Hello,
Does anyone have a ready-made script (e.g. bash) that would do the following:
Loop on all entries in the ou=people branch where ou <> "system" {
    If attribute DisplayName does not exist {
        Set DisplayName to the value of attribute cn
    }
}
I could do it with a bit of work, but it's urgent.
Any help will be appreciated!
Thanks in advance, Nick
Nick Milas wrote:
Does anyone have a ready-made script (e.g. bash) that would do the following:
Loop on all entries in the ou=people branch where ou <> "system" {
    If attribute DisplayName does not exist {
        Set DisplayName to the value of attribute cn
    }
}
You could use this LDAP filter to retrieve all entries you have to modify and their 'cn' attribute:
(&(ou:dn:=people)(!(ou=system))(!(displayName=*)))
Applying this simple LDIF to all the entries found is left as exercise to the reader:
dn: cn=dummy,ou=people,dc=example,dc=com
changetype: modify
add: displayName
displayName: <value taken from 'cn'>
Ciao, Michael.
using michaël's filter, you could try this:
ldapsearch [options] '(&(ou:dn:=people)(!(ou=system))(!(displayName=*)))' cn | awk '
/^dn:/ {
  print
  print "changetype: modify"
  print "replace: displayName"
  next
}
/^cn:/ { sub(/^cn/, "displayName") }
{ print }
' | ldapmodify [options]
we aren't doing your homework, are we? :-)
regards, Jephté
2017-02-01 18:50 GMT+04:00 Michael Ströder michael@stroeder.com:
Nick Milas wrote:
Does anyone have a ready-made script (e.g. bash) that would do the
following:
Loop on all entries in the ou=people branch where ou <> "system" {
    If attribute DisplayName does not exist {
        Set DisplayName to the value of attribute cn
    }
}
You could use this LDAP filter to retrieve all entries you have to modify and their 'cn' attribute:
(&(ou:dn:=people)(!(ou=system))(!(displayName=*)))
Applying this simple LDIF to all the entries found is left as exercise to the reader:
dn: cn=dummy,ou=people,dc=example,dc=com
changetype: modify
add: displayName
displayName: <value taken from 'cn'>
Ciao, Michael.
On Wednesday, 01 February 2017 16:52 CET, Jephte Clain jephte.clain@univ-reunion.fr wrote:
using michaël's filter, you could try this:
ldapsearch [options] '(&(ou:dn:=people)(!(ou=system))(!(displayName=*)))' cn | awk '
/^dn:/ {
  print
  print "changetype: modify"
  print "replace: displayName"
  next
}
/^cn:/ { sub(/^cn/, "displayName") }
{ print }
' | ldapmodify [options]
we aren't doing your homework, are we? :-)
Danger, Will Robinson! This will only work for dn values that aren't encoded. That's a trivial job for perl or python (or whatever). AWK operates on character streams and that's a bad fit for LDIF.
Cheers, Ralf Mattes
regards, Jephté
hello,
he asked for a quick and dirty way with bash, so that's what I gave him. however, I'm curious: can you give me an example of input my script can't handle?
regards, Jephté
2017-02-01 20:23 GMT+04:00 Ralf Mattes rm@mh-freiburg.de:
On Wednesday, 01 February 2017 16:52 CET, Jephte Clain <jephte.clain@univ-reunion.fr> wrote:
using michaël's filter, you could try this:
ldapsearch [options] '(&(ou:dn:=people)(!(ou=system))(!(displayName=*)))' cn | awk '
/^dn:/ {
  print
  print "changetype: modify"
  print "replace: displayName"
  next
}
/^cn:/ { sub(/^cn/, "displayName") }
{ print }
' | ldapmodify [options]
we aren't doing your homework, are we? :-)
Danger, Will Robinson! This will only work for dn values that aren't encoded. That's a trivial job for perl or python (or whatever). AWK operates on character streams and that's a bad fit for LDIF.
Cheers, Ralf Mattes
regards, Jephté
On Wednesday, 01 February 2017 19:21 CET, Jephte Clain jephte.clain@univ-reunion.fr wrote:
hello,
he asked for a quick and dirty way with bash, so that's what I gave him.
Sorry, but the OP did _not_ ask for a "quick and dirty" solution, he asked for an existing script. "Quick and dirty" is not what you want as a system administrator.
however, I'm curious: can you give me an example of input my script can't handle?
Yes, of course.
- It will fail as soon as the value of the cn attribute doesn't fit in a single line (happens more often than you might expect).
- It will fail for entries with more than one cn attribute, generating more than one displayName attribute per entry.
Cheers, Ralf Mattes
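Added example (not part of the original thread): an LDIF-aware version of the search-to-modify step that handles the cases raised above, namely folded values, several cn values per entry, and base64-encoded dn/cn lines. The first two sample entries are constructed, the third is the base64 entry quoted in the thread; the function names are illustrative, and the generated LDIF is meant to be reviewed before it is fed to ldapmodify.

```python
import base64

# Constructed `ldapsearch -LLL ... cn` output; the last entry is the one quoted in the thread.
SAMPLE = """\
dn: cn=Anna Example,ou=people,dc=example,dc=com
cn: Anna Example, whose common name is long enough for ldapsearch to fo
 ld it onto a second line

dn: cn=Bob,ou=people,dc=example,dc=com
cn: Bob
cn: Robert Example

dn:: Y249TWFudWVsIE3DvGhsYmVjayxvdT1hZHJlc3NidWNoLG89YXZjaSxjPWRl
cn:: TWFudWVsIE3DvGhsYmVjaw==
"""

def parse_entries(text):
    """Return [(dn, [cn, ...]), ...] with folded and base64 values decoded."""
    entries, dn, cns = [], None, []
    for line in text.replace("\n ", "").split("\n") + [""]:  # "\n " = LDIF fold
        if not line:                      # blank line ends the current entry
            if dn is not None:
                entries.append((dn, cns))
            dn, cns = None, []
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64 of UTF-8 value>"
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.lstrip(" ")
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "cn":
            cns.append(value)
    return entries

def ldif_line(attr, value):
    """'attr: value', or 'attr:: base64' when the value needs encoding."""
    plain = (value.isascii() and value.isprintable()
             and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    b64 = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}: {value}" if plain else f"{attr}:: {b64}"

def build_modify_ldif(text):
    """One 'add' record per entry from the first cn; 'add' never overwrites."""
    records = []
    for dn, cns in parse_entries(text):
        if cns:                           # entries without cn are left alone
            records.append("\n".join([
                ldif_line("dn", dn), "changetype: modify",
                "add: displayName", ldif_line("displayName", cns[0]), "-"]))
    return "\n\n".join(records) + "\n"

if __name__ == "__main__":
    print(build_modify_ldif(SAMPLE), end="")
```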
hello, my answers below:
2017-02-02 1:27 GMT+04:00 Ralf Mattes rm@mh-freiburg.de:
On Wednesday, 01 February 2017 19:21 CET, Jephte Clain <jephte.clain@univ-reunion.fr> wrote:
hello,
he asked for a quick and dirty way with bash, so that's what I gave him.
Sorry, but the OP did _not_ ask for a "quick and dirty" solution, he asked for an existing script. "Quick and dirty" is not what you want as a system administrator.
I fail to see why "urgently needed" and "bash script" does not qualify as "quick and dirty" but you have a point: "quick and dirty" is not usually what we do as sysadmins
I have to admit I like very much the fact that the knowledgeable people (including you) on this list always give quality answers and resist the urge of "quick and dirty you just have to copy/paste and not think about it"
however, I'm curious: can you give me an example of input my script can't handle?
Yes, of course.
- It will fail as soon as the value of the cn attribute doesn't fit in a
single line (happens more often than you might expect).
try it, it will not fail
- It will fail for entries with more than one cn attribute, generating more than one displayName attribute per entry.
you are right: I forgot that displayName is monovalued and cn is multivalued. that is a valid point. I was misled by the fact that we use the SUPANN norm, which requires cn to be used as a monovalued attribute.
The main point is obviously "avoid quick and dirty", and I want to say thank you for that
regards, Jephté
Cheers, Ralf Mattes
On Wed, 1 Feb 2017 22:21:31 +0400, Jephte Clain jephte.clain@univ-reunion.fr wrote:
hello,
he asked for a quick and dirty way with bash, so that's what I gave him. however, I'm curious: can you give me an example of input my script can't handle?
Just an example:
dn:: Y249TWFudWVsIE3DvGhsYmVjayxvdT1hZHJlc3NidWNoLG89YXZjaSxjPWRl
cn:: TWFudWVsIE3DvGhsYmVjaw==
-Dieter
hello,
thanks for your answer. however, I believe that with your input, my quick and dirty script produces:
dn:: Y249TWFudWVsIE3DvGhsYmVjayxvdT1hZHJlc3NidWNoLG89YXZjaSxjPWRl
changetype: modify
replace: displayName
displayName:: TWFudWVsIE3DvGhsYmVjaw==
which is valid ldif and works with ldapmodify
however, Ralf Mattes raises a valid point. I guess I shouldn't give quick and dirty hacks on a public list :-)
thanks again, regards, Jephté
2017-02-02 1:45 GMT+04:00 Dieter Klünter dieter@dkluenter.de:
On Wed, 1 Feb 2017 22:21:31 +0400, Jephte Clain jephte.clain@univ-reunion.fr wrote:
hello,
he asked for a quick and dirty way with bash, so that's what I gave him. however, I'm curious: can you give me an example of input my script can't handle?
Just an example:
dn:: Y249TWFudWVsIE3DvGhsYmVjayxvdT1hZHJlc3NidWNoLG89YXZjaSxjPWRl
cn:: TWFudWVsIE3DvGhsYmVjaw==
-Dieter
-- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E
Jephte Clain jephte.clain@univ-reunion.fr wrote on 02.02.2017 at 04:32 in message CAPas2jT=pGRaKrWNpiMfFau5oFtB6XqWUyC59dMHLJnQ6q1NLQ@mail.gmail.com:
hello,
thanks for your answer. however, I believe that with your input, my quick and dirty script produces:
dn:: Y249TWFudWVsIE3DvGhsYmVjayxvdT1hZHJlc3NidWNoLG89YXZjaSxjPWRl
changetype: modify
replace: displayName
displayName:: TWFudWVsIE3DvGhsYmVjaw==
which is valid ldif and works with ldapmodify
however, Ralf Mattes raises a valid point. I guess I shouldn't give quick and dirty hacks on a public list :-)
Why not? That's the "dirty" part of the quick response: People may be started quickly, but have to fix the dirty details if they are affected.
BTW: If ldapsearch had the same option that slapcat has, namely "ldif-wrap={no|<n>}", the simple script could work.
Ulrich
On Monday, 06 February 2017 08:34 CET, "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de wrote:
Why not? That's the "dirty" part of the quick response: People may be started quickly, but have to fix the dirty details if they are affected.
I strongly disagree (note: this is not a comment on the script posted but a general remark). Your standpoint assumes that the person asking for a solution is able to judge the quality/completeness/bugs/corner cases of the solution provided before running the script. But a person with such knowledge would never need to ask for such a solution. And "if they are affected" might translate into "once they've lost valuable data".
BTW: If ldapsearch had the same option that slapcat has, namely "ldif-wrap={no|<n>}", the simple script could work.
It does have such an option.
Cheers, Ralf Mattes
I wrote a windows based GUI tool to do this a few years ago. If you are interested please ping me offline.
"Ralf Mattes" rm@mh-freiburg.de wrote on 06.02.2017 at 17:25 in message 45d3-5898a380-1c9-2963e90@255445144:
On Monday, 06 February 2017 08:34 CET, "Ulrich Windl" Ulrich.Windl@rz.uni-regensburg.de wrote:
Why not? That's the "dirty" part of the quick response: People may be started quickly, but have to fix the dirty details if they are affected.
I strongly disagree (note: this is not a comment on the script posted but a general remark). Your standpoint assumes that the person asking for a solution is able to judge the quality/completeness/bugs/corner cases of the solution provided before running the script. But a person with such knowledge would never need to ask for such a solution. And "if they are affected" might translate into "once they've lost valuable data".
I disagree: Even scientists don't reinvent the wheel. First they look what others already did, then try to build on that. People asking for some solution should always be able to test whether the solution proposed is suitable for their needs. Even professional software (if such a thing really exists) claims that the customer is solely responsible to check whether the software fits its needs and works correctly. Of course after having paid for it.
Also, software that may fit perfectly for one's need, may be unsuitable for other people.
Ulrich
BTW: If ldapsearch had the same option that slapcat has, namely "ldif-wrap={no|<n>}", the simple script could work.
It does have such an option.
Cheers, Ralf Mattes
hello,
just a little follow-up:
- this is quick and dirty. it assumes cn is monovalued which may not be true in your DIT
- I assume you just wanted a quick script for a oneshot. if you want a script that you can regularly run to "fix" your database, you should take the time to properly write one with perl, python or whatever
I usually use bash+awk for quick & dirty, but I took the time to rewrite the script in python using the python-ldap library:
LDAP_URL = 'ldap://server'
USER_DN = 'cn=writer,dc=domain,dc=tld'
CREDENTIALS = 'supersecret'
BASE_DN = 'dc=domain,dc=tld'
FILTER = '(&(ou:dn:=people)(!(ou=system))(!(displayName=*)))'

import ldap

l = ldap.initialize(LDAP_URL)
l.bind_s(USER_DN, CREDENTIALS, ldap.AUTH_SIMPLE)
# fetch only the cn attribute of the entries that lack displayName
result = l.search_s(BASE_DN, ldap.SCOPE_SUBTREE, FILTER, ['cn'])
for dn, entry in result:
    # modify_s expects a list of (operation, attribute, value) tuples;
    # only the first cn value is copied
    l.modify_s(dn, [(ldap.MOD_REPLACE, 'displayName', entry['cn'][0])])
l.unbind_s()
enjoy, regards, Jephté
On 2/2/2017 8:11 AM, Jephte Clain wrote:
just a little follow-up:
- this is quick and dirty. it assumes cn is monovalued which may not
be true in your DIT
- I assume you just wanted a quick script for a oneshot. if you want a
script that you can regularly run to "fix" your database, you should take the time to properly write one with perl, python or whatever
Thank you very much for your time and effort!
Sorry I didn't reply earlier but I couldn't find time to even respond!
The script will do the job just fine!
However, due to the urgency of the situation, I was already obliged to manually change most of the values I needed. :-(
In the aftermath of this situation, I am also preparing a quick-n-dirty php script for such cases. I might post it here as well, for your reference.
The thing is that quick-n-dirty coded procedures may not be so quick in the end. One needs to prepare, customize and test sufficiently before they are used on the DIT, otherwise unpleasant surprises may occur!
This becomes even more time-consuming if one is not regularly working on programming.
All the best, Nick
openldap-technical@openldap.org