Articles,OS X,Server February 7, 2014 at 4:07 pm

Clean Migration of Existing Open Directory Users to a New Mavericks Server

For many reasons, you may find yourself needing to start a new Mavericks Open Directory server from scratch. In this article, I’ll go over how to import your existing users from an older Open Directory server and import them to your new Mavericks server. I will also use a tool called Passenger to import known passwords for your users.

In my environment, I have a Mountain Lion Profile Manager 2 server which also runs Open Directory. This server was originally a Lion Server, with user accounts imported from a Snow Leopard Open Directory server. I imported these users to the Lion server with Workgroup Manager. I had to do this, because Lion Server was so incredibly broken that migrations, archive/restores, simply did NOT work. So Exporting/Importing via Workgroup Manager was my only solution.

However, much to my dismay, because I had imported my users with Workgroup Manager, many Service ACLs were borked. For example, my Open Directory users could not access http://server.com/mydevices. So the time had finally come for me to rectify this with a clean Open Directory server.

Step One: Export users from Workgroup Manager

Connect to your existing Open Directory server with Workgroup Manager. Highlight the users you want to export from your Open Directory, making sure to exclude the original Directory Administrator account. Command-A to select all and command-click to deselect Directory Admin works well.

Under the Server menu, select Export. This creates a colon delimited file that contains all of your user records. Repeat this export for your user groups.

Step Two: Import your users and groups into Server.app

Note: configuring Mavericks server and turning on Open Directory is left as an exercise for the reader.

Open up Server.app and go to Manage > Import Accounts from File

Import in Server.app

Import in Server.app

Select your users export first. This ensures when you import your groups, group membership is preserved. By importing your users with Server.app and NOT workgroup manager, this ensures that all the proper SACLs are set for your users. This seems to be working properly in Mavericks server (Finally!). Repeat the process for your group export file.

Step Three: setting passwords for your users

For some of our users, we set the passwords and do not allow them to make changes. For these users, I used a program called Passenger, an OD account management tool. I created a csv of my users shortnames and the passwords I wanted to assign. I also included two additional fields from my existing Open Directory (Company and Building). For some reason, the WGM export does NOT export these fields, even though they are standard attributes!

Export settings for passenger

Export Settings for Passenger

Passenger creates a colon delimited file that you can then import with Workgroup Manager. When you import this file, make sure to select “Append to existing users” and it will set the password for all of your users (and add those 2 fields in my case).

Passenger can also auto-generate passwords based on a pattern you specify, and then you can set a global password policy to “change password on first login”.

Through this method I was able to export all of my existing users from an old Mountain Lion OD server to a new Mavericks OD server. You can’t save passwords, but you can set them systematically and give users options to reset their password on first login.

About Derick Okihara

Mac and iOS systems integrator for a private K-12 school in Honolulu, Hawaii.

Leave a reply

You must be logged in to post a comment.