Migrating users with imapsync... without passwords?

[misleb]

I am looking to migrate users from an OS X server using the default cyrus mail store. I've read that imapsync is the way to go, but I don't have the passwords for all 700+ accounts. Frankly, I'm surprised that this method is so popular as it is not common practice to track user passwords.

Only option I can think of is to reset everyone's password and do the migration then. I suppose if this were a regular unix server I might simply make a backup of the shadow file, reset all passwords, do the migration, and then put the passwords back, but this is OS X with a password server. Can I backup and restore the password server? How can I make a mass password change like that?

-matthew

[peng1can]

Three methods that we used...

1) A "migration page" where users had to login to have their accounts relocated. We simply cached the password, passed to imapsync, and ran it right there on the spot.

2) We use LDAP, so we simply copied the LDAP entry, changed the password, then copied the password back when we were done.

3) This caused problems, but might work for you... just alter the pam definitions for IMAP such that any password works. This of course requires downtime and an all-at-once move, lest you open a major security problem.

DC

[dkarp]

I'm not sure about this, but you may be able to use AUTHENTICATE PLAIN on your OS X server using the admin login to gain access to all the user accounts.

[misleb]

Now that you mention it, I was able to give access to users' mailboxes to the admin user (or anyone, really). The problem is that they show up as folders in the admin's account. You can't (AFAIK) log directly into the other accounts.

Or is there something I'm missing?

[dkarp]

AUTHENTICATE PLAIN would allow you to use the admin username/password credentials to log in as a different user. You should check out your IMAP server to see if it supports this.

[misleb]

How does that work, exactly? I tried it (from telnet) and it just logs me in to the admin's mailbox. How do you then switch to the user you want to sync? It looks like you can use either AUTHENTICATE PLAIN or LOGIN, but not both.

[dkarp]

Right. LOGIN adminname adminpass will log you into the admin account. If you instead used AUTHENTICATE PLAIN, then a base64-encoded string including the account you want to login, the admin name, and the admin pass delimited by NUL bytes, the server will use the admin credentials to log you into the target user. imapsync knows how to do this...