Contribute  :  Advanced Search  :  Directory  :  Forum  :  FAQ's  :  My Downloads  :  Links  :  Polls  
AFP548 Changing the world one server at a time.

advanced search 

Sections

Home
AFP548 Site News (107/2)
Articles (282/26)
Apple (50/2)
Extended KB (3/1)
Ask AFP548 (16/42)
Reviews (5/1)
Security (16/2)
Tips (130/8)
Third Party Applications (53/6)
Odds and Ends (28/1)
Podcasts (2/0)

User Functions

:

:

Don't have an account yet? Sign up as a New User
Lost your password?

Poll

Do you want push services for the iPhone on Mac OS X Server?
Yes! Expand the existing stuff!
Yes! Apple should add EAS support!
No! I just use another service that already has push.
Results
80 votes | 0 comments
Welcome to AFP548
Thursday, July 29 2010 @ 09:23 am MDT
   

Migrating LDAP Users and Passwords to a Clean 10.4 Server

Thursday, August 11 2005 @ 02:00 pm MDT
Contributed by: andrina
Views: 35,977
ArticlesIt was a dark and stormy afternoon when Ian (maccanada) and I sat down to fight the beast that is LDAP migration from an up and running 10.3 Server to a brand new, out of the box, 10.4 server. Lucky for you, the battle was won by us, and the gory details of the fight will lay themselves out for you as you read on...

Revised Password Server details in article Aug 11, 2005

So, here's the deal, We have a production 10.3 server that has previously had a similar trick as we're about to play out done to it to go from 10.2. I'd have to say this round through was considerably easier, but not without its caveats!

The end goal is to have a 10.4 server, with our LDAP users AND passwords, and to have this all running on a nice new shiny install of 10.4, not an upgrade in place from 10.3. After all we all deserve a new server from time to time, don't we?

N.B.Our original server is running 10.3.9 - there was a change in the LDAP schema between 10.3.8 and 10.3.9, for the following instructions to work smoothly, make sure you start with a 10.3.9 server, or upgrade to 10.3.9 and then continue.

First things first, we need to get all the user records from our 10.3 server. This is all going to be done without disturbing our production server. We're going to grab everything into an ldif file.

sudo slapcat -l /path/to/file.ldif
While we're here, we're going to grab our password server database also. In reality you should already have a backup of this database - right?

Make a directory where you want your database files to go to:
sudo mkdir /path/to/backup_directory
Then backup your password server database to that same directory:
sudo mkpassdb -backupdb /path/to/backup_directory
Now, here's the fun part - remember I said earlier that my production server was the previously battled beast that had users and passwords previously migrated to it from 10.2? This left me with anomalies in my LDAP schema, which once found, were remarkably easy to deal with. As some of you may have noticed there was an addition to the schema in 10.3 of the sn attribute, while I won't go into all the details, records without the sn attribute won't import into 10.4.

So, how to get around that - open your ldif backup file in your favourite text editor, I like TextWrangler (not only does it work really well, but it's Free!) and do a find for structuralObjectClass: inetOrgPerson and replace it with sn: 99. Now, you may not have any of these to find and replace, and that will be totally normal if your server has only ever lived it's life as a 10.3 server, and in this case, just carry on with the next steps.

There's one more modification we have to make to this ldif file, we're going to remove the root user account, and the admin user account - in my case this is the user with UID 0 and UID 501. Not removing these causes all sorts of havoc on your 10.4 machine with the diradmin user.

What you're going to be looking for is something like the following to remove:

dn: uid=root,cn=users,dc=example,dc=com
shadowExpire: 0
uidNumber: 0
uid: root
cn: System Administrator
shadowLastChange: 0
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
sn: 99
entryUUID: e8d1a0d0-3fa3-1028-9a37-8b0744a1cd20
creatorsName: uid=root,cn=users,dc=example,dc=com
createTimestamp: 20040521185336Z
homeDirectory: /private/var/root
gidNumber: 100
apple-mcxsettings:: *whole lot of mcx gibberish removed from here*
apple-mcxflags:: *more mcx gibberish removed*
entryCSN: 2004090321:18:39Z#0x0032#0#0000
modifiersName: uid=admin,cn=users,dc=example,dc=com
modifyTimestamp: 20040903211839Z
userPassword:: e0NSUDNEfUp5hYmiDSmQzbTl1iDV=
So, remove that whole lump from your ldif file, as well as a similar lump for your admin user - generally this will be the user with user id 501 - you could to a search in your ldif file for uidNumber: 501 to help narrow it down.

Now, set up your shiny new 10.4 server as an Open Directory Master, make sure kerberos is running - if it's not running, do not pass go, do not collect $200 - you've got to fix this first! I'm putting my money on your DNS server...

It's important at this stage to make sure your search base matches that on your old server or your LDIF file won't import properly - you'll get 'container not configured to hold' errors as slapadd tries to dump stuff into the wrong place in OpenLDAP.

So, you have an Open Directory Master, Kerberos is running, and in Workgroup Manager you have a total of one client - your Directory Administrator. We need to back up our password server database at this point on our new 10.4 server - exactly the same process we went through on the 10.3 server for backing up the database there, we're going to do it again now:

sudo mkdir backup_from_new_server
sudo mkpassdb -backupdb backup_from_new_server
We're interested now in the new RSA key that's been created on our 10.4 server, on the new server do the following:

mkpassdb -dump
Look for the section prefaced with "Public Key:". It will be a string of numbers that probably start with 1024 ended by root:your.server.com. Copy all of this.

Open up your ldif file again, and have a look for any user's "authAuthority" record. After authAuthority the entry should contain ";ApplePasswordServer;" then the slot ID of the user, and then the previous RSA key from the old server. Notice that your old RSA key probably ends with "root@server.example.com:ip address", from the mkpassdb -dump you did earlier, find all of the current RSA keys, and replace them with the new RSA key from your 10.4 server with the new IP address on the end of the key. I did this very easily with find and replace in text edit. Save your ldif file.

Time to move in the new neighbors! Copy over the ldif file and the directory of all your password server data to your 10.4 server. First things first, lets get the ldif file imported:

sudo slapadd -c -l file.ldif
You can open up Workgroup Manager and confirm you've got the right number of accounts in there now. If you run into problems at this step, check things like the base DN you used when you promoted your machine to an OD Master (see above).

Assuming all your expected users now show up in Workgroup Manager, time to match up your users passwords - this is where we're using both password server backups, we're using mergeparent rather than just mergedb to preserve the current identity of the password server:
 sudo mkpassdb -mergeparent backup_authserver_folder backup_from_new_server
Now the moment of truth - has it all worked.... simple check, su to a user (probably yourself) that you know the password of from your 10.3 server, if that same password now works on your 10.4 server you have successfully followed all the steps! If not, you have a few episodes of turning your machine to a standalone server and promoting to an OD master ahead of you - not to worry though, my server has gone through this particular episode several times today and has lived to tell the story.

Last thing, how about some kerberos goodness? If you were to try and get a ticket at the moment you'd have an error along the lines of not knowing who the user was (because it isn't in the database), simple fix, kerberize the passwords in your password server database:
mkpassdb -kerberize
N.B. This is assuming you haven't customized kerberos on your 10.3 server, if you do have customizations there you are going to want to back this up with 'kdb5_util dump' and move it over with 'kdb5_util load', for simplicity we haven't gone into details of this here.

So there you go, fully up and running with no hint of an upgraded server in sight! Course, the next bit of pleasure is going to be filling in all those fields we now have available to us on the info tab of Workgroup Manager... Keep your eyes peeled for a script to that effect coming soon.

 

What's Related

Story Options

Advertising

Migrating LDAP Users and Passwords to a Clean 10.4 Server | 86 comments | Create New Account
The following comments are owned by whomever posted them. This site is not responsible for what they say.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: dsh1705 on Monday, June 20 2005 @ 01:24 pm MDT
I have a few Kerberos stories to add - promotion and demotion of an OD
master will have issues if you have a Windows PDC setup, as well....
maybe more on that later (it still smarts!).

The "pre-populated" LDAP search base when you go to promote to an OD
master is the FQDN of the server - is this correct? Shouldn't the search
base be just the domain name? (e.g dc=example, dc=com - NOT
dc=server, dc=example, dc=com). Just wondering...

A great way to tell if you will be successful in getting Kerberos setup is
whether the Kerberos field is filled in when you attempt to promote to a
OD master. Even if it does, do not believe you have it - restart first.

Now if someone can just figure out why 1/2 of my 10.3.9 clients offer the
choice to be managed by the Workgroup Manager on login and 1/2 do not,
I think I may just take a vacation......
Couldn't have come at a better time...
Authored by: philletourneau on Tuesday, June 21 2005 @ 10:02 am MDT
I'm taking delivery of a shiny new xserve next week and I will need to perform
this very task. I'll let you know how it goes... expect one of two possible
strong emotions (and possibly foul language) in my followup.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: gregg_mllr on Tuesday, July 05 2005 @ 04:17 pm MDT
I see the part of these directions that say that your seach base needs to be
the same, mine isn't. I'm getting the errors you speak of. How do I change
the search base for one of the servers?
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: Anonymous on Wednesday, July 06 2005 @ 01:53 pm MDT
This didn't work for me! It worked all the way up to the merge. It seemed like it
worked but I was not able to auth. with any users names and passwords. No
errors, just didn't work.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: Anonymous on Friday, July 08 2005 @ 03:25 pm MDT
Can anybody tell me how to change the home directory for all users during
the migration process ?
The original user home directories were in the format :
/Volumes/blah/user_name
The new user home directories would be in the format:
/Users/user_name

Also, the migration process seems to throw errors for users who do not have
home directories. Any way for getting around this?

Thanks,
-J
homeDirectories...
Authored by: Aaron on Friday, July 08 2005 @ 11:02 pm MDT
A note on the LDAP import: Most of my users have no home directory.
However, the import requires a "homeDirectory:" entry in the ldif file. This
should be followed by either the path to the home directory, or a "99" for None.
Without this line, the LDAP importer will reject users.

I did a search for inetOrgPerson to find all the users (as opposed to groups,
configs, etc.), and made sure each user included either a real homeDirectory
entry or a "homeDirectory: 99".
Problem with some (OK, one) user
Authored by: Anonymous on Monday, July 11 2005 @ 10:06 am MDT
Having done such a migration following your example over a weekend, I then
took Monday and Tuesday off. Phoned in on Monday to check that the boss
and others could log in - no problems. A few apps were missing
(hadn't yet set up /Network/Applications - oops!) but otherwise all went well.
Except, when I got back, I found that one user couldn't log in at all. Sit him
at a client, put username and password in, nothing. Check the logs; nothing.
OK, may be a bad password. Set him a new password in WGM and try again,
nothing. Check in the client's logs *and* the OD logs in server admin,
definitely nothing. grep for him user name in /var on both - nothing.

So I exported his user and another (working) user from WGM and compared
the files - identical in everything except UID, username, etc. Both users were
migrated in the same process, so why doesn't one of them work and where
can I find out why it doesn't work? I've heard it said that there are 23 things
which can cause the login window to shake, but nothing to explain *which*
reason was the cause in any particular instance.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: peet1 on Tuesday, July 12 2005 @ 06:48 pm MDT
First a thanks to andrina. Second, I ran into a caviot that I didn't expect. I built
a test server and migrated my settings to that server, then brought up my new
server. The problem? Two of the sam serial numbers on the network. It seems,
but I'm not positive, that a serial number conflict turns of the PWS of the
offending server. In my case it turned off the production server, not the DHCP'd
test box.

And definately watch out for the homedirectory issue.

peet
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: Anonymous on Wednesday, July 13 2005 @ 05:26 pm MDT
Hi There,

I am having some difficulties and I am pretty sure I can ignore them but I
would like to know what you think.

I am coming from a 10.3.9 server. Search Base is 'dc=domain,dc=com'
Kerberos realm is 'SERVER.DOMAIN.COM'

I have setup the OD Master on a new server. This server has a different IP
address and a different FQDN. When creating the ODM I changed the search
base from NEWSERVER.DOMAIN.COM to DOMAIN.COM to match the old
search base. The kerberos realm however I left at
NEWSERVER.DOMAIN.COM, which is different from the OLD server.

When I import the users into the new server via the slapadd command I get
the following errors, I am concerned with the first one specifically. If I
complete the rest of the article I do not get any further errors but I am not
able to SU to any of my users. I get the password field, I enter the
password, it sits there for a good 30-40 seconds and then says 'sorry'.

Thanks a bunch

slapadd output:

slapadd: dn="dc=domain,dc=com" (line=10): (64) value of naming
attribute 'dc' is not present in entry
slapadd: could not add entry dn="cn=config,dc=domain,dc=com" (line=20):
txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="ou=macosxodconfig,cn=config,dc=domain,dc=com" (line=911):
txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=mcx_cache,cn=config,dc=domain,dc=com" (line=924):
txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=ldapreplicas,cn=config,dc=domain,dc=com" (line=938):
txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=passwordserver,cn=config,dc=domain,dc=com" (line=970):
txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=users,dc=domain,dc=com" (line=980): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=groups,dc=domain,dc=com" (line=990): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=admin,cn=groups,dc=domain,dc=com" (line=1031): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=mounts,dc=domain,dc=com" (line=1041): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=machines,dc=domain,dc=com" (line=1061): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=computers,dc=domain,dc=com" (line=1071): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=computer_lists,dc=domain,dc=com" (line=1081): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=locations,dc=domain,dc=com" (line=1091): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=people,dc=domain,dc=com" (line=1101): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=printers,dc=domain,dc=com" (line=1111): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=presets_users,dc=domain,dc=com" (line=1121): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=presets_groups,dc=domain,dc=com" (line=1131): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=presets_computer_lists,dc=domain,dc=com" (line=1141):
txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry dn="cn=autoserversetup,dc=domain,dc=com"
(line=1151): txn_aborted! DB_KEYEXIST: Key/data pair already exists
(-30996)
slapadd: could not add entry
dn="cn=neighborhoods,dc=domain,dc=com" (line=1161): txn_aborted!
DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=KerberosKDC,cn=config,dc=domain,dc=com" (line=1185):
txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
slapadd: could not add entry
dn="cn=KerberosClient,cn=config,dc=domain,dc=com" (line=1213):
txn_aborted! DB_KEYEXIST: Key/data pair already exists (-30996)
dc=domain,dc=com



Users import fine, but no auth?
Authored by: cnicholson on Thursday, July 21 2005 @ 08:15 am MDT
There seems to be several of us having the same problem. Let me give some
history and maybe this can shed some light on it.

After running backups mentioned here, I ran a straight upgrade on my server
from 10.3.9 to 10.4. Upgrade ran fine, smooth, no errors... gave me a BLANK
OD DB when it was done (fair warning to all of you planning a "simple"
upgrade...) So, I thought, I'll do it the hard way from the article. I ran the
backup for current passdb, imported the ldif file (void of root and my admin
user, all users/groups/etc came in), and ran the mkpassdb merge, which ran
fine (alarmingly fast, as someone else reported...) and after this, NO imported
users could auth. I changed the passwd on one user, and STILL could not
auth (rebooting each time I tried a new thing). Finally, I changed the user to
CRYPT password, got an error, changed back to OD passwd, set the passwd,
and can now auth as that user.

Now, for the "more". I figured "must be a 10.4 thing", so I upgraded the box
to 10.4.2, standalone, re-setup ODM, tried again, same thing. After four or
five attempts at this, I thought, "must be a 10.4.x thing" and started with an
existing 10.3.9 server. Same thing, with ODM running, KERBEROS working,
import ldif file, users/groups fine, mergeparent on mkpassdb, and NO auth
from previous password db.

I have about 3700 users.

I'm hoping this info "jogs" someone's memory... ??
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: professor_jc on Saturday, July 30 2005 @ 02:29 pm MDT
First thank you so much for the time you took to helping us and writing the
instructions.
I have two questions about the migration.

1. I did everything as you instructed and I had no errors it looked like it
worked great. But when I went to login in as a user I get an error: (You are
unable to log in to the user account “any user” at this time. Logging in to the
account failed because an error occurred. The home folder for the user
account is located on an AFP or SMB server. Contact your system
administrator for help.) The second error that I am in countering is when I
go to create a network mount for home directories I get Directory Services
error. An unexpected error occurred while writing to directory Services. This
started after I flowed your instructions. Please understand I ma not saying
this is anyone’s fault but my own for not knowing more. But if you or anyone
has any idea I would love to know why is happing. Thanks again for your
time.

Second questions. Not able to add new users Error on type of eDSRecord
found

Thank you
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: jacob on Thursday, August 11 2005 @ 06:46 pm MDT
Thanks for the article, very useful information.

I'm leapfrogging from a 10.2 server to a 10.4 server and I'm trying to figure out
how to export passwords from the old 10.2 box. I have a mixture of crypt and
Open Directory passwords and the mkpassdb utility doesn't offer the option to
dump the password database in 10.2. Is there another way of exporting the
password data under 10.2?

Thanks.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: gw1500se on Friday, August 12 2005 @ 09:12 am MDT
I didn't see this mentioned specifically so I need to ask before I foul things up. Is there going to be a issue with the different realms? The old server has realm of OLDSERVER.MYDOMAIN.COM and the new server has the realm NEWSERVER.MYDOMAIN.COM. When the old KDC database is imported/merged won't that confuse the new KDC? TIA.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: Anonymous on Saturday, August 13 2005 @ 04:55 am MDT
Thank you very much for your contribute. i have just migrate my test server
without any password lost. Great.
I have made also made some modification. Since in 10.3 ldap search base
automatically was dc=domain,dc=com and in 10.4 is
dc=host,dc=domain,dc=com, I have also changed this in my ldif file before
importing and every seems to work well.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: aderium on Sunday, August 14 2005 @ 08:58 am MDT
Our concern is that the OD is responsible for SMB for our Windows Clients.

Is there any other work we need to do when moving the OD to a fresh 10.4 server so that the windows user can enjoy their PDC rights?

Thanks
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: Anonymous on Saturday, August 20 2005 @ 08:07 am MDT
Is it possible to do this using 10.4 - 10.4? I have a hosed 10.4 server I want to
get the users and groups out then start over?
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: sap on Friday, August 26 2005 @ 06:15 am MDT
Hi,

I try this method to export users without loosing their passwords, but my OsX
server (10.3.9) is configured as a "stand alone machine" and i see in /var/db/
netinfo directory I have only local.nidb file.
No network.nidb at all.

So if I try to send first terminal command (slapcat) I obtain this error:

/etc/openldap/slapd.conf: line 20: could not open datasource "/var/db/
netinfo/network.nidb" flags [00000401]
slapcat: bad configuration file!

How can I solve this thing?

Thank You in advance....
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: Anonymous on Sunday, September 18 2005 @ 08:44 pm MDT
Do any of you guys know if it makes any differecen weather the pass of the users
of the 10.3.9 machine is either Crypt Password or Open Directory? This option is
the the Advanced tab of Workgroup manager.

I folowed these steps before and it worked ok on a couple of other servers.
Now, i've done the same but the only difference i see is the way the password is
stored.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: Anonymous on Tuesday, October 04 2005 @ 04:48 pm MDT
I am kind of new to the whole world of Open Directory. I have Mac OS X
Server 10.3.9 installed and until this evening I had it configured as a stand
alone server. I have users that log into it remotely to upload new web
pages and php code so this has been fine.

I want to start hosting Subversion on the server and I thought I could
maybe use the mod_auth_ldap for Apache 2.0 so that I could continue to
have all my authentication info in one place.

So I switched my Open Directory from Standalone to Open Directory
Master.

This does start the slapd service and I can access a ldap directory but all of
my previous accounts are not available there. They are in the /netinfo/
root.

It seems like I can recreate accounts in the LDAP side and remove them
out of the /netinfo/root but I really am not sure this is the way to go.

I am have been searching all over to find information to build my
knowledge of Open Directory but I seem to not be getting very far.

You seem to know more than I do about this. Any suggestions? Words of
wisdom? I am sure that much of my problem comes down to a general
lack of understanding of Open Directory. I have a better grasp of
OpenLDAP but that only seems to be a part of Open Directory.

Thanks for any help you may be able to provide.

Doug
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: sterling on Wednesday, October 05 2005 @ 05:28 pm MDT
Once everything is up and running my new server will be switched over to the
IP address/DNS name of the old server. Is there anything I need to worry
about for this switch?
Problems with the Passwords on the New Server not working
Authored by: tripleintegrals on Tuesday, November 22 2005 @ 07:06 am MST
Thank you for you article, it has given me hope. However, I follow all the
steps, but in the end I can't login to the new server with a network user.
Here is my story:

I was able to export all my data from my panther server with slapcat.
However, after following your steps, I was not able to import the data using
slapadd. I would also get an error saying that there was a parse problem on
the last line. I found on the internet that it may be a problem with
something that might have been opened and not closed. I searched my ldif
file for all the characters that open something like ({[<'" but all I found were
things like "O'Dell" as a last name. I took all the apostrophes out of names
just in case, but to no avail. It still had the same error.

I found that if I just left the user entries in my ldif file it would import fine,
but I wanted the computer lists and other goodies. I tried two things:

First, I found that if I connected to my panther server with the tiger version
of Workgroup Manager I could export more of my preferences and then just
import them, including the users. Then I tried to do a merge of the
password databases. I could do a dump using mkpassdb and see that all the
passwords had imported, but when I tried to login I couldn't. I could login if
I reset the password in Workgroup Manager. Moving the users over this way
seemed to be okay, but I questioned whether or not was why the passwords
didn't work.

So then I tried to import an ldif file with just my user record in it, and then
did a merge. I still couldn't log in.

Why is it that the passwords seem to move yet somehow don't let me login?
Thanks for your help.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: smkymtns on Friday, December 30 2005 @ 10:26 pm MST
I am sure I am not the last person to migrate to Tiger, so I thought I would pass along this regular expression I used in TextWrangler to replace the RSA keys. It will find both the ApplePasswordServer and Kerberosv5 keys. Make sure to check the "Use Grep" box in the find and replace dialog. Enter "35\s(.*\r\s)*.*\sroot" as your search string and "35 newkey root" as the replace string (without the quotes!).

Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: Anonymous on Wednesday, January 04 2006 @ 04:46 pm MST
I followed your steps with much success. Thanks! However now that I am
finished I noticed in the authAuthority for each record that I correctly switched
to the new RSA key, but not for the Kerberosv5 authAuthority records.

Is there some easy way to change the RSA key in the Kerberosv5 records
without reimporting?

Since it is already working, what are the consequences of leaving the
Kerberorsv5 records the way they are with the old RSA key?
Authentication Solution
Authored by: marcray on Friday, January 06 2006 @ 05:02 pm MST
Hello All,

I was having an authentication issue after having followed these instructions
where everything would go fine except passwords were not working. I could
not update passwords nor su to anyone's account. However I figured out the
issue was one of two things.

1. I had 2 "VPN MPPE Key Access User" accounts after importing my ldap file.
So i deleted one before importing the passwords.

2. On the search and replace of the RSA key I noticed my text editor was not
finding every instance of the key. I think this has something to do with line
breaks but I had to search for the key about 10 time doing about 10 replace
all commands. Rather than search for the whole key i would search for the
first 5 numbers and copy the whole key again each time it found it, and then
doing a replace all. This I think only happened on the kerberos part of a users
record where it lists the RSA key a second time for each record.

After doing both of those I am up and running on a clean install with all my
ldap users, preferences, and passwords working.

AFP548 ROCKS!
busted Homes
Authored by: Anonymous on Wednesday, March 15 2006 @ 10:55 am MST
I had the same thing "professor jc" stated last July... "home folder located on an afp or smb server" error.

The basic instructions worked great: I removed the root/admin entries, made sure everyone had "homeDirectory: 99" or an actual home, fixed the authAuth keys, and it all looked cool. I was very happy.

But then I couldn't log in as anyone with an actual home directory. No matter what goofy permutation of home directory share point and paths and all that in WGM it never worked.

For the time being I've had to roll back to 10.3

The one thing I thought of the next day was that I didn't have my share points set up before I imported my users. Of course I wanted to get the users & passwords over before doing anything, and then I set up the rest of the server.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: atari8472 on Wednesday, June 21 2006 @ 05:01 pm MDT
I have sucessfully completed this operation a couple of months ago ... thanks for the inspiration ... I mean information :-)
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: jonosx on Thursday, June 22 2006 @ 10:57 pm MDT
This just keeps getting wierder.

All instructions followed, and I can su to any user from any user with the correct password, that part is GREAT and thank yoU!!

BUT-

Now the AFP and SMB clients can log in to their client machines just fine, but the Fedora Linux clients (configured using authconfig) cannot.

The error in the clients' logs is:
pam_ldap: error trying to bind as user "uid=username,cn=users,dc=department,dc=university,dc=edu,dc=au" (Invalid Credentials)

I've changed some of the entries there for privacy, not that it really matters here.

The search base is set to: "dc=department,dc=university,dc=edu,dc=au"

The wierd thing is that I can do ldapsearch, finger and id from the client and get exactly the right info, I just can't log in.

I'm beginning to wonder if I shouldn't have Kerberized the server, not that we seem to have a choice with that.

Any clues anybody ?
Make passwords work: drop other authAuthority lines
Authored by: Anonymous on Thursday, July 27 2006 @ 03:06 pm MDT
If you are having trouble getting authentication working, keep an eye out for other authAuthority lines. I had an 'authAuthority: ;Kerberosv5;' line in my backup.ldif. When I loaded with that I couldn't auth, couldn't even reset my password then auth with the new password. The earlier suggestion here of going to crypt then back to OD would let me auth, but I'd have to have had all users reset their passwords. Ick!

Trying again on a hunch, deleting every Kerberos authAuthority line and re-importing, passwords worked just fine from the get-go. Can change them, etc, etc. Now, it should be noted we don't use Kerberos for anything, so losing that password isn't a problem.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: Anonymous on Thursday, August 24 2006 @ 10:54 am MDT
Thanks!!! Great.

I used this method to rebuild a failed Kerberos on my live server. This method worked first time and saved me all the hassle of rebuilding the server from scratch.

Just to let you know that my scratch 10.4.2 server still had some of those quirks from early 10.3. I removed them just in case and everything works great now.

Any chance on making this a permanent "How to" guide? including all of our workarounds?

Thanks again.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: Anonymous on Friday, January 12 2007 @ 02:39 pm MST
I am in the process of rebuilding a server that someone else setup and there are no notes on the setup. I was guessing that it had been 10.3 server that was upgraded, but it might have been a 10.2 server. So the discussion about the structuralObjectClass: inetOrgPerson and sn: 99 was a bit confusing. I think that after all this machine started out as a 10.3 server, so I didn't need to do that replacement. I did it, and things didn't work, and all of the user accounts had two sn: fields, one with 99 and the other with the user's lastname.
Migrating LDAP Users and Passwords to a Clean 10.4 Server
Authored by: Anonymous on Friday, January 12 2007 @ 03:32 pm MST
Oops, to be more clear, sudo mkpassdb -dump actually looked like this: Public Key: 1024 35 12423160304426714335005716064725220897943491079980773518875 0028412654091980391373656423629496318519960851281206911280101396257153850834518 5426135167600605293531552974235780138406509950019610488671583995521035957594210 4807594638590272480912154090365941288508420064422805512775964087804525278442578 8263537507129 root@bam.idmi.poly.edu
SOME MORE TIPS
Authored by: Anonymous on Thursday, August 09 2007 @ 10:34 am MDT
Thanks a lot for this hint, it works !!

In my case, I have change the IP address and the domain of my clean new 10.4.

Some more tips to help:
- verify that all of your users have a "sn" field. If not, see below.

All searches are made with TextWrangler with "use Grep" option

- to search the password string use this regular expression:
35s(.*\r\s)*.*\s*(your.old_machine.ip.address)
replace with exact string found with a slapcat of the new OD on 10.4. (slapcat -l yourfile.ldif)
For example this is mine:
35\r 1533139438058403541406380596048214441162559245152909584069320131284086549388\r
54608750812474120486433423614620702741799450042961623102985422718129730296962\r
18720246058447279074482498973003979407246680576649890296624722812068024430888\r
64423490314925981703102419661374148438706258935855223599376335315144093540355\r
91 root@host.new.domain:your.new.ip.address

- I have removed the Kerberos string because it has not the same public key for all of my users... so this is the search string:
(authAuthority: ;Kerberosv5;)(.*\r\s)*.*\s*(host.old.domain)\s
to replace with nothing to delete it.

- Because many parameters change with the new homeDirectory, I decided to delete it and recreate the homedir after reimporting.
It's the search string to replace with none:
(apple-user-homeurl)(.*\r\s)*.*\s(homeDirectory)(.*\s)(.*\s)

WARNING ! The importation NEEDS to have a homeDirectory field to import records.
So, I noticed that the user field "userPassword" is fidentical for all accounts, so I can use this to isolate the users for adding fields. The search string is:
userPassword:: KioqKioqKio=
then you can replace with the text below to add the required field such as "homeDirectory" and/or "sn"
userPassword:: KioqKioqKio=\rhomeDirectory: 99
or
userPassword:: KioqKioqKio=\rhomeDirectory: 99\rsn: 99

Be careful ! In case you have extended the LDAP schema in 10.3 (like I did ;), don't forget to remove thoses fields before importing the ldif file in 10.4.
(or extend the 10.4 schema before import).

After that, you can import the ldif file and merge the password db and all works fine :)

Jeko

 Copyright © 2010 AFP548
 All trademarks and copyrights on this page are owned by their respective owners.		 Powered By Geeklog 
Created this page in 0.55 seconds