--On Friday, January 29, 2021 11:07 AM +0100 Prunk Dump prunkdump@gmail.com wrote:
Hello!
My network infrastructure uses some special database not compatible with LDAP. But I need an OpenLDAP server to administer my Web Services accounts on my DMZ.
So I have written a script to export our "special" database to an LDIF file. This works pretty well. I've successfully loaded it on my OpenLDAP server.
But now I don't know how to update my OpenLDAP database from the newly generated LDIF files (when users are added, updated or removed) without disturbing the whole LDAP service (it's not a very good idea to delete the entire database and recreate it from the new LDIF file, as it stops the service completely during the operation).
Is there a way to update an OpenLDAP database to fit a new given LDIF file?
-> Updating/deleting the OUs
-> Deleting the objects that are not present.
-> Deleting the attributes removed.
-> Updating the attributes that have changed without deleting the object.
Doing this step by step to disturb the OpenLDAP service as little as possible.
There are a few utilities out there that you could use:
ldapdiff, which does the diff between a running server and an LDIF file: https://linux.die.net/man/1/ldapdiff, https://launchpad.net/ldapdiff
ldifdiff.pl - A Perl script that diffs two LDIF files: https://metacpan.org/pod/distribution/perl-ldap/contrib/ldifdiff.pl
ldifdiff - A Go program that diffs two LDIF files: https://github.com/nxadm/ldifdiff
With any of these, you could generate the diff between your existing DB and the new DB and then apply it with ldapmodify.
Overall, I'd suggest writing a process using python-ldap or similar that writes the modifications directly to the LDAP server rather than doing one-offs like this.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
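One way to do the diff-then-ldapmodify step Quanah describes, as an added example that is not from this thread or from any of the tools linked above: a small pure-Python script (no python-ldap needed) that parses two content LDIF exports, computes the entry and attribute changes, and emits changetype LDIF that `ldapmodify -f` can apply in a safe order (adds parents-first, then modifies, then deletes children-first). It assumes both exports come from the same export script, so DN and attribute spelling is consistent between runs; the sample entries are constructed.

```python
import base64

def parse_ldif(text):
    """Parse content LDIF into {dn: {attr: set(values)}}: unfolds wrapped lines, decodes '::' base64."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in filter(None, block.replace("\n ", "").splitlines()):  # "\n " = folded line
            name, rest = line.split(":", 1)
            value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
            attrs.setdefault(name.lower(), set()).add(value)  # attribute names are case-insensitive
        if attrs:
            entries[attrs.pop("dn").pop()] = attrs
    return entries

def ldif_diff(old, new):
    """Changetype LDIF (ldapmodify input) turning 'old' into 'new'. Safe order: adds parents-first,
    then modifies, then deletes children-first; depth is approximated by counting commas in the DN."""
    depth, out = (lambda dn: dn.count(",")), []
    vals = lambda attr, v: "".join(f"{attr}: {x}\n" for x in sorted(v))
    for dn in sorted(set(new) - set(old), key=depth):
        out.append(f"dn: {dn}\nchangetype: add\n" + "".join(vals(a, v) for a, v in sorted(new[dn].items())))
    for dn in sorted(set(old) & set(new)):
        ops = ""
        for attr in sorted(set(old[dn]) | set(new[dn])):
            o, n = old[dn].get(attr, set()), new[dn].get(attr, set())
            if o != n:  # attribute gone -> delete, attribute new -> add, values changed -> replace
                ops += ("delete" if not n else "add" if not o else "replace") + f": {attr}\n{vals(attr, n)}-\n"
        if ops:
            out.append(f"dn: {dn}\nchangetype: modify\n{ops}")
    for dn in sorted(set(old) - set(new), key=depth, reverse=True):
        out.append(f"dn: {dn}\nchangetype: delete\n")
    return "\n".join(out)

OLD = """dn: uid=alice,ou=people,dc=example,dc=com
cn: Alice
mail: alice@example.com

dn: uid=bob,ou=people,dc=example,dc=com
cn: Bob
"""  # constructed sample: the LDIF that was loaded last time

NEW = """dn: uid=alice,ou=people,dc=example,dc=com
cn:: QWxpY2U=
mail: alice@corp.example.com
telephoneNumber: +1 555 0100

dn: uid=web,ou=people,dc=example,dc=com
cn: Web service account
"""  # constructed sample: today's export (bob removed, alice changed, web added)
```

Running `print(ldif_diff(parse_ldif(OLD), parse_ldif(NEW)))` gives the file to feed to `ldapmodify`; DN depth by comma count ignores escaped commas, so check the ordering on a test server before using it on DNs that contain them.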