Posted by John Paul van Helvoort on July 13, 2009
Today I was asked to clean up an Oracle Internet Directory without removing orcladmin and some other operational users.
Since all accounts live under the same container, cn=Users,dc=example,dc=com, I could not use bulkdelete and had to build the delete list from an ldapsearch instead.
First we exported all the users :
ldapsearch -h oid.example.com -p 389 -L -D "cn=orcladmin" -w "xxx" -b "cn=Users,dc=example,dc=com" -s sub "objectclass=*" > users_oid.ldif
This produces an LDIF file containing every user with all of its attributes, which ldapdelete cannot consume directly.
Second, we keep only the "dn:" lines:
grep '^dn:' users_oid.ldif > users_delete.ldif
Then we remove the lines for the entries that must stay, such as:
dn: cn=Users, dc=example,dc=com
dn: cn=orcladmin, cn=Users, dc=example,dc=com
…
..
Next we strip the leading "dn: " from every line, since ldapdelete rejects it if left in:
sed 's/^dn: //' users_delete.ldif > new_users_delete.ldif
Now we have a clean file with one DN per line, which ldapdelete accepts:
ldapdelete -h oid.example.com -p 389 -D "cn=orcladmin" -w "xxx" -f new_users_delete.ldif
Depending on the number of users in your LDAP directory, this can take a while :)
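As an added example (not from the post), a small POSIX shell script that does steps two to four in one pass and also covers the case the grep/sed pipeline misses: a DN containing non-ASCII characters, which ldapsearch writes base64-encoded on a "dn::" line. The sample LDIF and the cn=müller entry are constructed; the two protected DNs are the ones from the post.

```shell
#!/bin/sh
# Added example, not from the post: build the one-DN-per-line file that
# "ldapdelete -f" expects from an LDIF export, keeping the container and orcladmin.

# Constructed sample export. The last entry has a non-ASCII RDN, which ldapsearch
# writes base64-encoded on a "dn::" line; a plain grep/sed pass would leave it encoded.
B64DN=$(printf '%s' 'cn=müller,cn=Users,dc=example,dc=com' | base64)
SAMPLE_LDIF="dn: cn=Users, dc=example,dc=com
objectclass: orclContainer

dn: cn=orcladmin, cn=Users, dc=example,dc=com
objectclass: person

dn: cn=james,cn=Users,dc=example,dc=com
objectclass: person

dn:: $B64DN
objectclass: person
"

# Emit one decoded DN per line from LDIF on stdin; all other lines are skipped.
extract_dns() {
    while IFS= read -r line; do
        case "$line" in
            'dn:: '*) printf '%s\n' "${line#dn:: }" | base64 -d; printf '\n' ;;
            'dn: '*)  printf '%s\n' "${line#dn: }" ;;
        esac
    done
}

# Lower-case and drop spaces after commas, so "cn=orcladmin, cn=Users, ..."
# compares equal to "cn=orcladmin,cn=Users,...".
normalise() { tr 'A-Z' 'a-z' | sed 's/, */,/g'; }

# DNs that must survive the cleanup, already in normalised form, one per line.
PROTECTED='cn=users,dc=example,dc=com
cn=orcladmin,cn=users,dc=example,dc=com'

# Pass every DN through except the protected ones.
filter_protected() {
    while IFS= read -r dn; do
        n=$(printf '%s' "$dn" | normalise)
        printf '%s\n' "$PROTECTED" | grep -qxF "$n" || printf '%s\n' "$dn"
    done
}

# LDIF in, ldapdelete input out, e.g.:
#   printf '%s' "$SAMPLE_LDIF" | build_delete_list > new_users_delete.ldif
build_delete_list() { extract_dns | filter_protected; }
```

LDIF continuation lines (a very long DN folded onto a following line that starts with a space) are not reassembled here; check the export for them before trusting the list.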
Posted in LDAP, OID
Posted by John Paul van Helvoort on July 10, 2009
DSML (Directory Services Markup Language) represents directory service information in XML instead of LDIF syntax. With ldapsearch -X we export the source directory in DSML:
ldapsearch -h source.example.com -p 389 -X -D "cn=orcladmin" -w "xxx" -b "cn=Users,dc=example,dc=com" -s sub "objectclass=*" > /home/oracle/source_users.xml
To prevent this error when importing:
adding new entry cn=james, cn=Users, dc=example, dc=com
ldap_add: DSA is unwilling to perform
ldap_add: additional info: You cannot add entries containing authpasswords.
we need to strip this attribute from source_users.xml. To do that we used an XSL template written by mgueury:
del_auth_password.xsl
<!--
File : del_authpassword.xsl
Version : 1.0
Author : mgueury
Description:
Remove the authpassword from the DSML files
-->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="xml"/>
  <!-- Identity template: copy every element, attribute and node unchanged -->
  <xsl:template match="*|@*|node()">
    <xsl:copy>
      <xsl:apply-templates select="*|@*|node()"/>
    </xsl:copy>
  </xsl:template>
  <!-- Drop the two OID password attributes; copy every other attr element -->
  <xsl:template match="attr">
    <xsl:choose>
      <xsl:when test="@name='authpassword;oid'">
      </xsl:when>
      <xsl:when test="@name='authpassword;orclcommonpwd'">
      </xsl:when>
      <xsl:otherwise>
        <xsl:copy>
          <xsl:apply-templates select="*|@*|node()"/>
        </xsl:copy>
      </xsl:otherwise>
    </xsl:choose>
  </xsl:template>
</xsl:stylesheet>
To apply it we ran:
xml -f -s /home/oracle/del_auth_password.xsl -o /home/oracle/target_users.xml /home/oracle/source_users.xml
The cleaned target_users.xml can then be loaded into the target OID:
ldapadd -h target.example.com -p 389 -D "cn=orcladmin" -w "xxx" -c -X /home/oracle/target_users.xml
adding new entry cn=james, cn=Users, dc=example, dc=com
adding new entry cn=jake, cn=Users, dc=example, dc=com
adding new entry cn=marly, cn=Users, dc=example, dc=com
adding new entry cn=john, cn=Users, dc=example, dc=com
..
Posted in Identity Manager, LDAP, OID