LDAP User merging/migration

ldap
9.1.x

#1

Posted this on the mailing list, then figured out that it should have been here. Sorry.

I’ve got an old AD setup linked via LDAP, and a new LDAP server set up and configured. The uid and cn are not the same between the systems, because, well, Microsoft. How messed up am I going to make things by changing the new LDAP user’s owncloud_name and directory_uuid to match the AD user’s owncloud_name and directory_uuid and keeping both users? At some point, hopefully in the very near future, I’d ideally delete the old AD users from the table, but the existing UUID and owncloud_name (which seem to be the same down the line) are what it seems I’m interested in keeping.

I've read about the hints to do something similar, but I've not seen anything about having separate LDAP directories linked to the same OC user for a span of time.


#2

(Chirp. Chirp, chirp. Awfully quiet!)
Is this something that those that care already feel is answered somewhere else, or is this something that nobody has tried? Some direction one way or another by those more experienced in LDAP would be helpful, please.


#3

Most people keep their LDAP/AD around, so changing UIDs is not very common ... how many users are we talking about?


#4

I think it's around 30 active on this site, and maybe up to 60 total possible, so not tremendous numbers. Looking around the forums and the mailing list, this doesn't seem to be an out of the ordinary scenario. LDAP has a robust design that enables migration and fluidity. Unfortunately, sometimes the fluidity makes for some turbulence on the back side.


#5

I'm not sure if I understand this clearly: You have 2 Servers, one (AD->LDAP) and one LDAP. Both have the same users but with different UUIDs?

About the link between AD->LDAP, can you explain in more detail how you did it? Because you should load the rwm module and remap the attribute sAMAccountName to UID (not UUID) and then use it.

You have the same user in both systems? Could you provide your occ ldap:show-config to see how you configured both servers?

If you remove the old AD, you could transfer the ownership to the new user and then delete the one from AD; probably you have to add the remnant list by hand.

What do you want to achieve here? I guess transferring the ownership could do the job.
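Added example (not from the thread or from ownCloud itself): with a few dozen accounts, the ownership transfer suggested above is easier to get right if the old AD account and the new LDAP account are paired by an attribute both directories share (assumed here to be mail, with constructed exports) and anything that does not pair one-to-one is left for hand review rather than transferred to the wrong user. The occ command assumed is files:transfer-ownership as shipped in ownCloud 9.x.

```python
# Added example: pair each old AD account with its new LDAP account by a shared
# attribute and emit the occ ownership-transfer commands, refusing any match
# that is not unique. All data below is constructed.
import csv
import io
import shlex

# Constructed exports: owncloud_name plus the attribute both directories share (mail).
OLD_AD = """owncloud_name,mail
jdoe,jdoe@example.org
asmith,asmith@example.org
bjones,bjones@example.org
dupe1,shared@example.org
"""
NEW_LDAP = """owncloud_name,mail
john.doe,jdoe@example.org
alice.smith,asmith@example.org
dupe2,shared@example.org
dupe3,shared@example.org
"""

def index_by_mail(export):
    """Map the shared attribute to the list of owncloud_names carrying it."""
    idx = {}
    for row in csv.DictReader(io.StringIO(export)):
        idx.setdefault(row["mail"].strip().lower(), []).append(row["owncloud_name"])
    return idx

def plan_migration(old_export, new_export):
    """Return (commands, skipped). A pair is used only if both sides are unique."""
    old, new = index_by_mail(old_export), index_by_mail(new_export)
    commands, skipped = [], []
    for mail, old_names in sorted(old.items()):
        new_names = new.get(mail, [])
        if len(old_names) != 1 or len(new_names) != 1:
            # unmatched or ambiguous: do not guess, hand-check these (the "remnant list")
            skipped.append((mail, old_names, new_names))
            continue
        src, dst = shlex.quote(old_names[0]), shlex.quote(new_names[0])
        # occ files:transfer-ownership (ownCloud 9.x), run as the web server user
        commands.append(f"sudo -u www-data php occ files:transfer-ownership {src} {dst}")
    return commands, skipped

if __name__ == "__main__":
    cmds, skip = plan_migration(OLD_AD, NEW_LDAP)
    print("\n".join(cmds))
    for mail, o, n in skip:
        print(f"# SKIPPED {mail}: old={o} new={n}")
```

Review the printed SKIPPED lines before running anything; the old AD accounts are only deleted once every transfer has been verified.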


#6

Yes, that's the basics. It probably could have been more cleanly done in the past, but that's where we are at.

Load the rwm module in OC, or in the OS? I'm not familiar with that module. However, that would also assume that the new LDAP server has a sAMAccountName attribute, correct? (Hint: It doesn't, and I'm not currently looking to add it.)

I could, but it feels like it would muddy the waters at this point.

Sounds like this is the better plan, though not as potentially "painless" as I had hoped. I'll just have to block out some maintenance time and make it happen.

Yes, it sounds like it. I was just hoping there was a way to do a slow transition, rather than a mass "everybody close your eyes for a while" type of transition.

Thanks for the thoughts! I appreciate the time.