November 11th, 2009, 10:24 AM
Ldapsearch, ldapmodify and ldapdelete incompatible due to prefix "dn:"?
I'm using ldapsearch to pull some entities from the LDAP server. The result is of this type:
Now, if I want to run ldapdelete on this output, it turns out that the "dn: " part on line 1 causes problems for ldapdelete, so I need to do some grep-and-remove first.
Is it really so that ldapsearch, ldapmodify and ldapdelete are incompatible when it comes to the LDIF format?
This "dn: " prefix should not really cause trouble for ldapdelete, should it?
The reason for asking is that we want to maintain the LDAP structure with one LDIF file, using the same file for both ldapadd and ldapdelete. We do not want to introduce changetype either, as that would also mean two files.
November 15th, 2009, 12:24 AM
Hm, you can delete them with sed, or a more convenient way to manipulate the LDAP tree is the Net::LDAP::LDIF Perl module.
November 15th, 2009, 09:15 AM
Yes, sed or other search-and-replace functionality will make an ldapsearch result suitable for ldapdelete.
Originally Posted by umbrella
I was just wondering if this is really so, that ldapsearch and ldapdelete are in a way incompatible, or if I missed some flag that makes an ldapsearch result compatible with ldapdelete.
It is only this tiny dn: addition that is causing ldapdelete to fail, ldapmodify is quite happy with it.
But it is good to know that Perl has a library for it; maybe Java has one too?
Thanks for the reply.
December 20th, 2009, 12:13 PM
The ldapdelete function wants the DN of the entry as input, which does not include the LDIF key 'dn: ' as part of the DN. When you perform an ldapmodify and you want to use an LDIF formatted file to ADD entries, then the file must be in LDIF format 'key: value' with a single blank line between each entry you wish to add and 2 or more blank lines at the end of the file to let the ldapmodify command know it has reached the end of the file and exit properly.
Example: you use ldapsearch to find a number of accounts that need to be removed because you fired an entire department.
Now you have a list of DNs that you can delete:
# -T on the Sun/Netscape ldapsearch means "do not fold long lines", so every DN stays on one "dn: " line.
# The search output is piped (not redirected) into sed; 's/^dn: //p' with -n prints only the DN lines,
# dropping comments, "version:" and blank lines. Base64 DNs ("dn:: ...") are not handled by this sed.
ldapsearch -T -h ldap_host -p ldap_port -D "" -w "" -b ldap_base -s sub "(&(deptid=12345)(objectclass=person))" dn | sed -n 's/^dn: //p' > delete.out
# ldapdelete takes only connection/bind options and the DN list; there is no search base or scope to give it.
# -w puts the password in the process list and shell history; prefer the tool's password-file option
# (-j on the Sun/Netscape tools, -y on OpenLDAP).
ldapdelete -h ldap_host -p ldap_port -D "cn=directory manager" -w "dm_pwd" -f delete.out
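The sed one-liner above breaks on two things real ldapsearch output contains: folded continuation lines (a line beginning with a space continues the previous one) and base64-encoded DNs ("dn:: ..." whenever the DN has non-ASCII or leading/trailing spaces). It also hands ldapdelete the DNs in search order, so a container can come before its children and the delete of the non-leaf fails. The following is an added example, not code from any poster in this thread: a small stdlib-only Python converter that reads LDIF text as ldapsearch prints it, extracts the DNs, and orders them deepest-first for `ldapdelete -f`. The sample LDIF is constructed here; the hostnames and file name `delete.out` are assumptions, not something the thread specifies.

```python
import base64

# Constructed sample of what `ldapsearch ... dn` prints (not from the thread):
# a comment line, a version line, a folded DN, a base64 DN and a parent container.
_B64_DN = base64.b64encode(
    "uid=c\u00e9line,ou=people,dc=example,dc=com".encode("utf-8")
).decode("ascii")

SAMPLE_LDIF = "\n".join([
    "# search result",                              # comment: must be ignored
    "version: 1",                                   # not an entry
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "",
    "dn: uid=bob,ou=people,dc=ex",                  # folded over two lines
    " ample,dc=com",
    "",
    "dn:: " + _B64_DN,                              # non-ASCII DN, base64 form
    "",
    "dn: ou=people,dc=example,dc=com",              # parent of the entries above
    "",
])


def unfold(lines):
    """Join LDIF continuation lines: a line starting with one space is the tail of the previous line."""
    out = []
    for line in lines:
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def ldif_dns(text):
    """Return the DNs of every entry in an LDIF text, decoding base64 ('dn::') values."""
    dns = []
    for line in unfold(text.splitlines()):
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
        # comments, 'version:', attribute and blank lines carry no DN
    return dns


def rdn_count(dn):
    """Number of RDN components, treating backslash-escaped commas as data, not separators."""
    n, i = 1, 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if dn[i] == ",":
            n += 1
        i += 1
    return n


def delete_order(dns):
    """Deepest entries first, so each ldapdelete hits a leaf; sorted() keeps search order among equals."""
    return sorted(dns, key=rdn_count, reverse=True)


def delete_list(text):
    """Text for `ldapdelete -f`: one DN per line, UTF-8, deepest first."""
    return "\n".join(delete_order(ldif_dns(text))) + "\n"


if __name__ == "__main__":
    # Writes delete.out (assumed file name), then e.g.
    # ldapdelete -h ldap_host -p ldap_port -D "cn=directory manager" -y pwfile -f delete.out
    with open("delete.out", "w", encoding="utf-8") as fh:
        fh.write(delete_list(SAMPLE_LDIF))
    print(delete_list(SAMPLE_LDIF), end="")
```

Feeding `delete.out` to ldapdelete now removes the three uid entries before `ou=people`, which a plain search-order list would have tried to delete too early. If the directory should be pruned recursively instead, use `ldapdelete -r` on the container, but then the DN list should contain only the top of each subtree.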