Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: philmills on March 02, 2011, 12:02:35 pm

Title: LDAP export and import -the easy way
Post by: philmills on March 02, 2011, 12:02:35 pm
I've seen so many posts regarding importing LDAP records from previous servers, and there's even a tutorial in the How-tos relating to it. But why do things the hard way when you can do it the easy way?

For those of you who don't know, there is a great piece of Open Source software called Apache Directory Studio (http://directory.apache.org/studio/). It's available for Win, Mac, Linux. With the software you can connect to your existing LDAP database, export to LDIF, then connect to the new LDAP on your new Zentyal box, and import the LDIF file. The only thing you will need to do before import is use a text editor (I suggest Notepad++) to rename the DN info in the LDIF file, which typically is repeated for each user, group, computer etc.
Anyway, I managed to import all users, groups and computers from my old eBox 1.4 server (Ubuntu 8.04) into a new Zentyal 2 server (Ubuntu 10.04).

All domain logons are working perfectly on the new server just as they used to. The only additional thing I needed to do for that was to edit the Samba SID using Apache Directory Studio (http://directory.apache.org/studio/) to match the Samba SID on the old server.

All in all, Apache Directory Studio (http://directory.apache.org/studio/) is a very powerful and easy to use tool, offering you full editing of your entire LDAP directory if you need it.

Hope this is useful info for someone.
Title: Re: LDAP export and import -the easy way
Post by: chunk.one on March 03, 2011, 09:40:17 pm
Another great tool for this and other tasks is phpldapadmin.
Title: Re: LDAP export and import -the easy way
Post by: philmills on March 04, 2011, 08:17:15 am
Agreed, but that assumes you have a php/mysql server handy.
Title: Re: LDAP export and import -the easy way
Post by: philmills on March 04, 2011, 03:46:47 pm
A word of warning...

In eBox 1.4 and earlier, the path to the user's home folder was:
/home/samba/users/[username]
In Zentyal 2.0 the path changed to:
/home/[username]

This path needs to be edited in your imported LDAP user records in order for your users to be able to access their Home shares (default H:\).
Title: Re: LDAP export and import -the easy way
Post by: chunk.one on March 04, 2011, 10:45:08 pm
Agreed, but that assumes you have a php/mysql server handy.
No mysql, only php. And no client app needed, only a browser. But I have looked into Apache Directory Studio. It's more powerful (and complicated). And I can't figure out how to configure the cn=config db  :(
Title: Re: LDAP export and import -the easy way
Post by: philmills on March 07, 2011, 05:26:00 pm
For Zentyal 2 and above, just enter the cn and dc exactly as they appear in LDAP under Users and Groups.

For older eBox versions, enter cn=ebox,[dc's as they appear in LDAP settings in eBox].

Make sure to paste the LDAP password into Notepad before pasting it into Directory Studio, as sometimes the copy/paste process adds a space at the end where there shouldn't be one, and you won't be able to connect.

It's also worth noting that with eBox I was able to connect using StartTLS encryption, but with Zentyal I had to use "no encryption".
Title: Re: LDAP export and import -the easy way
Post by: Josir on March 11, 2011, 08:13:51 pm
Thank you very much phil.
I've been looking for this tip for more than 3 months...

I was using LUMA to navigate through the LDAP database, but I didn't know that the simple export to LDIF was enough to do the migration.

Some questions:
- are the Linux users created with the same uid?
- were the password and the gid/uid migrated too?
- what about the groups that already exist in the destination LDAP (like "User Domain", "Administrators")? Did they remain untouched?

Thanks in advance,
Josir
Title: Re: LDAP export and import -the easy way
Post by: philmills on March 14, 2011, 08:33:39 am
- Linux users are created with the same uid
- password and gid/uid are migrated too
- when I imported I didn't pay any attention to this, and they imported fine without being duplicated. But if you're worried you can do a group-by-group export to LDIF from the old LDAP database, or export the entire Groups database and edit out the unwanted groups using Notepad++ or some similar text editor. The LDIF file is just plain text.
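The three hand edits this thread describes (rebasing every DN onto the new server's suffix, changing homeDirectory from the eBox 1.4 layout to the Zentyal 2.0 layout, and leaving out groups that already exist on the destination) can be done in one pass over the exported LDIF instead of in Notepad++. The script below is an added example for this thread; it is not Zentyal or Apache Directory Studio code. The base DNs (dc=oldbox,dc=local, dc=newbox,dc=lan), the user and group names, and the sample export are constructed placeholders.

```python
#!/usr/bin/env python3
"""Rewrite an LDIF export for import into a new LDAP server.

Added example (not Zentyal/Apache Directory Studio code). Suffixes, users
and groups below are constructed placeholders.
"""
import base64
import sys

# Constructed sample export; deliberately includes a folded line and a
# base64 value so the parser is exercised on both.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=oldbox,dc=local
objectClass: posixAccount
uid: alice
uidNumber: 2001
gidNumber: 1901
homeDirectory: /home/samba/users/alice
cn: Alice Exam
 ple
description:: QWxpY2UgdGVzdA==

dn: cn=staff,ou=Groups,dc=oldbox,dc=local
objectClass: posixGroup
cn: staff
memberUid: alice

dn: cn=Administrators,ou=Groups,dc=oldbox,dc=local
objectClass: posixGroup
cn: Administrators
"""

# Attributes whose values are DNs and so need the suffix rewritten (lowercase).
DN_ATTRS = {"dn", "member", "owner", "seealso", "uniquemember"}


def parse_ldif(text):
    """Return a list of entries, each a list of (attr, value, was_base64)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # LDIF folded continuation
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], []
    for line in unfolded:
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            current.append((attr, value, True))
        else:
            current.append((attr, rest.strip(), False))
    if current:
        entries.append(current)
    return entries


def needs_base64(value):
    """RFC 2849: values that are not 'safe' strings must be base64-encoded."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) > 126 or c in "\0\r\n" for c in value)


def serialize_ldif(entries):
    blocks = []
    for entry in entries:
        lines = []
        for attr, value, was_b64 in entry:
            if was_b64 or needs_base64(value):
                enc = base64.b64encode(value.encode("utf-8")).decode("ascii")
                lines.append(f"{attr}:: {enc}")
            else:
                lines.append(f"{attr}: {value}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


def rebase_dn(value, old_base, new_base):
    """Replace the old suffix with the new one (case-insensitive match)."""
    low, old = value.lower(), old_base.lower()
    if low == old:
        return new_base
    if low.endswith("," + old):
        return value[:-len(old_base)] + new_base
    return value


def migrate_ldif(text, old_base, new_base, old_home, new_home, skip_rdns=()):
    """skip_rdns: RDNs such as 'cn=Administrators' of entries to drop because
    the destination directory already has them."""
    skip = {r.lower() for r in skip_rdns}
    result = []
    for entry in parse_ldif(text):
        dn = next((v for a, v, _ in entry if a.lower() == "dn"), "")
        if dn.split(",", 1)[0].lower() in skip:
            continue
        new_entry = []
        for attr, value, was_b64 in entry:
            key = attr.lower()
            if key in DN_ATTRS:
                value = rebase_dn(value, old_base, new_base)
            elif key == "homedirectory" and value.startswith(old_home):
                value = new_home + value[len(old_home):]
            new_entry.append((attr, value, was_b64))
        result.append(new_entry)
    return serialize_ldif(result)


if __name__ == "__main__":
    # usage: migrate_ldif.py export.ldif > import.ldif (defaults to the sample)
    src = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sys.stdout.write(migrate_ldif(src, "dc=oldbox,dc=local", "dc=newbox,dc=lan",
                                  "/home/samba/users/", "/home/",
                                  skip_rdns=("cn=Administrators",)))
```

Run it on the real export and diff the result against the original before importing, so every changed line is one you expected. The parser decodes base64 values as UTF-8 text, which is fine for the user, group and computer records discussed here but would need byte handling if the export carried binary attributes such as photos; it also does not follow `attr:< file://` references.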
Title: Re: LDAP export and import -the easy way
Post by: brucemallord on June 07, 2011, 07:05:18 am
Regarding home directories.

Do you create and restore the files manually, then connect with the LDAP import, or will it create the folders for you and then you can put back the files in individual folders?

Title: Re: LDAP export and import -the easy way
Post by: philmills on June 07, 2011, 08:45:31 am
I think (if I remember correctly) that you need to create those, or import them from your backup source along with permissions.
If you don't have a backup source, then after creating the folders you'll need to CHOWN them for each user, so that access to them is restricted to that user only.
Title: Re: LDAP export and import -the easy way
Post by: robb on June 07, 2011, 03:33:28 pm
Hi Phill,

There will be a community WIKI available soon: http://forum.zentyal.org/index.php/topic,5304.msg28319.html#msg28319

Would you be so kind to make a document of your method of restoring LDAP?

thanks and regards,
Rob
Title: Re: LDAP export and import -the easy way
Post by: philmills on June 08, 2011, 11:20:43 am
I can't promise, but I will try.
Thing is that a detailed wiki requires me to go through the entire process, and that does take some time (something I don't have much of right now).
Title: Re: LDAP export and import -the easy way
Post by: 3dge14 on September 22, 2011, 08:08:28 pm
Hi Phil,

I have a Zentyal 2.2 test setup and tried using the recommended software to export from my running 2.0 server. I edited the LDIF file and changed the dn info to the new test server's dn info. For the most part the user info/groups/permissions imported correctly; however, I am confused about the SID part. You said you went in to edit the SID number to make it match the old domain. When I look at my test 2.2 sambaSID info it already matches the original sambaSID. Do I need to change anything else? I can't test logging on to the domain with current users at the moment because I still have the production server in use on the network.

Thanks
Title: Re: LDAP export and import -the easy way
Post by: philmills on September 23, 2011, 08:22:33 am
If the sambaSID is correct, I think it should be OK.
Why not test it in a separate network? All you need is a LAN switch, and borrow a PC from the existing domain.
Definitely don't try to go live with it until you've tested fully, and when you're testing be sure to check that you can still add new PCs to the new domain, as this is something I've had a few problems with.