Migrating Users from a Tiger server to a clean Leopard server

In a previous post I mentioned that we’ve been testing a new mail server solution. So far so good! I really like Kerio.
Only problem is that our internal authentication setup wasn't really up to snuff, so I migrated everything over from our current Tiger server to a clean Leopard server. It was kind of a muddled process, and I figure other people might want to do the same thing, so here we go, step by step!
What we’ll have at the end of this is a clean Leopard server running as an OD master, with kerberos rockin’ and all of our old users AND their passwords.
First things first, get your Leopard server box up and running, update it, get Open Directory running and set it to Open Directory Master. BE CAREFUL HERE. If you set your search base wrong or your Kerberos realm wrong YOU WILL HAVE PROBLEMS LATER: the search base ends up in the dn of every record you import and the realm in every Kerberos principal, so fixing either afterwards means demoting the server and starting over. Search base really could be anything, but I highly suggest you keep it as simple as possible, or if you can, keep it the same as the search base on your old Tiger server (then the find/replace on the ldif file later on goes away).
Once you have Open Directory running, make damn sure that Kerberos is also running before you do ANYTHING else. If it's not, check your DNS: the server's hostname must resolve to its IP address AND the IP address must resolve back to that same hostname (check forward and reverse lookup with host or dig), because the default realm and the KDC's principals are built from the fully qualified hostname. If you need help, email me.
Now we need to export our users with their passwords, because they are important and stuff. So on your old Tiger box get Terminal buzzing, because everything we need to do is done there. Oh yeah, and this won't harm your production server at all, because both commands only read the live databases and write copies somewhere else, so you can keep everything running live.
Let's export your users into an ldif file, like so:
sudo slapcat -l /path/to/users.ldif
While we're here, let's make a directory to put our passwords in and then grab our password db, like so:
mkdir /path/to/tiger_passwd_db
sudo mkpassdb -backupdb /path/to/tiger_passwd_db
Now you've got a flat file with all of your users and a folder with your password database files. Keep both somewhere private and delete them when you're done: between them they hold every account on your network and all of its password data. But wait, you can't just go and import this stuff willy-nilly into your clean install. The install is clean, and your old user db is DIRTY.
So let's clean it up! The first thing you'll want to remove from the ldif file is anything that already exists in your clean Leopard install, so things like the root user and the old diradmin account need to get trashed. These entries will look similar to this:
dn: uid=diradmin,cn=users,dc=barbariangroup,dc=com
uid: diradmin
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: apple-user
objectClass: extensibleObject
objectClass: organizationalPerson
objectClass: top
objectClass: person
sn: 99
structuralObjectClass: inetOrgPerson
entryUUID: 5355461a-cb28-102b-8468-c17ea9eda937
creatorsName: uid=root,cn=users,dc=barbariangroup,dc=com
createTimestamp: 20070720161633Z
gidNumber: 20
uidNumber: 1000
authAuthority: (bunch of junk here)
userPassword::(bunch of junk here)
loginShell: /bin/bash
apple-generateduid: (blahblah more junk)
homeDirectory: /Users/diradmin
cn: Directory Administrator
entryCSN: 20070720161633Z#00000e#00#000000
modifiersName: uid=diradmin,cn=users,dc=barbariangroup,dc=com
modifyTimestamp: 20070720161633Z
Now hopefully you're asking yourself, "how the hell do I know what to get rid of?" What I did was go to my Leopard server and export the user database to an ldif file just like I did on the Tiger server, then compare the two: anything that already existed in the Leopard ldif file, I trashed from the Tiger ldif file. Compare on the uid rather than the whole dn, because the dn carries the search base and that may differ between the two servers, and keep an eye out for uidNumber clashes too: two different accounts sharing a uidNumber will share ownership of each other's files.
But wait! Still not done cleaning that file up. You'll need to search and replace your old LDAP search base with the new one for the Leopard server, because the base is written into every record: the dn line, creatorsName, modifiersName, group member lists, and so on. Annoying, right? So for instance, if on your Tiger server your search base was dc=server,dc=domain,dc=com and on your new Leopard server you've simplified things to just dc=domain,dc=com, replace every occurrence of dc=server,dc=domain,dc=com in the Tiger ldif with dc=domain,dc=com (the whole string, not just dc=server, or you'll leave a dangling comma behind). Two things a plain find/replace will miss: slapcat folds long values onto continuation lines that start with a single space, and it base64-encodes any value that isn't plain printable ASCII (the lines with a double colon, attr:: value), so a search base hiding inside either of those won't match until you unfold or decode it.
Cool, so that's done. Now you've got a (nearly) perfect ldif file with all of your old user data. Hooray! Let's get the Leopard server ready for the transition. Since you've already set up Open Directory and made it the master, you will have already created a diradmin account. Since we don't want to lose that password, we'll first export your Leopard password database, then import all your Tiger users, and then merge the two password databases.
So let's export that Leopard password database. Open up Terminal and run:
sudo mkdir passwords_from_leopard_server
sudo mkpassdb -backupdb passwords_from_leopard_server
You'll notice that's exactly what we did before to export our passwords from Tiger. Now we need the public key from the Leopard server; grab that by running:
mkpassdb -dump
You're looking for a section titled "Public Key." It'll start with 1024 and end with root@yourdomain.com. Hang onto that and head back to your Tiger ldif file, we've got some more find/replace-ing to do. The part you're looking for is the "authAuthority" attribute; it's part of every user section of your ldif file and will look something like this (remember it may be folded across several lines in the raw file):
authAuthority: ;ApplePasswordServer;0x46a0rewe95q184c10000000a0000000a,1024 35
1656695931665909934885529650807878698902444799687544911514204277892750444560
40005936512372916582789463659890238498589238402348023840210107069530617774018
50577252081327366279005303145695496695847004346878374632327359789719986361946
35779287349872349872349872349872347676758484746738357768598768767876313084048
91 root@server.com:ipaddress
You need to replace the string that starts with 1024 and ends with root@server.com:ipaddress (everything after the comma) with the string from the Leopard server that starts and ends similarly. Leave the ;ApplePasswordServer;0x... part in front of the comma alone. Make sense? Good.
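The three clean-up edits above (drop the records Leopard already has, rewrite the search base, swap in the new public key) are easy to get subtly wrong by hand, mostly because of folded and base64-encoded values. Here is an added example script that does them mechanically; it is not part of the original post and not an Apple tool. It assumes the post's own example bases (dc=server,dc=domain,dc=com on Tiger, dc=domain,dc=com on Leopard), a placeholder public key in the shape mkpassdb -dump prints, and two constructed mini exports standing in for real slapcat output. Only the ;ApplePasswordServer; authority is rewritten; any other authAuthority value passes through untouched.

```python
import base64
import re

# Assumed search bases (the post's own example values), not read from any server.
OLD_BASE = "dc=server,dc=domain,dc=com"
NEW_BASE = "dc=domain,dc=com"
# Placeholder in the shape `mkpassdb -dump` prints under "Public Key"; not a real key.
NEW_PUBKEY = "1024 35 98765432109876543210 root@leopard.domain.com:10.0.0.6"

LINE_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")
PWS_RE = re.compile(r"^(;ApplePasswordServer;[^,]+,).*$")


def parse_ldif(text):
    """Split LDIF into records, each a list of unfolded 'attr: value' lines.
    slapcat folds long values onto lines that start with one space."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if current:
                records.append(current)
            current = []
        elif raw.startswith(" ") and current:
            current[-1] += raw[1:]  # continuation line: glue onto previous
        else:
            current.append(raw)
    if current:
        records.append(current)
    return records


def split_line(line):
    """Return (attr, sep, value) with 'attr:: b64' decoded, or None if unusable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    attr, sep, value = m.groups()
    if sep == "::":
        try:
            value = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None  # binary value: never rewrite it
    return attr, sep, value


def find_values(text, attr):
    """Every decoded value of one attribute across the whole file, in order."""
    return [p[2] for r in parse_ldif(text) for p in map(split_line, r)
            if p and p[0].lower() == attr.lower()]


def rewrite_line(line):
    """Apply the search-base and public-key replacements to one unfolded line."""
    parts = split_line(line)
    if parts is None:
        return line
    attr, sep, value = parts
    new = value.replace(OLD_BASE, NEW_BASE)
    if attr.lower() == "authauthority":  # only the PasswordServer authority
        new = PWS_RE.sub(lambda m: m.group(1) + NEW_PUBKEY, new)
    if new == value:
        return line
    if sep == "::":  # keep base64 values base64
        new = base64.b64encode(new.encode("utf-8")).decode("ascii")
    return f"{attr}{sep} {new}"


def clean_ldif(tiger_ldif, leopard_ldif):
    """Return (cleaned LDIF text, uids dropped because Leopard already has them)."""
    existing = set(find_values(leopard_ldif, "uid"))
    kept, dropped = [], []
    for record in parse_ldif(tiger_ldif):
        uids = find_values("\n".join(record), "uid")
        if uids and uids[0] in existing:
            dropped.append(uids[0])
            continue
        kept.append("\n".join(rewrite_line(line) for line in record))
    return "\n\n".join(kept) + "\n", dropped


# Constructed sample exports (placeholder users, key and id; not real data).
LEOPARD_LDIF = """\
dn: uid=root,cn=users,dc=domain,dc=com
uid: root

dn: uid=diradmin,cn=users,dc=domain,dc=com
uid: diradmin
"""
_CREATOR_B64 = base64.b64encode(b"uid=root,cn=users,dc=server,dc=domain,dc=com").decode()
TIGER_LDIF = f"""\
dn: uid=root,cn=users,dc=server,dc=domain,dc=com
uid: root

dn: uid=diradmin,cn=users,dc=server,dc=domain,dc=com
uid: diradmin

dn: uid=nick,cn=users,dc=server,dc=domain,dc=com
uid: nick
creatorsName:: {_CREATOR_B64}
authAuthority: ;ApplePasswordServer;0x46a0c0ffee,1024 35 16566959316659099348
 85529650807878698902 root@server.com:10.0.0.5

dn: cn=staff,cn=groups,dc=server,dc=domain,dc=com
cn: staff
member: uid=nick,cn=users,dc=server,dc=domain,dc=com
"""

if __name__ == "__main__":
    cleaned, dropped = clean_ldif(TIGER_LDIF, LEOPARD_LDIF)
    print("dropped:", dropped)
    print(cleaned)
```

To use it on real exports, set the two bases and NEW_PUBKEY, read the Tiger and Leopard slapcat files into clean_ldif, and write the returned text out as the file you hand to slapadd. The output is unfolded (one long line per value), which slapadd accepts. find_values is also handy for checking the result before you import: run it against the cleaned file for dn and authAuthority and eyeball that nothing still mentions the old base or the old key.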
Now you're done with that good ol' ldif file; it should be perfect. Phew! That was a lot of finding and replacing, eh? Take a break and get yourself a soda, you deserve it.
Alright, let's get those users imported now! Send that Tiger ldif file over to your Leopard server (it's a full dump of your directory, so use scp or similar, not a shared drop folder). Since you've got Open Directory running already, you've gotta stop slapd before you can import anything, because slapadd writes straight into the database files behind slapd's back; directory logins will be down while it's unloaded, so pick your moment. Like so:
sudo launchctl unload /System/Library/LaunchDaemons/org.openldap.slapd.plist
Then import the Tiger ldif file (-c tells slapadd to keep going past any record it can't add, so watch its output for records it skipped rather than assuming silence means success):
sudo slapadd -c -l users.ldif
and then load slapd again:
sudo launchctl load /System/Library/LaunchDaemons/org.openldap.slapd.plist
Now you can launch Workgroup Manager on your Leopard server and make sure all your users made it over. Lovely, they're all there! Now time for the passwords: send that whole directory we created earlier on the Tiger server over to the Leopard server, then merge the databases:
sudo mkpassdb -mergeparent /path/to/tiger_passwd_db /path/to/passwords_from_leopard_server
And now for the moment of truth: try to authenticate yourself against the new server with the same password you had on the old server. If that goes well, hooray! If not, you'll need to demote the server to standalone and then back to master and repeat everything. Mega burn.
If all went well, though, and you're able to authenticate your users just fine, you'll wanna go ahead and kerberize your server, like so:
sudo mkpassdb -kerberize
and you're done! You now have a fresh, clean Leopard server that is running Kerberos fine and has all your old user data and passwords imported. Sit back, relax, then get back to work sorting out the rest of your network!
Other tips:
  • Check out the inspiration for this post here; actually, most of these steps are taken straight from there, though this is more Leopard-centric in that you need to stop slapd before importing users. Credit to Ian for finding that article in the first place. AFP548.com is a great resource for any Apple sysadmin.
  • Have a fellow IT guy/gal near at hand for those frustrating moments, it helps to have someone to bounce ideas off of.
  • Take your time. You will fail at least once, everyone does!

1 comment

On October 28, 2008 at 09:17 AM, Bench K. wrote:
Great stuff Nick.
This is just what I needed!!! I did fail at least once, like everyone ;-) but in the end it works perfectly.
Thanks a lot
Bench K.