ClearFoundation

Hi,

I have recently read some posts about user migration, but nothing for what I want to do. Here is the job:

I have a linux server, with 289 users. All of them are system users, so their information are in flat files in /etc (/etc/passwd, /etc/shadow etc). Is there a way to migrate these users to ClearOS? I have already used padl.com scripts but the problem is that the generated password is in {cyrpt} format and ClearOS uses SHA format.

Thanks in advance.

Hi, (my 2 cents)

I recently did a similar move where I had 100+ users in unix security, and wanted them in ldap.

Unfortunately, I found no way to do this with any tool.

The challenge as you correctly see it, is to move the passwords. Everything else is relatively easy with imports and exports.

The only way I found was to decrypt the existing password and use that password during the import process. This method did not work, I got like 10 passwords out of 100+.

So, we moved a few users at a time, and hand-held them with there new passwords and visited every computer.(Ugh)

I thought long and hard about the migration, and it seems to me that without a tool, you must assign a new password during the import, and then create a process to inform the user of his new password. As well as, a process to allow the user change his password on his own.

The last is easily done by allowing the user access to the GUI console, and the user could login and change their password. My objection to that is the ClearOS branding on the GUI. It is fine for admins, but UNACCEPTABLE for the end user to see. The end user needs to see their local business logo or in my case, my logo.

And lastly, I think you will be asking this next, how do I have multiple servers running a single ldap store? Because as soon as you have all those users in the ldap, it would be nice to have multiple servers for file servers, print servers, backup and load balance

First of all, thanks for the response bdorsey63.

I tried many many things to accomplish this task, but as you said with no success. Finally, I did the same as you said and I sent an email to each of my users with a temporary password. Then, each user was responsible to change that password through webmin control panel.

I have already read that I cant run multiple servers with a single ldap server. It is on the roadmap....

Thanks again.

bdorsey63 wrote:
Hi, (my 2 cents)

I recently did a similar move where I had 100+ users in unix security, and wanted them in ldap.

Unfortunately, I found no way to do this with any tool.

The challenge as you correctly see it, is to move the passwords. Everything else is relatively easy with imports and exports.

The only way I found was to decrypt the existing password and use that password during the import process. This method did not work, I got like 10 passwords out of 100+.

So, we moved a few users at a time, and hand-held them with there new passwords and visited every computer.(Ugh)

I thought long and hard about the migration, and it seems to me that without a tool, you must assign a new password during the import, and then create a process to inform the user of his new password. As well as, a process to allow the user change his password on his own.

The last is easily done by allowing the user access to the GUI console, and the user could login and change their password. My objection to that is the ClearOS branding on the GUI. It is fine for admins, but UNACCEPTABLE for the end user to see. The end user needs to see their local business logo or in my case, my logo.

And lastly, I think you will be asking this next, how do I have multiple servers running a single ldap store? Because as soon as you have all those users in the ldap, it would be nice to have multiple servers for file servers, print servers, backup and load balance

Here is a link to the most helpful tool you will find for this task:
www.padl.com/OSS/MigrationTools.html

Is there a solution to migrate the passwords ??

I have a similar issue where I am moving users from a standard centos 5 box to a ClearOS box,. Have had to put off the implementation of the ClearOS server until I can find a solution to this problem.

Donald Hobbs wrote:
Is there a solution to migrate the passwords ??

I have a similar issue where I am moving users from a standard centos 5 box to a ClearOS box,. Have had to put off the implementation of the ClearOS server until I can find a solution to this problem.

The following link will allow migration of all UNIX account information to LDAP:
www.padl.com/OSS/MigrationTools.html

Do all the following on the original Centos 5 box. The LDAP server can be the ClearOS system.

First migrate all UNIX accounts to LDAP POSIX account format using the above tool.
Next, configure Samba's smb.conf to use:
passdb backend = ldap://ldap_server:389

Do not forget to set the LDAP admin account info into smb.conf _AND_ set the LDAP admin password into the secrets.tdb file by executing:
smbpasswd -w admin_password

If you have Samba accounts in smbpasswd format execute:
pdbedit -i smbpasswd -e ldapsam

If you have the Samba account in tdbsam format execute:
pdbedit -i tdbsam -e ldapsam

That should migrate your accounts. Now you will need to set the same domain SID as your original Centos Samba server.

On Centos execute:
net getlocalsid
net getdomainsid

On ClearOS execute:
net setlocalsid S-1-5-21-xxxxxxxx-xxxxxxx-xxxxxx (from above)
net setdomainsid S-1-5-21-xxxxxxx-xxxxxxx-xxxxxx (also from above)

Next, do not forget to dump the account info into an LDIF file. Edit the user account info into the same structure used by ClearOS, then reimport into LDAP.

This should recover all you old user and machine account info - including the passwords (both POSIX and SambaSAMAccount passwords).

@bdorsey63
ClearOS is skinable and brandable. ClearCenter provides this as a service to OEM partners and other partners who need to have the look and feel of ClearOS be on-brand for your shop.

Consider the comments from Michael Proper during the CompTIA Breakaway event.

Part of the message from ClearCenter is that partners need to be able to develop their own solutions and have their own value provided to customers. Even ClearBOX was designed from day one as brandable.

Lastly, you can set up LDAP replication now but it is not supported yet in the UI. The experimental code for this is located here.

If you need better support and tighter integration with ClearCenter so that you business is properly branded, contact ClearCenter Sales at 801-851-5555

Thanks very much John will give this a go.