
I need to transfer my machine-based accounts to a directory service, namely OpenLDAP, run behind a Mac OS X server. The idea is that I have to make sure that the settings, the programs installed and their configuration, and pretty much "everything" follows through on the server. How would I achieve that? Where is the profile information stored? Where would I copy it to?

[Edit] It doesn't matter if, after the move, the documents and everything else are stored on the local computer. What I want to achieve, from a user's standpoint, is that before the move they have their configured software and everything (mail accounts, background image, god knows what else), and after the move, they just log in to the OpenLDAP account to find that their settings are still the same.

Another thing worth mentioning is that I will be integrating Mac OS X workstations into that directory service, and I don't know how all of that will play together, and/or how OS X will play with the accounts.... Much reading is to be expected soon.

Olivier Tremblay
  • Are you actually wanting to store the profiles (my documents etc) on the server, or just have them use OpenLDAP accounts to login and store profile data locally? – Sam Cogan Nov 16 '09 at 13:14
  • Authentication to LDAP shouldn't be *too* hard (except what LDAP causes for problems)...but for all the settings normally used on a system? I'd personally see fewer issues if you consider homebrewing local profiles and batch files to deal with it or virtualize an AD server to deal with it. Depends on how mobile your users are. Just my .02 – Bart Silverstrim Nov 16 '09 at 13:40
  • They are almost absolutely static, except for the occasional "hey I need to go to X's workstation to look up Y's file that Z was telling me about", which I intend to kill with proper shares, but I want the move to be as smooth as possible, and lose as little time as I can by copying the profiles and configurations so they don't have to be done again. – Olivier Tremblay Nov 16 '09 at 13:44
  • Sounds like you just need to verify login credentials then... – Bart Silverstrim Nov 16 '09 at 13:56
  • From experience, if I just create the logins in the directory service, the newly created account won't contain any of the configuration of the local account that corresponds to it. Which is, in part, one of the issues I'm trying to circumvent to prevent my users from feeling lost. – Olivier Tremblay Nov 16 '09 at 14:02

2 Answers

Are you saying you're migrating from Active Directory to an OpenLDAP server? Without an AD guru who happens to be well versed in LDAP on staff you may be asking for issues, depending on the size of your infrastructure. Also if you're running Exchange you will most definitely want to reconsider dumping AD, or if you're using AD for DNS integration.

Basically MS made AD to work with Windows and Windows integrates with AD, so any deviation is like fitting a round peg into a square hole. I've heard stories of certain aspects of authentication, like password and username verification, working with LDAP, but other things are left hanging.

Plus there's no guarantee that MS won't revise their authentication code so that your LDAP integration won't break.

The closest I found to trying to get alternative authentication on Windows to work with minimum headache was the PGINA project, and I don't know how well that works anymore or how active it is.

Depending on your staffing and headache tolerance, if I were having to use Windows mixed with Mac/UNIX, I'd look at virtualizing AD servers (or maintaining AD servers) and creating a Mac Open Directory server to handle the other systems, or integrating the Macs and UNIX systems with Active Directory. It really depends on your current situation as to how well it works, but if your head people rely on Windows or "only know" Windows, or your primary use on the network is Windows based, I've heard of plenty of headaches stemming from trying to use something other than AD for a primarily Windows-centric network.

Bart Silverstrim
  • His question says about transferring his accounts from machine based to directory service, so I don't think he has any directory currently – Sam Cogan Nov 16 '09 at 13:33
  • Sorry, just got into the habit of assuming questions are "say one thing but I meant another" from user questions we've been getting. I didn't know if he meant he has a bunch of systems working with AD or local machine accounts. For dealing with Windows configuration, though, I'd still be hesitant to move to anything other than AD to make Windows play nice. – Bart Silverstrim Nov 16 '09 at 13:42
  • Depending on the version of Windows he's using, PGINA might still be a good alternative...let me look for some other info... – Bart Silverstrim Nov 16 '09 at 13:43
  • Precisely, no current directory whatsoever. – Olivier Tremblay Nov 16 '09 at 13:46
  • Mostly finding that OS X can act as a PDC or BDC, which might be good enough for his needs. Without details about his client situation I'm not sure what would be good advice. He might be just as well off looking at SAMBA, as with version 4 it is supposed to be able to handle Active Directory configurations, and OS X uses SAMBA to handle Windows interoperability. – Bart Silverstrim Nov 16 '09 at 13:51
  • Let me clarify that the "user questions we've been getting" isn't SF. It's IT department questions in real life :-) – Bart Silverstrim Nov 16 '09 at 13:51
  • If you're using OS X Server (and not OS X client as a server) you should be able to configure it to run as a domain controller, like at the link http://www.docstoc.com/docs/12998442/Using-Samba-Technology-as-Primary-Domain-Controller-for-Mac-OSX-and-Windows-based-SSO-Identity-Management, or look at www.samba.org for information on setting up a Linux server to handle the authentication. Sorry for the misunderstanding, MrZombie! – Bart Silverstrim Nov 16 '09 at 13:55
  • No problem at all, I find the discussion most enlightening. Plus you push me towards the good direction which is a big +1 to me. I need all the info I can get! – Olivier Tremblay Nov 16 '09 at 14:07
  • @MrZombie: I'm just thinking that when it comes to Windows authentication, in my experiences it is possible to do what you're asking, but the more you deviate from the "expected" from MS the more likely you're going to run into issues down the road. That's why the most I ever deviated from the expected...for headaches' sake...was SAMBA. Anything else and inevitably the business eventually ends up needing to move again to AD or they have problems with new people coming in and not knowing how you did it first, so they rip apart what you put in place. – Bart Silverstrim Nov 16 '09 at 14:10
  • I don't mind the headache, as long as it's documented. I'm technically running a one-man show, although I'll be required to document whatever I do thoroughly, to make sure that eventual future dudes of the trade understand what I did, why, and where. I have one of those rare cool jobs where your boss tells you "okay so document yourself profusely for the next 3-4 weeks, write a report, and then we'll decide on what to do." – Olivier Tremblay Nov 16 '09 at 14:58
  • @MrZombie: As long as you know what you're getting yourself into... :-o Maybe others have better stories that turn out better than mine did. – Bart Silverstrim Nov 16 '09 at 15:58
OK, if you currently have no directory service architecture, then you're going to need to create accounts in OpenLDAP for each of your users.

Depending on your OS, your profile data will either be in C:\Documents and Settings or C:\Users. When you log on with the OpenLDAP account it will create a new profile for that user in this directory. You will then need to copy the profile data you want (My Documents, Local App Data etc.) from their old account to the new one.

You will want to try this with some test accounts first to make sure everything works as you expect; you may have some custom applications which don't work properly after the move, or other issues.

This document explains the process for copying a user's profile. It refers to corrupted profiles, but it works for non-corrupted ones too!

You could also look at using the Files and Settings Transfer Wizard to move the data, which essentially does the same thing, but in a wizard.

Sam Cogan
  • That's the kind of answer I'm looking for. Point me to relevant document regarding the copy of the accounts and/or best practices and you're in for an accepted answer. – Olivier Tremblay Nov 16 '09 at 14:03
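As an added example (not code from the answer or from any project mentioned on the page), here is a PowerShell script that automates the copy step the answer describes for the C:\Users profile layout: it copies only the data folders from the old local profile into the new directory-account profile, leaves the SID-bound NTUSER.DAT behind, skips junction points and temp caches, and then re-ACLs the copied tree so the old local account's permissions do not linger. The profile paths and the CORP\jsmith account name are constructed placeholders; it assumes an elevated prompt and that the new user has logged on once so Windows has already created the new profile.

```powershell
# Added example: copy user data from an old local profile into the new
# directory-account profile and hand ownership to the new account.
# Assumes an elevated prompt and the Vista-and-later layout under C:\Users
# (use the "Documents and Settings" folder names on XP).
param(
    [Parameter(Mandatory)][string]$OldProfile,  # e.g. C:\Users\jsmith (constructed)
    [Parameter(Mandatory)][string]$NewProfile,  # e.g. C:\Users\jsmith.CORP (constructed)
    [Parameter(Mandatory)][string]$NewAccount,  # e.g. CORP\jsmith (constructed)
    [switch]$DryRun                             # list what would be copied, change nothing
)

# Data folders only. NTUSER.DAT and the per-user registry hive are tied to the
# old account's SID and are left behind on purpose; copying them breaks profiles.
$folders  = 'Desktop', 'Documents', 'Favorites', 'Pictures', 'AppData\Local', 'AppData\Roaming'
# Directory names skipped anywhere in the tree (caches and temp data).
$skipDirs = 'Temp', 'Temporary Internet Files', 'Cache'

foreach ($f in $folders) {
    $src = Join-Path $OldProfile $f
    $dst = Join-Path $NewProfile $f
    if (-not (Test-Path -LiteralPath $src)) { Write-Warning "Skipping $src (not found)"; continue }

    # /E subfolders, /COPY:DAT data+attributes+timestamps (old ACLs are NOT copied),
    # /XJ skip junction points (the legacy "Application Data" self-link loops otherwise),
    # /XD skip cache/temp directories, /L list only (dry run).
    $rcArgs = @($src, $dst, '/E', '/COPY:DAT', '/XJ', '/R:1', '/W:1', '/NP', '/XD') + $skipDirs
    if ($DryRun) { $rcArgs += '/L' }
    & robocopy.exe @rcArgs | Out-Null
    # robocopy exit codes below 8 mean success (0 = nothing to do, 1 = files copied).
    if ($LASTEXITCODE -ge 8) { Write-Error "robocopy failed for $src (exit $LASTEXITCODE)"; continue }
    Write-Host "Copied $f (robocopy exit $LASTEXITCODE)"

    if (-not $DryRun) {
        # Make the new account the owner with full control, then re-enable
        # inheritance so the new profile's own ACLs apply; /C continues past errors.
        & icacls.exe $dst /setowner $NewAccount /T /C | Out-Null
        & icacls.exe $dst /grant "$($NewAccount):(OI)(CI)F" /T /C | Out-Null
        & icacls.exe $dst /inheritance:e /T /C | Out-Null
    }
}
```

Run it first with -DryRun against one of the test accounts the answer recommends, and compare the robocopy listing against what the user actually expects to find before doing the real copy.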