Thursday, May 12, 2022

[389-users] Re: Migrating passwd, group, & shadow to 389-ds

Hi Felipe,
We have a nice library called lib389. It's a part of the 389 DS repo and packaged in Fedora as python3-lib389. I'd recommend using the latest Fedora version available to you.

Generally, if you need more control and fine-grained settings, I recommend writing a simple Python script.
But also, you can use our CLI tools - dsconf and dsidm - and write a shell script with them. dsidm is relatively new, though, depending on what package version you use.
It's pretty straightforward and uses lib389 as a base.

I'm not aware of any existing account data migration tools. I remember worked on that some time ago, so maybe he can direct you here with these other questions. :)


On Thu, May 12, 2022 at 7:24 AM Felipe Gasper <> wrote:

        I'm planning a migration of Linux account data from /etc/ files to 389-ds (or OpenLDAP/slapd, but for now I'm leaning toward 389-ds). 

        I have a few questions that I hoped folks here might help with?

- What kinds of automation tools do folks use for creating/updating/removing dirsrv entries? I'm assuming there is something that abstracts over all of the actual schema details?

- What tools have folks used for migration of existing account data? I see a package of Perl scripts that some distros provide; is that about it?

- When creating a new posixAccount & posixGroup, how are UIDs and GIDs to be chosen? If I have 10,000 users, do I have to grab all 10,000 posixAccount and posixGroup entries to determine which is the next unused UID & GID, or is there some cleaner solution?

- Are there tools to facilitate race safety if, e.g., two concurrent queries try to create an account at  the same time?

- I see that OpenLDAP/slapd can embed a Perl interpreter or exec arbitrary commands to fulfill queries. Can 389-ds do something similar to implement dynamic query results?

        Thank you in advance!

-Felipe Gasper
389-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam on the list, report it:

No comments:

Post a Comment