Description

ldapconvert is a utility program to port from Member mode to MemberOf mode. This is done by searching all specified group/template entries and fetching their Member attribute values. Each value is the DN of a member entry. The entry identified by this DN will have the MemberOf attribute value of the group/template DN at hand added to it. In addition, those Member attribute values will be deleted from the group/template unless Both mode is specified.

While running the program, a log file named ldapconvert.log is generated in the current directory, logging all modifications done and errors encountered.
Syntax

> ldapconvert -d -h <host> -p <port> -D user_DN -w <secret> [-g group_DN | -f <file>] -m mem_attr -o memberof_attr -c memberobjectclass [<extra options>]
Parameter | Description
---|---
-d | Debug flag.
-h <host> | LDAP server IP address.
-p <port> | LDAP server port number.
-D user_DN | LDAP bind DN.
-w <secret> | LDAP bind password.
-g group_DN | Group or template DN to perform the conversion on. May appear multiple times for multiple entries.
-f <file> | File containing a list of group DNs, each separated by a new line.
-m mem_attr | LDAP attribute name used when fetching and (possibly) deleting a Member attribute value.
-o memberof_attr | LDAP attribute name used when adding a "MemberOf" attribute value.
-c memberobjectclass | LDAP objectclass attribute value that filters which type of member entries to modify. May appear multiple times, creating a compound filter.
<extra options> | See below.
The ldapconvert extra options are as follows:

- -M - Maximum number of member LDAP updates issued simultaneously (default is 20).
- -B - Convert to Both mode.
- -p <port> - LDAP port (default is 389).
- -T <timeout> - Client side timeout for LDAP operations, in milliseconds (default is "never").
- -l <time limit> - Server side time limit for LDAP operations, in seconds (default is "never").
- -s - Server side size limit for LDAP operations, in entries (default is "none").
- -z - Use SSL.

Comments

It is recommended to make a backup of the LDAP server before running the conversion program, in case unrecoverable errors are encountered.
There are two GroupMembership modes: template-to-groups and user-to-groups. It is imperative to keep these modes consistent. For instance, if you apply the conversion to LDAP users to include 'MemberOf' attributes for their groups, then this conversion should also be applied to the LDAP defined templates for their groups.
Why does a command run with the option -M fail?

The program terminates with an error message stating that the connection terminated unexpectedly. This means that the LDAP server could not handle so many LDAP requests simultaneously and closed the connection. The solution is to run the program again with a lower value for the -M option (the default value should be adequate, but could also cause a connection failure in extreme situations). Continue to reduce the value until the program exits normally. Each time you run the program with the same set of groups, the program picks up where it left off.
Example

A group is defined with the DN cn=cpGroup,ou=groups, ou=cp, c=il and the following attributes:

```
...
cn=cpGroup
uniquemember="cn=member1,ou=people, ou=cp,c=il"
uniquemember=" cn=member2, ou=people, ou=cp,c=il"
...
```

For the 2 member entries:

```
...
cn=member1
objectclass=fw1Person
...
```

and:

```
...
cn=member2
objectclass=fw1Person
...
```

Run ldapconvert with the following arguments (the member and memberof attribute names and the -c filter match the entries shown above, and the bind DN is passed with -D as in the syntax line):

```
ldapconvert -g "cn=cpGroup,ou=groups, ou=cp, c=il" -h myhost -D cn=admin -w secret -m uniquemember -o memberof -c fw1Person
```

The result for the group DN will be as follows:

```
...
cn=cpGroup
...
```

The result for the 2 member entries will be as follows:

```
...
cn=member1
objectclass=fw1Person
memberof="cn=cpGroup,ou=groups, ou=cp, c=il"
...
```

and

```
...
cn=member2
objectclass=fw1Person
memberof=" cn=cpGroup,ou=groups, ou=cp, c=il"
...
```

Running the same command with the -B option will produce the same result, but the group entry will not be modified.

If there is another member attribute value for the same group entry:

```
uniquemember="cn=template1,ou=people, ou=cp,c=il"
```

and the template is:

```
cn=template1
objectclass=fw1Template
```

then after running the same command line the template entry will stay intact, because the command line specified the option -c fw1Person but the object class of template1 is fw1Template.
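The conversion described above, as an added example that is not Check Point's ldapconvert code: it applies the Member-to-MemberOf logic (the -m/-o/-c parameters, the -B mode, dangling member DNs, and a safe re-run) to an in-memory model of the page's example entries. The DN normalisation and the choice to leave unmatched Member values on the group are assumptions of this example.

```python
# Added example, not Check Point's ldapconvert code: the Member -> MemberOf conversion
# run on an in-memory model of the page's example entries (-m/-o/-c and -B effects).
from typing import Dict, List

Directory = Dict[str, Dict[str, List[str]]]   # normalised DN -> {attribute: values}

def norm_dn(dn: str) -> str:
    """Compare DNs ignoring case and the spaces around RDN separators (assumption)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def convert_group(directory: Directory, group_dn: str, mem_attr: str, memberof_attr: str,
                  member_classes: List[str], both_mode: bool = False) -> List[str]:
    """Port one group/template entry; returns the lines ldapconvert.log would carry."""
    log: List[str] = []
    group = directory.get(norm_dn(group_dn))
    if group is None:
        return [f"ERROR group not found: {group_dn}"]
    kept: List[str] = []                      # Member values that stay on the group
    for member_dn in group.get(mem_attr, []):
        member = directory.get(norm_dn(member_dn))
        if member is None:                    # dangling DN: log it, never drop the value
            log.append(f"ERROR member not found: {member_dn}")
            kept.append(member_dn)
            continue
        classes = {c.lower() for c in member.get("objectclass", [])}
        if not all(c.lower() in classes for c in member_classes):  # -c filter (compound)
            kept.append(member_dn)            # assumption: unmatched values are left alone
            continue
        memberof = member.setdefault(memberof_attr, [])
        if norm_dn(group_dn) not in {norm_dn(v) for v in memberof}:  # safe to re-run
            memberof.append(group_dn)
            log.append(f"ADD {memberof_attr}={group_dn} to {member_dn}")
        if both_mode:                         # -B: the group keeps its Member values
            kept.append(member_dn)
        else:
            log.append(f"DELETE {mem_attr}={member_dn} from {group_dn}")
    if kept:
        group[mem_attr] = kept
    else:
        group.pop(mem_attr, None)
    return log

def example_directory() -> Directory:
    """Constructed from the page's example: cpGroup, two fw1Person members, one template."""
    people = "ou=people,ou=cp,c=il"
    return {norm_dn("cn=cpGroup,ou=groups,ou=cp,c=il"): {"uniquemember": [
                f"cn=member1,{people}", f" cn=member2, {people}", f"cn=template1,{people}"]},
            **{norm_dn(f"cn={cn},{people}"): {"objectclass": [oc]} for cn, oc in
               [("member1", "fw1Person"), ("member2", "fw1Person"), ("template1", "fw1Template")]}}
```

Running `convert_group(example_directory(), "cn=cpGroup,ou=groups, ou=cp, c=il", "uniquemember", "memberof", ["fw1Person"])` yields two ADD and two DELETE log lines, leaves template1 untouched, and a second run on the same directory logs nothing.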