ldapmemberconvert

Description

This LDAP utility ports the "Member" attribute values held in LDAP group entries to "MemberOf" attribute values on the LDAP member (User or Template) entries.

The utility converts the LDAP server data to work in either the "MemberOf" mode or the "Both" mode. It searches through all specified group or template entries, fetches their "Member" attribute values, and processes each value.

Each value is the DN of a member entry. The utility adds the DN of the group/template at hand to the "MemberOf" attribute of the entry identified by that member DN. In addition, the utility deletes the converted "Member" attribute values from the group/template, unless you run the command in the "Both" mode, in which case the group/template keeps its "Member" attribute values.

When you run the command, it creates a log file ldapmemberconvert.log in the current working directory. The command logs all modifications done and errors encountered in that log file.

Important - Back up the LDAP server database before you run this conversion utility. In the "MemberOf" mode, the original "Member" attribute values are deleted from the group/template entries and cannot be recovered from the directory itself.

Notes:

  • You can run this command only in the Expert mode.

  • On a Multi-Domain Server, you must run this command in the context of the applicable Domain Management Server:

    mdsenv <IP Address or Name of Domain Management Server>

Syntax

ldapmemberconvert [-d <Debug Level>] -h <LDAP Server> -p <LDAP Server Port> -D <LDAP Admin DN> -w <LDAP Admin Password> -m <Member Attribute Name> -o <MemberOf Attribute Name> -c <Member ObjectClass Value> [-B] [-f <File> | -g <Group DN>] [-L <LDAP Server Timeout>] [-M <Number of Updates>] [-S <Size>] [-T <LDAP Client Timeout>] [-Z]

Parameters

Parameter

Description

-d <Debug Level>

Runs the command in debug mode with the specified TDERROR debug level.

Valid values are from 0 (disabled) to 5 (maximal level, recommended).

-h <LDAP Server>

Specifies the LDAP Server computer by its IP address or resolvable hostname.

If you do not specify the LDAP Server explicitly, the command connects to localhost.

-p <LDAP Server Port>

Specifies the LDAP Server port. Default is 389.

-D <LDAP Admin DN>

Specifies the LDAP Server administrator Distinguished Name.

-w <LDAP Admin Password>

Specifies the LDAP Server administrator password. Because the password is passed on the command line, it is visible to other users in process listings and is recorded in the shell history; clear the history after the run if that is a concern.

-m <Member Attribute Name>

Specifies the name of the LDAP attribute from which the utility fetches the group Member values, and from which it deletes them unless it runs in the "Both" mode (for example, member for groupOfNames entries).

-o <MemberOf Attribute Name>

Specifies the name of the LDAP attribute on the member entries to which the utility adds the "MemberOf" value (the DN of the group/template).

-c <Member ObjectClass Value>

Specifies the LDAP "ObjectClass" attribute value that defines which type of member entries to modify. Only member entries that carry one of the specified object class values are modified.

You can specify multiple attribute values with this syntax:

-c <Member Object Class 1> -c <Member Object Class 2> ... -c <Member Object Class N>

-B

Specifies to run in the "Both" mode: the "MemberOf" values are added to the member entries, and the "Member" values are kept in the group/template entries.

-f <File>

Specifies the file that contains a list of Group DNs separated by a new line:

<Group DN 1>
<Group DN 2>
...
<Group DN N>

The length of each line is limited to 256 characters.

-g <Group DN>

Specifies the Group or Template Distinguished Name, on which to perform the conversion.

You can specify multiple Group DNs with this syntax:

-g <Group DN 1> -g <Group DN 2> ... -g <Group DN N>

-L <LDAP Server Timeout>

Specifies the Server side time limit for LDAP operations, in seconds.

Default is "never".

-M <Number of Updates>

Specifies the maximal number of simultaneous member LDAP updates.

Default is 20.

-S <Size>

Specifies the Server side size limit for LDAP operations, in number of entries.

Default is "none".

-T <LDAP Client Timeout>

Specifies the Client side timeout for LDAP operations, in milliseconds.

Default is "never".

-Z

Specifies to use an SSL connection to the LDAP Server.
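The following is an added example, not Check Point's code and not the ldapmemberconvert implementation. It models the conversion described in the Description section and the -m, -o, -c, -B and -f parameters above over a small in-memory directory, and emits the equivalent ldapmodify-style LDIF change records so the planned modifications can be reviewed against a backup before a real server is touched. The attribute names, object classes, DNs and the handling of dangling member DNs and non-matching object classes (the value is left in the group) are assumptions of this model, not documented tool behaviour.

```python
"""Offline model of the ldapmemberconvert conversion (added example, not
Check Point's code).  It runs the "Member" -> "MemberOf" port over an
in-memory directory and emits ldapmodify-style LDIF change records so the
modifications can be reviewed before a real server is touched.
Assumed: the attribute and object class names below are sample values."""
import copy
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]        # attribute name -> list of values
Directory = Dict[str, Entry]        # DN -> entry

MAX_LINE = 256                      # line limit of the -f <File> list

GROUP = "cn=vpn-users,ou=groups,dc=example,dc=com"

# Constructed sample directory (not real data).
SAMPLE_DIRECTORY: Directory = {
    GROUP: {
        "objectClass": ["groupOfNames"],
        "member": [
            "uid=alice,ou=people,dc=example,dc=com",
            "uid=bob,ou=people,dc=example,dc=com",
            "cn=printer1,ou=devices,dc=example,dc=com",  # wrong objectClass: skipped
            "uid=ghost,ou=people,dc=example,dc=com",     # dangling DN: logged as error
        ],
    },
    # alice was already converted by an earlier, interrupted run
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "memberOf": [GROUP]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"]},
    "cn=printer1,ou=devices,dc=example,dc=com": {"objectClass": ["device"]},
}


def read_group_file(text: str) -> List[str]:
    """Parse the -f <File> format: one Group DN per line, blank lines ignored."""
    groups = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if len(line) > MAX_LINE:
            raise ValueError(f"line {lineno}: Group DN exceeds {MAX_LINE} characters")
        groups.append(line)
    return groups


def convert(directory: Directory, group_dns: List[str],
            member_attr: str = "member",          # -m
            memberof_attr: str = "memberOf",      # -o
            member_classes=("inetOrgPerson",),    # -c (repeatable)
            both_mode: bool = False,              # -B
            ) -> Tuple[Directory, List[str], List[str]]:
    """Return (updated directory, LDIF change records, log lines).

    The input directory is left untouched.  Leaving dangling member DNs and
    non-matching object classes in the group is an assumption of this model.
    """
    out = copy.deepcopy(directory)
    wanted = {c.lower() for c in member_classes}
    ldif: List[str] = []
    log: List[str] = []
    for group_dn in group_dns:
        group = out.get(group_dn)
        if group is None:
            log.append(f"ERROR group not found: {group_dn}")
            continue
        converted: List[str] = []
        for member_dn in list(group.get(member_attr, [])):
            entry = out.get(member_dn)
            if entry is None:
                log.append(f"ERROR member not found: {member_dn} (in {group_dn})")
                continue
            classes = {c.lower() for c in entry.get("objectClass", [])}
            if not classes & wanted:
                log.append(f"SKIP objectClass {sorted(classes)} not selected: {member_dn}")
                continue
            memberof = entry.setdefault(memberof_attr, [])
            if group_dn not in memberof:           # idempotent: a re-run resumes cleanly
                memberof.append(group_dn)
                ldif.append(f"dn: {member_dn}\nchangetype: modify\n"
                            f"add: {memberof_attr}\n{memberof_attr}: {group_dn}\n-\n")
                log.append(f"MOD add {memberof_attr}={group_dn} to {member_dn}")
            converted.append(member_dn)
        if converted and not both_mode:            # "MemberOf" mode drops the Member values
            group[member_attr] = [m for m in group[member_attr] if m not in converted]
            values = "".join(f"{member_attr}: {m}\n" for m in converted)
            ldif.append(f"dn: {group_dn}\nchangetype: modify\n"
                        f"delete: {member_attr}\n{values}-\n")
            log.append(f"MOD delete {len(converted)} {member_attr} value(s) from {group_dn}")
    return out, ldif, log


if __name__ == "__main__":
    groups = read_group_file(GROUP + "\n")
    _, records, lines = convert(SAMPLE_DIRECTORY, groups)
    print("\n".join(lines))
    print("".join(records))
```

Running it in the default ("MemberOf") mode produces one add record for bob, no record for alice (her "MemberOf" value already exists), and one delete record that removes both DNs from the group; the printer and the dangling DN stay in the group and appear only in the log. Running it again over the result produces no records, which mirrors the troubleshooting note that a repeated run continues from where it left off. With both_mode=True the add record is emitted but the group keeps all four "Member" values.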

Notes

There are two "GroupMembership" modes, and you must keep them consistent:

  • template-to-groups

  • user-to-groups

For example, if you apply the conversion to LDAP users so that they include the "MemberOf" attributes for their groups, then you must also apply this conversion to the LDAP-defined templates for their groups.

Troubleshooting

Symptom:

The command fails with an error message stating that the connection stopped unexpectedly when you run it with the parameter -M <Number of Updates>.

Root Cause:

The LDAP server could not handle that many LDAP requests simultaneously and closed the connection.

Solution:

Run the command again with a lower value for the "-M" parameter. The default value should be adequate but can also cause a connection failure in extreme situations. Continue to reduce the value until the command runs normally. Each time you run the command with the same set of groups, the command continues from where it left off.

Examples