Friday, July 29, 2011

Migrating AD into eDirectory, using OpenLDAP on OES

Preparing the LDAP Server

First, you need to configure slapd to get ready for the AD dump.
1. Edit /etc/openldap/slapd.conf
2. Find the following line:
include /etc/openldap/schema/core.schema
3. Add this after:
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
4. Go to the line that starts with "suffix" and change to your AD structure:
suffix "dc=[basedn],dc=com"
5. Change the line that starts "rootdn" to your AD structure:
rootdn "cn=Manager,dc=[basedn],dc=com"
6. Save the file and exit.
7. Start slapd.

Building the Base LDAP Structure

1. Place the following into a file called base.ldif, and modify to your organization's needs.
dn: dc=[basedn],dc=com
objectclass: dcObject
objectclass: organization
o: [Your  Company]
dc: basedn
NOTE: The above line value for ?basedn? should match the first line's value for ?basedn?.
dn: cn=Manager,dc=[basedn],dc=com
objectclass: organizationalRole
cn: Manager
2. Import the file into LDAP.
ldapadd -x -D "cn=Manager,dc=[basedn],dc=com" -W -f base.ldif

Exporting Active Directory Data and Importing it into the LDAP Server

1. On a Windows domain controller, login as administrator.
2. Copy the Perl script samdump.pl and pwdump2 files to a temp directory.
3. Open a cmd window and change to the c:/temp directory.
4. Enter the following commands to extract the AD Users:
c:\temp\pwdump2.exe > passwd.txt
samdump.pl ?b dc=[basedn],dc=com passwd.txt users.ldif
You should now have a file (users.ldif) with all of your users in it.
5. Copy this file to your SLES server in the /root/ directory (for security).
6. Go back to your SLES server and import the AD users into the LDAP directory by entering the following command:
ldapadd -x -D "cn=Manager,dc=[basedn],dc=com" -W -f /root/users.ldif
At this point, all of your AD users, including their password hash, are in LDAP. Now you need to secure LDAP for eDirectory communication.

Securing LDAP for Import into eDirectory

1. Secure LDAP by encrypting your "rootpw" in your slapd.conf. We'll use "slappasswd" to do this.
slappasswd -s yourpassword
Here's the output:
{SSHA}i+RR9IAmrGDC0+RogacHrKNqUHVP1w7p
2. Copy that line and insert it into your slapd.conf (see the example).
3. Restart slapd.
If you do not have a CA, OES Linux creates one by default; or, you can create one as shown below.
4. Change directories to where you want to maintain these certificates - e.g., /etc/apache2/ssl.crt/
5. Create the certificates. We'll use the commands below:
openssl genrsa -des3 -out ca.key 1024
openssl req -new -x509 -days 999 -key ca.key -out ca.crt
openssl genrsa -des3 -out serverldap.key 1024
openssl req -new -key serverldap.key -out serverldap.csr
6. Move the certificates into their own directory:
mkdir -p ldapca/private
cp ca.key ldapca/private/cakey.pem
cp ca.crt ldapca/cacert.pem
mkdir ldapca/newcerts
touch ldapca/index.txt
echo "01" > ldapca/serial 
openssl ca -policy policy_anything -in serverldap.csr -out / server.cert
7. To allow TLS-enabled connections add the following lines to /etc/openldap/slapd.conf, making sure to use the path to your new certificates:
TLSCertificateFile /path_to_your_certificates/serverldap.crt
TLSCertificateKeyFile /path_to_your_certificates/serverldap.key
TLS_REQCERT allow
Restart slapd
8. Add the following lines to /etc/openldap/ldap.conf ...
URI ldap://127.0.0.1
TLS_CACERT /path_to_your_certificates/serverldap.cert
TLS_KEY /path_to_your_certificates/serverldap.key
TLS_REQCERT allow

Importing LDAP data into eDirectory

1. Log in to iManager.

Figure 1 - iManager login
2. Expand eDirectory Maintenance and select the Import Convert Export Wizard.

Figure 2 - Running the ICE wizard
3. Select Migrate Data Between Servers.
4. Check "Run in Verbose Mode" and "Log Failed Records" (nothing's perfect ...)
5. Click Next.
6. Enter the IP/DNS name of the LDAP server and specify the secure LDAP port (636).

Figure 3 - Server data for ICE
7. Check Authenticated login and enter root and the password you set up earlier.
8. Click Next.
9. Specify the Base DN to search in the source tree and the extent of depth you want the search to go.

Figure 4 - Specifying the Base DN
10. Click Next.
11. Enter the IP/DNS name of the destination tree (eDirectory) and secure LDAP port of that server.
12. Check Authenticated Login and specify the FDN admin equivalent account and password.

Figure 5 - Destination tree data
13. Click Next.
14. Specify the container you want the objects placed.
15. Click Start to begin.
Verifying that Users were Imported
1. At the top of the iManager screen, next to Roles and Tasks, click View Objects and browse to the container you imported your users.
2. Click one of those users and select Modify Object.

Figure 6 - Modifying the user object
There it is - just like we had it in Active Directory.

Figure 7 - Modify Object screen
Note that this method does not migrate ACL's or user groups.

Example Scripts and .conf Files

Below are the scripts and example conf files you need.
# Start of /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
TLSCertificateFile /path/to/server.cert
TLSCertificateKeyFile /path/to/server.key
TLS_REQCERT allow
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

database mydb
suffix "dc=myorg,dc=com"
rootdn "cn=Manager,dc=myorg,dc=com"
rootpw {SSHA}i+RR9IAmrGDC0+RogacHrKNqUHVP1w7p
# The database directory MUST exist prior to running slapd AND 
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/share/openldap/ldapdata
# Indices to maintain
index objectClass eq
use strict;
use Getopt::Std;
use vars qw/ $opt_u $opt_g $opt_d $opt_s $opt_b $gidNumber $homeDirectoryBase $loginShell $basedn/;
# End of /etc/openldap/slapd.conf
samdump.pl
#!/usr/bin/perl
#samdump.pl

if (!getopts('uig:d:s:b:'))
{
 print "samdump: converts Win SAM dump to ldif\n";
 print "usage: [-b  basedn] pwdump-file\n";
  
 exit;
}
 $gidNumber = 100;
 $homeDirectoryBase = "/home/";
 $loginShell = "/bin/bash";

if ( $opt_b ) {
 $basedn = $opt_b;
} else {
 $basedn = "dc=Users,dc=net";
}

while ( <> ) {
 my ($name, $uidNumber, $lanmgr_hash, $nt_hash, $account_flags,  $lchange_time, $remainder) = split /:/, $_;
 next if $name =~ /\$$/; 
 print "dn: uid=$name,$basedn\n";
 print "objectclass: top\n"; 
 print "objectclass: account\n"; 
 print "objectclass: posixAccount\n"; 
 #posixAccount MUST
 print "cn: $name\n";
 print "uid: $name\n";
 print "uidNumber: $uidNumber\n";
 print "gidNumber: $gidNumber\n";
 #print "homeDirectory: $homeDirectoryBase$name\n";
 #posixAccount MAY
 print "userPassword: {lanman}$lanmgr_hash\n";
 #print "loginShell: $loginShell\n";
 print "\n";
}
# End of samdump.pl
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)