Aegis LDAP Adapter - Update 3: LDIF Operations

Welcome to the IQLdap Adapter Update 3 (version 0.8.0.0)!

This update brings LDIF Operations features into the IQLdap adapter in the form of two activities for LDIF Export and LDIF Import.

LDIF, the LDAP Data Interchange Format, is a standard defined by RFC 2849 which allows a set of LDAP objects to be represented in plain text, so that data can be exported from and imported into LDAP directories. As it is plain text, details can be modified before they are loaded.

Could I have used the existing IQLdap activities to process LDIF data? In short, no. Aegis workflows represent many data types differently from the way LDIF does. For simple data types such as plain strings the values are the same, but there are times when even strings need to be base64 encoded for LDIF.

Take, for example, the objectGUID attribute in Active Directory, which is an optional attribute of the TOP objectclass.

In AD, it is stored as an OCTET STRING (http://tools.ietf.org/html/rfc2252), which looks like this in hex:

7B E5 3B 1D 68 CC C4 4D 94 B6 E3 12 17 4E 97 D5

The corresponding value shown in Aegis is the user-friendly version:

1d3be57b-cc68-4dc4-94b6-e312174e97d5

The corresponding value in LDIF format is:

e+U7HWjMxE2UtuMSF06X1Q==

So care must be taken not to mix incompatible values! Aegis uses user-friendly values where possible, or formats native to Aegis, so they can be used directly without extra conversions in workflows.
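As an added example (not part of the original post or the adapter's code), the following Python shows the three representations of the objectGUID value above and the RFC 2849 rule that decides when an exporter must write a value as 'attr:: base64'. The rule is general, not GUID-specific: any value containing a line break or non-ASCII byte, or starting with a space, ':' or '<', gets the double-colon form.

```python
import base64
import uuid

# Values taken from the post: one objectGUID in its three representations.
AD_OCTETS_HEX = "7B E5 3B 1D 68 CC C4 4D 94 B6 E3 12 17 4E 97 D5"
AEGIS_GUID = "1d3be57b-cc68-4dc4-94b6-e312174e97d5"
LDIF_LINE = "objectGUID:: e+U7HWjMxE2UtuMSF06X1Q=="


def octets_to_guid(octets: bytes) -> str:
    """AD keeps objectGUID as 16 raw octets. The first three GUID fields are
    stored little-endian, which is why the friendly string is not simply the
    hex dump read left to right (7B E5 3B 1D becomes 1d3be57b)."""
    return str(uuid.UUID(bytes_le=octets))


def guid_to_octets(guid: str) -> bytes:
    return uuid.UUID(guid).bytes_le


def needs_base64(value: bytes) -> bool:
    """RFC 2849 SAFE-STRING rule: plain 'attr: value' is only allowed for ASCII
    without NUL, CR or LF that does not start with space, ':' or '<'; values
    ending in a space should be base64-encoded too."""
    if not value:
        return False
    if any(b in (0x00, 0x0A, 0x0D) or b > 0x7F for b in value):
        return True
    return value[0] in b" :<" or value[-1] == 0x20


def ldif_attr_line(name: str, value: bytes) -> str:
    """Render one attribute line the way an LDIF exporter must."""
    if needs_base64(value):
        return f"{name}:: {base64.b64encode(value).decode('ascii')}"
    return f"{name}: {value.decode('ascii')}"


def objectguid_forms(guid: str) -> dict:
    """All three forms of one GUID, so a workflow never mixes them up."""
    octets = guid_to_octets(guid)
    return {"hex": octets.hex(" ").upper(),
            "guid": octets_to_guid(octets),
            "ldif": ldif_attr_line("objectGUID", octets)}
```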

The new activities in this update are described below.

LDIF Export

The LDIF Export activity exports data from a directory and saves it to a file. Which objects are exported is controlled by the 'Filter', 'Base DN' and 'Search Scope' inputs, which work in the same way as in the Object Query activity.

Additionally, the 'Attributes' input can be used to export specific attributes, or left empty to export all attributes of each object.

The 'Change Record' input adds an optional change record and modification spec (for example, changetype: add) to each exported object; alternatively select NONE to omit it. The LDIF Import activity, however, requires this value in order to know what to do with each object when importing: add, modify or delete.

The outputs of the activity are a Boolean indicating success and the number of objects which were exported.

LDIF Import

The LDIF Import activity applies each object in the LDIF file to a directory according to the change record and modification spec defined for that object.

The outputs of the activity are a list of objects which failed to import, each with its associated error message, and a Boolean overall result.

The import operation is, however, more complex than an export. The LDIF file which is imported may only contain editable attributes; trying to set or modify a read-only attribute will result in a failure. Therefore you cannot simply export an object with all its attributes and expect to re-import it without some changes. If re-creating objects is your use case, a better approach is to export only those attributes required to re-create the object.

Examples

1. A single computer exported to LDIF with all attributes
# This LDIF was generated by an mjcLdap associated tool : (mjcLdap.dll v0.8.0.0)
version: 1

dn: CN=sigea-cSQL,CN=Computers,DC=sigea,DC=moc
pwdLastSet: 130577777232121075
dSCorePropagationData: 16010101000000.0Z
uSNChanged: 13199782
sAMAccountType: 805306369
msDS-SupportedEncryptionTypes: 28
objectSid:: AQUAAAAAAAUVAAAAhBk6kYufwKaOd754rTIGAA==
uSNCreated: 9885549
mS-DS-CreatorSID:: AQUAAAAAAAUVAAAAhBk6kYufwKaOd754qzIGAA==
countryCode: 0
whenCreated: 20140120123103.0Z
description: Failover cluster virtual network name account
cn: sigea-cSQL
servicePrincipalName: MSServerClusterMgmtAPI/sigea-cSQL.sigea.moc
servicePrincipalName: MSServerClusterMgmtAPI/SIGEA-CSQL
servicePrincipalName: MSClusterVirtualServer/sigea-cSQL.sigea.moc
servicePrincipalName: MSClusterVirtualServer/SIGEA-CSQL
servicePrincipalName: HOST/sigea-cSQL.sigea.moc
servicePrincipalName: HOST/SIGEA-CSQL
accountExpires: 9223372036854775807
isCriticalSystemObject: FALSE
objectGUID:: e+U7HWjMxE2UtuMSF06X1Q==
whenChanged: 20141014162843.0Z
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=sigea,DC=moc
distinguishedName: CN=sigea-cSQL,CN=Computers,DC=sigea,DC=moc
codePage: 0
sAMAccountName: sigea-cSQL$
localPolicyFlags: 0
displayName: sigea-cSQL$
instanceType: 4
logonCount: 13
primaryGroupID: 515
dNSHostName: sigea-cSQL.sigea.moc
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
objectClass: computer
lastLogon: 130582691810437145
lastLogonTimestamp: 130576913056433405
userAccountControl: 4096
name: sigea-cSQL

2. A number of user objects with selected attributes exported, with the change record set to add (changetype: add). Note that these results are different types of objects, so although the logoncount attribute was requested it is only returned for objects which have that attribute.
# This LDIF was generated by an mjcLdap associated tool : (mjcLdap.dll v0.8.0.0)
version: 1

dn: CN=Marc Andrews,OU=Jerusalem,OU=SIGEA,OU=Law Division,DC=sigea,DC=moc
changetype: add
cn: Marc Andrews
description: Description of: Marc Andrews
modifytimestamp: 20111102125441.0Z
logoncount: 34
sn: Andrews


dn: CN=Marc Brennan,OU=Sales,OU=Madrid,OU=SIGEA,OU=Law Division,DC=sigea,DC=moc
changetype: add
cn: Marc Brennan
description: Description of: Marc Brennan
modifytimestamp: 20111102125539.0Z
logoncount: 2
sn: Brennan


dn: CN=Marc Burkhard,OU=Sales,OU=Toronto,OU=SIGEA,OU=Law Division,DC=sigea,DC=moc
changetype: add
cn: Marc Burkhard
description: Description of: Marc Burkhard
modifytimestamp: 20101117190928.0Z
sn: Burkhard


dn: CN=Marc Capaletti - 0001,OU=Marketing,OU=London,OU=SIGEA,OU=Law Division,DC=sigea,DC=moc
changetype: add
cn: Marc Capaletti - 0001
description: Description of: Marc Capaletti
modifytimestamp: 20101117184245.0Z
sn: Capaletti

3. A number of user objects with selected attributes exported, with a change record of modify and a modification spec of add (MODIFY:ADD in the activity).
# This LDIF was generated by an mjcLdap associated tool : (mjcLdap.dll v0.8.0.0)
version: 1

dn: CN=JSnow,OU=Test,OU=Aegis,OU=MJC,DC=sigea,DC=moc
changetype: modify
add:streetAddress
streetAddress:: NSBTaGlsbHkgU2hvbGx5IFBvbGx5DQpNb2xseQ==
-
add:manager
manager: CN=cotterm,OU=DomainAdmins,OU=Users,OU=MJC,DC=sigea,DC=moc
-
add:memberOf
memberOf: CN=ABC_456,OU=OU1,OU=test,DC=sigea,DC=moc
memberOf: CN=Access Control Assistance Operators,CN=Builtin,DC=sigea,DC=moc
memberOf: CN=A Test Group,OU=test,OU=MJC,DC=sigea,DC=moc
memberOf: CN=Accounting-DG,OU=Accounting,OU=Warsaw,OU=SIGEA,OU=Law Division,DC=sigea,DC=moc
memberOf: CN=Accounting-DG,OU=Accounting,OU=Toronto,OU=SIGEA,OU=Law Division,DC=sigea,DC=moc
-
add:logonHours
logonHours:: +//H////////////////////4/8/
-

Use Cases

These are some typical uses of LDIF which can be achieved in an Aegis workflow.

A simple backup mechanism for existing objects: a simple scheduled workflow could take a regular backup.

Creating / Modifying a large volume of users or other objects.

Moving objects from one Directory to another.

Aegis can, however, be used to do some really neat things with LDIF in conjunction with other features, for example using LDIF files to help detect changes, and more importantly changes to high-value objects such as important security groups. How can this be achieved? Really simply...

  1. Export the objects + attributes you want to monitor on a schedule.

  2. Use an IQLdap Event definition to generate an event if any of the objects change. The event can only tell you which object was changed, not the actual change.

  3. Trigger a workflow to perform an export of the modified object.

  4. This workflow should compare the LDIF for the object against the original to find the changes, then send a notification or even revert the change that was made!
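The comparison in step 4, as an added example that is not part of the original post or the adapter: a small Python LDIF reader and a diff of two exports of the same object, reporting exactly which attribute values were added or removed. The sample records and DNs are constructed for illustration.

```python
import base64
import re
# Constructed sample exports (not from the post): a baseline of a high-value
# group and a later export of the same object taken after an event fired.
BASELINE = """\
dn: CN=Domain Admins,CN=Users,DC=sigea,DC=moc
member: CN=Administrator,CN=Users,DC=sigea,DC=moc
member: CN=cotterm,OU=DomainAdmins,OU=Users,OU=MJC,DC=sigea,DC=moc
description: Designated administrators of the domain
"""
CURRENT = """\
dn: CN=Domain Admins,CN=Users,DC=sigea,DC=moc
member: CN=Administrator,CN=Users,DC=sigea,DC=moc
member: CN=JSnow,OU=Test,OU=Aegis,OU=MJC,DC=sigea,DC=moc
description: Designated administrators
  of the domain
"""


def parse_ldif(text):
    """Return {dn: {attr: set(values)}}. Skips comments, unfolds continuation
    lines (leading space) and decodes base64 '::' values; names are lowercased."""
    records, current = {}, None
    unfolded = re.sub(r"\r?\n ", "", text)       # RFC 2849 line folding
    for line in unfolded.splitlines() + [""]:    # "" closes the last record
        if not line:
            current = None                       # blank line separates records
        elif ":" in line and not line.startswith("#"):
            name, _, rest = line.partition(":")
            value = (base64.b64decode(rest[1:].strip()) if rest.startswith(":")
                     else rest.lstrip(" ").encode())
            if name.lower() == "dn":
                current = records.setdefault(value.decode(), {})
            elif current is not None:            # 'version: 1' precedes any dn
                current.setdefault(name.lower(), set()).add(value)
    return records


def diff_records(baseline, current):
    """List (dn, attr, removed, added) for every attribute whose values differ."""
    changes = []
    for dn in sorted(set(baseline) | set(current)):
        before, after = baseline.get(dn, {}), current.get(dn, {})
        for attr in sorted(set(before) | set(after)):
            removed = before.get(attr, set()) - after.get(attr, set())
            added = after.get(attr, set()) - before.get(attr, set())
            if removed or added:
                changes.append((dn, attr, sorted(removed), sorted(added)))
    return changes
```

The folded description in the second export parses to the same value as the baseline, so only the member change is reported.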


Limitations

This version of the IQLdap adapter works with add, delete and replace change records. It ignores controls and rdns.
It works with all data types that work for non-LDIF operations in the IQLdap adapter. It should also work with LDIF generated by other systems, but if you do find an attribute which does not work, please let me know; it is probably a data type I haven't been able to test!

Installation Instructions

This version can be applied either as a full installation or as an upgrade to the original version (0.2.0.0), which is here, or to version 0.4.0.0.

For a new installation, follow the installation instructions here, but use the zip file attached to this page.

For an upgrade follow the instructions below:

  1. Copy the updated IQLdapAdapterCommunityXXXX.zip file to your installation folder: <installdrive>:\Program Files (x86)\NetIQ. Aegis should be a sub-folder at this location. This location will be referred to as <installpath> in the next steps.

  2. Stop the NetIQ Aegis Namespace Provider Service and its dependent services (NetIQ Aegis Engine, NetIQ Aegis Activity Broker). Close the Adapter Configuration Utility if it is open.

  3. Unzip IQLdapAdapterXXXXXX.zip directly into <installpath>. Do not unzip it into a subfolder; extract it over the existing Aegis folder structure.

  4. Restart the NetIQ Aegis Namespace Provider Service and its dependent services (NetIQ Aegis Engine, NetIQ Aegis Activity Broker).

  5. Open an elevated command prompt (Run As Administrator) and navigate to:
    <installpath>\Aegis\IQConnect73\bin

  6. Execute the load_iqldapLibrary.cmd command with the following parameters:

    server: hostname or FQDN of the server running the "NetIQ Aegis Namespace Provider" service (an IP address will work, but will need to be updated if it changes in the future)
    port: the port the "NetIQ Aegis Namespace Provider" service runs on (probably 2219)
    domain: the domain of the Aegis service account
    service account: the Aegis service account
    service account password: the Aegis service account password

Example:

load_iqldapLibrary.cmd myAegisServer 2219 myDomain aegissvc PaZZwOrd

The last line of output should include:

Finished processing '..\mof\IQLdapActivitiesLibrary.mof'. Processed 2 instances.

And that's it!

Details of the full feature set from previous versions:

Initial version description, feature list and installation instructions: https://www.netiq.com/communities/cool-solutions/cool_tools/aegis-ldap-adapter-for-netiq-edirectory-active-directory-openldap-and-compatible-ldap-directories/

Update 1 description and feature list: https://www.netiq.com/communities/cool-solutions/cool_tools/aegis-ldap-adapter-update-1/

Update 2 description and feature list: https://www.netiq.com/communities/cool-solutions/cool_tools/aegis-ldap-adapter-update-2-password-reset-groups-memberships-and-more/

 
Last update: 2014-10-23 20:42