Migrating Macs from one OpenLDAP domain to another OpenLDAP domain
A while ago, I needed to script a method for binding Macs running 10.6.x and later to our Linux-based OpenLDAP server. Recently, we needed to move our OpenLDAP domain to a different OpenLDAP domain as part of a larger directory service migration project. A small part of that project was moving the LDAP-bound Macs to the new LDAP domain, preferably with as little disruption as possible.
One enormous advantage I had with this LDAP move was the following:
All UIDs, GIDs, usernames, passwords and group names were going to be identical between the two LDAP domains.
As a consequence, I would not need to do any permissions changes, rebuild accounts, make sure people got new passwords or a host of other things normally associated with a directory service change. My task was essentially to tell the Macs “Stop talking to the OpenLDAP service at that address, start talking to this other OpenLDAP service at this address.”
As part of the project, I also wanted to accommodate two separate Active Directory domains differently. I wasn’t binding to AD as part of this process, but if a particular Mac was bound to Domain A, I wanted to unbind. If a Mac was bound to Domain B, I didn’t want to unbind but I did want the new LDAP server to be the primary authentication source.
Using my previous OpenLDAP binding script as a starting point, I was able to build a script to handle moving our Macs without downtime or account changes. See below the jump for details.
This script will allow a Mac to connect to an OpenLDAP server using a simple anonymous bind and can be used to migrate a Mac from one LDAP server to another. It has been tested on Mac OS X 10.6.8, 10.7.5, 10.8.5 and 10.9.0.
If you are adapting this for your own use, run a search and replace for the following:
“dc=replaceme,dc=org” (no quotes)
You’ll need to replace that with your own LDAP search base.
“ldap.server.here” (no quotes)
You’ll need to replace that with the fully qualified domain name of your OpenLDAP server.
The script is designed to check for the following:
1. Is the Mac bound to the old LDAP server?
2. Is the Mac bound to one of two AD domains:
Domain A (referred to in the script as OLDDOMAIN or olddomain.com)
Domain B (referred to in the script as NEWDOMAIN or newdomain.com)
The script will then perform the following actions:
If the Mac is bound to the old server and Domain A:
Remove the old LDAP server settings, add the new LDAP server settings, unbind from Domain A, and set the new LDAP server to be the primary authentication source.
If the Mac is bound to the old server and Domain B:
Remove the old LDAP server settings, add the new LDAP server settings, do not unbind from Domain B, and set the new LDAP server to be the primary authentication source.
If the Mac is bound to the old server and not bound to AD:
Remove the old LDAP server settings, add the new LDAP server settings, and set the new LDAP server to be the primary authentication source.
If the Mac is bound to neither LDAP nor AD:
Add the new LDAP server settings and set the new LDAP server to be the primary authentication source.
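As an added illustration of the checks and decision table above (this is not the script from the post or its GitHub repo), here is a compact shell version that detects the current state with `dscl` and `dsconfigad`, plans the actions, and applies them. Assumed placeholders: old.ldap.server.here for the old server, ldap.server.here for the new one, olddomain.com and newdomain.com/NEWDOMAIN for the two AD domains, AD_ADMIN/AD_PASS for the unbind credentials, and the 10.7+ AD node name; adding and removing the LDAP configuration is simplified to `dsconfigldap`, and Domain A is unbound whether or not the old LDAP node was present (as the post describes).

```shell
#!/bin/bash
# Added example, not the post's script. Assumed placeholders: old.ldap.server.here,
# ldap.server.here, olddomain.com, newdomain.com/NEWDOMAIN, AD_ADMIN/AD_PASS.
OLD_LDAP="old.ldap.server.here"; NEW_LDAP="ldap.server.here"
OLDDOMAIN="olddomain.com"; NEWDOMAIN="newdomain.com"; NEWDOMAIN_SHORT="NEWDOMAIN"
AD_ADMIN="${AD_ADMIN:-adadmin}"; AD_PASS="${AD_PASS:-}"  # account allowed to remove the computer object

# Extract the bound domain from `dsconfigad -show` text on stdin ("Active Directory Domain = x"); empty if unbound
parse_ad_domain() { awk '/Active Directory Domain/ {print $NF}'; }

# Succeeds if a CSPSearchPath listing on stdin contains the old LDAP node
old_ldap_in_path() { grep -qF "/LDAPv3/$OLD_LDAP"; }

# Decision table from the post: $1 is yes/no for the old LDAP binding, $2 is the AD domain or "".
# Prints one action per line in execution order; Domain A is unbound, Domain B is kept.
plan_migration() {
  local ldap_bound="$1" domain="$2"
  if [ "$ldap_bound" = "yes" ]; then echo "remove_old_ldap"; fi
  echo "add_new_ldap"
  if [ "$domain" = "$OLDDOMAIN" ]; then echo "unbind_ad"; fi
  echo "set_ldap_primary"
}

apply_action() {
  case "$1" in
    remove_old_ldap) dsconfigldap -r "$OLD_LDAP" ;;
    # Simplification: no -u/-p, so the new configuration carries no bind credentials (anonymous bind)
    add_new_ldap)    dsconfigldap -a "$NEW_LDAP" -n "$NEW_LDAP" ;;
    unbind_ad)       dsconfigad -remove -force -u "$AD_ADMIN" -p "$AD_PASS" ;;
    set_ldap_primary)
      dscl /Search -create / SearchPolicy CSPSearchPath
      # Re-append the LDAP node so it follows the local nodes, then move a retained
      # Domain B node behind it (10.7+ node name assumed)
      dscl /Search -delete / CSPSearchPath "/LDAPv3/$NEW_LDAP" 2>/dev/null
      dscl /Search -append / CSPSearchPath "/LDAPv3/$NEW_LDAP"
      if [ "$(dsconfigad -show 2>/dev/null | parse_ad_domain)" = "$NEWDOMAIN" ]; then
        dscl /Search -delete / CSPSearchPath "/Active Directory/$NEWDOMAIN_SHORT/All Domains" 2>/dev/null
        dscl /Search -append / CSPSearchPath "/Active Directory/$NEWDOMAIN_SHORT/All Domains"
      fi ;;
  esac
}

main() {
  local bound="no" domain
  if dscl /Search -read / CSPSearchPath 2>/dev/null | old_ldap_in_path; then bound="yes"; fi
  domain="$(dsconfigad -show 2>/dev/null | parse_ad_domain)"
  for action in $(plan_migration "$bound" "$domain"); do apply_action "$action"; done
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Run as root with `--run`; without it the functions are only defined, so the detection and planning logic can be exercised on constructed input.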
For those interested, I’ve made the script available here on my GitHub repo. I’ve also posted the script below.