The LDAP Data Interchange Format utility is named LDIFDE. You are able to use this utility to manage the directory. You can export directory entries, import new entries, and change existing entries. This section describes how to export and change new entries.
Using LDIFDE, an administrator is able to create script files that can be used to perform maintenance functions. This section takes a detailed look at how to export, import, and modify existing entries.
LDIFDE has a long list of parameters. The first step is to understand some of the parameters and how they can be used. For exporting, there are several parameters. They are as follows:
-I is not used for export. Exporting is the default. -I is used for importing into the directory.
-f filename is used to specify the file to which the exported information is written. On import, the same parameter specifies the file from which the information is read.
-s servername is the name of the server from which the directory information should be exported. The default for this field is the Domain Controller (DC) to which the system running the script is logged on.
-c FromDN ToDN is used to change the distinguished name (DN) of an object to another DN. The DN of an object is its unique name in the entire Active Directory. As an example, the DN for a user, Bill Wade, in the GPLAB OU in Wadeware's domain could look like CN=Bill Wade, CN=GPLAB, DC=Wadeware, DC=NET. This is a handy way to export a file and change where in the tree it is going. Another good use of this is when you are migrating from one domain to another.
-v turns on verbose mode. This is best used when testing a script: by redirecting the log to a file you can see exactly what is transpiring.
-j is used to specify the log file location. If you want to log the results of an export, you can also use this option.
-t is used to specify the port number for access to the directory service. Port 389 is the default LDAP port.
-d is used to specify the base DN of the search for the data export.
As an example, a simple command to export a single user from the directory is to run ldifde -v -f output.lidf -d "cn=test user, cn=users,dc=Wadeware, DC=net". This command produces an output file called OUTPUT.LIDF, which contains the complete information for the user. This is depicted in the following listing:
dn: CN=test user,CN=Users,DC=Wadeware,DC=net
changetype: add
memberOf: CN=Testgroup,CN=Users,DC=Wadeware,DC=net
accountExpires: 9223372036854775807
streetAddress:
badPasswordTime: 0
badPwdCount: 0
codePage: 0
cn: test user
countryCode: 0
displayName: test user
givenName: test user
instanceType: 4
lastLogoff: 0
lastLogon: 0
logonCount: 0
distinguishedName: CN=test user,CN=Users,DC=Wadeware,DC=net
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Wadeware,DC=net
objectClass: user
objectGUID:: 2UINsf7tD0WL9cl4wKnn4Q==
objectSid:: AQUAAAAAAAUVAAAATWRJLufL3X0VJa9HgQQAAA==
primaryGroupID: 513
pwdLastSet: 125808936338153952
name: test user
sAMAccountName: testuser
sAMAccountType: 805306368
telephoneNumber: 425-555-6666
userAccountControl: 66048
userPrincipalName: [email protected]
uSNChanged: 130034
uSNCreated: 110608
whenChanged: 19990911215400.0Z
whenCreated: 19990904044032.0Z
Now that you have exported an entry, it is easier to see how directory entries can be changed and modified. There are three typical directory-entry actions that an administrator is interested in performing. The first is to add new users, followed closely by changing and deleting entries. The LDAP Data Interchange Format (LDIF) draft standard provides for each of these capabilities.
The LDIF draft standard is a proposed standard that describes a file format for modifying directory information. This file format is designed to be used for the import and export of directory information between LDAP directory services.
To add an entry to the directory, you need to create a file that contains the information for the user you want to add. This type of file can be easily created for a user using a script. The first step is to identify what you typically want in the file. For this example, the file is intentionally simple. You can extrapolate from it to create a more sophisticated file that includes the fields you need filled out for each user.
A simple LDIF file includes the version number, the DN, the surname (SN), the given name (GN), and the telephone number. The LDIF file also contains the control commands that identify the action to be taken—add, modify, or delete. The following is an example of the file for adding a user.
version: 1
dn: CN=Doug Hauger,CN=Users,DC=Wadeware,DC=net
changetype: add
cn: Doug Hauger
givenName: Doug
sn: Hauger
distinguishedName: CN=Doug Hauger,CN=Users,DC=Wadeware,DC=net
objectClass: user
telephoneNumber: 425-555-9696
This file adds Doug Hauger to the directory under the Users container. The next step is to modify an entry in the directory. Modifying directory entries is a common task for administrators: every time a user changes location or phone number, the directory needs to be changed.
To modify a user, a file is created that identifies the object to be modified and that has the changetype value of modify. After the changetype line, each attribute to be changed is listed together with the new values for that attribute, and each change is terminated by a line containing a single hyphen. The following listing shows how to change the telephone number, delete the postal address, and add a new street address for a user.
version: 1
dn: CN=Doug Hauger,CN=Users,DC=Wadeware,DC=net
changetype: modify
replace: telephonenumber
telephoneNumber: 413-555-9696
-
delete: postaladdress
-
add: streetaddress
streetaddress: 1 Pennsylvania Avenue $ Bellevue, WA $ 98004
-
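The text above notes that add and modify files are usually produced by a script. The following is an added example, not code from the original text: it generates both the add record and the modify record shown above in the form LDIFDE imports, applying the LDIF encoding rules (base64 for values that are not safe strings, line folding, and a hyphen line closing each change in a modify record). The DNs and attribute values are constructed sample data.

```python
import base64

# Added example (not from the original text): build LDIF add and modify
# records in the form LDIFDE imports, following the RFC 2849 encoding rules.
# DNs and attribute values below are constructed sample data.

def fold(line, width=76):
    """Wrap a long line; continuation lines start with a single space."""
    parts, rest = [], line
    while len(rest) > width:
        parts.append(rest[:width])
        rest = " " + rest[width:]
    parts.append(rest)
    return "\n".join(parts)

def ldif_line(attr, value):
    """One attribute line; base64 ('::') when the value is not LDIF-safe
    (non-ASCII, leading space/colon/'<', trailing space, or CR/LF/NUL)."""
    if value == "":
        return f"{attr}:"
    unsafe = (not value.isascii() or value[:1] in (" ", ":", "<")
              or value.endswith(" ") or any(c in value for c in "\r\n\0"))
    if unsafe:
        return fold(f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}")
    return fold(f"{attr}: {value}")

def add_record(dn, attrs):
    """changetype: add record; attrs maps attribute -> value or list of values."""
    lines = [ldif_line("dn", dn), "changetype: add"]
    for attr, values in attrs.items():
        for v in (values if isinstance(values, list) else [values]):
            lines.append(ldif_line(attr, v))
    return "\n".join(lines) + "\n"

def modify_record(dn, changes):
    """changetype: modify record; changes is a list of (op, attr, values) with
    op in replace/add/delete. Every change is closed with a '-' line."""
    lines = [ldif_line("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        lines.append(f"{op}: {attr}")
        lines.extend(ldif_line(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"

def build_ldif(records):
    """Whole file: version line, then records separated by blank lines."""
    return "version: 1\n\n" + "\n".join(records)

if __name__ == "__main__":
    dn = "CN=Doug Hauger,CN=Users,DC=Wadeware,DC=net"
    print(build_ldif([
        add_record(dn, {"objectClass": "user", "cn": "Doug Hauger", "givenName": "Doug",
                        "sn": "Hauger", "telephoneNumber": "425-555-9696"}),
        modify_record(dn, [("replace", "telephoneNumber", ["413-555-9696"]),
                           ("delete", "postalAddress", []),
                           ("add", "streetAddress", ["1 Pennsylvania Avenue $ Bellevue, WA $ 98004"])])]))
```

Write the printed text to a file and import it with ldifde -i -f filename; run it with -v -j first to confirm in the log that each record is applied as intended.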