The LDIF Standard




Let us make a small change to our command file. After the first line (i.e., the line specifying the distinguished name), add the following line:

 changetype: add 

Now you can execute the ldapmodify command without the "-a" switch. You might not consider this to be an elegant solution, but look at Exhibit 11, where we execute ldapmodify without using the -a switch and give it some new instructions. Exhibit 12 shows the command together with the program's output.

start figure

 # cat modify.ldif
 dn: uid=SParker, ou=HR, o=ldap_abc.de
 changetype: add
 objectClass: top
 objectClass: person
 objectClass: organizationalPerson
 objectClass: inetOrgPerson
 cn: Sarah Parker
 sn: Parker
 givenName: Sarah
 ou: HR
 uid: SParker
 mail: SarahParker@ldap_abc.de

 dn: uid=RVoglmaier, ou=IT, o=ldap_abc.de
 changetype: modify
 replace: mail
 mail: ReinhardVoglmaier@ldap_abc.de

 dn: uid=RVoglmaier, ou=IT, o=ldap_abc.de
 changetype: modify
 add: mobile
 mobile: (0049) 89 671 293

 dn: uid=TKlein, ou=Mkt, o=ldap_abc.de
 changetype: modify
 delete: mail

 dn: uid=PSmith, ou=HR, o=ldap_abc.de
 changetype: delete

end figure

Exhibit 11: More Instructions for ldapmodify

start figure

 # ldapmodify -D "uid=admin, o=ldap_abc.de" -w "pass1" -f Persons.ldif
 adding new entry "uid=SParker, ou=HR, o=ldap_abc.de"
 modifying entry "uid=RVoglmaier, ou=IT, o=ldap_abc.de"
 modifying entry "uid=RVoglmaier, ou=IT, o=ldap_abc.de"
 modifying entry "uid=TKlein, ou=Mkt, o=ldap_abc.de"
 deleting entry "uid=PSmith, ou=HR, o=ldap_abc.de"

end figure

Exhibit 12: Execution of ldapmodify Using the Instructions from the File in Exhibit 11

Let us look more closely at the instruction file in Exhibit 11. The first line of each instruction contains, as always, the distinguished name we wish to operate on. The rest is self-explanatory: after the distinguished name, we specify the operation we want with "changetype," which allows us to add, modify, or delete an entry. First we add an entry, a command we have already seen in action. Then we modify some entries. Specifically, we want to replace the value of the mail attribute, "RVoglmaier@ldap_abc.de," which we entered in Exhibit 8, with the correct value "ReinhardVoglmaier@ldap_abc.de." After the instruction "changetype: modify," we insert a line instructing ldapmodify that we want to replace the value of the mail attribute. In the next line, we simply specify the new value.

Next, we add a new attribute — the mobile phone number — for the qualified entry. Again, we specify what we intend to do: We want to modify an entry, adding a new attribute.

Finally, we instruct ldapmodify to delete an entry. Again, the syntax is straightforward: Identify the distinguished name and carry out the associated action, "delete."

All of these commands are executed with the familiar ldapmodify command, but without the -a switch.

Now you can really play around with your LDAP installation. You can add, delete, and modify entries, and you can see what you have in your directory.

The format of the input file is standardized and is defined in the RFCs, as explained in Chapter 1. The RFC for this standard LDIF format is RFC 2849, "The LDAP Data Interchange Format (LDIF) — Technical Specification."

An LDIF file is an ASCII file containing all the instructions needed to modify the directory. Using a plain ASCII file is enormously helpful. First of all, it is easy for you to read and understand, so you can check the contents of the file without great effort. An ASCII file is also very easy to produce with home-grown scripts, and debugging is simpler. Finally, it is self-explanatory. The LDIF file has further advantages as a tool for directory migration: you can export your entire directory as an LDIF file and import it into another directory implementation, even if the two directories are otherwise incompatible with each other. You can also use LDIF to save your directory to a storage medium such as tape or CD. And because the format is standardized, you can produce LDIF files in your preferred programming language. If you want to modify the structure of your directory, you can do so easily with a scripting language such as the powerful Perl language: first export the directory as an LDIF file, make the conversion, then delete the obsolete directory and import the new LDIF file.

Rewriting and then destroying the old directory might seem to be an overly aggressive management style. Why destroy the whole directory if you only have to make a few changes? Consider what should be a trivial operation: changing the distinguished name of a single organizational unit. If you wanted to change the distinguished name for "human resources," giving it a more self-explanatory name, you might proceed as follows. The previous name was:

 dn: ou=HR, o=ldap_abc.de 

Now we would like to rename it as:

 dn: ou=Human Resources, o=ldap_abc.de 

The directory server will refuse the name change because the "HR" entry has subentries: the "HR" organizational unit has child entries of the objectClass "person." The logical approach would be to change the "person" entries first, but this does not solve the problem either, because the "person" entries would then have no parent entry. Following this "logical" approach, the only solution is to create a new entry of the objectClass "organizationalUnit," move all relevant persons under the new name, and then delete the obsolete organizational unit. A simpler solution is the "aggressive" approach mentioned above: export the directory to a file, clear the directory, modify the exported file, and re-import it.

Consider this common real-world example. Two companies have merged. Every entry in the LDAP directory has to be changed.

  • In the object "organization," you have to change the attributes "distinguished name" and "organization."

  • In the object "organizationalUnit," you have to change the attribute "distinguished name."

  • In the object "inetOrgPerson," you have to change the attributes "distinguished name" and "mail."

Exhibit 13 shows a Perl script that automates this process. The script may be simplistic, but it effectively illustrates how easy it is to make changes in a running directory while maintaining consistency.

start figure

 #!/usr/bin/perl -w
 # Name:         convert.pl
 # Version:      1.0
 # Author:       Reinhard E. Voglmaier
 # Description:  Conversion utility for an LDAP repository
 # Date:         10.09.2002

 $in_ldif  = "Directory_In.ldif" ;
 $out_ldif = "Directory_Out.ldif" ;

 # open the original file for reading ("<", not ">", which would truncate it)
 open(IN, "<$in_ldif")  || die "could not open input file: $in_ldif" ;
 # open the output file for writing
 open(OUT, ">$out_ldif") || die "could not open output file: $out_ldif" ;

 # Conversion: read the export line by line, rewrite, write it out again
 while (<IN>) {
     # we simply substitute the enterprise name (the dot is escaped, since
     # an unescaped "." in a regular expression matches any character)
     s/ldap_abc\.de/LdapAbc.org/g ;
     # here we could change other things, too
     s/Mkt/Marketing/g ;
     s/HR/Human Resources/g ;
     print OUT ;
 }

 # close INPUT and OUTPUT files
 close(IN);
 close(OUT);

end figure

Exhibit 13: Simple Perl Script to Modify the Enterprise Name
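As an added example (not from the book), the following Python script does what Exhibit 13's Perl script does, but on parsed LDIF records rather than on raw text: it unfolds continuation lines and decodes "::" base64 values as RFC 2849 defines them, and then renames only the dn, o, ou, and mail values listed above. A blind text substitution would miss a base64-encoded mail address and would also rewrite "HR" wherever it occurs inside an unrelated value; the same parser reads the change records of Exhibit 11, where changetype, replace, add, and delete are simply further attribute/value pairs. The sample export, the OU_MAP table, and the new names are constructed for this example.

```python
import base64

OU_MAP = {"HR": "Human Resources", "Mkt": "Marketing"}   # old ou value -> new value
OLD_ORG, NEW_ORG = "ldap_abc.de", "LdapAbc.org"          # enterprise rename

# Constructed sample export (not from the book): a base64-encoded mail value
# and a folded description, two things a blind text substitution mishandles.
SAMPLE_LDIF = """dn: uid=SParker, ou=HR, o=ldap_abc.de
ou: HR
mail:: U2FyYWhQYXJrZXJAbGRhcF9hYmMuZGU=
description: covers THR
 EE sites
"""

def split_line(line):
    attr, _, val = line.partition(":")                # "attr:: <b64>" marks a base64 value
    return attr, (base64.b64decode(val[1:]).decode() if val.startswith(":") else val.strip())

def parse_ldif(text):
    # records become lists of (attr, value) pairs with folding and base64 undone
    records, rec = [], []
    for line in text.splitlines() + [""]:
        if line.startswith(" ") and rec:              # folded continuation line
            rec[-1] += line[1:]
        elif line:
            rec.append(line)
        elif rec:                                     # blank line ends a record
            records.append([split_line(l) for l in rec]); rec = []
    return records

def rename(attr, val):
    # apply the merger renames to one value; any other attribute is left untouched
    if attr == "dn":   # rename each RDN; simplified split, assumes no escaped commas
        return ", ".join(f"{t}={rename(t, v)}" for t, _, v in
                         (r.strip().partition("=") for r in val.split(",")))
    if attr == "o" and val == OLD_ORG: return NEW_ORG
    if attr == "ou": return OU_MAP.get(val, val)
    if attr == "mail" and val.endswith("@" + OLD_ORG): return val[:-len(OLD_ORG)] + NEW_ORG
    return val

def emit(records):
    # serialise back to LDIF, base64-encoding any value that is not a SAFE-STRING
    lines = []
    for rec in records:
        for attr, val in rec:
            safe = val.isascii() and val.isprintable() and val[:1] not in (" ", ":", "<")
            lines.append(f"{attr}: {val}" if safe
                         else f"{attr}:: {base64.b64encode(val.encode()).decode()}")
        lines.append("")
    return "\n".join(lines)

def convert(text):
    return emit([[(a, rename(a, v)) for a, v in rec] for rec in parse_ldif(text)])
```

Run against a real export, convert(open("Directory_In.ldif").read()) yields the text to feed back to ldapadd; the simplified DN split is enough for the DNs used in this chapter but not for RDNs containing escaped commas.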






The ABCs of LDAP: How to Install, Run, and Administer LDAP Services
ISBN: 0849313465
Year: 2003
Pages: 149