We set up some Linux machines to use our company's LDAP server for authentication. We were then acquired by another company, and they want us to use their LDAP server and retire the old one. But the user names are not the same – the old names are now IDs. "asmith" might now be represented by "AS31328", and "asmith" doesn't appear anywhere in the record.
Is there a way I can configure the machine to allow the existing user names but map them to the correct user IDs in the new LDAP server? New users would have to use their ID instead of the old name, but existing users would still be able to use asmith/password and the mapping "asmith <-> AS31328" would point to the AS31328 user in LDAP.
Alternatively, can I rename the existing accounts so that going forward, you'd have to log in using AS31328 instead of asmith but your existing files and permissions would remain?
Best Answer
You should really rename your accounts to conform to your new company's naming convention (whatever that may be). You can rename accounts on unix systems to your heart's content as long as the UID and GID NUMBERS do not change (the name is a convenient label - the numeric ID is what gets used for all internal checks).
Ideally you should migrate to using the new company's LDAP directory, and add the appropriate RFC 2307 attributes to the objects in that directory so your unix systems can authenticate against it.
In terms of migration and renaming, pam_ldap defaults to using the RFC 2307 compliant uid attribute for determining a user's login name. As long as the uid attribute (and other relevant details like uidNumber and gidNumber) match your old system's configuration you can switch to the new LDAP server with no noticeable impact. If the uid attribute is different in the new environment and cannot be changed you can extend your LDAP schema to include some other attribute (like cn) which does match the old login names and configure pam_ldap to use that attribute via the pam_login_attribute configuration directive. If you go this route it is important that the entire merged company standardize on an attribute and naming scheme to use for Unix accounts. Having a mixed environment where some machines use uid, others use cn, and still others use unixUserName or some other custom attribute will just lead to headaches.
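A pre-cutover check of the kind the answer implies (uidNumber and gidNumber must survive the rename or file ownership breaks), as an added example that is not part of the original answer; the passwd-format entries and the old-name-to-ID mapping below are constructed sample data, not from any real directory:

```shell
#!/bin/sh
# Compare the old system's accounts with the entries exported from the new
# directory (e.g. via "getent passwd" against each), keyed by the name mapping.
# Any user whose uid:gid pair changes would lose access to their own files.

# Constructed: old accounts in passwd format.
OLD_PASSWD='asmith:x:1001:1001:Alice Smith:/home/asmith:/bin/bash
bjones:x:1002:1001:Bob Jones:/home/bjones:/bin/bash
cdoe:x:1003:1002:Carol Doe:/home/cdoe:/bin/sh'

# Constructed: the same people as the new directory presents them (new IDs).
NEW_PASSWD='AS31328:x:1001:1001:Alice Smith:/home/asmith:/bin/bash
BJ40017:x:1002:1003:Bob Jones:/home/bjones:/bin/bash'

# Constructed: old login name -> new ID.
NAME_MAP='asmith AS31328
bjones BJ40017
cdoe CD55555'

# check_mapping: prints one line per user, returns the number of problems found.
check_mapping() {
    problems=0
    while read -r old new; do
        old_entry=$(printf '%s\n' "$OLD_PASSWD" | grep "^$old:" || :)
        new_entry=$(printf '%s\n' "$NEW_PASSWD" | grep "^$new:" || :)
        if [ -z "$new_entry" ]; then
            echo "MISSING  $old -> $new: not found in new directory"
            problems=$((problems + 1))
            continue
        fi
        old_ids=$(printf '%s' "$old_entry" | cut -d: -f3,4)   # uid:gid
        new_ids=$(printf '%s' "$new_entry" | cut -d: -f3,4)
        if [ "$old_ids" != "$new_ids" ]; then
            echo "MISMATCH $old -> $new: old uid:gid $old_ids, new uid:gid $new_ids"
            problems=$((problems + 1))
        else
            echo "OK       $old -> $new: uid:gid $old_ids"
        fi
    done <<EOF
$NAME_MAP
EOF
    return "$problems"
}

check_mapping
```

With the sample data above, asmith passes, bjones is flagged because its gidNumber changed, and cdoe is flagged as absent from the new directory.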