Example: The ldapsync Tool: One-Way Synchronization with Join
Example: The ldapsync Tool: One-Way Synchronization with JoinThe ldapsync tool presented in this example may be used to implement periodic one-way synchronization into an LDAP server from any system whose data can be expressed as a delimited text file. Many data sources provide tools that make it easy to generate this kind of data extract. Some systems provide the ability to extract only those changes that have occurred since the previous extract, in which case the ldapsync tool presented here runs more efficiently . Our tool is a homegrown tool that is written in the Perl 5 language. Perl allows for rapid prototyping, provides good portability of the code, performs acceptably, and may be easily modified by the thousands of system administrators who have learned to program in it. How It WorksThe ldapsync tool connects to an LDAP directory server that holds a writable copy of people data. It authenticates using a distinguished name (DN) and password and then reads a series of comma-delimited lines from standard input. Within the ldapsync input stream, all lines that begin with a pound sign ( # ) are treated as comments and ignored. The first noncomment line must look like this: join-attribute-name , update-attribute-name1 , update-attribute-name2 ... One or more update attribute names may be listed. For example, here's the input line to specify telephoneNumber as the join attribute and to support updates to the full name ( cn ) and surname ( sn ) attributes: telephoneNumber,cn,sn The remaining input lines must look like this: join-attribute-value , update-attribute-value1 , update-attribute-value2 ... The number of comma-separated values on each of these lines should match the number of attribute names listed on the first noncomment line, although the ldapsync tool is smart enough to ignore extra values and treat missing ones as absent (no update needed). Here's an example of an input line that specifies a join value of +1 650 555-1234 and updates the cn attribute with Babs Jensen and the sn attribute with Jensen : +1 650 555-1234,Babs Jensen,Jensen And here's an example of an input line that specifies a join value of +1 650 555-4567 , no cn update, and an sn update of Jones : +1 650 555-4567,,Jones The synchronization process is driven entirely from the input data. For each line that includes values, the ldapsync tool issues an LDAP search to locate an entry. The LDAP search filter is constructed on the basis of the join attribute value. For example, if the join attribute is user ID ( uid ) and the join value provided is mcs , then a search filter like this is used: (&(objectClass=person)(uid=mcs)) . If one entry is found, the ldapsync tool checks each new value provided to see if that value is already present in the entry. If any values are missing, updates are required and the ldapsync tool uses an LDAP modify operation to replace the values that need to be updated. As it processes the input data, the ldapsync tool logs error and informational messages to standard output. Usage ExamplesSuppose that you want the telephone numbers for people in your directory service to come from a human resources database and that both the HR database and the directory store a user ID value (the uid attribute in the directory). Listing 23.1 shows a sample ldapsync input file whose purpose is to update many people's telephoneNumber attribute values in your directory. Telephone number changes were extracted from the HR database to create the input file. Some lines have been omitted and replaced with " ... " to reduce the length of the listing; in all there are 150 telephoneNumber changes. Listing 23.1 An ldapsync Input File That Contains telephoneNumber Updates# join attribute name,attribute name uid,telephoneNumber # # uid value, telephoneNumber value scarter,+1 650 555 4798 tmorris,+1 650 555 9187 kvaughan,+1 650 555 5625 ... elott,+1 650 555 0932 cnewport,+1 650 555 0066 jvedder,+1 650 555 4668 If the data in Listing 23.1 were stored in a file called changes-from-hr , the ldapsync tool could be invoked like this: ldapsync.pl < changes-from-hr Listing 23.2 shows the output of this command when run against a directory server that contains the contents of the Example.ldif file that Netscape bundles with its Directory Server product. Listing 23.2 Output from the First ldapsync Sample RunINFO.: Mon Jul 15 11:40:38 2002 - ldapsync started INFO.: Found one entry with uid scarter. Checking for updates... INFO.: - replace telephoneNumber with +1 650 555 4798 INFO.: Modifying entry with uid scarter INFO.: Modify done. INFO.: Found one entry with uid tmorris. Checking for updates... INFO.: - replace telephoneNumber with +1 650 555 9187 INFO.: Modifying entry with uid tmorris INFO.: Modify done. INFO.: Found one entry with uid kvaughan. Checking for updates... INFO.: - replace telephoneNumber with +1 650 555 5625 INFO.: Modifying entry with uid kvaughan INFO.: Modify done. ... INFO.: Found one entry with uid elott. Checking for updates... INFO.: - replace telephoneNumber with +1 650 555 0932 INFO.: Modifying entry with uid elott INFO.: Modify done. INFO.: Found one entry with uid cnewport. Checking for updates... INFO.: - replace telephoneNumber with +1 650 555 0066 INFO.: Modifying entry with uid cnewport INFO.: Modify done. INFO.: Found one entry with uid jvedder. Checking for updates... INFO.: - replace telephoneNumber with +1 650 555 4668 INFO.: Modifying entry with uid jvedder INFO.: Modify done. INFO.: -------------------------------------- INFO.: Summary: INFO.: 150 change records were processed. INFO.: 150 entries were updated. INFO.: Mon Jul 15 11:40:53 2002 - ldapsync finished. Again, some lines have been omitted and replaced with " ... " to reduce the length of the listing. Notice the summary at the end: "150 entries were updated." If the same ldapsync.pl command is executed a second time, no changes are made to the LDAP directory (because all of the values provided in the input file are now present in the directory server). Listing 23.3 shows the resulting output. Listing 23.3 Output from the Second ldapsync Sample RunINFO.: Mon Jul 15 11:40:55 2002 - ldapsync started INFO.: Found one entry with uid scarter. Checking for updates... INFO.: Found one entry with uid tmorris. Checking for updates... INFO.: Found one entry with uid kvaughan. Checking for updates... ... INFO.: Found one entry with uid elott. Checking for updates... INFO.: Found one entry with uid cnewport. Checking for updates... INFO.: Found one entry with uid jvedder. Checking for updates... INFO.: -------------------------------------- INFO.: Summary: INFO.: 150 change records were processed. INFO.: No entries were updated. INFO.: Mon Jul 15 11:40:58 2002 - ldapsync finished. Listing 23.4 shows another sample input file. This file also uses uid as the join attribute, but it specifies an assortment of changes to the cn , sn , and telephoneNumber directory attributes. Listing 23.4 An ldapsync Input File That Contains Updates to Three Different Attribute Types# Sample ldapsync input file # # the first noncomment line lists the attribute names (key first): uid,cn,sn,telephoneNumber # # updates: bjensen,B Jensen,Jones,+1 408 555 4321 scarter,S Carter kwinters,,,+1 408 555 1234 For the bjensen entry, cn , sn , and telephoneNumber are all to be updated. For the scarter entry, only cn is to be updated. For the kwinters entry, only telephoneNumber is to be updated. Listing 23.5 shows the output produced by the ldapsync tool when it is driven from the data in Listing 23.4. Listing 23.5 Output from the Third ldapsync Sample RunINFO.: Mon Jul 15 11:49:31 2002 - ldapsync started INFO.: Found one entry with uid bjensen. Checking for updates... INFO.: - replace cn with B Jensen INFO.: - replace sn with Jones INFO.: - replace telephoneNumber with +1 408 555 4321 INFO.: Modifying entry with uid bjensen INFO.: Modify done. INFO.: Found one entry with uid scarter. Checking for updates... INFO.: - replace cn with S Carter INFO.: Modifying entry with uid scarter INFO.: Modify done. INFO.: Found one entry with uid kwinters. Checking for updates... INFO.: - replace telephoneNumber with +1 408 555 1234 INFO.: Modifying entry with uid kwinters INFO.: Modify done. INFO.: -------------------------------------- INFO.: Summary: INFO.: 3 change records were processed. INFO.: 3 entries were updated. INFO.: Mon Jul 15 11:49:32 2002 - ldapsync finished. As these examples show, ldapsync is a simple but versatile tool. The Source CodeThe ldapsync tool uses the PerLDAP object-oriented LDAP access module available from the Mozilla Web site at http://mozilla.org/directory/perldap. The Perl source code for ldapsync is all in one file, named, logically enough, ldapsync.pl . Listing 23.6 shows the first portion of the ldapsync code. Listing 23.6 The ldapsync Code (Part 1 of 5) 1. #!/usr/local/bin/perl 2. # 3. # ldapsync -- Perl 5 script that synchronizes a 4. # comma-separated text file of attribute values. 5. # 6. # From the 2nd Edition of the book: 7. # "Understanding and Deploying LDAP Directory Services" 8. # by Timothy A. Howes, Mark C. Smith, and Gordon S. Good. 9. # 10. # usage: ldapsync.pl < file 11. # 12. # Where the contents of file are of the form: 13. # joinAttrName,attrname1,attrname2... 14. # joinAttrValue,attrvalue1,attrvalue2... 15. # joinAttrValue,attrvalue1,attrvalue2... 16. # ... 17. # 18. # For example: 19. # uid,cn,telephoneNumber 20. # bjensen,Barbara Jensen,+1 650 555-1212 21. # cms,Christina Smith 22. # jjones,John Jones,+1 734 555-1212 23. # ajackson,,+1 810 555-1212 24. # 25. # Requires: PerLDAP 26. # 27. 28. use Mozilla::LDAP::Conn; 29. 30. # LDAP server information: 31. $ldapSearchBase = "dc=example,dc=com"; 32. $ldapHost = "ldap.example.com"; 33. $ldapPort = "389"; 34. $ldapBindDN = "cn=LDAP Sync Tool,ou=Special Users," 35. . $ldapSearchBase; 36. $ldapBindPW = "Tb58-#Wxza"; 37. 38. # Start of main: 39. 40. logInfo( (scalar localtime) . " - ldapsync started" ); 41. 42. # Open an authenticated connection to the LDAP server. 43. $ldap = new Mozilla::LDAP::Conn( $ldapHost, $ldapPort, 44. $ldapBindDN, $ldapBindPW ); 45. if ( ! $ldap ) { 46. logError( "Unable to connect to server at " 47. . "ldap://$ldapHost:$ldapPort" ); 48. exit 1; 49. } 50. The Perl interpreter identified on line 1 must be one that has the PerLDAP module installed (the copy of Perl that Netscape bundles with its Directory Server 6 product was used in testing this script). A set of variables that holds the LDAP server information is set by the code on lines 30 “36. A subroutine is called on line 40 to log a startup message (the code for logInfo() is shown later in this section, in Listing 23.10). An LDAP connection is opened by the code on lines 42 to 49, and the synchronization tool authenticates itself as a special directory entry that presumably has been given permission to update the desired attributes in the LDAP server. Listing 23.7 shows the code that reads and parses the ldapsync input. The while loop that begins on line 54 encloses the main body of the ldapsync.pl program. The loop is executed as long as there is more input to be read. Listing 23.7 The ldapsync Code (Part 2 of 5): Reading and Parsing Input 51. # For each line of input, search for the directory entry 52. # corresponding to the first field, and see if its value 53. # for the second field needs to be updated 54. while ( <STDIN> ) { 55. # Read one line. 56. $line = $_; 57. 58. # Skip lines that begin with '#' (comments) 59. if ( $line =~ /^#/ ) { 60. next; 61. } 62. 63. # Discard newline and return characters; break at commas 64. chop $line; 65. if ( $line =~ /\r$/ ) { 66. chop $line; 67. } 68. @args = split( /,/, $line ); 69. 70. # If this is the first line, read attribute names 71. if ( ! $joinAttrName ) { 72. $joinAttrName = @args[0]; 73. @attrNameList = @args; 74. next; 75. } 76. 77. ++$changeCount; 78. 79. # Parse join attribute and attribute values to update 80. $joinAttrValue = @args[0]; 81. @attrValueList = @args; 82. The code on lines 55 to 61 reads one input line and takes care of skipping comment lines. The code on lines 63 to 68 parses the input line into an array of strings (using commas as separators). The code on lines 70 to 75 processes the first noncomment input line; it creates a joinAttrName string variable and an attrNameList array variable to store the relevant attribute names. Line 77 increments a counter that is used to generate the summary, and the code on lines 79 “81 sets the joinAttrValue and attrValueList variables that hold the join value and any values to update that are present on the input line. Next some LDAP- related work is done. Listing 23.8 shows the code that searches for an entry to update. It uses the PerLDAP search() method. Listing 23.8 The ldapsync Code (Part 3 of 5): Searching for an Entry to Update 83. # Search for entry with uid equal to the join attribute 84. $filter = "(&(objectClass=person)" 85. . "($joinAttrName=$joinAttrValue))"; 86. $entry = $ldap->search( $ldapSearchBase, "subtree", 87. $filter, 0, @attrNameList ); 88. 89. # Found a match - update if necessary 90. $matchLogString = "with $joinAttrName $joinAttrValue"; 91. $entryCount = 0; 92. for ( $tmpEntry = $entry; $tmpEntry; 93. $tmpEntry = $ldap->nextEntry ) { 94. ++$entryCount; 95. } 96. if ( $entryCount == 0 ) { 97. logError( "Found no entry $matchLogString." ); 98. ++$notFoundCount; 99. } elsif ( $entryCount > 1 ) { 100. logError( "$entryCount entries found $matchLogString." ); 101. ++$multipleMatchCount; 102. } else { 103. logInfo( "Found one entry $matchLogString." 104. . " Checking for updates..." ); The code on lines 83 to 87 constructs a search filter and issues an LDAP search operation against the directory server. The remainder of the code checks that exactly one entry was found and logs an error message if not (the code for the logError() subroutine is shown later in this section, in Listing 23.10). Listing 23.9 shows the code that determines whether any values in the entry that was found need to be updated and issues an LDAP modify command if updates are needed. Listing 23.9 The ldapsync Code (Part 4 of 5): Modifying an Entry 105. $entryNeedsUpdating = 0; 106. for ( $i = 1; $i < @attrNameList.size; ++$i ) { 107. if ( $i > @attrValueList.size ) { 108. # No more new values: break out of for loop. 109. done; 110. } 111. if ( @attrValueList[$i] eq "" ) { 112. # New value is empty: try the next one 113. next; 114. } 115. 116. # Replace attribute's values if new value does not match old 117. if ( ! $entry->hasValue( @attrNameList[$i], 118. @attrValueList[$i], 0 )) { 119. $entry->setValues( @attrNameList[$i], 120. @attrValueList[$i] ); 121. logInfo( " - replace @attrNameList[$i]" 122. . " with @attrValueList[$i]" ); 123. $entryNeedsUpdating = 1; 124. } 125. } 126. 127. # Update entry over LDAP if needed 128. if ( $entryNeedsUpdating ) { 129. logInfo( "Modifying entry $matchLogString" ); 130. $ldap->update( $entry ); 131. if ( $ldap->getErrorCode()) { 132. logError( "Modify failed for entry" 133. . " $matchLogString: " 134. . $ldap->getErrorString() ); 135. ++$updateFailureCount; 136. } else { 137. logInfo( "Modify done." ); 138. ++$updateSuccessCount; 139. } 140. } 141. } 142. } 143. The PerLDAP hasValue() method is used by the code on lines 117 and 118 to determine whether a value read from the input file is already present in the entry; this check avoids unnecessary updates. If the value is not present, the code on lines 119 and 120 uses the PerLDAP setValues() method to replace the existing values in the entry with the new ones. An entryNeedsUpdating flag is set on line 123 so that the code on lines 127 to 141 can determine whether an LDAP modify operation needs to be issued. If so, the code on line 130 uses the PerLDAP update() method to perform the LDAP modify. Listing 23.10 shows the remainder of the ldapsync source code. The code on lines 144 to 171 closes the LDAP connection and prints a series of "INFO.:" lines that summarize the ldapsync run. The code segments for the logError() and logInfo() subroutines start on lines 179 and 189, respectively. These subroutines simply print error and informative lines in a consistent way. Listing 23.10 The ldapsync Code (Part 5 of 5) 144. # Close LDAP connection and clean up 145. $ldap->close; 146. 147. # Print an activity summary and determine exitCode 148. logInfo( "--------------------------------------" ); 149. logInfo( "Summary:" ); 150. $exitCode = 0; 151. if ( $changeCount > 0 ) { 152. logInfo( " $changeCount change records were processed." ); 153. if ( $updateSuccessCount > 0 ) { 154. logInfo( " $updateSuccessCount entries were updated." ); 155. } else { 156. logInfo( " No entries were updated." ); 157. } 158. if ( $updateFailureCount > 0 ) { 159. logInfo( " $updateFailureCount failed update(s)." ); 160. $exitCode = 1; 161. } 162. if ( $notFoundCount > 0 ) { 163. logInfo( " $notFoundCount entries were not found." ); 164. $exitCode = 1; 165. } 166. if ( $multipleMatchCount > 0 ) { 167. logInfo( " $multipleMatchCount $joinAttrName values" 168. . " matched more than one entry." ); 169. $exitCode = 1; 170. } 171. } 172. 173. # That's all folks! 174. logInfo( (scalar localtime) . " - ldapsync finished." ); 175. exit $exitCode; 176. # End of main. 177. 178. 179. # Start of logError(): 180. sub 181. logError { 182. local( $msg ) = @_; 183. 184. print "ERROR: $msg\n"; 185. } 186. # End of logError(). 187. 188. 189. # Start of logInfo(): 190. sub 191. logInfo { 192. local( $msg ) = @_; 193. 194. print "INFO.: $msg\n"; 195. } 196. # End of logInfo(). Ideas for ImprovementMany things could be done to improve the ldapsync tool; if you decide to use it, some customization will likely be needed to meet your specific synchronization requirements. Here are a few general ideas for improvement:
|
EAN: 2147483647
Pages: 242