Here’s a script that worked for me to migrate from one LDAP server (Microsoft Active Directory) to another LDAP server (Samba Active Directory), where the DN and UUID (objectGUID) of the users changed but the login name (sAMAccountName) did not. It does not touch the database itself: it prints one SQL UPDATE per user for Nextcloud’s oc_ldap_user_mapping table, so review the output before running it. If other people find it useful…
#! /bin/bash
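## Authentication: the bind password is read from the file named P in the
## current directory (-y). ldapsearch uses the file's complete contents as
## the password, so create it without a trailing newline
## (printf '%s' "$pw" > P) and chmod 600 it.
## -x is a simple bind: over plain ldap:// the password crosses the network
## in clear text. Prefer ldaps:// (or add -ZZ for StartTLS) when both servers
## support it.
## -W (interactive password prompt) was dropped: the password comes from P,
## and depending on the OpenLDAP version -W is either rejected together with
## -y or silently ignored; this script is meant to run unattended.
## Both values are plain strings that the callers expand unquoted
## (${new_ldap} ...), so no option value may contain whitespace; a bash array
## would lift that restriction.
new_ldap="ldapsearch -y P -x -H ldap://new_ldap_hostname/ -D newldapuser@newdomain -b dc=domain,dc=company,dc=tld"
## NOTE(review): the old server is bound with an account in "newdomain";
## presumably this should be the old domain's account — verify before running.
old_ldap="ldapsearch -y P -x -H ldap://old_ldap_hostname/ -D oldldapuser@newdomain -b dc=domain,dc=company,dc=tld"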
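get_old_attr () {
  # Print the value of attribute $2 of the user whose sAMAccountName is $1,
  # looked up in the OLD directory. No trailing newline; prints nothing when
  # the user or the attribute is not found.
  # ldapsearch emits LDIF, which folds long lines: a continuation line starts
  # with a single space. AD DNs routinely exceed the fold width, so the output
  # is unfolded first, otherwise only the first fragment of the DN came back.
  # Binary or non-ASCII values are printed as "attr:: <base64>"; they are
  # returned base64-encoded as-is (format_guid relies on that for objectGUID).
  # $1 is inserted into the filter without RFC 4515 escaping; that is fine for
  # well-formed sAMAccountNames, escape it if the name is not trusted.
  local account=$1 attr=$2
  ${old_ldap} "(sAMAccountName=${account})" "${attr}" \
    | awk '/^ / { rec = rec substr($0, 2); next }
           { if (rec != "") print rec; rec = $0 }
           END { if (rec != "") print rec }' \
    | grep -E -- "^${attr}:" \
    | while read -r label value; do
        printf '%s' "${value}"
      done
}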
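get_new_attr () {
  # Same contract as get_old_attr, against the NEW directory: print the value
  # of attribute $2 for the user with sAMAccountName $1, without a trailing
  # newline, or nothing if there is no match.
  # LDIF continuation lines (leading single space) are joined back onto the
  # line they belong to before the attribute is selected, so long DNs are
  # returned whole. "attr::" (base64) values are passed through unchanged.
  # $1 goes into the LDAP filter unescaped — acceptable for well-formed
  # sAMAccountNames, apply RFC 4515 escaping for untrusted input.
  local account=$1 attr=$2
  ${new_ldap} "(sAMAccountName=${account})" "${attr}" \
    | awk '/^ / { rec = rec substr($0, 2); next }
           { if (rec != "") print rec; rec = $0 }
           END { if (rec != "") print rec }' \
    | grep -E -- "^${attr}:" \
    | while read -r label value; do
        printf '%s' "${value}"
      done
}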
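format_guid () {
  # Convert a base64-encoded 16-byte objectGUID (the text ldapsearch prints
  # after "objectGUID::") to the textual GUID form used in directory_uuid,
  # e.g. 12345678-9ABC-DEF0-1122-334455667788, upper case.
  # In the binary form the first three groups are stored little-endian, so
  # their bytes are reversed; the last two groups are taken in order.
  # Prints nothing and returns 1 when the input is empty or does not decode
  # to exactly 16 bytes, so a missing attribute yields no UUID instead of a
  # malformed one.
  local hex
  hex=$(printf '%s' "$1" | base64 --decode | od -An -tx1 -v | tr -d ' \n')
  if [ "${#hex}" -ne 32 ]; then
    return 1
  fi
  printf '%s-%s-%s-%s-%s\n' \
    "${hex:6:2}${hex:4:2}${hex:2:2}${hex:0:2}" \
    "${hex:10:2}${hex:8:2}" \
    "${hex:14:2}${hex:12:2}" \
    "${hex:16:4}" \
    "${hex:20:12}" | tr a-z A-Z
}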
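# For every member of the NextCloudUsers group in the NEW directory, look the
# same login name up in the OLD directory and print one SQL UPDATE that moves
# the Nextcloud mapping row from the old identity to the new one.
# Nothing is executed here; the statements go to stdout for review.
# Assumptions to verify against your install:
#   - owncloud_name (Nextcloud's internal user name) is the OLD objectGUID
#     string, i.e. the LDAP backend used the UUID as internal name. If it used
#     sAMAccountName instead, match on that column value.
#   - Nextcloud stores ldap_dn lowercased and ldap_dn_hash as its SHA-256.
# AD returns at most its page size (1000 entries by default) per search; add
# '-E pr=1000/noprompt' to the ldapsearch command if the group is larger.
sql_quote () {
  # Make $1 safe inside a single-quoted SQL string literal by doubling quotes
  # (needed for DNs such as CN=O'Brien). MySQL/MariaDB additionally treat
  # backslash as an escape character; if the Nextcloud database is MySQL and
  # a DN contains '\', double those as well.
  local q="'"
  printf '%s' "${1//$q/$q$q}"
}
${new_ldap} '(&(objectclass=person)(memberof=CN=NextCloudUsers,OU=Groups,OU=CompanyName,DC=domain,DC=company,DC=tld))' sAMAccountName \
  | grep -E '^sAMAccountName:' \
  | while read -r label accountname; do
      # ASCII lowercasing, as the original did; Nextcloud itself lowercases
      # the DN with a Unicode-aware function, so non-ASCII DNs may differ.
      newdn=$(get_new_attr "${accountname}" dn | tr A-Z a-z)
      newguid=$(get_new_attr "${accountname}" objectGUID)
      oldguid=$(get_old_attr "${accountname}" objectGUID)
      # A user missing on either side (or a base64-encoded login name) used
      # to produce an UPDATE with empty values; report it and move on instead.
      if [ -z "${newdn}" ] || [ -z "${newguid}" ] || [ -z "${oldguid}" ]; then
        printf 'skipping %s: not found in both directories\n' "${accountname}" >&2
        continue
      fi
      newuuid=$(format_guid "${newguid}") || { printf 'skipping %s: bad new objectGUID\n' "${accountname}" >&2; continue; }
      olduuid=$(format_guid "${oldguid}") || { printf 'skipping %s: bad old objectGUID\n' "${accountname}" >&2; continue; }
      newdnhash=$(printf '%s' "${newdn}" | sha256sum | awk '{ print $1 }')
      # GUID strings and the hash are hex and dashes only; only the DN needs quoting.
      printf "UPDATE oc_ldap_user_mapping SET ldap_dn='%s', ldap_dn_hash='%s', directory_uuid='%s' WHERE owncloud_name='%s';\n" \
        "$(sql_quote "${newdn}")" "${newdnhash}" "${newuuid}" "${olduuid}"
    done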