Transfer accounts from Linux to Linux


The script below copies user account properties and password hashes from one Linux OpenLDAP server to another, so that users can log on to the new Linux server with their old user name and password. The hash is copied exactly as it is stored, so the destination server must be able to verify the hash scheme used on the source (for example {SSHA} or {CRYPT}); otherwise the account is created, but the user cannot log on.

·Properties transferred in the example are first name, last name, account name and password hash.  
·Other properties are easy to transfer with minor changes to the script: the "ListOfProperties" parameter of the "Data.Get.LD.Find" command lists the source properties, and each "Lin.DS.Op.SetProperty" command writes one property.  
·Extract accounts from a single container, from a container including its subcontainers, or all accounts in a group, by changing the parameters of the "Data.Get.LD.Find" command.  
·Write accounts to any destination container.  
·A new uidNumber is generated automatically for each account in the example, but the old uidNumber can be transferred just like any other property. If you do, make sure it does not collide with uidNumbers already in use on the destination server, since file ownership on Linux follows the number, not the name.  

Requirements
Local machine (where AdmWin executable runs)
·A locally installed SSL certificate for each Linux server  

Both servers
·Linux server with OpenLDAP 2.0 or higher, configured to accept SSL connections on port 636.  
·Full administrative privileges: the "rootdn" superuser enabled in slapd.conf (both rootdn and rootpw set).  

Source server
·User name and password for LDAP superuser "rootdn" in SrcLDAdminAccount and SrcLDAdminPW variables in [Settings]  

Destination server
·User name and password for LDAP superuser "rootdn" in DstLDAdminAccount and DstLDAdminPW variables in [Settings]  

Script

[Settings_Begin]
BatchSettings.Delimiter=TAB
BatchSettings.MarkerCol=6
SET NameChars=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

// Linux source LDAP server, SSL enabled on port 636, SSL certificate installed locally
SET SrcLDServer=ldap3.my-domain.com
// Linux source LDAP root path
SET SrcLDDomainPath=dc=com/dc=my-domain
// Linux source LDAP superuser admin account (declared in the OpenLDAP server configuration file slapd.conf on the row that begins with "rootdn")
// You may need to enable the rootdn temporarily, since its rootpw is often left unset for security reasons; unset it again after the migration
SET SrcLDAdminAccount=%SrcLDDomainPath%/cn=ldapman
// Plain-text superuser password: restrict who can read this script file and change the password after the migration
SET SrcLDAdminPW=SrcPassword
// Linux source LDAP path
SET SrcLDOUPath=%SrcLDDomainPath%/ou=People
// Linux source properties, format: Attrname§DataSectDstCol§[Attrname§DataSectDstCol§]
SET SrcLDprop=givenName§1§sn§2§uid§3§cn§4§userPassword§5§   

// [Data] section columns, must match the LDprop above (column 6 is reserved by MarkerCol)
SET FirstName=%col1%
SET LastName=%col2%
SET FullName=%col1% %col2%
SET AccountName=%col3%
SET CN=%col4%
SET Password=%col5%

// Linux destination LDAP server, SSL enabled on port 636, SSL certificate installed locally
SET DstLDServer=slapd.site2.com
// Linux destination LDAP root path
SET DstLDDomainPath=dc=site
// Linux destination LDAP superuser admin account (declared in the OpenLDAP server configuration file slapd.conf on the row that begins with "rootdn")
// You may need to enable the rootdn temporarily, since its rootpw is often left unset for security reasons; unset it again after the migration
SET DstLDAdminAccount=%DstLDDomainPath%/cn=administrator
// Plain-text superuser password: restrict who can read this script file and change the password after the migration
SET DstLDAdminPW=DstPassword
// Linux destination paths
SET DstLDOUPath=%DstLDDomainPath%/ou=People
SET DstLDAccountPath=%DstLDOUPath%/uid=%AccountName%
// Linux destination group must be created before running script or create with Lin.DS.Group.Create
SET DstLDGroup=MyGroup
SET DstLDGroupPath=%DstLDOUPath%/cn=%DstLDGroup%
[Settings_End]

[Init_Batch_Begin]
// Logon to source Linux LDAP server, fill [Data] section with properties and password hashes   
Lin.DS.Logon %SrcLDServer%, %SrcLDAdminAccount%, %SrcLDAdminPW%   
Data.Get.LD.Find %SrcLDOUPath%, (objectClass=posixAccount), yes, %SrcLDprop%   
// Delete rows from [Data] section without a usable password hash (shorter than 10 characters) and the root account   
Data.Loop   
 If Copy (%Password%, 10, 1)= Then   
  LogWindow.Write "%CN%" row deleted, no password.   
  Data.Row.Delete   
 EndIf   
 If %AccountName%=root Then   
  LogWindow.Write "%CN%" row deleted, root.   
  Data.Row.Delete   
 EndIf   
Data.EndLoop   
Data.Column.Check 1, User_ChrLen, %NameChars%, 1, 30   
Data.Column.Check 2, User_ChrLen, %NameChars%, 1, 30   
Data.Show Transfer all these accounts?   
[Init_Batch_End]

[Batch_Begin]
// Logon to Destination Linux LDAP server   
Lin.DS.Logon %DstLDServer%, %DstLDAdminAccount%, %DstLDAdminPW%   
Lin.DS.Group.Create %DstLDGroupPath%   
// Get the group's gidNumber to use as the accounts' gidNumber   
SET gidNumber=LDValue (%DstLDGroupPath%, gidNumber)   
If %gidNumber%= Then   
 RaiseError 1, Please create group %DstLDGroupPath% and restart the script.   
 QuitBatch   
Endif   
Data.Loop   
 // Create account   
 Lin.DS.Op.Init Create, %DstLDAccountPath%   
 Lin.DS.Op.SetProperty objectClass, inetOrgPerson§posixAccount§   
 // inetOrgPerson attrs   
 Lin.DS.Op.SetProperty givenName, %FirstName%   
 Lin.DS.Op.SetProperty sn, %LastName%   
 // posixAccount attrs   
 Lin.DS.Op.SetProperty uid, %AccountName%   
 Lin.DS.Op.SetProperty cn, %FullName%   
 Lin.DS.Op.SetProperty userPasswordHash, %Password%   
 Lin.DS.Op.SetProperty gidNumber, %gidNumber%   
 Lin.DS.Op.SetProperty uidNumber, Auto   
 Lin.DS.Op.SetProperty homeDirectory, /home/%AccountName%   
 Lin.DS.Op.SetProperty loginShell, /bin/bash      
 Lin.DS.Op.SetProperty gecos, %FullName%   
 Lin.DS.Op.Commit   
Data.EndLoop   
[Batch_End]

[Data_Begin]
[Data_End]
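To rehearse the same logic offline before running the script against live rootdn sessions, here is an added Python example; it is not part of this page or of the AdmWin product. It takes an LDIF export of the source ou=People (for example the output of ldapsearch over ldaps:// with the same (objectClass=posixAccount) filter), applies the script's row checks (root account, password hash shorter than 10 characters, the NameChars check on first and last name) plus one the script does not make (the hash scheme must be one the destination slapd can verify), allocates uidNumbers that do not collide with a supplied set of numbers already in use, and writes destination LDIF for ldapadd. The sample export, the dc=site destination suffix, gidNumber 500, the starting uidNumber 2000 and the accepted-scheme list are constructed assumptions for the example; the hash values are placeholders, not real password hashes.

```python
"""Offline rehearsal of the transfer above: filter a source LDIF export like the script, allocate uidNumbers, emit LDIF."""
import base64
import re

# Schemes a stock OpenLDAP slapd can verify (assumption: check the destination's build).
ACCEPTED_SCHEMES = {"{SSHA}", "{SHA}", "{SMD5}", "{MD5}", "{CRYPT}"}
NAME_RE = re.compile(r"^[A-Za-z0-9]{1,30}$")  # NameChars, length 1..30


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value', 'attr:: base64', '#' and folded lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:  # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, val = line.split(": ", 1)
            if attr.endswith(":"):  # 'attr:: base64value'
                attr, val = attr[:-1], base64.b64decode(val).decode()
            cur.setdefault(attr, []).append(val)
    return entries


def plan_transfer(src_ldif, dst_ou, gid_number, first_uid, taken_uids=()):
    """Return (accepted, skipped): entries laid out like the SetProperty calls, and (uid, reason) rows."""
    accepted, skipped, taken, next_uid = [], [], set(taken_uids), first_uid
    for e in parse_ldif(src_ldif):
        uid, pw = e.get("uid", [""])[0], e.get("userPassword", [""])[0]
        given, sn = e.get("givenName", [""])[0], e.get("sn", [""])[0]
        if uid == "root":
            skipped.append((uid, "root"))
        # The script's Copy(%Password%, 10, 1)= test, plus a scheme check
        elif len(pw) < 10 or pw.split("}", 1)[0] + "}" not in ACCEPTED_SCHEMES:
            skipped.append((uid, "no usable password hash"))
        elif not (NAME_RE.match(given) and NAME_RE.match(sn)):
            skipped.append((uid, "name fails character check"))
        else:
            while next_uid in taken:  # 'Auto' uidNumber, never reuse one
                next_uid += 1
            full = f"{given} {sn}"
            accepted.append({
                "dn": f"uid={uid},{dst_ou}",
                "objectClass": ["inetOrgPerson", "posixAccount"],
                "givenName": [given], "sn": [sn], "uid": [uid], "cn": [full],
                "userPassword": [pw], "gidNumber": [str(gid_number)],
                "uidNumber": [str(next_uid)], "homeDirectory": [f"/home/{uid}"],
                "loginShell": ["/bin/bash"], "gecos": [full]})
            taken.add(next_uid)
    return accepted, skipped


def to_ldif(entries):
    """Serialise accepted entries for ldapadd (hash values here are plain ASCII, so no base64 needed)."""
    out = []
    for e in entries:
        out.append(f"dn: {e['dn']}")
        out += [f"{a}: {v}" for a, vals in e.items() if a != "dn" for v in vals]
        out.append("")
    return "\n".join(out)


# Constructed export of the source OU (filter (objectClass=posixAccount) applied).
SOURCE_EXPORT = """\
# extended LDIF
dn: uid=alice,ou=People,dc=my-domain,dc=com
uid: alice
givenName: Alice
sn: Example
userPassword:: e1NTSEF9ZmFrZWhhc2g=

dn: uid=root,ou=People,dc=my-domain,dc=com
uid: root
userPassword: {SSHA}rootplaceholder

dn: uid=bob,ou=People,dc=my-domain,dc=com
uid: bob
givenName: Bob
sn: O'Neil
userPassword: {SSHA}bobplaceholder

dn: uid=carol,ou=People,dc=my-domain,dc=com
uid: carol
givenName: Carol
sn: Nopass

dn: uid=dave,ou=People,dc=my-domain,dc=com
uid: dave
givenName: Dave
sn: Legacy
userPassword: {CRYPT}$6$salt$placeholderhash
"""
```

Call plan_transfer(SOURCE_EXPORT, "ou=People,dc=site", 500, 2000, {2001}) to see alice and dave accepted with uidNumbers 2000 and 2002 (2001 is skipped as already taken) and root, bob and carol reported as deleted rows; to_ldif on the accepted list gives input for ldapadd. With a real export, pass the uidNumbers already present on the destination as taken_uids. The resulting LDIF still contains password hashes, so treat the file like the script's [Data] section and delete it once the import is done.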