Migrating existing users to LDAP

Hi,

I followed the instructions found at http://www.virtualmin.com/documentation/id,combining_virtualmin_and_ldap/ and was successfully able to set up LDAP on my server. However, I have a lot of existing virtual servers on this server, and am therefore wondering how to migrate my existing user accounts, mail aliases, virtual domains, etc. to LDAP.

Is this possible?

Thanks, -Logan

Status: Active

Comments

We don't have any automation set up for user migration. However, one thing that should work is backing up your domains, deleting them, and then restoring on the same Virtualmin system. This should re-create the users and aliases in LDAP.

Try this one domain at a time though, to make sure it works!

Hi Jamie,

Thanks for your response. After following the documentation linked to in my original post, I have the DN for users set to dc=clients,dc=airshock,dc=net and the DN for groups set to dc=groups,dc=airshock,dc=net.

My question is, when restoring virtual servers as you mentioned in your post, how can I tell Virtualmin to create users and groups in these respective DNs?

Thanks!

You need to configure this in the LDAP Users and Groups module, which is in Webmin under the System category. You can verify that the correct DN base is being used by creating a user and group in that module.

So once I do this I just back up all virtual servers, delete them, and then re-create them and I should have LDAP users imported? Is there anything else I need to do, or any special options to check when backing up or restoring virtual servers?

Yes, that should work - assuming that your system is already configured to use LDAP for new domains.

But please try this one domain at a time though, in case it doesn't work.

Just to be sure, when I try this on just one domain, how can I check to see if everything worked as it should? e.g. what are the steps to take to confirm LDAP is working after deleting and re-creating one domain?

I guess check if the domain's website still works, if you can login as the domain owner, and ensure that the user and group aren't in /etc/passwd and /etc/group respectively.

So I've run into a little problem with LDAP. I went to the LDAP Client module in Webmin and hit Validate Configuration to test that everything works, and it is fine until it gets to the "Looking for Unix user example" step, where it says the user does not exist. But the LDAP Browser shows me that there is a user named example and it does exist in the right DN and etc. And when I created my DN for users, I did check the "Create Unix user object" box or whatever as indicated in the "Combining Virtualmin and LDAP" article. What could be the problem?

Make sure that your system is configured to fetch Unix users from the LDAP server - this can be done in the LDAP Client module, under "Services using LDAP"

Already done, as per the documentation article. Here is the output from the validator:

Validating LDAP Configuration
Finding LDAP base for users .. .. found base dc=clients,dc=airshock,dc=net.
Connecting to LDAP server .. .. connected to 127.0.0.1
Searching for users .. .. found 1 users.
Checking Unix users service .. .. service is setup to query LDAP.
Looking for Unix user example .. . user does not exist.

I found a thread about creating /etc/nslcd.conf and I did that as per the comments in the file, and then started NSLCD with /etc/init.d/nslcd start, and it started OK but the validation is still failing.

If you'd like, Jamie, I can send you login details for my server if you want to take a look at things. I am very new to LDAP and it seems the documentation on the Virtualmin site doesn't take into account CentOS 6 and its use of NSLCD, slap.conf, etc. (the article was apparently written in 2009). Thanks!

Hi Jamie, I just sent login details. Thanks for taking a look at this. :)

Thanks, I see the problem and was able to fix it on your system.

Basically, in your /etc/nslcd.conf file the line "scope base" had to be changed to "scope sub" so that LDAP users in sub-"directories" could be found. Also, I had to run /etc/init.d/nslcd restart.

The deeper issue is that Virtualmin doesn't properly automatically configure LDAP on CentOS 6. I'll also work on fixing that.

Thanks so much for fixing the issue, Jamie! I edited nslcd.conf manually yesterday following the comments in the file and didn't know what to do with the sub lines. But now the configuration validator works perfectly.

The only problem I am facing now is that when I go to restore my virtual servers, it throws an error because it's trying to create a Unix group but one with the same name already exists. I know how to fix it--just delete the group with the same name--but my concern is, why is it wanting to create Unix users and groups? It should be creating LDAP users and groups, right? I mean now that LDAP is set up properly.

Thanks, -Logan

Another issue that I run into when restoring virtual servers is that the alias cannot be created because the error "no structural object class provided" shows up. I followed the instructions in the documentation about changing the LDAP schema for Postfix and etc. but that still doesn't fix the problem.

When you say the group already exists, do you mean that it exists in /etc/group on the system?

Or that it already exists in LDAP?

It already existed in /etc/group. I went in and deleted all the stray users and groups left behind from when I used Virtualmin to back up the servers and then delete them, and now when I restore the servers it doesn't create users and groups in LDAP, but rather in /etc/passwd and /etc/group, and when it tries to create aliases and add domain mailboxes it fails with the "no structural object class provided" error mentioned above.
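An added example, not part of this thread and not Virtualmin or nslcd code: a small Python check that models LDAP search-scope semantics to show why "scope base" in /etc/nslcd.conf makes the validator's "Looking for Unix user example" step fail while "scope sub" succeeds, and that also lists stray entries in the local passwd and group files, which is what produces the "group already exists" error when a virtual server is restored. The user DN (placed under ou=people), the nslcd.conf contents and the passwd/group lines are constructed for the example.

```python
# Added example (not Virtualmin code): pre-restore checks for a host whose
# users and groups are meant to live in LDAP via nslcd. The config text,
# passwd/group contents and the user's DN below are constructed.

# nslcd accepts these spellings for the search scope; nslcd's default is subtree.
SCOPE_ALIASES = {"subtree": "sub", "onelevel": "one", "base": "base",
                 "sub": "sub", "one": "one"}

def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around commas so that
    'uid=x, dc=a' and 'uid=x,dc=a' compare equal (escaped commas ignored)."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def scope_matches(base_dn, scope, entry_dn):
    """True if a search rooted at base_dn with the given scope can return
    entry_dn (RFC 4511, 4.5.1.2). 'base' matches only the base entry itself,
    which is why 'scope base' in nslcd.conf makes every user lookup fail."""
    scope = SCOPE_ALIASES[scope]
    base, entry = normalize_dn(base_dn), normalize_dn(entry_dn)
    if entry == base:
        return scope in ("base", "sub")
    if scope == "base" or not entry.endswith("," + base):
        return False
    relative = entry[: -(len(base) + 1)]          # RDNs above the base
    return scope == "sub" or "," not in relative  # 'one' = exactly one RDN

NSLCD_MAPS = {"passwd", "group", "shadow", "netgroup", "hosts", "services",
              "aliases", "ethers", "networks", "protocols", "rpc"}

def parse_nslcd_conf(text):
    """Collect the 'base' and 'scope' directives of an nslcd.conf, keeping the
    per-map forms ('base passwd <dn>', 'scope group sub') separate from the
    global ones (stored under '*'). This simplified parser keeps the last
    value seen; real nslcd allows several 'base' lines per map."""
    conf = {"base": {}, "scope": {}}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 2)
        if len(parts) < 2 or parts[0] not in conf:
            continue
        if len(parts) == 3 and parts[1] in NSLCD_MAPS:
            conf[parts[0]][parts[1]] = parts[2].strip()
        else:
            conf[parts[0]]["*"] = " ".join(parts[1:])
    return conf

def effective(conf, directive, map_name, default=None):
    """Per-map setting if present, else the global one, else the default."""
    return conf[directive].get(map_name, conf[directive].get("*", default))

def lint_user_lookup(conf, user_dn):
    """Explain whether nslcd, as configured, could resolve the user entry at
    user_dn. Returns (ok, message)."""
    base = effective(conf, "base", "passwd")
    scope = effective(conf, "scope", "passwd", "sub")
    if base is None:
        return False, "no 'base' directive applies to the passwd map"
    if scope_matches(base, scope, user_dn):
        return True, "reachable from base %s with scope %s" % (base, scope)
    return False, ("%s is not reachable from base %s with scope %s; set "
                   "'scope sub' (or 'scope passwd sub') and restart nslcd"
                   % (user_dn, base, scope))

def stray_local_accounts(passwd_text, group_text, names):
    """Names that still have entries in the local passwd/group files. A local
    group blocks Virtualmin from re-creating it on restore, and with
    'passwd: files ldap' in nsswitch.conf a local user shadows the LDAP one."""
    def first_fields(text):
        return {l.split(":", 1)[0] for l in text.splitlines()
                if l.strip() and not l.startswith("#")}
    users, groups = first_fields(passwd_text), first_fields(group_text)
    return {"users": sorted(n for n in names if n in users),
            "groups": sorted(n for n in names if n in groups)}

# Constructed sample data (the ou=people placement of the user is assumed).
USER_DN = "uid=example,ou=people,dc=clients,dc=airshock,dc=net"

NSLCD_BROKEN = """\
# constructed nslcd.conf resembling the thread's state before the fix
uri ldap://127.0.0.1/
base dc=clients,dc=airshock,dc=net
base group dc=groups,dc=airshock,dc=net
scope base
"""
NSLCD_FIXED = NSLCD_BROKEN.replace("scope base", "scope sub")

PASSWD = "root:x:0:0:root:/root:/bin/bash\nnobody:x:99:99::/:/sbin/nologin\n"
GROUP = "root:x:0:\nexample:x:1001:\n"   # constructed: stray group left behind

def run_checks():
    """Run both checks on the constructed data and return the findings."""
    ok, msg = lint_user_lookup(parse_nslcd_conf(NSLCD_BROKEN), USER_DN)
    fixed_ok, _ = lint_user_lookup(parse_nslcd_conf(NSLCD_FIXED), USER_DN)
    return {"broken_ok": ok, "broken_msg": msg, "fixed_ok": fixed_ok,
            "stray": stray_local_accounts(PASSWD, GROUP, ["example"])}

if __name__ == "__main__":
    for key, value in run_checks().items():
        print(key, "->", value)
```

On a real host the same two checks would read /etc/nslcd.conf, /etc/passwd and /etc/group directly and take the user's DN from the LDAP Browser in Webmin; after fixing the scope, "getent passwd example" should succeed while "grep '^example:' /etc/passwd" returns nothing, which is the verification Jamie describes earlier in the thread.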

I can login to your system again and look into this - just let me know where the backups you are trying to restore are located.

Good news - I was finally able to get LDAP support working after spending over a week on this. I ended up setting up LDAP on a new Ubuntu 14.04 cloud server instance because I kept getting stuck with problem after problem on my main CentOS dedicated server, plus I figured it would be a good idea to have LDAP off-site so that if the primary server goes down, the LDAP machine, which is on a popular cloud provider's network, will remain active. It was a lot easier to get LDAP running on Ubuntu, even by following the outdated documentation on the Virtualmin site, and my guess as to why is that CentOS and Ubuntu probably handle LDAP differently. Anyway, it would be nice to be able to get to the bottom of why I couldn't get LDAP support working on CentOS, so that if I ever want to get it going on CentOS, or if any other Virtualmin users wish to do so, it can be done cleanly. It would also help if the Virtualmin documentation on LDAP was updated as it seems like it hasn't been touched since 2009.

Jamie, thank you for all of your help on this issue. I appreciate all of the work you've done and suggestions/comments/tips/answers you've given. If you'd like to work with me to get LDAP running on CentOS and fix the remaining problems that were there I would be happy to try this with you.

Thanks!

A very interesting thread. I too am about to set up LDAP on my fresh Ubuntu 14.04 LTS, but was worried that the how-to was a bit out of date.

Do you have any notes about issues you encountered with setting this up?

Hi Ashley,

I apologize for not getting back to this thread sooner. Anyway, I am writing up a blog post now that details the steps I took to get LDAP working and should have that done in just a little bit, so I'll post a link here when done.

Thanks!

airshock

Thanks in advance. I have been putting this one off till all the other bits are in place; I will try and wait till you have it up, as I do not want to go down any blind alleys.

Here is a link to the blog post I just wrote up on this: https://blog.airshock.net/ah-ubuntuldap/

Please feel free to post in the comments of that blog or here in this issue if you have any problems or questions, or need me to walk you through something in more fine-grained detail (which I will be happy to do).

Thanks!

Airshock.

Just wanted to say thanks, as with the help of your blog and the various posts I got it up and running very well.

Are you planning to set up replication to other LDAP servers at some point?

My apologies for not getting back to your message in a timely manner. I'm glad that I and others were able to help you get your system configured.

I haven't thought about LDAP replication but now that you mention it I may want to replicate my user base to another server in the future. I don't know how to configure replication at this point though and would have to do research in order to figure out just how it's done.

Thanks, -Logan

Re replication: there is a good write-up in the Ubuntu 14.04 LTS docs. The docs were very helpful in getting the schemas I wanted installed. It would be good to have several copies of the main LDAP DB.

However, I think I have to sort out my certs before I try the replication.

FYI, the upcoming 1.700 Webmin release will better support LDAP client setup on CentOS 7.