[Scottish] LDAP migration help

Gavin Henry ghenry at suretecsystems.com
Wed Jun 13 15:19:39 BST 2007

<quote who="Phillip Bennett">
> Hi everyone,
> I am trying to migrate our NIS services (users, autofs etc) to an LDAP
> server. I have found the Migration Tools from PADL (www.padl.com) and I am
> having a few weird problems.

Hi Phillip,

> When running the "migrate_all_nis_online.sh" script, I receive the
> following
> error:
> adding new entry "uid=clare,ou=People,dc=mve,dc=com"
> ldap_add: Invalid syntax (21)
>         additional info: objectClass: value #6 invalid per syntax


> objectClass: inetLocalMailRecipient
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: kerberosSecurityObject

ObjectClasses start from #0, so value #6 in your LDIF is

This will be included for the attribute 'krbName'.

This attribute isn't part of any of the schema files you have included in

> All the howtos I have read so far indicate that the "USE_EXTENDED_SCHEMA"
> value should be set to 1.  However, if I set it to 0, the LDIF file gives
> the following data:

Which Howto? Howtos are bad ;-)

> dn: uid=clare,ou=People,dc=mve,dc=com
> uid: clare
> cn: Clare Bond
> objectClass: account
> objectClass: posixAccount
> objectClass: top
> userPassword: {crypt}<snip!>
> loginShell: /bin/tcsh
> uidNumber: 2049
> gidNumber: 20
> homeDirectory: /homes/clare
> gecos: Clare Bond
> 
> Then, the resulting LDIF file works properly (after a bout of deleting
> duplicate service information) and I have an LDAP database.  So the
> question
> becomes, "Do I need the extended schema?"

* mailRoutingAddress
* mailHost
* inetLocalMailRecipient
* kerberosSecurityObject
* krbName

If all you want to do is import the user accounts, you definitely don't
need these.

If you really want krbName, see:


Whose version of OpenLDAP are you using btw?

In the Red Hat rpms you'll notice:

"* Wed Apr 30 2003 Nalin Dahyabhai <nalin at redhat.com>
  - update to 2.1.17
  - disable the shell backend, not expected to work well with threads
  - drop the kerberosSecurityObject schema, the krbName attribute it
    contains is only used if slapd is built with v2 kbind support"

> The relevant includes from the slapd.conf file are: core.schema,
> cosine.schema, inetorgperson.schema, nis.schema, samba.schema,
> autofs.schema and misc.schema.  I am hoping to be able to use the LDAP
> server for samba authentication later on (If it ever works!) and
> authenticate the windows clients to the samba server, thus giving linux
> and
> windows a single user database for everything.

You'll then need to either migrate an existing tdb backend Samba setup
with pdbedit to import from tdb to LDAP:

pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host

(man pdbedit)

Or use the smbldap-tools to add the samba attributes. See the main Samba
docs for this.



Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry at suretecsystems.com

Open Source. Open Solutions(tm).
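Added example (not part of the message above, and not PADL or OpenLDAP code): a small script that does by hand what the reply describes, namely counting objectClass values from #0 the way slapd's "value #N invalid per syntax" message does, flagging any objectClass the loaded schema files do not define, and stripping that class plus the attributes only it allows (here krbName) so the entry imports. The set of known object classes, the mapping from extended classes to their attributes, and the sample entry (modelled on the uid=clare entry in the post, with an invented krbName value) are all constructed assumptions; a real run would derive the known set from the schema files actually included in slapd.conf.

```python
"""Find and strip objectClass values that the loaded slapd schema does not
know, reproducing slapd's 0-based "objectClass: value #N invalid" numbering.
Added example; the schema sets below are assumptions, not parsed schema."""

# Assumed: object classes defined by the schema files the poster includes
# (core, cosine, inetorgperson, nis, misc).  Constructed for this example.
KNOWN_CLASSES = {
    "top", "person", "organizationalPerson", "inetOrgPerson", "account",
    "posixAccount", "shadowAccount", "inetLocalMailRecipient",
}

# Assumed: classes PADL's USE_EXTENDED_SCHEMA=1 emits and the attributes
# each one allows, taken from the names discussed in the reply.
EXTENDED_CLASSES = {
    "kerberosSecurityObject": {"krbName"},
    "inetLocalMailRecipient": {"mailRoutingAddress", "mailHost"},
}

# Constructed sample entry; the krbName value is invented.
SAMPLE_LDIF = """\
dn: uid=clare,ou=People,dc=mve,dc=com
uid: clare
cn: Clare Bond
sn: Bond
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
userPassword: {crypt}xxxxxxxxxxxxx
loginShell: /bin/tcsh
uidNumber: 2049
gidNumber: 20
homeDirectory: /homes/clare
gecos: Clare Bond
krbName: clare@MVE.COM
"""


def unfold(text):
    """Join LDIF folded lines (continuations start with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries, each an ordered list of (attr, value).
    Comments are skipped; base64 ('::') values stay as the encoded text."""
    entries, current = [], []
    for line in unfold(text):
        if line == "":
            if current:
                entries.append(current)
                current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.append((attr.strip(), value.strip()))
    if current:
        entries.append(current)
    return entries


def invalid_objectclasses(entry, known=KNOWN_CLASSES):
    """[(index, value)] for objectClass values absent from the loaded
    schema; index is 0-based, matching slapd's 'value #N' message."""
    values = [v for a, v in entry if a.lower() == "objectclass"]
    return [(i, v) for i, v in enumerate(values) if v not in known]


def strip_classes(entry, classes):
    """Drop the named objectClass values and, for classes in the assumed
    EXTENDED_CLASSES map, the attributes only those classes allow."""
    dropped_attrs = set()
    for c in classes:
        dropped_attrs |= EXTENDED_CLASSES.get(c, set())
    return [(a, v) for a, v in entry
            if not (a.lower() == "objectclass" and v in classes)
            and a not in dropped_attrs]


def to_ldif(entry):
    return "\n".join(f"{a}: {v}" for a, v in entry) + "\n"


def fix_ldif(text, known=KNOWN_CLASSES):
    """Return (cleaned LDIF text, list of report lines) for a whole file."""
    fixed, report = [], []
    for entry in parse_ldif(text):
        dn = next(v for a, v in entry if a.lower() == "dn")
        bad = invalid_objectclasses(entry, known)
        for i, v in bad:
            report.append(f"{dn}: objectClass value #{i} ({v}) "
                          "not in loaded schema")
        fixed.append(strip_classes(entry, {v for _, v in bad}))
    return "\n".join(to_ldif(e) for e in fixed), report


if __name__ == "__main__":
    cleaned, notes = fix_ldif(SAMPLE_LDIF)
    print("\n".join(notes))
    print(cleaned)
```

Run against the sample it reports value #6 (kerberosSecurityObject) for uid=clare and emits the entry without that class or krbName; inetLocalMailRecipient survives because misc.schema, which the poster does include, defines it. Stripping is the right fix only for attributes you do not need; if krbName or the mail routing attributes are wanted, the schema that defines them has to be included in slapd.conf instead.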

