>>> Prunk Dump <[email protected]> wrote on 29.01.2021 at 11:07 in message
<CALr0QzGOFoAr+=3-xohtb7gkwfvltzxo-q5y3dp7nens2ev...@mail.gmail.com>:
> Hello !
> 
> My network infrastructure uses some special database not compatible
> with LDAP. But I need an OpenLDAP server to administer my Web Services
> accounts on my DMZ.
> 
> So I have written a script to export our "special" database to an LDIF
> file. This works pretty well. I've successfully loaded it on my
> OpenLDAP server.
> 
> But now I don't know how to update my OpenLDAP database from the new
> generated LDIF files (when users are added, updated or removed)
> without disturbing the whole LDAP service (it's not a very good idea
> to delete the entire database and recreate it from the new LDIF file
> as it stops the service completely during the operation).
> 
> Is there a way to update an OpenLDAP database to fit a new given LDIF file ?
> -> Updating/deleting the OUs
> -> Deleting the objects that are not present.
> -> Deleting the attributes removed.
> -> Updating the attributes that have changed without deleting the object.
> Doing this step by step to disturb as little as possible the OpenLDAP 
> service.

I think you should think in "deltas" (changes) instead of whole databases.
Then ldapmodify is the tool to use and you'd have to write LDIF files that 
perform the changes.

An example for such a file would look similar to this:

dn: uid=t...,ou=...,dc=de
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=PP-Default,dc=policies,dc=...,dc=de

dn: uid=o...,ou=...,dc=de
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=PP-Default,dc=policies,dc=...,dc=de

dn: uid=m...,ou=...,dc=de
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 20201223135924Z
-
replace: userPassword
userPassword: {SSHA}blabla...
-
add: pwdHistory
pwdHistory: 20201223135924Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}blabla...
-
delete: pwdGraceUseTime
pwdGraceUseTime: 20180725081753Z
pwdGraceUseTime: 20180725081756Z
pwdGraceUseTime: 20180725081758Z
pwdGraceUseTime: 20201201095616Z
pwdGraceUseTime: 20201201095619Z

So you get the idea.

> 
> Thanks for the help.
> 
> Regards,
> 
> Baptiste.
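
One way to produce such delta files automatically, as an added example that is not part of the original thread: a Python sketch that compares the previous export with the new one and emits change records for ldapmodify. Assumptions: both inputs are plain content LDIF, DNs are not base64-encoded, values are compared as exact strings, and the function names and sample entries are made up for illustration.

```python
import re

def parse_ldif(text):
    """Content LDIF -> {lowercased dn: (dn, {attr: set of value suffixes})}."""
    entries = {}
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    for block in re.split(r"\n\s*\n", text):
        dn, attrs = None, {}
        for line in block.split("\n"):
            if not line.strip() or line.startswith(("#", "version:")):
                continue
            name, _, rest = line.partition(":")
            if name.lower() == "dn":
                dn = rest.strip()  # assumption: DNs are not base64-encoded
            else:  # "attr:: base64" values stay encoded
                value = ":: " + rest[1:].strip() if rest.startswith(":") else ": " + rest.strip()
                attrs.setdefault(name.lower(), set()).add(value)
        if dn:
            entries[dn.lower()] = (dn, attrs)
    return entries

depth = lambda dn: len(re.split(r"(?<!\\),", dn))  # RDN count, ignoring escaped commas

def diff_ldif(old_text, new_text):  # change LDIF: old export -> new export
    old, new, out = parse_ldif(old_text), parse_ldif(new_text), []
    for key in sorted(new.keys() - old.keys(), key=depth):  # parents first
        dn, attrs = new[key]
        body = [a + v for a in sorted(attrs) for v in sorted(attrs[a])]
        out.append("\n".join([f"dn: {dn}", "changetype: add"] + body))
    for key in sorted(new.keys() & old.keys()):
        (dn, attrs), old_attrs, mods = new[key], old[key][1], []
        for a in sorted(attrs.keys() | old_attrs.keys()):
            if attrs.get(a) == old_attrs.get(a):
                continue
            if a in attrs:  # replace also creates a missing attribute
                mods += [f"replace: {a}"] + [a + v for v in sorted(attrs[a])] + ["-"]
            else:
                mods += [f"delete: {a}", "-"]
        if mods:
            out.append("\n".join([f"dn: {dn}", "changetype: modify"] + mods))
    for key in sorted(old.keys() - new.keys(), key=depth, reverse=True):  # children first
        out.append(f"dn: {old[key][0]}\nchangetype: delete")
    return "\n\n".join(out) + "\n" if out else ""

# Constructed sample exports (not from the thread)
OLD = ("dn: uid=a,dc=example,dc=org\nobjectClass: account\nuid: a\ndescription: old\nhost: h1\n\n"
       "dn: uid=b,dc=example,dc=org\nobjectClass: account\nuid: b\n")
NEW = ("dn: uid=a,dc=example,dc=org\nobjectClass: account\nuid: a\ndescription: new\n\n"
       "dn: uid=c,dc=example,dc=org\nobjectClass: account\nuid: c\n")
print(diff_ldif(OLD, NEW), end="")
```

Because the comparison is between two exports rather than against the live directory, attributes the server maintains itself (such as the password policy state in the example above) never appear in the generated changes.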


