racnode1 migration]# ./migrate_passwd.pl /etc/passwd people.ldif

Remove extraneous people by modifying the people.ldif file so that it contains only those users that you want to
import into the LDAP directory. Because ETC_SHADOW was set, the file also carries each user's password hash
from /etc/shadow, so keep it readable only by root and remove it once the import is complete.
[root@racnode1 migration]# vi people.ldif
dn: uid=jhunter,ou=People,dc=idevelopment,dc=info
uid: jhunter
cn: Jeffrey Hunter
givenName: Jeffrey
sn: Hunter
mail: jhunter@idevelopment.info
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$ZxO.cXOx$tiZQStYEF2sYN0TFtQFZx0
shadowLastChange: 15360
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/jhunter
gecos: Jeffrey Hunter

dn: uid=grid,ou=People,dc=idevelopment,dc=info
uid: grid
cn: Grid Infrastructure Owner
givenName: Grid Infrastructure
sn: Owner
mail: grid@idevelopment.info
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$prDmL5Ft$R3myzLbAjxzXO/7ycR6HU0
shadowLastChange: 15360
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1100
gidNumber: 1000
homeDirectory: /home/grid
gecos: Grid Infrastructure Owner

dn: uid=oracle,ou=People,dc=idevelopment,dc=info
uid: oracle
cn: Oracle Software Owner
givenName: Oracle Software
sn: Owner
mail: oracle@idevelopment.info
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$FWY0gU.9$aJMPBkM/JsvdMTwa3ZO2N0
shadowLastChange: 15360
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1101
gidNumber: 1000
homeDirectory: /home/oracle
gecos: Oracle Software Owner

Groups
Export all local groups to an LDIF file named group.ldif.
[root@racnode1 migration]# ./migrate_group.pl /etc/group group.ldif

Again, remove extraneous entries by modifying the group.ldif file so that it contains only those groups that you want
to import into the LDAP directory.
[root@racnode1 migration]# vi group.ldif
dn: cn=jhunter,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: jhunter
userPassword: {crypt}x
gidNumber: 500

dn: cn=oinstall,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: oinstall
userPassword: {crypt}x
gidNumber: 1000

dn: cn=asmadmin,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: asmadmin
userPassword: {crypt}x
gidNumber: 1200
memberUid: grid

dn: cn=asmdba,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: asmdba
userPassword: {crypt}x
gidNumber: 1201
memberUid: grid
memberUid: oracle

dn: cn=asmoper,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: asmoper
userPassword: {crypt}x
gidNumber: 1202
memberUid: grid

dn: cn=dba,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: dba
userPassword: {crypt}x
gidNumber: 1300
memberUid: jhunter
memberUid: oracle

dn: cn=oper,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: oper
userPassword: {crypt}x
gidNumber: 1301
memberUid: jhunter
memberUid: oracle

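The hand-editing of people.ldif and group.ldif described above can be scripted. The following Python is an added example and is not part of the original guide or of the OpenLDAP migration tools; it assumes the layout those scripts emit (one attribute per line, no folded lines) and uses constructed sample records with the password hashes left out.

```python
# Added example (not from the original guide): trim the LDIF written by
# migrate_passwd.pl / migrate_group.pl to a keep-list, and flag memberUid
# values that name users you chose not to import.

def parse_ldif(text):
    """Split LDIF into records (lists of (attr, value) pairs); a record ends at a
    blank line or at the next dn: line, so lost separator lines are tolerated."""
    records, rec = [], []
    for line in text.splitlines() + [""]:
        if (line == "" or line.lower().startswith("dn:")) and rec:
            records.append(rec)
            rec = []
        if line:
            attr, _, val = line.partition(":")
            rec.append((attr.strip(), val.strip()))
    return records

def values(rec, attr):
    return [v for a, v in rec if a.lower() == attr.lower()]

def filter_records(text, keep):
    """Records whose uid (people.ldif) or cn (group.ldif) is in keep."""
    return [r for r in parse_ldif(text)
            if (values(r, "uid") or values(r, "cn") or [None])[0] in keep]

def dangling_members(group_recs, user_names):
    """(group cn, memberUid) pairs that name a user not being imported."""
    return [(values(g, "cn")[0], m) for g in group_recs
            for m in values(g, "memberUid") if m not in user_names]

def to_ldif(recs):
    """Serialise records back to LDIF with one blank line between entries."""
    return "".join("\n".join(f"{a}: {v}" for a, v in r) + "\n\n" for r in recs)

# Constructed sample input shaped like the scripts' output (hashes omitted);
# the blank line between the first two people records is deliberately missing.
PEOPLE = """dn: uid=jhunter,ou=People,dc=idevelopment,dc=info
uid: jhunter
dn: uid=oracle,ou=People,dc=idevelopment,dc=info
uid: oracle

dn: uid=nfsnobody,ou=People,dc=idevelopment,dc=info
uid: nfsnobody
"""
GROUPS = """dn: cn=dba,ou=Group,dc=idevelopment,dc=info
cn: dba
memberUid: jhunter
memberUid: oracle

dn: cn=wheel,ou=Group,dc=idevelopment,dc=info
cn: wheel
memberUid: nfsnobody
"""
```

Write `to_ldif(filter_records(open("people.ldif").read(), {"jhunter", "grid", "oracle"}))` to a new file and run `dangling_members` on the filtered groups before importing, so no group ends up listing a member the directory does not know.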
Import Users and Groups


Use ldapadd to import the people.ldif and group.ldif files to the LDAP directory.
[root@racnode1 migration]# ldapadd -x -W -h ldapsrv -D "cn=Manager,dc=idevelopment,dc=info" -f people.ldif
Enter LDAP Password: *********
adding new entry "uid=jhunter,ou=People,dc=idevelopment,dc=info"
adding new entry "uid=grid,ou=People,dc=idevelopment,dc=info"
adding new entry "uid=oracle,ou=People,dc=idevelopment,dc=info"

[root@racnode1 migration]# ldapadd -x -W -h ldapsrv -D "cn=Manager,dc=idevelopment,dc=info" -f group.ldif
Enter LDAP Password: *********
adding new entry "cn=jhunter,ou=Group,dc=idevelopment,dc=info"
adding new entry "cn=oinstall,ou=Group,dc=idevelopment,dc=info"
adding new entry "cn=asmadmin,ou=Group,dc=idevelopment,dc=info"
adding new entry "cn=asmdba,ou=Group,dc=idevelopment,dc=info"
adding new entry "cn=asmoper,ou=Group,dc=idevelopment,dc=info"
adding new entry "cn=dba,ou=Group,dc=idevelopment,dc=info"
adding new entry "cn=oper,ou=Group,dc=idevelopment,dc=info"

Verify Users and Groups


Verify the users and groups imported into the LDAP directory using ldapsearch.
[root@racnode1 ~]# ldapsearch -x -W -h 'ldapsrv' -D 'cn=Manager,dc=idevelopment,dc=info' -b 'ou=People,dc=idevelopment,dc=info' dn cn
Enter LDAP Password: *********
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: dn cn
#
# People, idevelopment.info
dn: ou=People,dc=idevelopment,dc=info
# jhunter, People, idevelopment.info
dn: uid=jhunter,ou=People,dc=idevelopment,dc=info
cn: Jeffrey Hunter
# grid, People, idevelopment.info
dn: uid=grid,ou=People,dc=idevelopment,dc=info
cn: Grid Infrastructure Owner
# oracle, People, idevelopment.info
dn: uid=oracle,ou=People,dc=idevelopment,dc=info
cn: Oracle Software Owner
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 4
[root@racnode1 ~]# ldapsearch -x -W -h 'ldapsrv' -D 'cn=Manager,dc=idevelopment,dc=info' -b 'ou=Group,dc=idevelopment,dc=info' dn cn
Enter LDAP Password: *********
# extended LDIF
#
# LDAPv3
# base with scope subtree
# filter: (objectclass=*)
# requesting: dn cn
#
# Group, idevelopment.info
dn: ou=Group,dc=idevelopment,dc=info
# jhunter, Group, idevelopment.info
dn: cn=jhunter,ou=Group,dc=idevelopment,dc=info
cn: jhunter
# oinstall, Group, idevelopment.info
dn: cn=oinstall,ou=Group,dc=idevelopment,dc=info
cn: oinstall
# asmadmin, Group, idevelopment.info
dn: cn=asmadmin,ou=Group,dc=idevelopment,dc=info
cn: asmadmin
# asmdba, Group, idevelopment.info
dn: cn=asmdba,ou=Group,dc=idevelopment,dc=info
cn: asmdba
# asmoper, Group, idevelopment.info
dn: cn=asmoper,ou=Group,dc=idevelopment,dc=info
cn: asmoper
# dba, Group, idevelopment.info
dn: cn=dba,ou=Group,dc=idevelopment,dc=info
cn: dba
# oper, Group, idevelopment.info
dn: cn=oper,ou=Group,dc=idevelopment,dc=info
cn: oper
# search result
search: 2
result: 0 Success
# numResponses: 9
# numEntries: 8

Test User Authentication Through LDAP


Log in as one of the new directory users to a client machine that can authenticate through the LDAP server. The
client machine should not have any local user accounts or groups defined with the same name as those being
authenticated through the LDAP directory.
[root@racnode1 ~]# ssh oracle@ldaptest
The authenticity of host 'ldaptest (192.168.1.104)' can't be established.
RSA key fingerprint is f8:76:8c:98:62:b0:f0:29:21:19:18:ea:f6:24:23:bc.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ldaptest,192.168.1.104' (RSA) to the list of known hosts.
oracle@ldaptest's password:
Creating directory '/home/oracle'.
Creating directory '/home/oracle/.mozilla'.
Creating directory '/home/oracle/.mozilla/plugins'.
Creating directory '/home/oracle/.mozilla/extensions'.
[oracle@ldaptest ~]$ id
uid=1101(oracle) gid=1000(oinstall)
groups=1000(oinstall),1201(asmdba),1300(dba),1301(oper)
[oracle@ldaptest ~]$ cat /etc/passwd | grep oracle

[oracle@ldaptest ~]$ cat /etc/group | grep oinstall

Notice that oracle was able to authenticate through LDAP and log in to the machine. Since this was the first
time logging in as oracle, the home directory was automatically created. Also notice that the oracle user
account and the associated groups are not listed in /etc/passwd and /etc/group on the local system. This
account was authenticated through LDAP and uses the values from the LDAP server for the account.
