The C Shore
Daniel Dickinson's Website - Experimental

Debian LDAP Migration Tools

Migrating /etc Flat File Databases to LDAP (Authentication and Name Services) using migrationtools package in Debian 3.1 (Sarge)

i. Install the LDAP migration tools

Do 'apt-get install migrationtools' (at least for 'Sarge'). This will install a collection of Perl scripts in /usr/share/migrationtools.

ii. Edit migrationtools configuration file

Edit /etc/migrationtools/ by changing the lines shown below. The DEFAULT_ lines are customisations for your site, while the UID/GID lines make the scripts skip system users and groups (that is, those created and modified by Debian package scripts) and the nobody user and group (65534:65534). System accounts belong in the flat files, not in LDAP: they are needed before slapd and the network are up, so only real accounts should be migrated.


 # Default DNS domain
 $DEFAULT_MAIL_DOMAIN = "your.domain";

 # Default base
 $DEFAULT_BASE = "[BaseDN]";


 # Uncomment these to exclude Debian-managed system users and groups

 # And here's the opposite for completeness


 # Default DNS domain
 $DEFAULT_MAIL_DOMAIN = "example.com";

 # Default base
 $DEFAULT_BASE = "dc=example,dc=com";


 # Uncomment these to exclude Debian-managed system users and groups

 # And here's the opposite for completeness

For Samba LDAP Users

The default subtrees used for user and group information are not compatible with the smbldap-tools package which is recommended when using LDAP for Samba authentication and mapping. For that reason, if you are using Samba with LDAP you should make the following additional changes to /etc/migrationtools/

 $NAMINGCONTEXT{'passwd'}            = "ou=Users";
 $NAMINGCONTEXT{'group'}             = "ou=Groups";

Optional: Use different subtrees based on function

If you are doing more than LDAP Authentication with your server you may wish to divide the various functions of the LDAP server into different subtrees. This can also be important if you are using different servers for different LDAP functions but still want the tree to look like it is coming from a single source (it can be done but is not discussed here).

In my examples, I have 'ou=dns,[BaseDN]' for the DNS server, 'ou=auth,[BaseDN]' for users and groups (authentication/authorization), 'ou=mail,[BaseDN]' for email related information, 'ou=syscfg,[BaseDN]' for system configuration information (like /etc/fstab), and 'ou=net,[BaseDN]' for networking configuration info handled by NSS.

The following assumes you also need to make the changes above for smbldap-tools, so the ou=Users and ou=Groups contexts sit under ou=auth:

 } else {
         $NAMINGCONTEXT{'aliases'}           = "ou=Aliases,ou=mail";
         $NAMINGCONTEXT{'fstab'}             = "ou=Mounts,ou=syscfg";
         $NAMINGCONTEXT{'passwd'}            = "ou=Users,ou=auth";
         $NAMINGCONTEXT{'netgroup_byuser'}   = "nisMapName=netgroup.byuser,ou=auth";
         $NAMINGCONTEXT{'netgroup_byhost'}   = "nisMapName=netgroup.byhost,ou=auth";
         $NAMINGCONTEXT{'group'}             = "ou=Groups,ou=auth";
         $NAMINGCONTEXT{'netgroup'}          = "ou=Netgroup,ou=auth";
         $NAMINGCONTEXT{'hosts'}             = "ou=Hosts,ou=net";
         $NAMINGCONTEXT{'networks'}          = "ou=Networks,ou=net";
         $NAMINGCONTEXT{'protocols'}         = "ou=Protocols,ou=net";
         $NAMINGCONTEXT{'rpc'}               = "ou=Rpc,ou=net";
         $NAMINGCONTEXT{'services'}          = "ou=Services,ou=net";
 }

You will also need to make the following changes to the 'sub ldif_entry' function in the same file (/etc/migrationtools/). As shipped, ldif_entry splits the naming context on '=' and assumes a single RDN, so a nested context such as ou=Users,ou=auth would produce the attribute line ou: Users,ou instead of ou: Users, which does not match the entry's RDN. The change keeps only the leading value:

 sub ldif_entry
 {
         local ($HANDLE, $lhs, $rhs) = @_;
         local ($type, $val) = split(/\=/, $lhs);
         local ($dn);
         local (@newval);
         # $lhs may now be nested ("ou=Users,ou=auth"): keep the first value only
         if ($val =~ /\,/) {
                 @newval = split(/\,/, $val);
                 $val = $newval[0];
         }
         # the remainder of the function is unchanged


Apparently EXTENDED_SCHEMA is set to '1' in many other documents. This probably will not work without modification under Debian 3.1 'Sarge'. I haven't tried going all the way; however, I have looked at the ldif that would be used and it appears the following note applies.

Note: Debian doesn't include a kerberos.schema, so one must manually edit passwd.ldif to remove the two lines referring to kerberos for every user. slapd rejects a whole entry whose objectClass it does not know, so leaving these lines in means that user is not loaded at all, not merely that one attribute is dropped. The two lines are:

 objectClass: kerberosSecurityObject
 krbName: user@YOUR.DOMAIN

Where user@YOUR.DOMAIN is the username with @YOUR.DOMAIN appended.
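What the passwd and group migration produces under the settings above, as an added Python example (this is not migrationtools' Perl and not code from this page): entries shaped like migrate_passwd.pl / migrate_group.pl output with EXTENDED_SCHEMA off, placed under the nested ou=Users,ou=auth and ou=Groups,ou=auth contexts, with the shadow hash copied verbatim behind {crypt}, plus the filter that removes the two kerberos lines. The UID/GID cut-offs (1000 and 65533) are assumed values chosen to match the description of skipping system accounts and nobody; the /etc/passwd, /etc/shadow and /etc/group contents are constructed and the hashes are made up.

```python
"""LDIF for /etc/passwd and /etc/group, shaped like migrate_passwd.pl /
migrate_group.pl output (EXTENDED_SCHEMA off) with this page's settings.
Added example, not migrationtools code; cut-off values are assumptions."""
import base64
import re

DEFAULT_BASE = "dc=example,dc=com"
NAMING_CONTEXT = {"passwd": "ou=Users,ou=auth", "group": "ou=Groups,ou=auth"}
# Assumed: skip Debian system accounts (< 1000) and nobody/nogroup (65534).
IGNORE_UID_BELOW, IGNORE_UID_ABOVE = 1000, 65533
IGNORE_GID_BELOW, IGNORE_GID_ABOVE = 1000, 65533

# Constructed sample files; the hashes are made up and verify nothing.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice Liddell,,,:/home/alice:/bin/bash
bob:x:1001:1001:Bob Tábor:/home/bob:/bin/zsh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""
SHADOW = """\
root:$1$AbCdEfGh$IjKlMnOpQrStUvWxYz0123:12345:0:99999:7:::
alice:$1$Qx9T1zX2$V9mJ0cLy5f1hO6p3kE7Ua/:12800:0:99999:7:::
bob:ab1xZ2cD3eF4g:12800:0:99999:7:::
"""
GROUP = """\
root:x:0:
users:x:100:alice
staff:x:1000:alice,bob
nogroup:x:65534:
"""
SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                "shadowInactive", "shadowExpire", "shadowFlag")


def ldif_attr(name, value):
    """RFC 2849: anything that is not a SAFE-STRING (non-ASCII, leading
    space/':'/'<', embedded CR/LF/NUL) is base64-encoded after '::'."""
    safe = (value.isascii() and not value.startswith((" ", ":", "<"))
            and not any(c in value for c in "\r\n\0"))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def colon_records(text):
    return [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]


def passwd_entries(passwd_text, shadow_text):
    """One account/posixAccount/shadowAccount entry per non-system user."""
    shadow = {rec[0]: rec for rec in colon_records(shadow_text)}
    entries = []
    for name, _, uid, gid, gecos, home, shell in colon_records(passwd_text):
        if not IGNORE_UID_BELOW <= int(uid) <= IGNORE_UID_ABOVE:
            continue  # system account or nobody: stays in the flat file only
        lines = [f"dn: uid={name},{NAMING_CONTEXT['passwd']},{DEFAULT_BASE}",
                 "objectClass: top", "objectClass: account",
                 "objectClass: posixAccount", "objectClass: shadowAccount",
                 ldif_attr("uid", name), ldif_attr("cn", gecos.split(",")[0] or name),
                 f"uidNumber: {uid}", f"gidNumber: {gid}",
                 ldif_attr("homeDirectory", home), ldif_attr("loginShell", shell)]
        # nis.schema declares gecos as IA5String, so slapd rejects non-ASCII
        # there; the full name is still kept in cn (DirectoryString).
        if gecos.isascii():
            lines.append(ldif_attr("gecos", gecos))
        rec = shadow.get(name)
        if rec:
            # Hash copied verbatim behind {crypt}: slapd hands it to crypt(3),
            # so DES and $1$ md5crypt both verify, and '*' / '!' stay locked.
            lines.append(f"userPassword: {{crypt}}{rec[1]}")
            lines += [f"{a}: {v}" for a, v in zip(SHADOW_ATTRS, rec[2:9]) if v]
        entries.append("\n".join(lines))
    return entries


def group_entries(group_text):
    """One posixGroup entry per non-system group, members as memberUid."""
    entries = []
    for name, _, gid, members in colon_records(group_text):
        if not IGNORE_GID_BELOW <= int(gid) <= IGNORE_GID_ABOVE:
            continue
        lines = [f"dn: cn={name},{NAMING_CONTEXT['group']},{DEFAULT_BASE}",
                 "objectClass: top", "objectClass: posixGroup",
                 ldif_attr("cn", name), f"gidNumber: {gid}"]
        lines += [f"memberUid: {m}" for m in members.split(",") if m]
        entries.append("\n".join(lines))
    return entries


KERBEROS_LINE = re.compile(r"^(objectClass: kerberosSecurityObject|krbName: )")


def strip_kerberos(ldif_text):
    """Drop the two EXTENDED_SCHEMA lines Debian's slapd has no schema for."""
    return "\n".join(l for l in ldif_text.split("\n") if not KERBEROS_LINE.match(l))


def build_ldif(passwd_text=PASSWD, shadow_text=SHADOW, group_text=GROUP):
    return "\n\n".join(passwd_entries(passwd_text, shadow_text)
                       + group_entries(group_text)) + "\n"


if __name__ == "__main__":
    print(build_ldif(), end="")
```

Run as shown to print the LDIF; the output is what a later ldapadd step consumes. Two details worth noticing: the group 'users' (gid 100) is skipped by the same cut-off that skips system users, so it keeps being resolved from /etc/group, and a non-ASCII GECOS field is only placed in cn, since slapd would reject it in gecos. strip_kerberos is the edit the note above asks for when EXTENDED_SCHEMA was left on.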

iii. Perform the Migration

If you just want LDAPAuthentication you probably want option 3, migrating only the /etc/passwd and /etc/group databases (but first using



 # node, [BaseDN]
 dn: ou=node,[BaseDN]
 objectClass: top
 objectClass: organizationalUnit
 objectClass: domainRelatedObject
 associatedDomain: your.domain
 ou: node


 # auth, example, com
 dn: ou=auth,dc=example,dc=com
 objectClass: top
 objectClass: organizationalUnit
 objectClass: domainRelatedObject
 associatedDomain: example.com
 ou: auth
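The container entries above, generalised to the nested layout, as an added Python example (not from this page and not migrationtools code): given the naming contexts configured in section ii, it emits every container on every path, parents first, so that one ldapadd run does not fail on a missing parent; ou= containers get the organizationalUnit/domainRelatedObject shape shown above, and the netgroup contexts get the nisMap container their scripts expect. The base DN, the domain and the context list are assumed values.

```python
"""Emit the container entries the migrated data hangs under, parents first.
Added example; base DN, domain and the context list are assumed values."""

DEFAULT_BASE = "dc=example,dc=com"
DEFAULT_DOMAIN = "example.com"
# The nested naming contexts from section ii (relative to DEFAULT_BASE).
NAMING_CONTEXTS = ["ou=Users,ou=auth", "ou=Groups,ou=auth",
                   "nisMapName=netgroup.byuser,ou=auth",
                   "ou=Hosts,ou=net", "ou=Aliases,ou=mail", "ou=Mounts,ou=syscfg"]


def containers_in_order(contexts):
    """Every container on every path, deduplicated and parent-first, so a
    single ldapadd run never hits 'No such object' for a missing parent."""
    seen, ordered = set(), []
    for ctx in contexts:
        rdns = ctx.split(",")
        for i in range(len(rdns) - 1, -1, -1):   # walk from the top down
            suffix = ",".join(rdns[i:])
            if suffix not in seen:
                seen.add(suffix)
                ordered.append(suffix)
    return ordered


def container_entry(suffix, base=DEFAULT_BASE, domain=DEFAULT_DOMAIN):
    """organizationalUnit for ou= containers (as in the entries above),
    nisMap for the nisMapName= containers used by the netgroup scripts."""
    attr, _, value = suffix.split(",")[0].partition("=")
    lines = [f"dn: {suffix},{base}", "objectClass: top"]
    if attr == "ou":
        lines += ["objectClass: organizationalUnit",
                  "objectClass: domainRelatedObject",
                  f"associatedDomain: {domain}"]
    elif attr == "nisMapName":
        lines.append("objectClass: nisMap")
    else:
        raise ValueError(f"unsupported container RDN: {suffix}")
    lines.append(f"{attr}: {value}")
    return "\n".join(lines)


def base_ldif(contexts=NAMING_CONTEXTS, base=DEFAULT_BASE, domain=DEFAULT_DOMAIN):
    return "\n\n".join(container_entry(s, base, domain)
                       for s in containers_in_order(contexts)) + "\n"


if __name__ == "__main__":
    print(base_ldif(), end="")
```

The ordering matters because slapd adds one entry at a time: ou=auth must exist before ou=Users,ou=auth can be added, and with -c ldapadd would otherwise silently skip the child and every user under it.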

Option 1: Just migrate everything

  1. Make sure the slapd service is started.
  2. Confirm that /etc/ldap/ldap.conf is correctly configured.
  3. cd /usr/share/migrationtools
  4. Execute './migrate_all_online', answering the following questions (normally you can just accept the defaults):
    1. Enter the X.500 naming context you wish to import into: dc=your,dc=domain
      • Here you should enter the BaseDN for your LDAP tree (e.g. dc=example,dc=com).
    2. Enter the hostname of your LDAP server [ldap]:
      • The default is a host named ldap; use localhost if slapd runs on the machine you are migrating.
    3. Enter the manager DN: [cn=admin,[BaseDN]]:
      • This should be the DN of the LDAP administrative user (e.g. cn=admin,dc=example,dc=com).
    4. Enter the credentials to bind with:
      • This should be the password for the LDAP administrative user. A simple bind sends this password over the connection in the clear, so bind to slapd on localhost or over TLS, never to a remote server over plain LDAP.
    5. Do you wish to generate a DUAConfigProfile [yes|no]?
      • For most the safe answer is no, as DUAConfigProfile depends on schema not included in stock Debian. The profile speeds up searching for the various flat file databases imported into LDAP in the instructions you are now reading.
      • If you are using a single LDAP server you don't really need this.
      • If you are using multiple servers for different subtrees this can help the resolution process by directing the query to the appropriate server. Describing how that works is beyond the scope of this document.
  5. If it worked, great; otherwise you may need to generate an LDIF and modify it as described below.

Option 2: Migrate everything by way of a single LDIF

As Option 1, above, except,

Synchronize the password encoding

migrationtools does not inspect the hash at all: migrate_passwd.pl copies the password field of /etc/shadow verbatim behind a {crypt} prefix, giving lines such as userPassword: {crypt}ad$/ddd234.2s. That is correct for traditional DES crypt hashes and for MD5 crypt hashes ($1$salt$hash) alike, because slapd's {CRYPT} scheme verifies a bind by calling the system crypt(3) with the stored hash as the salt argument, and glibc's crypt understands both formats (slapd must be built with crypt support, as Debian's package is). Do not relabel an MD5 crypt hash as {md5}: in OpenLDAP {MD5} denotes the base64 encoding of an unsalted raw MD5 digest, so a crypt hash under that tag can never verify and the user is locked out. Locked accounts (a shadow field of * or !) remain unverifiable in LDAP just as they were in the flat files, which is what you want.

This author started fresh with LDAP so he has never had to convert old /etc/passwd users; however, you may be interested in the notes on PAMLDAPSetup, which provide a way to convert passwords to md5 format when the password is changed (so root could elect to change all the passwords, thus getting md5 on all passwords).

Option 3: Migrate by way of an LDIF for each /etc database you want

See LDAPMigrationExamples for examples of each of the following imports.

You can migrate in a single step

You can pipe the output of a migrate script into ldapadd instead of redirecting to a file and using ldapadd -f filename. For example,

 ./ >base.ldif
 ldapadd -h localhost -x -W -D "cn=admin,dc=example,dc=com" -c -f base.ldif

would become

 ./ | ldapadd -h localhost -x -W -D "cn=admin,dc=example,dc=com" -c

Two cautions apply either way. -c tells ldapadd to continue past entries the server rejects, so read its output for error lines rather than assuming every entry went in. -W prompts for the admin password instead of taking it on the command line (where other users could read it from the process list), and -x is a simple bind that sends that password in the clear, so keep -h localhost or use TLS. If you do write the LDIF to a file, remember that it contains every user's password hash: create it with a restrictive umask and delete it once the import has been verified.

In all cases you will need to migrate some base settings (the container entries shown in section iii) before any of the databases below, since each entry is added beneath its container.

Migrateable Settings and How To Import Them

Local email aliases (e.g. root mail sent to a regular user)

Filesystem Table (/etc/fstab)

The author doesn't use the automounter daemon, so he doesn't know what is needed for this.

Netgroups (netgroup, netgroup_byhost, netgroup_byuser)

The author doesn't use netgroups, so he doesn't know what is needed to migrate netgroup_byhost and netgroup_byuser.

TCP/IP Hosts
TCP/IP Networks
TCP/IP Protocols
TCP/IP Services
Authentication: /etc/passwd
Authentication: /etc/group

iv. Verify Data Import

 ldapsearch -x -h localhost

This should return everything in your LDAP tree except hashed passwords. The userPassword attribute is absent from this anonymous search only because Debian's default slapd.conf carries an access rule that lets anonymous clients use userPassword to authenticate but never read it (by anonymous auth ... by * none). If userPassword values do show up here, the ACL is wrong and every migrated hash is readable by anyone who can reach the server; fix slapd.conf before pointing any client at it. If you want to see the hashed passwords as well, bind as the administrative user:

 ldapsearch -x -W -D "cn=admin,[BaseDN]" -h localhost
 ldapsearch -x -W -D "cn=admin,dc=example,dc=com" -h localhost
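A reader for the two searches above, as an added Python example (not code from this page): it parses ldapsearch -LLL output, counts entries per subtree, flags any userPassword that comes back from the anonymous search, and for the administrative dump classifies each stored hash, which also covers the password-encoding question from Option 2: a crypt hash relabelled {md5} is reported as invalid because {MD5} can only ever match base64(md5(password)). The two LDIF dumps inside are constructed samples whose DNs follow this page's layout; the hashes are made up.

```python
"""Audit an ldapsearch -LLL dump: entries per subtree, userPassword exposure,
and the scheme of each stored hash. Added example; dumps are constructed."""
import base64
import binascii
import collections
import hashlib
import re
import sys


def parse_ldif(text):
    """Minimal RFC 2849 reader: unfold continuation lines, decode '::' values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, cur = [], {}
    for line in unfolded + [""]:
        if not line:
            if "dn" in cur:
                entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        cur.setdefault(name, []).append(value)
    return entries


def classify_password(value):
    """Name the scheme of a userPassword value; catch the mislabelled case."""
    m = re.match(r"\{([A-Za-z0-9-]+)\}(.*)", value, re.S)
    if not m:
        return "cleartext"
    scheme, h = m.group(1).upper(), m.group(2)
    if scheme == "CRYPT":
        if h.startswith("$1$"):
            return "crypt/md5crypt"        # $1$salt$hash, verified by crypt(3)
        if re.fullmatch(r"[./0-9A-Za-z]{13}", h):
            return "crypt/des"
        return "crypt/locked" if h in ("", "*") or h.startswith("!") else "crypt/other"
    if scheme == "MD5":
        # {MD5} is base64 of a raw 16-byte digest; anything else never verifies.
        try:
            ok = len(base64.b64decode(h, validate=True)) == 16
        except binascii.Error:
            ok = False
        return "md5" if ok else "md5/invalid"
    return scheme.lower()


def md5_value(password):
    """What a genuine {MD5} value looks like."""
    return "{MD5}" + base64.b64encode(hashlib.md5(password.encode()).digest()).decode()


def verify_md5(stored, password):
    """slapd's {MD5} check: compare against base64(md5(password)), nothing else."""
    m = re.match(r"\{md5\}(.*)", stored, re.I | re.S)
    return bool(m) and m.group(1) == md5_value(password)[5:]


def audit(text, anonymous=True):
    """anonymous=True: any userPassword in the dump means the ACL leaks hashes."""
    entries = parse_ldif(text)
    report = {"entries": len(entries), "subtrees": collections.Counter(),
              "schemes": collections.Counter(), "exposed": []}
    for e in entries:
        dn = e["dn"][0]
        report["subtrees"][dn.partition(",")[2]] += 1   # parent of the entry
        for pw in e.get("userPassword", []):
            if anonymous:
                report["exposed"].append(dn)
            report["schemes"][classify_password(pw)] += 1
    return report


# Constructed dumps; DNs follow this page's layout, hashes are made up.
ANON_DUMP = """\
dn: ou=auth,dc=example,dc=com
objectClass: organizationalUnit
ou: auth

dn: uid=bob,ou=Users,ou=auth,dc=example,dc=com
objectClass: posixAccount
uid: bob
cn:: Qm9iIFTDoWJvcg==
description: a long value that ldapsearch folds
  onto a continuation line
"""
ADMIN_DUMP = ANON_DUMP + """\
userPassword: {crypt}ab1xZ2cD3eF4g

dn: uid=alice,ou=Users,ou=auth,dc=example,dc=com
userPassword: {crypt}$1$Qx9T1zX2$V9mJ0cLy5f1hO6p3kE7Ua/

dn: uid=carol,ou=Users,ou=auth,dc=example,dc=com
userPassword: {md5}$1$Qx9T1zX2$V9mJ0cLy5f1hO6p3kE7Ua/
"""

if __name__ == "__main__":
    rep = audit(sys.stdin.read(), anonymous="--privileged" not in sys.argv[1:])
    print(rep)
    sys.exit(1 if rep["exposed"] else 0)
```

Usage: ldapsearch -x -LLL -h localhost | python3 ldif_audit.py should exit 0 with an empty "exposed" list; ldapsearch -x -LLL -W -D "cn=admin,dc=example,dc=com" -h localhost | python3 ldif_audit.py --privileged then shows the scheme counts, where anything reported as md5/invalid or cleartext needs fixing before users try to log in.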

v. Configure System to Use LDAP

See NSSLDAPSetup and PAMLDAPSetup.

Previous: OpenLDAPSetup Top: LDAP Next: LDAPMigrationExamples