
ldapmemberconvert

Description

This is an LDAP utility that ports Member attribute values in LDAP group entries to MemberOf attribute values in LDAP member (User or Template) entries.

This utility converts the LDAP server data to work in MemberOf mode or Both mode. It finds all specified group or template entries that hold one or more Member attribute values, fetches those values, and modifies the entries they point to.

Each value is the DN of a member entry. The DN of the group/template at hand is added as a MemberOf attribute value to the entry identified by that member DN. In addition, those Member attribute values are deleted from the group/template unless you run the command in Both mode.

When you run the command, it creates a log file, ldapmemberconvert.log, in the current working directory. The log records all modifications made and all errors encountered.

Important - Back up the LDAP server database before running this conversion utility.

Syntax

[Expert@MGMT:0]# ldapmemberconvert [-d <Debug Level>] -h <LDAP Server> -p <LDAP Server Port> -D <LDAP Admin DN> -w <LDAP Admin Password> -m <Member Attribute Name> -o <MemberOf Attribute Name> -c <Member ObjectClass Value> [-B] [-f <File> | -g <Group DN>] [-L <LDAP Server Timeout>] [-M <Number of Updates>] [-S <Size>] [-T <LDAP Client Timeout>] [-Z]

Note - You must run this command from the Expert mode.

Parameters

Parameter

Description

-d <Debug Level>

Runs the command in debug mode with the specified TDERROR debug level.

Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>

Specifies the LDAP Server computer by its IP address or resolvable hostname.

If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port>

Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>

Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>

Specifies the LDAP Server administrator password.

-m <Member Attribute Name>

Specifies the name of the group Member attribute whose values the command fetches and (unless run in Both mode) deletes.

-o <MemberOf Attribute Name>

Specifies the name of the MemberOf attribute that the command adds to each member entry.

-c <Member ObjectClass Value>

Specifies the LDAP ObjectClass attribute value that defines which type of member entry to modify. Member entries whose ObjectClass does not match any specified value are left intact.

You can specify multiple attribute values with this syntax:

-c <Member Object Class 1> -c <Member Object Class 2> ... -c <Member Object Class X>

-B

Specifies to run in Both mode.

-f <File>

Specifies the file that contains a list of Group DNs separated by a new line:

<Group DN 1>
<Group DN 2>
...
<Group DN X>

Length of each line is limited to 256 characters.

-g <Group DN>

Specifies the Group or Template Distinguished Name, on which to perform the conversion.

You can specify multiple Group DNs with this syntax:

-g <Group DN 1> -g <Group DN 2> ... -g <Group DN X>

-L <LDAP Server Timeout>

Specifies the Server side time limit for LDAP operations, in seconds.

Default is never.

-M <Number of Updates>

Specifies the maximal number of simultaneous member LDAP updates.

Default is 20.

-S <Size>

Specifies the Server side size limit for LDAP operations, in number of entries.

Default is none.

-T <LDAP Client Timeout>

Specifies the Client side timeout for LDAP operations, in milliseconds.

Default is never.

-Z

Specifies to use SSL connection.

Notes

There are two GroupMembership modes. You must keep these modes consistent across LDAP users and LDAP templates.

For example, if you apply the conversion to LDAP users so that they include MemberOf attributes for their groups, then you must also apply the conversion to the LDAP-defined templates for their groups.

Troubleshooting

Symptom:

A command fails with an error message stating that the connection stopped unexpectedly when you run it with the parameter -M <Number of Updates>.

Root Cause:

The LDAP server could not handle that many LDAP requests simultaneously and closed the connection.

Solution:

Run the command again with a lower value for the -M parameter. The default value should be adequate, but in extreme situations it can also cause a connection failure. Continue to reduce the value until the command runs normally. Each time you run the command with the same set of groups, the command continues from where it left off.

Example 1

A group is defined with the DN "cn=cpGroup,ou=groups,ou=cp,c=us" and these attributes:

...

cn=cpGroup

uniquemember="cn=member1,ou=people,ou=cp,c=us"

uniquemember="cn=member2,ou=people,ou=cp,c=us"

...

For the two member entries:

...

cn=member1

objectclass=fw1Person

...

and:

...

cn=member2

objectclass=fw1Person

...

Run:

[Expert@MGMT:0]# ldapmemberconvert -g cn=cpGroup,ou=groups,ou=cp,c=us -h MyLdapServer -D cn=admin -w secret -m uniquemember -o memberof -c fw1Person

The result for the group DN is:

...

cn=cpGroup

...

The result for the two member entries is:

...

cn=member1

objectclass=fw1Person

memberof="cn=cpGroup,ou=groups,ou=cp,c=us"

...

and:

...

cn=member2

objectclass=fw1Person

memberof="cn=cpGroup,ou=groups,ou=cp,c=us"

...

If you run the same command with the -B parameter, it produces the same result for the member entries, but the group entry is not modified.

Example 2

If there is another member attribute value for the same group entry:

uniquemember="cn=template1,ou=people,ou=cp,c=us"

and the template is:

cn=member1

objectclass=fw1Template

Then after running the same command, the template entry stays intact: the parameter "-c fw1Person" restricts the modification to entries of object class fw1Person, and the object class of template1 is fw1Template.
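To make the conversion semantics concrete, here is an added Python model (not Check Point's code) of what ldapmemberconvert does to a directory in MemberOf mode and in Both mode, including the -c object class filter from Example 2. The sample directory is constructed from Examples 1 and 2; the group's own object class is assumed, as is the handling of a skipped member's value in the group.

```python
from copy import deepcopy

# Constructed directory keyed by DN, mirroring Examples 1 and 2 (group class assumed).
GROUP_DN = "cn=cpGroup,ou=groups,ou=cp,c=us"
SAMPLE_DIRECTORY = {
    GROUP_DN: {
        "cn": ["cpGroup"],
        "objectclass": ["groupOfUniqueNames"],
        "uniquemember": [
            "cn=member1,ou=people,ou=cp,c=us",
            "cn=member2,ou=people,ou=cp,c=us",
            "cn=template1,ou=people,ou=cp,c=us",
        ],
    },
    "cn=member1,ou=people,ou=cp,c=us": {"cn": ["member1"], "objectclass": ["fw1Person"]},
    "cn=member2,ou=people,ou=cp,c=us": {"cn": ["member2"], "objectclass": ["fw1Person"]},
    "cn=template1,ou=people,ou=cp,c=us": {"cn": ["template1"], "objectclass": ["fw1Template"]},
}

def ldapmemberconvert(directory, group_dns, member_attr, memberof_attr,
                      member_classes, both_mode=False):
    """Return (converted copy of directory, log lines).
    Each Member value whose entry has one of the -c object classes gets the group DN
    added to its MemberOf attribute; the Member value is then deleted from the group
    unless Both mode (-B). Other entries stay intact (Example 2); leaving their
    Member value in the group as well is an assumption, not documented behaviour."""
    dir_ = deepcopy(directory)          # the caller's directory is never mutated
    log = []
    wanted = {c.lower() for c in member_classes}
    for group_dn in group_dns:
        group = dir_.get(group_dn)
        if group is None:
            log.append(f"ERROR: group {group_dn} not found")
            continue
        for member_dn in list(group.get(member_attr, [])):   # copy: we delete below
            entry = dir_.get(member_dn)
            if entry is None:
                log.append(f"ERROR: member {member_dn} not found")
                continue
            if not wanted & {c.lower() for c in entry.get("objectclass", [])}:
                log.append(f"SKIP: {member_dn} is not one of {sorted(wanted)}")
                continue
            values = entry.setdefault(memberof_attr, [])
            if group_dn not in values:      # idempotent, so a rerun resumes safely
                values.append(group_dn)
                log.append(f"ADD {memberof_attr}={group_dn} on {member_dn}")
            if not both_mode:
                group[member_attr].remove(member_dn)
                log.append(f"DEL {member_attr}={member_dn} from {group_dn}")
    return dir_, log
```

Running it once in MemberOf mode and once more on the result shows why the real command can be rerun on the same set of groups: entries that already carry the MemberOf value are not modified again.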