
Re: [SAGE] LDAP Migration Question



This is a very real problem. When we integrate a nonstandard system (say, 
from an acquisition), our script first extracts all of the existing files' 
uid and gid data, then the script can rationally flip uids and gids for all 
files, including those with conflicts.


There are other issues in mixed environments - default GIDs, default shells, 
and home directory locations may not be cross-compatible (or only somewhat 
compatible). You also need to ensure that user 'jsmith' really means the 
same person on every machine. If no one has been controlling username 
creation centrally, you're in for a very large task indeed.

For generic accounts (e.g. 'oracle' or other vendor-specific accounts) you 
need to decide if you're going to allow direct signon to the ID, and whether 
having access to a facility like Oracle on one machine should necessarily 
give access to Oracle everywhere.  If you're not using sudo for access to 
such generics now, you should really consider doing it now to give you finer-
grained control over generic user accounts.

- Richard

Sean Kelly wrote:
> On Fri, Jun 29, 2007 at 11:43:51AM -0500, Chris St. Pierre wrote:
> ...
>> #!/bin/bash
>> # invoke as fixerator.sh username new-uid
>> # this is untested, and probably won't work, but you get the idea
>> old_uid=`getent passwd "$1" | awk -F: '{print $3}'`
>> # usermod refuses a uid that is already in use and re-owns the home directory itself
>> usermod -u "$2" "$1"
>> # -uid matches the numeric owner; -h re-owns symlinks rather than their targets
>> find / -uid "$old_uid" -exec chown -h "$2" {} +
> 
> This is the approach I'd use as well, however be very careful. Let's say
> you've got something like this:
> 
> Old UID   New UID
> --------- ---------
>   1000      2000
>   2000      2001
> 
> When you use the template script above, you could potentially end up with
> all files being owned by uid 2001. To be more clear (maybe), be careful you
> don't map old to new where the new is equal to other old that haven't yet
> been remapped.
> 
> If you have a backup of the entire system and you've got a long enough
> chunk of downtime, it might be better to make a script that makes a list of
> all files with their uid and gid, then make changes based on that stored
> list rather than doing another `find` for every iteration. Going further,
> it might be best to do it all at once instead of incrementally assuming
> you're fairly sure you've got it right and can fairly easily roll back.
>
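The snapshot-then-remap approach that both Richard and Sean describe, as an added example that is not code from this thread: take one listing of every file's numeric uid and gid before touching anything, then compute each file's new owner from its original ids in that listing, so a chain such as 1000->2000, 2000->2001 cannot cascade. The snapshot line format ("uid<TAB>gid<TAB>path"), the "old new" map-file format, the function names and the use of GNU find's -printf are all assumptions made for this example. naive_sequential is included only to reproduce the cascade the thread warns about on the same constructed input.

```shell
#!/bin/sh
# Added example: collision-safe uid/gid remapping driven by a one-time snapshot.
# Assumed conventions (not from the thread): snapshot lines are "uid<TAB>gid<TAB>path",
# map files are "old new" per line, and snapshot_owners relies on GNU find's -printf.

# snapshot_owners ROOT: record every file's numeric owner and group once, before
# any change is made. -xdev keeps it to one filesystem, so run it once per
# filesystem you intend to touch, as root, and keep the output with your backup.
snapshot_owners() {
    find "$1" -xdev -printf '%U\t%G\t%p\n'
}

# plan_remap SNAPSHOT UIDMAP GIDMAP: for each file whose owner or group changes,
# print "path<TAB>olduid:oldgid<TAB>newuid:newgid". Each file's new ids are looked
# up from its ORIGINAL ids in the snapshot, so a map like 1000->2000, 2000->2001
# cannot cascade: a file that was 1000 becomes 2000 and stays there.
plan_remap() {
    awk -F'\t' -v uidmap="$2" -v gidmap="$3" '
    BEGIN {
        while ((getline line < uidmap) > 0) { split(line, f, " "); u[f[1]] = f[2] }
        while ((getline line < gidmap) > 0) { split(line, f, " "); g[f[1]] = f[2] }
    }
    {
        nu = ($1 in u) ? u[$1] : $1
        ng = ($2 in g) ? g[$2] : $2
        if (nu != $1 || ng != $2) printf "%s\t%s:%s\t%s:%s\n", $3, $1, $2, nu, ng
    }' "$1"
}

# naive_sequential SNAPSHOT UIDMAP: simulate running "find / -uid OLD | xargs chown NEW"
# once per map line, in file order, and print each path's final uid. This is the
# cascade from the thread: after the 1000->2000 pass, the 2000->2001 pass re-owns
# those same files again.
naive_sequential() {
    awk -F'\t' -v uidmap="$2" '
    { uid[NR] = $1; path[NR] = $3 }
    END {
        while ((getline line < uidmap) > 0) {
            split(line, f, " ")
            for (i = 1; i <= NR; i++) if (uid[i] == f[1]) uid[i] = f[2]
        }
        for (i = 1; i <= NR; i++) printf "%s\t%s\n", path[i], uid[i]
    }' "$1"
}

# apply_plan PLAN: chown every path to its planned "uid:gid" (needs root).
# -h re-owns symlinks themselves instead of following them to their targets.
apply_plan() {
    tab=$(printf '\t')
    while IFS="$tab" read -r path old new; do
        chown -h "$new" "$path" || echo "failed: $path ($old -> $new)" >&2
    done < "$1"
}
```

Typical use is snapshot_owners / > owners.snap, plan_remap owners.snap uid.map gid.map > remap.plan, review the plan (it is the record you would roll back from, together with the backup), then apply_plan remap.plan during the downtime window. Because the plan is computed entirely from the snapshot, the order of entries in the map files no longer matters, which is the property the thread is after.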