The Geeky Gordito

July 3, 2008

Meeting Maker to Leopard Migration, Part 2

Filed under: Tech — Steve @ 9:32 am

In my last post, Meeting Maker to Leopard Migration, Part 1, I gave some of the background information regarding the problems I was experiencing with upgrading our Mac OS X Server 10.4 environment to Leopard.  Most of the issues revolve around Meeting Maker and the necessity for extended attributes in Open Directory for Meeting Maker to work.  In this post, I will cover the nitty gritty, down and dirty steps I took to get my Open Directory over to a new server running 10.5.

Export 10.4 Data

In the last post I mentioned how I was using an article from NetMojo and the stream editor sed to get the users and groups out of the 10.4 Open Directory and into the 10.5 Open Directory.  Specifically, the way I did this was to utilize the ldapsearch utility the way that Brent mentioned at NetMojo, but with a twist.  This is what Brent had suggested:

ldapsearch -v -x -D 'uid=dirmanager,cn=users,dc=netmojo,dc=ca' -W -b "dc=netmojo,dc=ca" -s sub "(objectclass=apple-user)" > users.ldif

Well, I took it a step further and incorporated sed into the mix.  I knew that I had to remove the MM attributes, so why not do it in the stream.  Hence the following was born:

ldapsearch -v -x -D "uid=diradmin,cn=users,dc=yourdomain,dc=com" -W -b "dc=yourdomain,dc=com" -s sub "(objectclass=apple-user)" | sed '/comMeetingMakerSignInName/d' | sed '/comMeetingMakerCurrentServer/d' > newldap.ldif

As you can see, I piped the output from ldapsearch through sed two times to get rid of the two attributes we use.  I now had a clean ldif file to work with and could use this to test on 10.5.

Import LDIF into 10.5

So now that we have our ldif data, we have to get it into the 10.5 directory.  Two hurdles that I was going to have to jump were the Search Base and the Kerberos Realm.  You see, you should be naming these two items the same so that your data flows in nice and smooth.  However, since I had inherited this installation, I wanted to make it more generic by dropping server names from the Search Base and Kerberos Realm.  You see, the default for Open Directory is to create your search base like this:

dc=servername,dc=yourdomain,dc=com

And your Kerberos realm is like this:

SERVERNAME.YOURDOMAIN.COM

As I stated, I wanted these to be generic so I could move to a different server later, if need be.  Well that introduced a little complication to the mix, just meaning I had to force the import into the new OD.  We accomplish this with the following:

ldapadd -v -x -D 'uid=diradmin,cn=users,dc=yourdomain,dc=com' -W -f /tmp/new-users.ldif

So, now that I have the data in, I needed to check to make sure it was working.  Guess what, all of the users showed up in WGM, and even after a restart they were all still there!  Awesome!  Now we’re cooking with gas.

The Monkey Wrench

Everything was looking groovy, and I really thought I had this beast tackled.  Then the monkey wrench dropped in my lap.  I started testing authentication to the directory and couldn’t get it to work.  Okay, I thought, the password server didn’t move over so it was just a password issue.  Wrong.  None of the user accounts, except those that were already there, would authenticate.  Yep, something was wrong.

I figured out that because the Password Server did not come over, and probably because of some Kerberos issues as well, authentication was not going to work.  So I re-imaged the server (you do have an image of the fresh server, right?), set it up as a 10.5 OD Master again, and then I went back to the 10.4 server.

This time, I decided I would incorporate sed in a different manner.

To Archive and To Restore

I went back to the 10.4 Server and this time used the Archive feature inside of Server Manager to get the data out.  Once I had the archive, I mounted the disk image and used the sed commands to strip out the Meeting Maker crap, I mean attributes.

First thing to do is mount the sparse image that is the backup.  With the image mounted, open Terminal and navigate onto the root of the image.  Now that we are there, we just need to list the ldif file and sed it:

cat users.ldif | sed '/comMeetingMakerSignInName/d' | sed '/comMeetingMakerCurrentServer/d' > newusers.ldif

Make sure you verify the name of the LDIF file.  Once this command is finished, verify the newusers.ldif file, then delete the users.ldif file and rename newusers.ldif to users.ldif.  Make sense?
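
A line-by-line sed delete leaves the continuation line behind whenever a long value has been folded (ldapsearch wraps LDIF lines, marking the continuation with a leading space), and that fragment then attaches to the previous attribute. As an added example (not from the original post or from NetMojo), this filter unfolds the LDIF before dropping the two attributes and then checks the result before the rename; the sample entries, function names and temp directory are constructed for illustration.

```shell
#!/bin/sh
# Join LDIF continuation lines (a line starting with one space continues the
# previous one). Folding is optional in LDIF, so the unfolded output is valid.
unfold_ldif() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (seen) print buf; buf = $0; seen = 1 }
       END { if (seen) print buf }'
}

# Drop the two Meeting Maker attributes by name, case-insensitively and for
# plain ("attr:") or base64 ("attr::") values, after unfolding.
strip_mm_attrs() {
  unfold_ldif | awk '
    { name = tolower($0); sub(/[:;].*/, "", name) }
    name == "commeetingmakersigninname" { next }
    name == "commeetingmakercurrentserver" { next }
    { print }'
}

# Count lines in file $2 whose lowercased text matches regex $1.
count_lines() { awk -v re="$1" 'tolower($0) ~ re { n++ } END { print n + 0 }' "$2"; }

# Succeeds only if the entry count is unchanged and no Meeting Maker
# attribute is left. $1 = original LDIF, $2 = filtered LDIF.
verify_ldif() {
  [ "$(count_lines '^dn:' "$1")" -eq "$(count_lines '^dn:' "$2")" ] &&
  [ "$(count_lines '^commeetingmaker(signinname|currentserver)[:;]' "$2")" -eq 0 ]
}

# Constructed sample: the first entry carries a folded Meeting Maker value.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/users.ldif" <<'EOF'
dn: uid=jdoe,cn=users,dc=yourdomain,dc=com
objectClass: apple-user
uid: jdoe
comMeetingMakerSignInName: constructed-sign-in-name-long-enough-to-be-fo
 lded-by-ldapsearch
comMeetingMakerCurrentServer: mm.yourdomain.com

dn: uid=asmith,cn=users,dc=yourdomain,dc=com
objectClass: apple-user
uid: asmith
comMeetingMakerSignInName:: YXNtaXRo
EOF

strip_mm_attrs < "$WORK/users.ldif" > "$WORK/newusers.ldif"
verify_ldif "$WORK/users.ldif" "$WORK/newusers.ldif" && echo "newusers.ldif verified" || echo "verification FAILED" >&2
```

On this sample the two-sed pipeline would leave ` lded-by-ldapsearch` in place, so an LDIF parser would read the first user's uid as `jdoelded-by-ldapsearch`.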

Now we can take this over to the 10.5 server and restore it there.  And guess what?  Once we do that, it works.  I tested with a restart (several restarts in fact) and sure enough, I could authenticate to the directory.

Now, finally, I have a directory without Meeting Maker in it, which means I can now move forward with getting iCal server up and operational so I can get rid of Meeting Maker altogether.

I hope these two articles have helped you out of a bind with Meeting Maker and given you the commands necessary to get up to 10.5.
