Hi everyone,
I want to change our LDAP service from OpenLDAP to FreeIPA, and with it the structure of the LDAP tree, so we will have a different DN than before.
Goal:
Every user should keep his account with his files, rights (etc.) after the migration of the LDAP-server.
Starting Point:
- Nextcloud version 18
- LDAP with old DN works fine
- The owncloud_name is the LDAP uid attribute
- The DN changes, but the LDAP attributes uid, uidNumber, gid, gidNumber, cn, mail and many more stay the same
- Connecting the new LDAP-Server will create new NC-accounts (uid + suffix-number)
What I have successfully tried on a test instance:
- Connect the old LDAP server to generate the NC accounts and the LDAP-to-NC account mapping
- Upload some test files
- Connect the new LDAP server to NC
- Disconnect the old LDAP server
- Manually edit the database table oc_ldap_user_mapping:
  - Delete the mapping generated by the old LDAP connection
  - Update the entry of the new LDAP mapping with the values of the entry from the old connection
  - Now the mapping points from the new LDAP entry to the old NC account
Example of the DB table oc_ldap_user_mapping:
- Line 1: old LDAP mapping
- Line 2: new LDAP mapping

# before
+----------------------------------------------------------+---------------+--------------------------------------+
| ldap_dn                                                  | owncloud_name | directory_uuid                       |
+----------------------------------------------------------+---------------+--------------------------------------+
| cn=john smith,cn=emplyees,ou=internal,dc=mycompany,dc=de | jsmith        | bfc5d132-aa24-1039-963d-35b47debe530 |
| uid=jsmith,cn=users,cn=accounts,dc=mycompany,dc=de       | jsmith_8890   | edadbf0e-c120-11ea-b61f-960000423aa7 |
+----------------------------------------------------------+---------------+--------------------------------------+

# after
+----------------------------------------------------------+---------------+--------------------------------------+
| ldap_dn                                                  | owncloud_name | directory_uuid                       |
+----------------------------------------------------------+---------------+--------------------------------------+
| uid=jsmith,cn=users,cn=accounts,dc=mycompany,dc=de       | jsmith        | bfc5d132-aa24-1039-963d-35b47debe530 |
+----------------------------------------------------------+---------------+--------------------------------------+
Questions:
- Is there a better way or tool to reach the goal?
- Is this "update-safe"? (i.e. when updating NC)
- I read somewhere a while ago that it would work fine and without any manipulation if the DN were the same, meaning it would generate the "same" mapping again and again (idempotent). Is that true?
Thanks & stay healthy!
wieland
P.S.: My attempt is heavily inspired by the post "Migration to LDAP keeping users and data".
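The manual table edit described in the post, as an added example that is not part of the original post or of Nextcloud itself: it checks the "before" state first (exactly one row for the old account and exactly one auto-suffixed row for the new DN), then performs the delete and update in one transaction. The table is a constructed sqlite3 stand-in with the post's two rows; the real Nextcloud table lives in MySQL/PostgreSQL, and the UNIQUE constraints are an assumption.

```python
import sqlite3

# Constructed stand-in for Nextcloud's oc_ldap_user_mapping table in the
# post's "before" state. sqlite3 is used only so the example runs offline.
BEFORE = [
    ("cn=john smith,cn=emplyees,ou=internal,dc=mycompany,dc=de",
     "jsmith", "bfc5d132-aa24-1039-963d-35b47debe530"),
    ("uid=jsmith,cn=users,cn=accounts,dc=mycompany,dc=de",
     "jsmith_8890", "edadbf0e-c120-11ea-b61f-960000423aa7"),
]

def make_test_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE oc_ldap_user_mapping (
        ldap_dn TEXT NOT NULL UNIQUE,
        owncloud_name TEXT NOT NULL UNIQUE,
        directory_uuid TEXT NOT NULL)""")  # UNIQUE constraints assumed
    conn.executemany("INSERT INTO oc_ldap_user_mapping VALUES (?, ?, ?)", BEFORE)
    conn.commit()
    return conn

def remap_user(conn, uid, new_dn):
    """Re-point the new (FreeIPA) DN at the existing Nextcloud account `uid`.
    Refuses to touch anything unless exactly one old row (owncloud_name == uid)
    and one auto-suffixed row (uid + '_<n>') for new_dn exist."""
    cur = conn.cursor()
    old = cur.execute("SELECT ldap_dn, directory_uuid FROM oc_ldap_user_mapping "
                      "WHERE owncloud_name = ?", (uid,)).fetchall()
    new = cur.execute("SELECT owncloud_name FROM oc_ldap_user_mapping "
                      "WHERE ldap_dn = ?", (new_dn,)).fetchone()
    if len(old) != 1 or new is None or not new[0].startswith(uid + "_"):
        raise ValueError(f"unexpected mapping state for {uid}: old={old} new={new}")
    old_dn, old_uuid = old[0]
    with conn:  # one transaction: both statements land or neither does
        # Delete the old-DN row first: owncloud_name is UNIQUE, so the
        # update below would otherwise collide with it.
        cur.execute("DELETE FROM oc_ldap_user_mapping WHERE ldap_dn = ?", (old_dn,))
        # Carry the old account name and directory_uuid over to the new DN,
        # which is the "after" state shown in the post.
        cur.execute("UPDATE oc_ldap_user_mapping SET owncloud_name = ?, "
                    "directory_uuid = ? WHERE ldap_dn = ?", (uid, old_uuid, new_dn))
    return cur.execute("SELECT ldap_dn, owncloud_name, directory_uuid FROM "
                       "oc_ldap_user_mapping WHERE owncloud_name = ?", (uid,)).fetchone()

if __name__ == "__main__":
    db = make_test_db()
    print(remap_user(db, "jsmith", "uid=jsmith,cn=users,cn=accounts,dc=mycompany,dc=de"))
```

Running it a second time for the same uid raises ValueError, because the precondition (an auto-suffixed row for the new DN) no longer holds, so the script cannot silently re-run against an already migrated account.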