migrate-ldif-389-ds-1.4.awk
##
#
# SPDX-License-Identifier: GPL-3.0-only
#
# migrate-ldif-389-ds-1.4.awk v1.0.0
#
# Awk script to migrate an LDIF from the RFC 2307 schema to RFC 2307bis, along
# with some other attribute changes I needed for our particular data when
# upgrading from 389-ds 1.3.x (CentOS 7) to 1.4.x (CentOS Stream 8).
#
# To use this script, stop your 389-ds 1.3.x instance and export an LDIF:
#
# # systemctl stop dirsrv@instance-name.service
# # db2ldif -Z instance-name -n userRoot -a /tmp/userRoot.ldif
# # systemctl start dirsrv@instance-name.service
#
# Then you can migrate the LDIF (note, you need to edit this script to replace
# the hard-coded base DN):
#
# # awk -f migrate-ldif-389-ds-1.4.awk userRoot.ldif > userRoot-migrated.ldif
#
# And import it into your new directory server according to the Red Hat DS docs.
#
# ― Alan Orth, 2022
#
##
BEGIN {}
# Rule: user entries. Fires on the DN line of an entry under ou=People in the
# hard-coded base DN (see header) and then consumes and rewrites the rest of
# that entry line by line with getline, stopping at the blank separator line.
# NOTE(review): the pattern is neither anchored with ^ nor restricted in the
# ".*" before ",ou=People", so a line that merely *contains* such a DN (e.g.
# inside another attribute's value) or an entry nested below ou=People would
# also trigger the rule; anchoring with ^ is probably the intent -- confirm.
/dn: uid=.*,ou=People,dc=ilri,dc=cgiar,dc=org/ {
print "# User migrated to RFC 2307bis";
# Keep getting the next line until we have a blank one (which means this
# user's LDIF entry is finished).
# NOTE(review): LDIF continuation lines (a leading space) are not recognised
# here; they fall through to "default" and are printed unchanged. That is
# presumably fine for the commented-out attributes (a folded comment line is
# still a comment), but a folded cn would leave displayName holding only the
# first fragment -- confirm whether the export wraps long lines.
while ($0 !~ /^$/) {
# Lines to update or remove. I comment them out by printing a hash and
# "&", which is a special awk syntax to print the pattern that matched.
# NOTE(review): the objectClass matches below are case-sensitive and not
# anchored at the end of the value, whereas LDAP compares objectClass
# values case-insensitively; they rely on the export using exactly these
# spellings (only inetOrgPerson gets both spellings).
switch($0) {
case /^objectClass: person/:
sub(/^objectClass: person/, "objectClass: nsPerson");
# Print the line as it is after substitution
print;
# Break out so we don't process any more cases
break;
case /^objectClass: organizationalPerson/:
sub(/^objectClass: organizationalPerson/, "objectClass: nsAccount");
print;
break;
case /^objectClass: (inetorgperson|inetOrgPerson)/:
sub(/^objectClass: (inetorgperson|inetOrgPerson)/, "objectClass: nsOrgPerson");
print;
break;
# givenName is not allowed. Note we also check for base64 encoded
# attributes with a double colon here (":+" matches ":" and "::").
# The original value (base64 or not) is kept verbatim in the output as a
# comment rather than deleted; review whether retaining it in the migrated
# LDIF is wanted before importing.
case /^givenName:+ .*/:
sub(/^givenName:+ .*/, "#&");
print;
break;
# sn is not allowed. Note we also check for base64 encoded attribu-
# tes with a double colon here. Commented out, not deleted, as above.
case /^sn:+ .*/:
sub(/^sn:+ .*/, "#&");
print;
break;
# When we see a cn, copy the value to displayName and then print
# them both. Note we pay special attention to cn attributes that
# are base64 encoded and therefore have a double colon: gensub copies
# the colon run (\1) as well as the value (\2), so a base64 cn yields a
# base64 displayName.
case /^cn:+ .*/:
displayName = gensub(/^cn(:+) (.*)/, "displayName\\1 \\2", "g", $0);
print;
print displayName;
break;
# facsimileTelephoneNumber is not allowed. Unlike givenName/sn above this
# line is dropped outright rather than commented out, and a base64 form
# ("::") would not match this case and would pass through unchanged.
case /^facsimileTelephoneNumber: /:
break;
default:
print;
}
# Read the next record (aka line) immediately, which effectively runs the line
# through the switch cases again. Exit if we have reached the end of the file.
# getline returns 0 at end of input and -1 on a read error; "<= 0" covers
# both, so a truncated final entry ends the script instead of looping forever.
if (getline <= 0) {
exit;
}
}
}
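# Rule: group entries. Fires on the DN line of an entry under ou=Groups in the
# hard-coded base DN (see header) and then consumes and rewrites the rest of
# that entry line by line with getline, stopping at the blank separator line.
# The pattern is anchored with ^ so that only an entry's DN line triggers it,
# not an attribute value that happens to contain such a DN.
/^dn: cn=.*,ou=Groups,dc=ilri,dc=cgiar,dc=org/ {
print "# Group migrated to RFC 2307bis";
# Assume this is a primary user group unless it matches a handful of known
# secondary groups. If it is a primary group then we can remove the
# "memberUid" attribute because it is not necessary. If it is a secondary
# group then we need to convert the attribute to member with a full DN to
# the user.
primaryUserGroup = "true";
# The known secondary groups are matched as whole cn values: the "," after
# the alternation stops e.g. "sshd" or "becaX" from being treated as
# secondary just because they start with "ssh"/"beca". (Without it, listing
# both "beca" and "beca_web", or "segoli" and "segoliadmin", would have been
# redundant, so an exact match is clearly what was meant.)
if ($0 ~ /^dn: cn=(beca|beca_web|rmglinuxadm|gisusers|miseqadmin|bcop2018|becabix|sarscov2|bcop2021|nanoseqadmin|nextseqadmin|segoli|segoliadmin|ssh),/) {
primaryUserGroup = "false";
}
# Keep reading lines until the blank one that ends this entry.
while ($0 !~ /^$/) {
switch($0) {
# Case-sensitive match, as exported; LDAP itself treats the value
# case-insensitively.
case /^objectClass: groupofuniquenames/:
sub(/^objectClass: groupofuniquenames/, "objectClass: groupOfNames");
print;
break;
case /^memberUid: .*/:
if (primaryUserGroup == "true") {
# Comment out memberUid for primary user groups because it is
# not necessary. The value stays in the output as a comment.
sub(/^memberUid: .*/, "#&");
print;
}
else {
# For secondary groups we capture the user's name and resolve
# it to a DN for the member attribute (hard-coded base DN, see
# header). The value is inserted without RFC 4514 escaping, so it
# must not contain DN-special characters (, + " \ < > ;); uids in
# a POSIX directory normally don't -- confirm against the export.
# A base64 memberUid ("memberUid::") does not match this case and
# is printed unchanged by "default".
member = gensub(/^memberUid: (.*)/, "member: uid=\\1,ou=People,dc=ilri,dc=cgiar,dc=org", "g", $0);
print member;
}
break;
case /^objectClass: posixgroup/:
sub(/^objectClass: posixgroup/, "objectClass: posixGroup");
print;
# Not sure why, but it seems 389-ds 1.4.x wants this. I think it
# enables more complex group membership, like nested groups.
print "objectClass: nsMemberOf";
break;
default:
print;
}
# getline returns 0 at end of input and -1 on a read error; "<= 0" covers
# both, so a truncated final entry ends the script instead of looping
# forever.
if (getline <= 0) {
exit;
}
}
}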
# Match and print all other lines in the LDIF unchanged: entries that are not
# users or groups, comments, and the blank separator lines on which the two
# entry loops above stop.
{ print }
# Nothing to finalise (also reached via "exit" from the entry loops).
END {}