Hi,

The NetInfo Migration feature is intended to be used to copy users from a *network* NetInfo domain into an LDAP container. I'm guessing that perhaps your NetInfo users are *local* users, and so the feature has nothing to do. If your NI users are indeed network (and not local) users, there is probably a way to re-enable the NI migration feature, though I suggest a different method.

You may instead want your users' passwords to be stored and validated by the Password Server, as opposed to the legacy 'crypt' method, in which crypt hashes are stored in the user record (like with NetInfo). This is discussed in Chapter 3 of the Open Directory Administration guide: http://images.apple.com/server/pdfs/Open_Directory_v10.4.pdf

One important thing to know is that if you do the "NetInfo Migration" with the button in WGM, the LDAP users that get created will not be password server users, and you'll be unable to use many open directory features. Additionally, leaving crypt hashes in a world-readable place (like an NI or LDAP user record) is kind of a bad idea, so it's really good to get everybody over to password server.

The password server maintains its own separate database of password records which are linked to LDAP user records via the password server slot ID, which is stored in the AuthenticationAuthority user record attribute (along with some other password server related info). The bad news is that there's no way to automatically convert a user from the crypt style to the open directory password server style (if there were, the NetInfo migration assistant would do it, and I wouldn't be suggesting that you not use it :). This is because you need to start with the cleartext password when creating an entry in the password server database (this happens when you flip the password type in WGM), and there's no way to get the cleartext password from a crypt hash other than a dictionary attack.

Because of this, in order to add the users with password server style passwords (or convert existing crypt users to password server), you'll need to set new passwords on all the accounts. But that's getting ahead of things a bit... You can still use WGM to export the user records from NI; you'll get everything you need except the password. That export file can then be imported into your LDAP container, also using WGM. If you're up for some scripting, it's not too tough, and there are some resources around to help with much of it (macenterprise, bombich's various script collections...). If it all seems too daunting, check out Passenger: http://macinmind.com/?pid=2&progid=1&subpid=1

As a case study, here's how I did it recently for an active campus of NetInfo users. Bring up some fresh OD servers alongside the existing NI stuff. I wrote a perl script to scrape the data (users, groups, mounts, machines) out of NetInfo (using nicl) and to then add corresponding LDAP objects into the OD servers, using Perl's Net::LDAP module for the LDAP interactions. Then I generated pseudo-random passwords for all the OD accounts, and applied them using dsimport. Then we wrote some web tools that ran on a server which straddled both the old NI and the new OD. This web tool was given knowledge of the pseudo-random passwords used to create the OD users, and its purpose was to let users migrate their own passwords into OD in a self-service fashion. It worked by challenging a user for their NetInfo credentials, and then (if successful) using the NI password as the new password in a password change operation performed in OD.

But that's all somewhat complicated, to avoid disturbing workflow and to let people migrate at their own pace (during a window where NI and OD were maintained in parallel). If you can, just set new passwords for everybody and mail them out, then set the 'requires password change at next login' bit.

Hope this helps,
-Andre

(p.s. sorry if your email client doesn't thread this with the original question; I composed this one from scratch, as I just recently (re)subscribed to this list as I was browsing the archives)
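The first step of the case study above, as an added example that is not part of the original message or of Andre's Perl script: parse a constructed dump in the style of `nicl` user records, flag the accounts whose `passwd` attribute still carries a readable crypt hash (the world-readable hashes the message warns about), and generate the pseudo-random initial passwords that would later be applied with dsimport and marked "must change at next login". The record layout and the `********` placeholder for a non-crypt user are assumptions made for the sample.

```python
import re
import secrets
import string

# Constructed sample of NetInfo user records, written in the "key: value"
# style that nicl prints. Not real data from the message or any system.
NICL_DUMP = """\
name: alice
passwd: ab8f5x2Yq1Zp.
uid: 501
gid: 20
realname: Alice Example

name: bob
passwd: ********
uid: 502
gid: 20
realname: Bob Example
"""

# Traditional DES crypt(3): 2-char salt + 11-char hash, all from [./0-9A-Za-z].
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
ALPHABET = string.ascii_letters + string.digits

def parse_nicl_users(dump):
    """Split a blank-line separated nicl-style dump into one dict per user."""
    users, rec = [], {}
    for line in dump.splitlines():
        if not line.strip():            # blank line ends a record
            if rec:
                users.append(rec)
                rec = {}
            continue
        key, _, value = line.partition(":")
        rec[key.strip()] = value.strip()
    if rec:
        users.append(rec)
    return users

def has_readable_crypt_hash(rec):
    """True when the record exposes a legacy crypt hash in its passwd field."""
    return bool(CRYPT_RE.match(rec.get("passwd", "")))

def new_password(length=16):
    """Pseudo-random initial password from the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def plan_migration(dump):
    """One row per user: legacy-hash flag, fresh password, forced change."""
    return [{"name": r["name"], "uid": int(r["uid"]),
             "legacy_crypt": has_readable_crypt_hash(r),
             "initial_password": new_password(), "must_change": True}
            for r in parse_nicl_users(dump)]
```

The rows returned by `plan_migration` are what a dsimport file (or the self-service tool's password table) would be built from; the crypt hashes themselves never need to leave the NI server.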
_______________________________________________
Macos-x-server mailing list. Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/macos-x-server/