Topic: LDAP export and import -the easy way

philmills

LDAP export and import -the easy way
« on: March 02, 2011, 12:02:35 pm »
I've seen so many posts regarding importing LDAP records from previous servers, and there's even a tutorial in the How-tos relating to it. But why do things the hard way when you can do them the easy way?

For those of you who don't know, there is a great piece of Open Source software called Apache Directory Studio. It's available for Win, Mac, Linux. With the software you can connect to your existing LDAP database, export to LDIF, then connect to the new LDAP on your new Zentyal box, and import the LDIF file. The only thing you will need to do before import is use a text editor (I suggest Notepad++) to rename the DN info in the LDIF file, which typically is repeated for each user, group, computer etc.
Anyway I managed to import all users groups and computers from my old ebox 1.4 server (Ubuntu 8.04), into a new zentyal 2 server (Ubuntu 10.04).

All domain logons are working perfectly on the new server just as they used to. The only additional thing I needed to do for that was to edit the Samba SID using Apache Directory Studio to match the Samba SID on the old server.  

All in all Apache Directory Studio is a very powerful and easy to use tool, offering you full editing of your entire LDAP directory if you need.

Hope this is useful info for someone.
« Last Edit: March 02, 2011, 12:13:05 pm by philmills »

chunk.one

Re: LDAP export and import -the easy way
« Reply #1 on: March 03, 2011, 09:40:17 pm »
Another great tool for this and other tasks is phpldapadmin.

philmills

Re: LDAP export and import -the easy way
« Reply #2 on: March 04, 2011, 08:17:15 am »
Agreed, but that assumes you have a php/mysql server handy.

philmills

Re: LDAP export and import -the easy way
« Reply #3 on: March 04, 2011, 03:46:47 pm »
A word of warning...

In Ebox 1.4 and earlier, the path to the user's home folder was:
/home/samba/users/[username]
In Zentyal 2.0 the path changed to:
/home/[username]

This path needs to be edited in your imported LDAP user records in order for your users to be able to access their Home shares (default H:\ )
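
The two edits described in this thread (renaming the DN suffix and changing the home directory path) as a script; this is an added example, not code from any of the posters. It also covers folded lines and base64-encoded values, which a find-and-replace in a text editor would miss. The suffixes `dc=old,dc=example` and `dc=new,dc=example` are placeholders for your own base DNs, and the sample record is constructed.

```python
import base64
import re

OLD_HOME = re.compile(r"^/home/samba/users/([^/]+)$")  # eBox 1.4 layout, per the thread
LINE = re.compile(r"^([A-Za-z0-9;.-]+)(::?) ?(.*)$")   # "attr: value" or "attr:: base64"

def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def emit(attr, value):
    """Write plain text where RFC 2849 allows it, base64 otherwise."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    b64 = base64.b64encode(value.encode()).decode()
    return f"{attr}: {value}" if safe else f"{attr}:: {b64}"

def migrate_ldif(text, old_suffix, new_suffix):
    """Rebase DN values onto new_suffix and move home paths to /home/<user>."""
    out = []
    for line in unfold(text):
        m = LINE.match(line)
        if not m:
            out.append(line)          # blank separators and comments
            continue
        attr, sep, raw = m.groups()
        try:
            value = base64.b64decode(raw).decode("utf-8") if sep == "::" else raw
        except (ValueError, UnicodeDecodeError):
            out.append(line)          # binary value (e.g. a photo): leave untouched
            continue
        new, head = value, value[:len(value) - len(old_suffix)]
        if value.lower().endswith(old_suffix.lower()) and (not head or head.endswith(",")):
            new = head + new_suffix   # only rebase at a DN component boundary
        if attr.lower() == "homedirectory":
            new = OLD_HOME.sub(r"/home/\1", new)
        out.append(line if new == value else emit(attr, new))
    return "\n".join(out) + "\n"      # lines are left unfolded, which LDIF permits

# Constructed sample: a folded DN and the old home path (placeholder suffixes).
SAMPLE = ("dn: uid=jdoe,ou=Users,\n dc=old,dc=example\nuid: jdoe\n"
          "homeDirectory: /home/samba/users/jdoe\n")
if __name__ == "__main__":
    print(migrate_ldif(SAMPLE, "dc=old,dc=example", "dc=new,dc=example"))
```

The exported LDIF includes the users' password attributes, so store and delete the file as you would any credential dump.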

chunk.one

Re: LDAP export and import -the easy way
« Reply #4 on: March 04, 2011, 10:45:08 pm »
Quote: "Agreed, but that assumes you have a php/mysql server handy."
No mysql, only php. And no client app needed, only a browser. But I have looked into Apache Directory Studio. It's more powerful (and complicated). And I can't figure out how to configure the cn=config db  :(

philmills

Re: LDAP export and import -the easy way
« Reply #5 on: March 07, 2011, 05:26:00 pm »
For Zentyal 2 and above, just enter the cn and dc exactly as they appear in LDAP under users and groups.

For older ebox versions, enter cn=ebox,[dc's as they appear in LDAP settings in ebox]

Make sure to paste the LDAP password into Notepad before pasting it into Directory Studio, as sometimes the copy/paste process adds a space at the end where there shouldn't be one, and you won't be able to connect.

It's also worth noting that with Ebox I was able to connect using StartTLS encryption, but with Zentyal I had to use "no encryption".
« Last Edit: March 14, 2011, 08:38:16 am by philmills »

Josir

Re: LDAP export and import -the easy way
« Reply #6 on: March 11, 2011, 08:13:51 pm »
Thank you very much phil.
I've been looking for this tip for more than 3 months...

I was using LUMA to navigate thru the LDAP database but I didn't know that the simple export LDIF was enough to do the migration.

Some questions:
- the linux users are created with the same uid?
- the password and the gid/uid were migrated too?
- what about the groups that already exist in the destination LDAP (like "User Domain", "Administrators")? Did they remain untouched?

Thanks in advance,
Josir

philmills

Re: LDAP export and import -the easy way
« Reply #7 on: March 14, 2011, 08:33:39 am »
- linux users are created with the same uid
- password and gid/uid is migrated too
- when I imported I didn't pay any attention to this, and they imported fine without being duplicated. But if you're worried you can do a group by group export to LDIF from the old LDAP database, or export the entire Groups database and edit out the unwanted groups using Notepad++ or some similar text editor. The LDIF file is just plain text.
« Last Edit: March 14, 2011, 08:37:20 am by philmills »

brucemallord

Re: LDAP export and import -the easy way
« Reply #8 on: June 07, 2011, 07:05:18 am »
Regarding home directories.

Do you create and restore the files manually, then connect with the LDAP import, or will it create the folders for you and then you can put back the files in individual folders?


philmills

Re: LDAP export and import -the easy way
« Reply #9 on: June 07, 2011, 08:45:31 am »
I think (if I remember correctly) that you need to create those, or import them from your backup source along with permissions.
If you don't have a backup source, then after creating the folders you'll need to CHOWN them for each user, so that access to them is restricted to that user only.

robb

  • Guest
Re: LDAP export and import -the easy way
« Reply #10 on: June 07, 2011, 03:33:28 pm »
Hi Phill,

There will be a community WIKI available soon: http://forum.zentyal.org/index.php/topic,5304.msg28319.html#msg28319

Would you be so kind to make a document of your method of restoring LDAP?

thnx and regards,
Rob

philmills

Re: LDAP export and import -the easy way
« Reply #11 on: June 08, 2011, 11:20:43 am »
I can't promise, but I will try.
Thing is that a detailed wiki requires me to go through the entire process, and that does take some time (something I don't have much of right now).

3dge14

Re: LDAP export and import -the easy way
« Reply #12 on: September 22, 2011, 08:08:28 pm »
Hi Phil,

I have a Zentyal 2.2 test setup and tried using the recommended software to export from my running 2.0 server. I edited the LDIF file and changed the dn info to the new test server's dn info. For the most part the user info/groups/permissions imported correctly, however I am confused about the SID part. You said you went in to edit the SID number to make it match the old domain. When I look at my test 2.2 sambaSID info it already matches the original sambaSID, do I need to change anything else? I can't test logging on to the domain with current users at the moment because I still have the production server in use on the network.

Thanks

philmills

Re: LDAP export and import -the easy way
« Reply #13 on: September 23, 2011, 08:22:33 am »
If the sambaSID is correct, I think it should be OK.
Why not test it in a separate network?  All you need is a LAN switch, and borrow a PC from the existing domain.
Definitely don't try to go live with it until you've tested fully, and when you're testing be sure to check that you can still add new PCs to the new domain, as this is something I've had a few problems with.
« Last Edit: September 23, 2011, 08:31:22 am by philmills »