2:07 a.m.
Hello !
My network infrastructure uses some special database not compatible
with LDAP. But I need an OpenLDAP server to administer my Web Services
accounts on my DMZ.
So I have written a script to export our "special" database to an LDIF
file. This works pretty well. I've successfully loaded it on my
OpenLDAP server.
But now I don't know how to update my OpenLDAP database from the new
generated LDIF files (when users are added, updated or removed)
without disturbing the whole LDAP service (it's not a very good idea
to delete the entire database and recreate it from the new LDIF file
as it stop the service completely during the operation).
Is there a way to update an OpenLDAP database to fit a new given LDIF file ?
-> Updating/deleting the OUs
-> Deleting the objects that are not present.
-> Deleting the attributes removed.
-> Updating the attributes that have changed without deleting the object.
Doing this step by step to disturb as little as possible the OpenLDAP service.
Thanks for the help.
Regards,
Baptiste.
9:20 a.m.
On Fri, Jan 29, 2021 at 11:07:19AM +0100, Prunk Dump wrote:
But now I don't know how to update my OpenLDAP database from the
new
generated LDIF files (when users are added, updated or removed)
without disturbing the whole LDAP service (it's not a very good idea
to delete the entire database and recreate it from the new LDIF file
as it stop the service completely during the operation).
You could import it to a new directory, then stop the DB, move the
new directory into place, and restart the DB. Irrespective of the
import time, a directory rename (assuming old and new are on the
same partition) is fast.
Thanks for the help.
Regards,
Baptiste.
--
Brian Reichert <reichert(a)numachi.com>
BSD admin/developer at large
9:31 a.m.
--On Friday, January 29, 2021 11:07 AM +0100 Prunk Dump
<prunkdump(a)gmail.com> wrote:
Hello !
My network infrastructure uses some special database not compatible
with LDAP. But I need an OpenLDAP server to administer my Web Services
accounts on my DMZ.
So I have written a script to export our "special" database to an LDIF
file. This works pretty well. I've successfully loaded it on my
OpenLDAP server.
But now I don't know how to update my OpenLDAP database from the new
generated LDIF files (when users are added, updated or removed)
without disturbing the whole LDAP service (it's not a very good idea
to delete the entire database and recreate it from the new LDIF file
as it stop the service completely during the operation).
Is there a way to update an OpenLDAP database to fit a new given LDIF
file ? -> Updating/deleting the OUs
-> Deleting the objects that are not present.
-> Deleting the attributes removed.
-> Updating the attributes that have changed without deleting the object.
Doing this step by step to disturb as little as possible the OpenLDAP
service.
There are a few utilities out there that you could use:
ldapdiff, which does the diff between a running server and an LDIF file:
<https://linux.die.net/man/1/ldapdiff>;, <https://launchpad.net/ldapdiff>
ldifdiff.pl - A perl script that diffs two LDIF files:
<https://metacpan.org/pod/distribution/perl-ldap/contrib/ldifdiff.pl>
ldifdiff - A go program that diffs two LDIF files:
<https://github.com/nxadm/ldifdiff>
With any of these, you could generate the diff between your existing DB and
the new DB and then apply it with ldapmodify.
Overall, I'd suggest writing a process using python-ldap or similar that
writes the modifications directly to the LDAP server rather than doing
one-offs like this.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
10:11 a.m.
On Fri, 29 Jan 2021 at 11:02, Prunk Dump <prunkdump(a)gmail.com> wrote:
-> Deleting the attributes removed.
-> Updating the attributes that have changed without deleting the object.
Doing this step by step to disturb as little as possible the OpenLDAP service.
You could use the addpartial overlay in contrib for these last 2:
https://git.openldap.org/openldap/openldap/-/tree/master/contrib/slapd-mo...
11:02 p.m.
New subject: Antw: [EXT] Best way two update a full OpenLDAP database from LDIF file
>> Prunk Dump <prunkdump(a)gmail.com> schrieb am 29.01.2021
um 11:07 in Nachricht
<CALr0QzGOFoAr+=3-XohtB7GKWfvLtZXO-q5Y3Dp7neNS2eV7mQ(a)mail.gmail.com>:
Hello !
My network infrastructure uses some special database not compatible
with LDAP. But I need an OpenLDAP server to administer my Web Services
accounts on my DMZ.
So I have written a script to export our "special" database to an LDIF
file. This works pretty well. I've successfully loaded it on my
OpenLDAP server.
But now I don't know how to update my OpenLDAP database from the new
generated LDIF files (when users are added, updated or removed)
without disturbing the whole LDAP service (it's not a very good idea
to delete the entire database and recreate it from the new LDIF file
as it stop the service completely during the operation).
Is there a way to update an OpenLDAP database to fit a new given LDIF file ?
-> Updating/deleting the OUs
-> Deleting the objects that are not present.
-> Deleting the attributes removed.
-> Updating the attributes that have changed without deleting the object.
Doing this step by step to disturb as little as possible the OpenLDAP
service.
I think you should think in "deltas" (changes) instead of whole databses.
Then ldapmodify is the tool to use and you'd have to write LDIF files that perform the
changes.
An example for such a file would look similar to this:
dn: uid=t...,ou=...,dc=de
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=PP-Default,dc=policies,dc=...,dc=de
dn: uid=o...,ou=...,dc=de
changetype: modify
add: pwdPolicySubentry
pwdPolicySubentry: cn=PP-Default,dc=policies,dc=...,dc=de
dn: uid=m...,ou=...,dc=de
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 20201223135924Z
-
replace: userPassword
userPassword: {SSHA}blabla...
-
add: pwdHistory
pwdHistory: 20201223135924Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}blabla...
-
delete: pwdGraceUseTime
pwdGraceUseTime: 20180725081753Z
pwdGraceUseTime: 20180725081756Z
pwdGraceUseTime: 20180725081758Z
pwdGraceUseTime: 20201201095616Z
pwdGraceUseTime: 20201201095619Z
So you get the idea.
Thanks for the help.
Regards,
Baptiste.
2:32 a.m.
New subject: [EXT] Best way two update a full OpenLDAP database from LDIF file
Sorry for my late reply !
I have a so hard week. A lot of work...
Thank you very much Quanah, David and Ulrich.
Sadly ldapdiff is not present anymore in the Debian repositories. I
will check if I can use the other tools or use my own script.
Thank you again for your help !
Baptiste.
Le lun. 1 févr. 2021 à 08:02, Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> a écrit :
>
> >>> Prunk Dump <prunkdump(a)gmail.com> schrieb am 29.01.2021 um 11:07 in
Nachricht
> <CALr0QzGOFoAr+=3-XohtB7GKWfvLtZXO-q5Y3Dp7neNS2eV7mQ(a)mail.gmail.com>:
> > Hello !
> >
> > My network infrastructure uses some special database not compatible
> > with LDAP. But I need an OpenLDAP server to administer my Web Services
> > accounts on my DMZ.
> >
> > So I have written a script to export our "special" database to an
LDIF
> > file. This works pretty well. I've successfully loaded it on my
> > OpenLDAP server.
> >
> > But now I don't know how to update my OpenLDAP database from the new
> > generated LDIF files (when users are added, updated or removed)
> > without disturbing the whole LDAP service (it's not a very good idea
> > to delete the entire database and recreate it from the new LDIF file
> > as it stop the service completely during the operation).
> >
> > Is there a way to update an OpenLDAP database to fit a new given LDIF file ?
> > -> Updating/deleting the OUs
> > -> Deleting the objects that are not present.
> > -> Deleting the attributes removed.
> > -> Updating the attributes that have changed without deleting the object.
> > Doing this step by step to disturb as little as possible the OpenLDAP
> > service.
>
> I think you should think in "deltas" (changes) instead of whole databses.
> Then ldapmodify is the tool to use and you'd have to write LDIF files that
perform the changes.
>
> An example for such a file would look similar to this:
>
> dn: uid=t...,ou=...,dc=de
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=PP-Default,dc=policies,dc=...,dc=de
>
> dn: uid=o...,ou=...,dc=de
> changetype: modify
> add: pwdPolicySubentry
> pwdPolicySubentry: cn=PP-Default,dc=policies,dc=...,dc=de
>
> dn: uid=m...,ou=...,dc=de
> changetype: modify
> replace: pwdChangedTime
> pwdChangedTime: 20201223135924Z
> -
> replace: userPassword
> userPassword: {SSHA}blabla...
> -
> add: pwdHistory
> pwdHistory: 20201223135924Z#1.3.6.1.4.1.1466.115.121.1.40#38#{SSHA}blabla...
> -
> delete: pwdGraceUseTime
> pwdGraceUseTime: 20180725081753Z
> pwdGraceUseTime: 20180725081756Z
> pwdGraceUseTime: 20180725081758Z
> pwdGraceUseTime: 20201201095616Z
> pwdGraceUseTime: 20201201095619Z
>
> So you get the idea.
>
> >
> > Thanks for the help.
> >
> > Regards,
> >
> > Baptiste.
>
>
>
>
11:46 a.m.
New subject: [EXT] Best way two update a full OpenLDAP database from LDIF file
--On Saturday, February 6, 2021 11:32 AM +0100 Prunk Dump
<prunkdump(a)gmail.com> wrote:
Sorry for my late reply !
I have a so hard week. A lot of work...
Thank you very much Quanah, David and Ulrich.
Sadly ldapdiff is not present anymore in the Debian repositories. I
will check if I can use the other tools or use my own script.
apt install libnet-ldap-perl
/usr/share/doc/libnet-ldap-perl/examples/ldifdiff.pl -h
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
1029
days inactive
1037
days old
openldap-technical@openldap.org
6 comments
5 participants
participants (5)
-
Brian Reichert -
David Hawes -
Prunk Dump -
Quanah Gibson-Mount -
Ulrich Windl