Hello !
My network infrastructure uses some special database not compatible with LDAP. But I need an OpenLDAP server to administer my Web Services accounts on my DMZ.
So I have written a script to export our "special" database to an LDIF file. This works pretty well. I've successfully loaded it on my OpenLDAP server.
But now I don't know how to update my OpenLDAP database from the newly generated LDIF files (when users are added, updated or removed) without disturbing the whole LDAP service (it's not a very good idea to delete the entire database and recreate it from the new LDIF file, as it stops the service completely during the operation).
Is there a way to update an OpenLDAP database to fit a new given LDIF file?
-> Updating/deleting the OUs
-> Deleting the objects that are not present.
-> Deleting the attributes removed.
-> Updating the attributes that have changed without deleting the object.
Doing this step by step to disturb the OpenLDAP service as little as possible.
Thanks for the help.
Regards,
Baptiste.
On Fri, Jan 29, 2021 at 11:07:19AM +0100, Prunk Dump wrote:
But now I don't know how to update my OpenLDAP database from the newly generated LDIF files (when users are added, updated or removed) without disturbing the whole LDAP service (it's not a very good idea to delete the entire database and recreate it from the new LDIF file, as it stops the service completely during the operation).
You could import it to a new directory, then stop the DB, move the new directory into place, and restart the DB. Irrespective of the import time, a directory rename (assuming old and new are on the same partition) is fast.
--On Friday, January 29, 2021 11:07 AM +0100 Prunk Dump prunkdump@gmail.com wrote:
Hello !
My network infrastructure uses some special database not compatible with LDAP. But I need an OpenLDAP server to administer my Web Services accounts on my DMZ.
So I have written a script to export our "special" database to an LDIF file. This works pretty well. I've successfully loaded it on my OpenLDAP server.
But now I don't know how to update my OpenLDAP database from the newly generated LDIF files (when users are added, updated or removed) without disturbing the whole LDAP service (it's not a very good idea to delete the entire database and recreate it from the new LDIF file, as it stops the service completely during the operation).
Is there a way to update an OpenLDAP database to fit a new given LDIF file?
-> Updating/deleting the OUs
-> Deleting the objects that are not present.
-> Deleting the attributes removed.
-> Updating the attributes that have changed without deleting the object.
Doing this step by step to disturb the OpenLDAP service as little as possible.
There are a few utilities out there that you could use:
ldapdiff, which does the diff between a running server and an LDIF file: https://linux.die.net/man/1/ldapdiff, https://launchpad.net/ldapdiff
ldifdiff.pl - A perl script that diffs two LDIF files: https://metacpan.org/pod/distribution/perl-ldap/contrib/ldifdiff.pl
ldifdiff - A go program that diffs two LDIF files: https://github.com/nxadm/ldifdiff
With any of these, you could generate the diff between your existing DB and the new DB and then apply it with ldapmodify.
Overall, I'd suggest writing a process using python-ldap or similar that writes the modifications directly to the LDAP server rather than doing one-offs like this.
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On Fri, 29 Jan 2021 at 11:02, Prunk Dump prunkdump@gmail.com wrote:
-> Deleting the attributes removed.
-> Updating the attributes that have changed without deleting the object.
Doing this step by step to disturb the OpenLDAP service as little as possible.
You could use the addpartial overlay in contrib for these last 2:
https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-modul...
Prunk Dump prunkdump@gmail.com wrote on 29.01.2021 at 11:07 in message
CALr0QzGOFoAr+=3-XohtB7GKWfvLtZXO-q5Y3Dp7neNS2eV7mQ@mail.gmail.com:
Hello !
My network infrastructure uses some special database not compatible with LDAP. But I need an OpenLDAP server to administer my Web Services accounts on my DMZ.
So I have written a script to export our "special" database to an LDIF file. This works pretty well. I've successfully loaded it on my OpenLDAP server.
But now I don't know how to update my OpenLDAP database from the newly generated LDIF files (when users are added, updated or removed) without disturbing the whole LDAP service (it's not a very good idea to delete the entire database and recreate it from the new LDIF file, as it stops the service completely during the operation).
Is there a way to update an OpenLDAP database to fit a new given LDIF file?
-> Updating/deleting the OUs
-> Deleting the objects that are not present.
-> Deleting the attributes removed.
-> Updating the attributes that have changed without deleting the object.
Doing this step by step to disturb the OpenLDAP service as little as possible.
I think you should think in "deltas" (changes) instead of whole databases. Then ldapmodify is the tool to use, and you'd have to write LDIF files that perform the changes.
An example for such a file would look similar to this:
dn: uid=t...,ou=...,dc=de
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=PP-Default,dc=policies,dc=...,dc=de

dn: uid=o...,ou=...,dc=de
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=PP-Default,dc=policies,dc=...,dc=de

dn: uid=m...,ou=...,dc=de
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 20201223135924Z
-
replace: userPassword
userPassword: {SSHA}blabla...
-
add: pwdHistory
pwdHistory: 20201223135924Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}blabla...
-
delete: pwdGraceUseTime
pwdGraceUseTime: 20180725081753Z
pwdGraceUseTime: 20180725081756Z
pwdGraceUseTime: 20180725081758Z
pwdGraceUseTime: 20201201095616Z
pwdGraceUseTime: 20201201095619Z
So you get the idea.
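The "diff then ldapmodify" route Quanah describes and the changetype: modify deltas Ulrich shows, as one added worked example (not code from the thread, nor from the ldapdiff/ldifdiff tools named above): a stdlib-only Python script that parses two content-LDIF snapshots (the previous and the new output of the export script) and emits an LDIF change file covering the four operations Baptiste listed: new OUs/entries added parent-first, changed attributes replaced in place, removed attributes deleted, and vanished entries deleted child-first so slapd never has to remove a non-leaf. The entries under dc=example,dc=com are constructed sample data. The script assumes both snapshots come from the same exporter, so DNs and attribute names can be compared literally rather than with LDAP matching rules, and it does not detect renames (a moved entry comes out as a delete plus an add).

```python
"""Diff two LDIF exports into an LDIF change file for ldapmodify. Added example,
not code from the thread; DNs/attribute names are compared exactly (same exporter)."""
import base64


def parse_ldif(text):
    """LDIF content -> {dn: {attr: {values}}}; unfolds lines, skips comments/version."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]                # folded continuation line
        elif not raw.startswith(("#", "version:")):
            unfolded.append(raw)
    entries, dn, attrs = {}, None, {}
    for line in unfolded + [""]:                   # trailing "" flushes the last record
        if not line.strip():
            if dn is not None: entries[dn] = attrs
            dn, attrs = None, {}
            continue
        name, _, value = line.partition(":")       # "attr:: <base64>" or "attr: text"
        value = (base64.b64decode(value[1:].strip()).decode("utf-8")
                 if value.startswith(":") else value.strip())
        if name.lower() == "dn":
            dn = value
        else:
            attrs.setdefault(name, set()).add(value)
    return entries


def ldif_value(attr, value):
    # base64-encode values that are not LDIF SAFE-STRINGs (leading ' ', ':' or '<', non-ASCII, CR/LF/NUL)
    if value[:1] in (" ", ":", "<") or any(ord(c) > 127 or c in "\r\n\0" for c in value):
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def diff_ldif(old, new):
    """Change records turning `old` into `new`, ordered for a single ldapmodify pass:
    adds parent-first, modifies, deletes child-first (slapd won't delete non-leaf entries)."""
    depth = lambda d: d.count(",")                 # RDN count; fine without escaped commas
    records = []
    for dn in sorted(set(new) - set(old), key=lambda d: (depth(d), d)):
        lines = [f"dn: {dn}", "changetype: add"]
        for attr in sorted(new[dn]):
            lines += [ldif_value(attr, v) for v in sorted(new[dn][attr])]
        records.append("\n".join(lines))
    for dn in sorted(set(old) & set(new)):
        ops = []
        for attr in sorted(set(old[dn]) | set(new[dn])):
            if attr not in new[dn]:                            # attribute removed
                ops.append(f"delete: {attr}")
            elif old[dn].get(attr) != new[dn][attr]:           # values changed or attr added
                vals = [ldif_value(attr, v) for v in sorted(new[dn][attr])]
                ops.append("\n".join([f"replace: {attr}"] + vals))
        if ops:                                                # unchanged entries emit nothing
            records.append(f"dn: {dn}\nchangetype: modify\n" + "\n".join(op + "\n-" for op in ops))
    for dn in sorted(set(old) - set(new), key=lambda d: (-depth(d), d)):
        records.append(f"dn: {dn}\nchangetype: delete")
    return records


# Constructed sample snapshots (hypothetical data): yesterday's export vs. today's.
OLD_LDIF = """dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
mail: alice@example.com
telephoneNumber: +33 1 23 45 67 89

dn: ou=old,dc=example,dc=com
objectClass: organizationalUnit
ou: old

dn: cn=legacy,ou=old,dc=example,dc=com
objectClass: organizationalRole
cn: legacy
"""
NEW_LDIF = """dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
mail: alice@example.org

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=web,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: web
member: uid=alice,ou=people,dc=example,dc=com
"""

if __name__ == "__main__":                          # usage: python ldifdiff.py > changes.ldif
    print("\n\n".join(diff_ldif(parse_ldif(OLD_LDIF), parse_ldif(NEW_LDIF))))
```

Run the result through ldapmodify with -n first (it shows what would be done without updating the directory), then apply it with -c -f changes.ldif so one rejected entry does not abort the rest. The "old" side can be yesterday's export file or, like ldapdiff, a fresh ldapsearch -LLL dump of the live subtree, which also catches drift introduced by hand. Two caveats a practitioner would want: the change file carries userPassword hashes, so create it with mode 0600 and remove it after applying; and an empty or truncated export diffs to a changetype: delete for every entry, so refuse to apply a diff whose delete count exceeds a sane threshold.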
Sorry for my late reply !
I have had such a hard week. A lot of work...
Thank you very much Quanah, David and Ulrich.
Sadly ldapdiff is not present anymore in the Debian repositories. I will check if I can use the other tools or use my own script.
Thank you again for your help !
Baptiste.
On Mon, 1 Feb 2021 at 08:02, Ulrich Windl Ulrich.Windl@rz.uni-regensburg.de wrote:
--On Saturday, February 6, 2021 11:32 AM +0100 Prunk Dump prunkdump@gmail.com wrote:
Sorry for my late reply !
I have had such a hard week. A lot of work...
Thank you very much Quanah, David and Ulrich.
Sadly ldapdiff is not present anymore in the Debian repositories. I will check if I can use the other tools or use my own script.
apt install libnet-ldap-perl
/usr/share/doc/libnet-ldap-perl/examples/ldifdiff.pl -h
--Quanah