On 07/09/2009 09:35 AM, Prashanth Sundaram wrote:
I believe you are referring to the uidNumber and gidNumber attributes. File permissions use these numbers. These will remain the same when you export from OpenLDAP and import to 389.

Elaborating the Qs:

Question1: Since we have an existing LDAP server (OpenLDAP) and users were logging in to other dev, prod and testing servers using the passwords managed by this OpenLDAP server. I believe the way the member servers remember the user credentials is by assigning each user with a unique security ID. (please correct me if I am wrong) If that gets lost in migration, then my users' permissions will have to be re-assigned from scratch (pain for sysadmins). So my question was, will the users be able to login to member servers after migrating to FDS and still have same permissions and home directory folder and everything looks the same without panicking about any missing permissions or files.

A clear-text password is required to sync since different hashing schemes are used on each side. Passwords will only be synchronized when they are changed, which is what you want.

Question2.1: What will happen to the passwords that are different on the FDS and AD before the Sync. I do not want the passwords to be reset on FDS or AD after 1st sync but only future passwords changes to be Synced to FDS and AD and vice versa.

The uidNumber and gidNumber are used in *nix, not the actual uid. If you re-create a user using the same uidNumber and gidNumber, the permissions will still have the same net effect as they did with the old user entry.

Question2.1: I was working with windows before and noticed that the Windows saves users with a unique id. If that is lost or recreated, the previous permissions will no longer hold true for the user, even though the username is same. Is it same in Unix environment? Like say I delete a user account from FDS and a day after I re-create the ID, will the permissions stay intact?

Thanks,
Prashanth

https://www.redhat.com/archives/fedora-directory-users/2009-July/msg00013.html

On 07/09/2009 07:19 AM, Prashanth Sundaram wrote:

Dear fellow Fedora DS users and experts,

I am working on this new project where there is a two step process. We are currently using a poorly managed OpenLDAP server for over 3 years and planning to migrate to Fedora DS.

Scenario: OpenLDAP =====Migrate all users and passwords===> Fedora DS <----------PassSync-------> Windows AD

Question1: Is it possible to migrate current users (around 300 users) from OpenLDAP to Fedora DS along with the UIDs, Security id and passwords. Like everything looks same in users perspective.

It depends on the schema that is used, but this should be a case of exporting from OpenLDAP and importing to 389.

Question2: Is it possible to create a password sync between FDS and AD for all the above users. Yes, the username is same in both the directories.

Yes, you can sync passwords. A number of other common attributes are synchronized as well. These attributes are listed in the Red Hat Directory Server Administrator's Guide.

Question2.1: The users are stored with different Security IDs in windows environment than in OpenLDAP or FDS. Will that pose a problem?

I'm not sure what LDAP attribute you are referring to as the "Security ID", so I can't say if this will be a problem.

Question2.2: We have several domain controllers and Active Directory server which run in sync. Since the PassSync can only run on one server, will it be a problem that some passwords do not get sync because the user changed it on XP which redirected to a another server (without PassSync)?

You need to run the PassSync service on all domain controllers. It's the synchronization agreement that you set up on the 389 side that can only point to one domain controller.

If any of you has gone thru these issues and anything more, please respond to this thread or give me links. Thanks for your help and patience.

Prashanth

End of Fedora-directory-users Digest, Vol 50, Issue 8

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
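
The replies above say file permissions follow uidNumber and gidNumber, so a post-migration check can compare those values between an LDIF export from the old server and one from the new server. The sketch below is an added example, not code from the thread or from 389 Directory Server; the function names and sample entries are hypothetical, and accounts are matched on uid because the directory suffix may differ between the two servers.

```python
import base64

def parse_ldif(text):
    """Parse LDIF into {dn: {attr: [values]}}, handling folded lines and base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # folded continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = {}, {}
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if line.startswith("#"):                # comment line
            continue
        if not line.strip():                    # blank line ends an entry
            if "dn" in current:
                entries[current["dn"][0]] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def posix_ids(entries):
    """Map login name -> (uidNumber, gidNumber) for entries that carry both uid and uidNumber."""
    return {a["uid"][0]: (a["uidnumber"][0], a.get("gidnumber", [None])[0])
            for a in entries.values() if "uid" in a and "uidnumber" in a}

def compare_migration(old_ldif, new_ldif):
    """Return (login, problem) pairs for accounts whose numeric IDs did not survive."""
    old, new = posix_ids(parse_ldif(old_ldif)), posix_ids(parse_ldif(new_ldif))
    problems = []
    for login, ids in sorted(old.items()):
        if login not in new:
            problems.append((login, "missing in target"))
        elif new[login] != ids:
            problems.append((login, f"changed {ids} -> {new[login]}"))
    return problems

# Constructed sample exports (not from the thread); bob's uidNumber differs in NEW.
OLD = ("dn: uid=alice,ou=People,dc=old,dc=example\nuid: alice\nuidNumber: 1001\ngidNumber: 1001\n\n"
       "dn: uid=bob,ou=People,dc=old,dc=example\nuid:: Ym9i\nuidNumber: 1002\ngidNumber: 100\n")
NEW = ("dn: uid=alice,ou=People,dc=new,dc=example\nuid: alice\nuidNumber: 1001\ngidNumber: 1001\n\n"
       "dn: uid=bob,ou=People,dc=new,dc=example\nuid: bob\nuidNumber: 5002\ngidNumber: 100\n")

if __name__ == "__main__":
    print(compare_migration(OLD, NEW))
```

An empty result means every account in the old export has the same uidNumber and gidNumber in the new one, which is the condition the reply gives for existing file ownership to keep working.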