Our corporate LDAP directory is housed on a Snow Leopard Server Open Directory setup. I'm trying to use the ldapsearch tool to export an .ldif file to import into another external LDAP server to authenticate with externally; basically trying to be able to use the same credentials internally and externally.
I've got ldapsearch working and giving me the contents and attributes of everything in the "Users" OU, and even filtering down to only the attributes I need:
ldapsearch -xLLL -H ldap://server.domain.net \
-b "cn=users,dc=server,dc=domain,dc=net" objectClass \
uid uidNumber cn userPassword > directorycontents.ldif
That gives me a list of users and properties that I can import to my remote OpenLDAP server.
dn: uid=username1,cn=users,dc=server,dc=domain,dc=net
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
uidNumber: 1000
uid: username1
userPassword:: (hashedpassword)
cn: username1
However, when I try the same query on an OD "group" instead of a "container," the results are something like this:
dn: cn=groupname,cn=groups,dc=server,dc=domain,dc=net
objectClass: posixGroup
objectClass: apple-group
objectClass: extensibleObject
objectClass: top
gidNumber: 1032
cn: groupname
memberUid: username1
memberUid: username2
memberUid: username3
What I really want is a list of users from the top example filtered based on their group memberships, but it looks like membership is set from the Group side, rather than the user account side. There must be a way to filter this down and only export what I need, right?
I work with LDAP, but not that specific brand of server.
First thing I'd try is a search on users pulling all of their attributes instead of restricting it the way your example does.
Often there's a "memberOf" attribute on the user that lists the group name or group DN for groups that a user is in, kept in sync with the information in the group. If that's there, that is the easiest way to do what you want.
The * will grab all user attributes (the default behavior) and the + will grab all operational attributes (special attributes). This works very well.
Are you aiming to represent groups by having user objects located in different containers? Like:
If so, I expect you're going to have to write a script to massage the LDIF. Try the excellent Python-LDAP modules.
I would question why you want to do that though. It makes it messy to have users that belong to multiple groups, and is contrary to Open Directory's conventions. Can't you just copy all the user and group objects to your OpenLDAP server, and query it based on group membership rather than which container the user object exists in?
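One way to do the LDIF massaging suggested above, as an added example that is not from the question or from any of the answers, using only the Python standard library rather than python-ldap: parse the two ldapsearch exports in the shape the question shows, pull the memberUid values out of the target group, and keep only the user entries whose uid matches. It also builds the equivalent (|(uid=...)(uid=...)) filter, with RFC 4515 escaping, so the same selection can be made server-side in a second ldapsearch against cn=users instead of post-processing the file. The sample LDIF is constructed and the function names are my own. Since the export carries userPassword values, restrict the permissions on the resulting .ldif and remove it after import; whether those values are in a form the target OpenLDAP server can actually verify is a separate thing to check.

```python
import base64
import re

# Constructed sample exports (not real directory data) in the shape the
# question shows: ldapsearch -LLL output for cn=groups and for cn=users.
GROUPS_LDIF = """\
dn: cn=groupname,cn=groups,dc=server,dc=domain,dc=net
objectClass: posixGroup
objectClass: apple-group
gidNumber: 1032
cn: groupname
memberUid: username1
memberUid: username2
memberUid: username3

dn: cn=othergroup,cn=groups,dc=server,dc=domain,dc=net
objectClass: posixGroup
gidNumber: 1033
cn: othergroup
memberUid: username4
"""

USERS_LDIF = """\
dn: uid=username1,cn=users,dc=server,dc=domain,dc=net
objectClass: posixAccount
uidNumber: 1000
uid: username1
userPassword:: e1NTSEF9ZmFrZWhhc2g=
cn: username1

dn: uid=username4,cn=users,dc=server,dc=domain,dc=net
objectClass: posixAccount
uidNumber: 1003
uid: username4
cn: username4

dn: uid=username2,cn=users,dc=server,dc=domain,dc=net
objectClass: posixAccount
uidNumber: 1001
uid: username2
cn: username2
"""

# "attr: value" or "attr:: base64value" ("attr:< url" is not handled here)
ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse ldapsearch -LLL output into (dn, {attr: [values]}, raw_block).
    Handles folded lines (continuations start with a space) and '::' base64
    values; blocks without a dn (e.g. a leading 'version: 1') are skipped.
    The raw block is kept verbatim so entries can be re-emitted unchanged."""
    entries = []
    for block in re.split(r"\n{2,}", text.strip("\n")):
        dn, attrs = None, {}
        for line in block.replace("\n ", "").split("\n"):
            if not line or line.startswith("#"):
                continue
            m = ATTR_RE.match(line)
            if not m:
                raise ValueError("not an LDIF attribute line: %r" % line)
            name, sep, raw = m.groups()
            value = (base64.b64decode(raw).decode("utf-8", "surrogateescape")
                     if sep == "::" else raw)
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs, block))
    return entries


def members_of(groups, group_cn):
    """Return the set of memberUid values of the group with the given cn."""
    for _dn, attrs, _raw in groups:
        if any(cn.lower() == group_cn.lower() for cn in attrs.get("cn", [])):
            return set(attrs.get("memberUid", []))
    raise KeyError("no group with cn=%s in export" % group_cn)


def uid_filter(uids):
    """OR filter over the uids, escaped per RFC 4515, for a server-side
    ldapsearch against cn=users instead of post-processing the LDIF."""
    def esc(s):
        return (s.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))
    return "(|" + "".join("(uid=%s)" % esc(u) for u in sorted(uids)) + ")"


def filter_users(users, uids):
    """Return, as LDIF text, only the user entries whose uid is in uids."""
    keep = [raw for _dn, attrs, raw in users
            if any(u in uids for u in attrs.get("uid", []))]
    return "\n\n".join(keep) + "\n"


if __name__ == "__main__":
    groups = parse_ldif(GROUPS_LDIF)
    users = parse_ldif(USERS_LDIF)
    uids = members_of(groups, "groupname")
    print("# server-side filter for cn=users:", uid_filter(uids))
    print(filter_users(users, uids))
```

Run it against real files by reading the two exports into the two strings; the matching entries are written out exactly as ldapsearch produced them, so the base64-encoded userPassword lines survive the round trip untouched. Users who belong to several groups simply show up in each group's output, which is one more reason to copy the group objects across as well and let the target server answer membership queries.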