Linux – How to map existing LDAP users to users in a different LDAP server

Tags: authentication, ldap, linux

We set up some Linux machines to use our company's LDAP server for authentication. We were then acquired by another company, and they want us to use their LDAP server and retire the old one. But the user names are not the same – the old names are now IDs. "asmith" might now be represented by "AS31328", and "asmith" doesn't appear anywhere in the record.

Is there a way I can configure the machine to allow the existing user names but map them to the correct user IDs in the new LDAP server? New users would have to use their ID instead of the old name, but existing users would still be able to use asmith/password and the mapping "asmith <-> AS31328" would point to the AS31328 user in LDAP.

Alternatively, can I rename the existing accounts so that going forward, you'd have to log in using AS31328 instead of asmith but your existing files and permissions would remain?

Best Answer

You should really rename your accounts to conform to your new company's naming convention (whatever that may be). You can rename accounts on unix systems to your heart's content as long as the UID and GID NUMBERS do not change (the name is a convenient label - the numeric ID is what gets used for all internal checks).

Ideally you should migrate to using the new company's LDAP directory, and add the appropriate RFC 2307 attributes to the objects in that directory so your unix systems can authenticate against it.

In terms of migration and renaming, pam_ldap defaults to using the RFC 2307 compliant uid attribute for determining a user's login name.
As long as the uid attribute (and other relevant details like uidNumber and gidNumber) match your old system's configuration, you can switch to the new LDAP server with no noticeable impact.

If the uid attribute is different in the new environment and cannot be changed you can extend your LDAP schema to include some other attribute (like cn) which does match the old login names and configure pam_ldap to use that attribute via the pam_login_attribute configuration directive.

If you go this route it is important that the entire merged company standardize on an attribute and naming scheme to use for Unix accounts. Having a mixed environment where some machines use uid, others use cn, and still others use unixUserName or some other custom attribute will just lead to headaches.
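Added example, not from the question or the answer above: a pre-migration audit that compares RFC 2307 entries exported from the old and new directories, matches them on uidNumber/gidNumber as the answer requires, and reports which accounts can simply be renamed (or served via pam_login_attribute) and which would lose ownership of their existing files. The LDIF excerpts and the AS31328/BJ77410-style IDs are constructed, and it is assumed that the new directory's cn attribute carries the old login name.

```python
# Constructed sample exports (only the RFC 2307 attributes that matter here);
# real ones would come from ldapsearch against each server.
OLD_LDIF = """\
uid: asmith
uidNumber: 1001
gidNumber: 100

uid: bjones
uidNumber: 1002
gidNumber: 100
"""

NEW_LDIF = """\
uid: AS31328
cn: asmith
uidNumber: 1001
gidNumber: 100

uid: BJ77410
cn: bjones
uidNumber: 2002
gidNumber: 100
"""

def parse_ldif(text):
    """Return one {attribute: value} dict per blank-line-separated LDIF entry."""
    return [dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
            for block in text.strip().split("\n\n")]

def audit(old_ldif, new_ldif, login_attr="cn"):
    """Map each old login name to (status, new uid): 'unchanged' (safe to switch),
    'rename' (numeric ids kept, old name in login_attr: rename the account or point
    pam_login_attribute at login_attr), 'id-changed' (numbers differ: file ownership
    would break), 'conflict' (numeric ids reused by someone else) or 'missing'."""
    old, new = parse_ldif(old_ldif), parse_ldif(new_ldif)
    by_num = {(e["uidNumber"], e["gidNumber"]): e for e in new}
    by_name = {e.get(login_attr): e for e in new}
    result = {}
    for o in old:
        n = by_num.get((o["uidNumber"], o["gidNumber"]))
        if n is None:
            n = by_name.get(o["uid"])
            status = "id-changed" if n else "missing"
        elif n["uid"] == o["uid"]:
            status = "unchanged"
        else:
            status = "rename" if n.get(login_attr) == o["uid"] else "conflict"
        result[o["uid"]] = (status, n["uid"] if n else None)
    return result
```

Run `audit(OLD_LDIF, NEW_LDIF)` on the samples: asmith can be renamed to AS31328 because its numeric IDs survived, while bjones received a new uidNumber and must be fixed in the directory (or have its files re-owned) before the switch.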
