Introduction
This guide demonstrates how to extract information about local OS user accounts and groups on the Linux
platform and export those users and groups to a readable LDIF file that can be modified (if necessary) and
imported into an LDAP directory. This is a convenient shortcut for populating a newly initialized directory with
the users and groups that clients will then authenticate against through LDAP.
The Linux machine used in this example is running Oracle Database 11g Release 2 (11.2.0.3.0), the latest release
at the time of this writing. The database server is racnode1.idevelopment.info and contains the user accounts
and groups that best represent the conventions I want to centralize for all Oracle database servers. The local
user accounts and groups will be exported from the database server and imported into the LDAP directory on
ldapsrv.idevelopment.info.
The example used in this tutorial is based on a clean installation of OpenLDAP Software on the CentOS 5
platform. This tutorial will also work for Red Hat Enterprise Linux 5 and Oracle Linux 5. The LDAP directory
used in this guide has been initialized with a base DN of dc=idevelopment,dc=info and the organizational units
People, Group, and Hosts. Obviously, the name of your LDAP server and the base DN will differ, and the
examples presented in this guide will need to be modified accordingly for your environment.
Refer to the following two tutorials on how to install OpenLDAP Software and initialize the LDAP directory on
the server (ldapsrv.idevelopment.info in this guide) on the CentOS 5 platform.
The local users and groups on racnode1 that will be migrated are summarized below (the Groups column lists
the primary group first, followed by the supplementary groups):

Users

  Username   uidNumber   gidNumber   Groups                                                      loginShell   homeDirectory
  grid       1100        1000        1000(oinstall),1200(asmadmin),1201(asmdba),1202(asmoper)    /bin/bash    /home/grid
  oracle     1101        1000        1000(oinstall),1201(asmdba),1300(dba),1301(oper)            /bin/bash    /home/oracle
  jhunter    500         500         500(jhunter),1300(dba),1301(oper)                           /bin/bash    /home/jhunter

Groups

  Group Name   gidNumber
  oinstall     1000
  asmadmin     1200
  asmdba       1201
  asmoper      1202
  dba          1300
  oper         1301
In the end, we will also be able to create additional LDAP users based on a template LDIF record for a user and
group developed in the migration phase of this guide.
Perl must be installed on the system to use the scripts described in this section.
Migration Scripts
The OpenLDAP server package installed in the previous step includes a set of shell and Perl scripts that can be
used to migrate user data and authentication information on the local system into LDIF. Those scripts can be
found in the /usr/share/openldap/migration directory. Their shared settings live in migrate_common.ph; in
particular the base DN and mail domain written into every generated entry ($DEFAULT_BASE and
$DEFAULT_MAIL_DOMAIN) must match the directory you are importing into. The output shown in this guide was
produced with dc=idevelopment,dc=info and idevelopment.info.
[root@racnode1 ~]# ls -l /usr/share/openldap/migration
total 140
-rwxr-xr-x 1 root root 2656 Jul 12 04:07 migrate_aliases.pl
-rwxr-xr-x 1 root root 2954 Jul 12 04:07 migrate_all_netinfo_offline.sh
-rwxr-xr-x 1 root root 2950 Jul 12 04:07 migrate_all_netinfo_online.sh
-rwxr-xr-x 1 root root 3008 Jul 12 04:07 migrate_all_nis_offline.sh
-rwxr-xr-x 1 root root 3003 Jul 12 04:07 migrate_all_nis_online.sh
-rwxr-xr-x 1 root root 3168 Jul 12 04:07 migrate_all_nisplus_offline.sh
-rwxr-xr-x 1 root root 3150 Jul 12 04:07 migrate_all_nisplus_online.sh
-rwxr-xr-x 1 root root 5274 Jul 12 04:07 migrate_all_offline.sh
-rwxr-xr-x 1 root root 7472 Jul 12 04:07 migrate_all_online.sh
-rwxr-xr-x 1 root root 3224 Jul 12 04:07 migrate_automount.pl
-rwxr-xr-x 1 root root 2612 Jul 12 04:07 migrate_base.pl
-rw-r--r-- 1 root root 8880 Jul 12 04:07 migrate_common.ph
-rwxr-xr-x 1 root root 2956 Jul 12 04:07 migrate_fstab.pl
-rwxr-xr-x 1 root root 2718 Jul 12 04:07 migrate_group.pl
-rwxr-xr-x 1 root root 2755 Jul 12 04:07 migrate_hosts.pl
-rwxr-xr-x 1 root root 2860 Jul 12 04:07 migrate_netgroup_byhost.pl
-rwxr-xr-x 1 root root 2860 Jul 12 04:07 migrate_netgroup_byuser.pl
-rwxr-xr-x 1 root root 3883 Jul 12 04:07 migrate_netgroup.pl
-rwxr-xr-x 1 root root 2844 Jul 12 04:07 migrate_networks.pl
-rwxr-xr-x 1 root root 5639 Jul 12 04:07 migrate_passwd.pl
-rwxr-xr-x 1 root root 2432 Jul 12 04:07 migrate_profile.pl
-rwxr-xr-x 1 root root 2877 Jul 12 04:07 migrate_protocols.pl
-rwxr-xr-x 1 root root 2858 Jul 12 04:07 migrate_rpc.pl
-rwxr-xr-x 1 root root 10020 Jul 12 04:07 migrate_services.pl
-rwxr-xr-x 1 root root 3423 Jul 12 04:07 migrate_slapd_conf.pl
-rw-r--r-- 1 root root 8060 Jul 12 04:07 migration-tools.txt
-rw-r--r-- 1 root root 1855 Jul 12 04:07 README
Export Base
Exporting the LDIF entries for the base DN is not necessary in this guide, because the directory on ldapsrv has
already been initialized with the base DN and the People, Group, and Hosts organizational units. This optional
step is still useful for seeing what migrate_base.pl would create: it reads nothing from the local system, but
emits the base entry and the standard organizationalUnit containers the migration tools use (People, Group,
Hosts and the others) under the base DN configured in migrate_common.ph. I run it mostly out of interest to
see which container entries the tools expect to exist before the user and group entries are imported.
[root@racnode1 ~]# cd /usr/share/openldap/migration
[root@racnode1 migration]# ./migrate_base.pl > base.ldif
Exporting the base configuration is optional and will not be imported into the LDAP directory in this
section.
Users
First, we need to tell migrate_passwd.pl where to find the password hashes and password-aging information,
since /etc/passwd no longer carries them. We do this by setting the shell variable ETC_SHADOW to /etc/shadow,
and then export the local users to an LDIF file named people.ldif.
[root@racnode1 migration]# export ETC_SHADOW=/etc/shadow
[root@racnode1 migration]# ./migrate_passwd.pl /etc/passwd people.ldif
Be aware that people.ldif now contains the password hashes from /etc/shadow as userPassword values. Keep the
file readable by root only (chmod 600) and delete it once it has been imported on ldapsrv.
Remove extraneous people (root and the other system accounts) by modifying the people.ldif file so that it
contains only those users that you want to import into the LDAP directory.
[root@racnode1 migration]# vi people.ldif
dn: uid=jhunter,ou=People,dc=idevelopment,dc=info
uid: jhunter
cn: Jeffrey Hunter
givenName: Jeffrey
sn: Hunter
mail: jhunter@idevelopment.info
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$ZxO.cXOx$tiZQStYEF2sYN0TFtQFZx0
shadowLastChange: 15360
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/jhunter
gecos: Jeffrey Hunter

dn: uid=grid,ou=People,dc=idevelopment,dc=info
uid: grid
cn: Grid Infrastructure Owner
givenName: Grid Infrastructure
sn: Owner
mail: grid@idevelopment.info
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$prDmL5Ft$R3myzLbAjxzXO/7ycR6HU0
shadowLastChange: 15360
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1100
gidNumber: 1000
homeDirectory: /home/grid
gecos: Grid Infrastructure Owner

dn: uid=oracle,ou=People,dc=idevelopment,dc=info
uid: oracle
cn: Oracle Software Owner
givenName: Oracle Software
sn: Owner
mail: oracle@idevelopment.info
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$FWY0gU.9$aJMPBkM/JsvdMTwa3ZO2N0
shadowLastChange: 15360
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1101
gidNumber: 1000
homeDirectory: /home/oracle
gecos: Oracle Software Owner
Groups
Export all local groups to an LDIF file named group.ldif.
[root@racnode1 migration]# ./migrate_group.pl /etc/group group.ldif
Again, remove extraneous entries by modifying the group.ldif file so that it contains only those groups that you
want to import into the LDAP directory. The userPassword: {crypt}x lines are just the x placeholder copied from
the second field of /etc/group; they are not real hashes and can safely be deleted from each entry.
[root@racnode1 migration]# vi group.ldif
dn: cn=jhunter,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: jhunter
userPassword: {crypt}x
gidNumber: 500

dn: cn=oinstall,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: oinstall
userPassword: {crypt}x
gidNumber: 1000

dn: cn=asmadmin,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: asmadmin
userPassword: {crypt}x
gidNumber: 1200
memberUid: grid

dn: cn=asmdba,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: asmdba
userPassword: {crypt}x
gidNumber: 1201
memberUid: grid
memberUid: oracle

dn: cn=asmoper,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: asmoper
userPassword: {crypt}x
gidNumber: 1202
memberUid: grid

dn: cn=dba,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: dba
userPassword: {crypt}x
gidNumber: 1300
memberUid: jhunter
memberUid: oracle

dn: cn=oper,ou=Group,dc=idevelopment,dc=info
objectClass: posixGroup
objectClass: top
cn: oper
userPassword: {crypt}x
gidNumber: 1301
memberUid: jhunter
memberUid: oracle
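The two export steps above (users with ETC_SHADOW set, then groups) and the manual trimming of people.ldif and group.ldif can be followed end to end in the following Python re-implementation. It is an added example, not part of the original guide and not the PADL migrate_passwd.pl/migrate_group.pl code. The sample /etc/passwd, /etc/shadow and /etc/group contents are constructed to match the racnode1 accounts in this guide (the shadow hashes are placeholders, and root is included only to show filtering), the allow-lists take the place of editing the LDIF in vi, and two deliberate departures from the scripts are marked in comments: a locked account gets no userPassword, and the x placeholder from /etc/group is not copied into the group entry.

```python
"""Export selected local users and groups to LDIF, as the OpenLDAP migration tools
do (inetOrgPerson/posixAccount/shadowAccount for people, posixGroup for groups).
Added example for this guide; it is not the PADL migrate_*.pl code."""

BASE_DN = "dc=idevelopment,dc=info"   # $DEFAULT_BASE in migrate_common.ph
MAIL_DOMAIN = "idevelopment.info"     # $DEFAULT_MAIL_DOMAIN in migrate_common.ph

# Constructed sample files modelled on the racnode1 accounts in this guide (the
# hashes are placeholders); root is there only to show filtering and locking.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jhunter:x:500:500:Jeffrey Hunter:/home/jhunter:/bin/bash
grid:x:1100:1000:Grid Infrastructure Owner:/home/grid:/bin/bash
oracle:x:1101:1000:Oracle Software Owner:/home/oracle:/bin/bash
"""
SHADOW = """\
root:!!:15360:0:99999:7:::
jhunter:$1$salt$placeholderjh:15360:0:99999:7:::
grid:$1$salt$placeholdergrid:15360:0:99999:7:::
oracle:$1$salt$placeholderora:15360:0:99999:7:::
"""
GROUP = """\
root:x:0:
jhunter:x:500:
oinstall:x:1000:
asmadmin:x:1200:grid
asmdba:x:1201:grid,oracle
asmoper:x:1202:grid
dba:x:1300:jhunter,oracle
oper:x:1301:jhunter,oracle
"""
LOCKED = ("", "!", "!!", "*")   # shadow values meaning "password login disabled"


def parse_colon_file(text):
    """Rows of a colon-separated /etc file, skipping blank and comment lines."""
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def people_ldif(passwd_text, shadow_text, keep):
    """One LDIF record per user in `keep`, in migrate_passwd.pl's attribute order."""
    shadow = {row[0]: row for row in parse_colon_file(shadow_text)}
    records = []
    for name, _pw, uid, gid, gecos, home, shell in parse_colon_file(passwd_text):
        if name not in keep:                       # "remove extraneous people"
            continue
        given, _, surname = gecos.rpartition(" ")  # last word of gecos -> sn
        lines = [f"dn: uid={name},ou=People,{BASE_DN}", f"uid: {name}",
                 f"cn: {gecos or name}"]
        if given:
            lines.append(f"givenName: {given}")
        lines += [f"sn: {surname or name}", f"mail: {name}@{MAIL_DOMAIN}",
                  "objectClass: person", "objectClass: organizationalPerson",
                  "objectClass: inetOrgPerson", "objectClass: posixAccount",
                  "objectClass: top", "objectClass: shadowAccount"]
        if name in shadow:
            pwhash, last, mn, mx, warn, inactive, expire = shadow[name][1:8]
            # Departure from the script: a locked account gets no userPassword,
            # so no simple bind against its directory entry can succeed.
            if pwhash not in LOCKED:
                lines.append("userPassword: {crypt}" + pwhash)
            for attr, val in (("shadowLastChange", last), ("shadowMin", mn),
                              ("shadowMax", mx), ("shadowWarning", warn),
                              ("shadowInactive", inactive), ("shadowExpire", expire)):
                if val:   # LastChange/Expire: days since the epoch; others: day counts
                    lines.append(f"{attr}: {val}")
        lines += [f"loginShell: {shell}", f"uidNumber: {uid}",
                  f"gidNumber: {gid}", f"homeDirectory: {home}"]
        if gecos:
            lines.append(f"gecos: {gecos}")
        records.append("\n".join(lines))
    return records


def group_ldif(group_text, keep):
    """One posixGroup LDIF record per group in `keep`."""
    records = []
    for name, _pw, gid, members in parse_colon_file(group_text):
        if name not in keep:
            continue
        lines = [f"dn: cn={name},ou=Group,{BASE_DN}", "objectClass: posixGroup",
                 "objectClass: top", f"cn: {name}", f"gidNumber: {gid}"]
        # Field 4 holds supplementary members only, so grid and oracle are not
        # listed under oinstall although it is their primary group (same as the
        # guide's group.ldif). The "x" in field 2 is a placeholder, not a hash,
        # and unlike migrate_group.pl it is not copied into userPassword.
        lines += [f"memberUid: {m}" for m in members.split(",") if m]
        records.append("\n".join(lines))
    return records


def migrate(keep_users, keep_groups):
    """Whole export as one LDIF document; LDIF separates entries with a blank line."""
    records = people_ldif(PASSWD, SHADOW, keep_users) + group_ldif(GROUP, keep_groups)
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    print(migrate({"jhunter", "grid", "oracle"},
                  {"jhunter", "oinstall", "asmadmin", "asmdba", "asmoper", "dba", "oper"}),
          end="")
```

Run as a script it prints the same three user entries and seven group entries as the edited people.ldif and group.ldif above, separated by blank lines as ldapadd requires. Whichever tool produces the file, it carries the /etc/shadow hashes, so write it with mode 0600 and remove it after the import.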
Notice that oracle was able to authenticate through LDAP and log in to the machine. Since this was the first
time logging in as oracle, the home directory was automatically created. Also notice that the oracle user
account and the associated groups are not listed in /etc/passwd and /etc/group on the local system. This
account was authenticated through LDAP and uses the values from the LDAP server for the account.
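A check for the observation above, that oracle resolves through LDAP while not appearing in /etc/passwd or /etc/group, as an added example that is not part of the original guide: it asks the NSS stack (the same lookup path a login uses) and compares the answer with the local files. The file paths are the defaults and the names tested are assumptions; on the client in this guide account_source("oracle") is expected to return "directory", and on a machine without LDAP it returns "missing".

```python
"""Where does an account come from: /etc/passwd, or only NSS (files, ldap, ...)?

Added example for this guide, not part of it. pwd/grp go through the same NSS
stack a login does, so on a client configured for LDAP a user that exists only
on ldapsrv (oracle in this guide) is reported as "directory"."""
import grp
import pwd


def local_names(path):
    """Names defined in a local colon-separated file such as /etc/passwd."""
    try:
        with open(path) as fh:
            return {line.split(":", 1)[0] for line in fh
                    if line.strip() and not line.startswith("#")}
    except FileNotFoundError:
        return set()


def account_source(name, passwd_path="/etc/passwd"):
    """'local' if in the file, 'directory' if only NSS resolves it, else 'missing'."""
    try:
        pwd.getpwnam(name)                # resolved in nsswitch.conf order
    except KeyError:
        return "missing"
    return "local" if name in local_names(passwd_path) else "directory"


def group_source(name, group_path="/etc/group"):
    """Same classification for a group."""
    try:
        grp.getgrnam(name)
    except KeyError:
        return "missing"
    return "local" if name in local_names(group_path) else "directory"


def describe(name):
    """id(1)-style view of a resolvable user: ids, home, shell and the
    supplementary groups whose member list names the user."""
    e = pwd.getpwnam(name)
    supplementary = sorted(g.gr_name for g in grp.getgrall() if name in g.gr_mem)
    return {"uid": e.pw_uid, "gid": e.pw_gid, "home": e.pw_dir,
            "shell": e.pw_shell, "supplementary": supplementary}


if __name__ == "__main__":
    for user in ("root", "oracle"):       # oracle: the guide's LDAP-only account
        src = account_source(user)
        print(user, src, describe(user) if src != "missing" else "")
```

If a name is reported as "directory" but id(1) shows different uidNumber/gidNumber values than the LDIF you imported, the entry was edited after export or another NSS source answered first; check the order in /etc/nsswitch.conf before trusting the login.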