Hi All.
I have had a question come down from our Enterprise information team -
We currently create a separate identity in oldap for students vs faculty/staff, but want to start creating only one identity going forward.
The DN in the ldif is unique for these two identities, but they do share a common attribute.
Is there a way in the ldapmodify add process to query the whole directory for an attribute coming from the ldif file, and then if it doesn't exist reject the add for that identity, and then of course go on processing the rest of the file?
My gut says no, or at least not without some scripting that I am not familiar with.
Thanks for your time.
Norman Singley Directory Services / IT University of Montana 406 243 6799 Norman.singley@umontana.edu
--On Wednesday, May 1, 2024 10:56 PM +0000 "Singley, Norman" norman.singley@mso.umt.edu wrote:
> Hi All.
> I have had a question come down from our Enterprise information team –
> We currently create a separate identity in oldap for students vs faculty/staff, but want to start creating only one identity going forward.
> The DN in the ldif is unique for these two identities, but they do share a common attribute.
> Is there a way in the ldapmodify add process to query the whole directory for an attribute coming from the ldif file, and then if it doesn't exist reject the add for that identity, and then of course go on processing the rest of the file?
> My gut says no, or at least not without some scripting that I am not familiar with.
There's not a lot of detail here that makes it easy to answer, but in general I'd suggest using something like python-ldap, and then:
query for attribute
exists? reject
doesn't exist? modify or add
It even has an LDIF parser, so you could theoretically give it your LDIF file and have it process per-entry as noted above. You could do something similar with Perl's perl-ldap module as well.
--Quanah
On May 1, 2024, at 5:31 PM, Quanah Gibson-Mount quanah@fast-mail.org wrote:
> --On Wednesday, May 1, 2024 10:56 PM +0000 "Singley, Norman" norman.singley@mso.umt.edu wrote:
> > Hi All.
> > I have had a question come down from our Enterprise information team –
> > We currently create a separate identity in oldap for students vs faculty/staff, but want to start creating only one identity going forward.
> > The DN in the ldif is unique for these two identities, but they do share a common attribute.
> > Is there a way in the ldapmodify add process to query the whole directory for an attribute coming from the ldif file, and then if it doesn't exist reject the add for that identity, and then of course go on processing the rest of the file?
> > My gut says no, or at least not without some scripting that I am not familiar with.
> There's not a lot of detail here that makes it easy to answer, but in general I'd suggest using something like python-ldap, and then:
> query for attribute
> exists? reject
> doesn't exist? modify or add
> It even has an LDIF parser, so you could theoretically give it your LDIF file and have it process per-entry as noted above. You could do something similar with Perl's perl-ldap module as well.
How about the slapo-unique overlay to enforce uniqueness across the DIT on the shared attribute and ldapmodify -c to continue on errors?
Or, what am I missing here about the req’s?
> --Quanah
--On Wednesday, May 1, 2024 6:39 PM -0500 Shawn McKinney smckinney@symas.com wrote:
> How about the slapo-unique overlay to enforce uniqueness across the DIT on the shared attribute and ldapmodify -c to continue on errors?
> Or, what am I missing here about the req's?
That might be a solution? There's not enough detail in the requirements to say either way.
--Quanah
Thank you, and sorry for the late response.
I can ask around if anyone on staff would have experience with Python or the slapo-unique overlay you mention. I don't have the scripting talent, I don't think, to do anything like this. I was just wondering if anyone has any direct experience with checking if an attribute exists before adding a new identity to the directory.
Thanks for replying, it gives me some info to take back to the team.
Norman Singley Directory Services / IT 406 243 6799 Norman.singley@umontana.edu
-----Original Message-----
From: Quanah Gibson-Mount quanah@fast-mail.org
Sent: Wednesday, May 1, 2024 4:52 PM
To: Shawn McKinney smckinney@symas.com
Cc: Singley, Norman norman.singley@mso.umt.edu; openldap-technical@openldap.org
Subject: Re: Query for attribute before adding new entry.
--On Wednesday, May 1, 2024 6:39 PM -0500 Shawn McKinney smckinney@symas.com wrote:
> How about the slapo-unique overlay to enforce uniqueness across the DIT on the shared attribute and ldapmodify -c to continue on errors?
> Or, what am I missing here about the req's?
That might be a solution? There's not enough detail in the requirements to say either way.
--Quanah