[Fedora-directory-users] passwd/shadow/group --> fedora-ds HOWTO?

Elliot Foster elliotf at gratuitous.net
Wed Aug 31 16:25:23 UTC 2005


Bryan K. Wright wrote:
> Hi folks,
> 
> 	I've just started playing with fedora directory server,
> and I'm looking for a straightforward way to import existing
> Linux accounts (passwd/shadow/group files) into fedora-ds.
> 
> 	I've looked at the padl migration tools and tried
> them out, but they don't seem to quite get it right.  First,
> the groups are put into ou=Groups instead of ou=Group (as 
> fedora-ds expects).  Editing the ldif file to change Groups to
> Group allows me to import the group data, but then the objectClasses
> are wrong.  The padl tools create groups as class "posixGroup",
> but fedora-ds seems to use "groupofuniquenames" for groups.

Bryan, the object classes advertise how the entry's data may be used.  The same
entry may be used for multiple purposes.  You may want to use the same posix
groups for email or ACIs as well (for example).

> 	Also, the padl migration tools use objectClasses
> "posixAccount","account" and "shadowAccount" for entries in
> the passwd file, but fedora-ds seems to expect "person",
> "organizationalPerson" and "inetorgperson".

Again, 'person', 'organizationalPerson' and 'inetOrgPerson' are generic-ish LDAP
objectclasses.  These are describing the entry and its contents.  These are used
in different ways.  When you specify an objectclass of 'posixAccount' you are
saying that this entry is a posix account (aptly named).  Different
objectClasses allow/require different attributes.

For example, in order to store homeDirectory, gecos, uidNumber, gidNumber (LDAP
attribute equivalents of the /etc/passwd values) in the Directory, you will want
to use posixAccount.

Take a look at 'http://ldap.akbkhome.com/index.php/objectclass.html' to see what
objectClasses allow what attributes.  Specifically:
'http://ldap.akbkhome.com/index.php/objectclass/posixAccount.html'

> 	Has anybody written a simple HOWTO for migrating
> passwd/shadow/group files to fedora-ds?

How are you planning to access the data in the Directory?  libnss-ldap and
pam-ldap?  If so, there is a lot of flexibility in how you store the data.  You
can configure filters in those modules to find the data that you want.  You
might want to look at those, as there is some decent documentation, and then see
what THEY expect.

Hope that helps.

Elliot
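
Added example, not part of the original message or of the padl tools: a Python sketch that turns passwd lines into LDIF entries carrying both inetOrgPerson and posixAccount, and checks that each entry has the attributes those objectClasses require. The suffix dc=example,dc=com, the ou=People container, the min_uid cut-off and the surname rule are assumptions.

```python
import base64

PEOPLE_DN = "ou=People,dc=example,dc=com"  # assumption: placeholder container
# Constructed sample input in /etc/passwd format (not real accounts).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example,Room 1:/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/sh
"""
# Attributes each objectClass requires (MUST): RFC 2256 person, RFC 2307 posixAccount.
MUST = {
    "person": {"cn", "sn"},
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
}
CLASSES = ["top", "person", "organizationalPerson", "inetOrgPerson", "posixAccount"]

def passwd_to_entry(line):
    """Map one passwd line to (dn, attrs); the password field is never copied."""
    name, _pw, uid, gid, gecos, home, shell = line.strip().split(":")
    full = gecos.split(",")[0].strip() or name  # first GECOS field, else login
    attrs = {"objectClass": CLASSES, "uid": [name], "cn": [full],
             "sn": [full.split()[-1]],  # assumption: last word serves as surname
             "uidNumber": [uid], "gidNumber": [gid], "homeDirectory": [home],
             "loginShell": [shell], "gecos": [gecos]}
    return f"uid={name},{PEOPLE_DN}", {k: v for k, v in attrs.items() if v[0]}

def missing_must(attrs):
    """Return required attributes absent for the entry's objectClasses."""
    need = set().union(*(MUST.get(c, set()) for c in attrs["objectClass"]))
    return sorted(need - set(attrs))

def ldif_line(attr, value):
    """Emit 'attr: value'; base64-encode values LDIF cannot carry as plain text."""
    if value.isascii() and value.isprintable() and value[0] not in " :<" and value[-1] != " ":
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode()).decode()}"

def migrate(passwd_text, min_uid=1000):
    """Convert passwd text to LDIF, skipping system accounts below min_uid."""
    out = []
    for line in filter(None, passwd_text.splitlines()):
        if int(line.split(":")[2]) < min_uid:
            continue
        dn, attrs = passwd_to_entry(line)
        if missing_must(attrs):
            raise ValueError(f"{dn}: missing {missing_must(attrs)}")
        pairs = [("dn", dn)] + [(a, v) for a, vs in attrs.items() for v in vs]
        out.append("\n".join(ldif_line(a, v) for a, v in pairs) + "\n")
    return "\n".join(out)
```

migrate(SAMPLE_PASSWD) returns the LDIF text for alice and bob; root is left as a local account, and no password hash is written.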
