252

Limitations for Importing and Exporting Passwords

When creating or overwriting records, you must reset passwords for user accounts with Open Directory or shadow passwords. Importing passwords generally works if the password is a plain-text string in the import file.

Additionally, you must set the AuthMethod attribute so Workgroup Manager can import the password. Encrypted passwords in hash format in the import file can’t be recovered.

Passwords can’t be exported using Workgroup Manager or any other method. If you import user accounts from an export file, remember to manually set passwords or set default passwords to a known value.

Before exporting user accounts (or after importing them), you can set up a password policy that requires users to change their password at first login. For instructions on configuring password options, see “Choosing a Password Type and Setting Password Options” on page 74.

Maintaining GUIDs When Importing from Earlier Versions of Mac OS X Server

Globally unique identifiers (GUIDs) are used to verify user and group identity for ACL permissions and to manage user membership in groups and hierarchical groups. When you use Workgroup Manager or the dsimport tool to import users and groups created on versions of Mac OS X Server earlier than v10.4, GUIDs are automatically assigned.

After upgrading or migrating your server to Mac OS X Server v10.5, back up your accounts by exporting user and group accounts to ensure that all your accounts have GUIDs.

If you need to restore user or group accounts in the future, the generated export file enables you to import users and groups with their GUIDs (as well as file permissions and group memberships) intact.

If you lose user accounts and create new accounts with the same UID, GID, and short names as the lost accounts, the replacement accounts have new GUIDs assigned. A user’s new GUID won’t match the previous GUID, so the user won’t retain prior ACL permissions or group memberships.

Similarly, if you import users or groups from a file that doesn’t include the GUID attribute, Mac OS X Server assigns new GUIDs to every imported user and group.

To make sure that GUIDs and their relationship to specific users and groups remain the same if you need to re-import users and groups, create a new export file on Mac OS X Server v10.5 and use this file instead of the export file created with an earlier server version.

Appendix Importing and Exporting Account Information

Page 252
Image 252
Apple 10.5 Leapard manual Limitations for Importing and Exporting Passwords