使用 OpenLDAP 集中管理用户帐号
Fedora 9下安装Fedora Directory Server
2008/10/05 19:30 | by http://www.padl.com/OSS/MigrationTools.html
The MigrationTools are a set of Perl scripts for migrating users, groups, aliases, hosts, netgroups, networks, protocols, RPCs, and services from existing nameservices (flat files, NIS, and NetInfo) to LDAP.
The tools require the ldapadd and ldif2dbm commands, which are distributed with most LDAP servers derived from the University of Michigan LDAP distribution. The source code for these is available with OpenLDAP. Additionally, Netscape provide an implementation of ldapmodify which subsumes the functionality of ldapadd. If you are using Netscape's Directory Server, you should set the $NSHOME and $serverId environment variables to assist the MigrationTools in locating your LDAP database and LDIF tools; they will use ldapmodify instead of ldapadd.
These tools are freely redistributable according to the license included with the source files. They may be bundled with NIS/LDAP migration products. See RFC 2307 for more information on the schema used by these scripts. THIS SOFTWARE IS PROVIDED "AS IS" WITHOUT EXPRESS OR IMPLIED WARRANTY AND WITHOUT SUPPORT.
Scripts
- migrate_base.pl creates naming context entries, including subordinate contexts such as ou=people and ou=devices.
- migrate_aliases.pl migrates aliases in /etc/aliases to entries conforming to the rfc822MailGroup schema. Organizations who have deployed LDAP-based messaging solutions, such as Netscape's Messaging Server, may wish to use a different schema for representing mail aliases. Ypldapd does not use X.500 groups (such as groupOfUniqueNames) for mail alias expansion because flattening an arbitrarily nested group at runtime may be expensive. (It is possible to write a ypldapd plug-in to support such a schema, however.)
- migrate_group.pl migrates groups in /etc/group
- migrate_hosts.pl migrates hosts in /etc/hosts
- migrate_networks.pl migrates networks in /etc/networks
- migrate_passwd.pl migrates users in /etc/passwd. Note that if users are allowed read the userPassword attribute, and your LDAP server doesn't support authenticating against hashed passwords then anyone may read the userPassword attribute's value and authenticate as that user. Modern LDAP servers, such as Netscape Directory Server, support authenticating against hashed passwords, so this is not an issue. The OpenLDAP LDAP server also supports such authentication.
- migrate_protocols.pl migrates protocols in /etc/protocols
- migrate_services.pl migrates services in /etc/services
- migrate_netgroup.pl migrates netgroups in /etc/netgroup
- migrate_netgroup_byuser.pl migrates the netgroup.byuser map. It requires revnetgroup.
- migrate_netgroup_byhost.pl migrates the netgroup.byhost map. It requires revnetgroup.
- migrate_rpc.pl migrates RPCs in /etc/rpc
Configuration
The configuration for these Perl scripts is contained at the head of migrate_common.ph:
| Perl variable | Description |
| $DEFAULT_MAIL_DOMAIN | The mail domain used for the mail attribute in migrate_passwd.pl when extended schema support is enabled. You may override this with the DEFAULT_MAIL_DOMAIN environment variable. |
| $DEFAULT_BASE | The naming suffix to use in entries' distinguished names. If undefined, this will be constructed by mapping the mail domain name into a distinguished name (eg aceindustry.com becomes dc=aceindustry,dc=com). You may override this with the LDAP_BASEDN environment variable. |
| $EXTENDED_SCHEMA | Enables extended schema support. This adds the organizationalPerson and inetOrgPerson object classes, amongst others, to users migrated by the migrate_passwd.pl script. |
| NAMINGCONTEXT | Determines the LDAP/X.500 naming context to use for a migration tool. The dictionary is keyed by tool (as in migrate_tool.pl). Values are concatenated with $DEFAULT_BASE by the &getsuffix() subroutine. |
The following environment variables control the behavior of the migration shell scripts:
| Environment variable | Description |
| DEFAULT_MAIL_DOMAIN | See above |
| LDAPADD | Path the ldapadd executable, for online migration (if not in the path or /usr/local/bin or /usr/bin) |
| LDIF2LDBM | Path the ldif2ldbm executable, for offline migration (if not in the path or /usr/local/bin or /usr/bin) |
| PERL | Path to the Perl interpreter (if not /usr/bin or /usr/local/bin) |
| LDAPHOST | Your LDAP server, for online migration. This is optional; you'll be prompted if the environment variable is not set. |
| LDAP_BASEDN | See above ($DEFAULT_BASE). This is optional; you'll be prompted if the environment variable is not set. |
| LDAP_BINDDN | The distinguished name to bind to the LDAP server as, for online migration. This is optional; you'll be prompted if the environment variable is not set. |
| LDAP_BINDCRED | The password to bind to the LDAP server with, for online migration. This is optional; you'll be prompted if the environment variable is not set. |
You will probably wish to use a shell script or makefile to automate population of your LDAP database, either off-lien (with ldif2ldbm) or on-line (with ldapadd). The migrate_all_*.sh shell scripts do this, but you may wish to customize their behaviour. The following table explains which migration scripts to use:
| Shell script | Existing nameservice | LDAP running? |
| migrate_all_online.sh | /etc flat files | Yes |
| migrate_all_offline.sh | /etc flat files | No |
| migrate_all_netinfo_online.sh | NetInfo | Yes |
| migrate_all_netinfo_offline.sh | NetInfo | No |
| migrate_all_nis_online.sh | NIS/YP | Yes |
| migrate_all_nis_offline.sh | NIS/YP | No |
