
Perl Scripting against eDirectory


Is there a way to Perl script against eDirectory similar to using
PowerShell and the AD modules? In particular I am needing to
systematically clean up a number of groups, and if this were AD it would
be a pretty simple PowerShell script. I'm hoping to find a Perl
equivalent.


--
stampsr
------------------------------------------------------------------------
stampsr's Profile: https://forums.netiq.com/member.php?userid=7353
View this thread: https://forums.netiq.com/showthread.php?t=54085

0 Likes

Re: Perl Scripting against eDirectory

It would help to know what you want to do. You can use any language
against eDirectory that supports either LDAP or NCP, and where LDAP has
been a standard, and a part of eDirectory for decades, that is probably
the easiest way to go.

To get more help, share some of the details of what is wrong, how it
became wrong, how things should be once fixed, and we may be able to find
a great way to fix it easily.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes

Re: Perl Scripting against eDirectory


Currently there aren't any issues in particular. The task I am working
on now, is that I have a number of groups that at some point in the past
got out of sync. So the AD version of the group has one set of members,
and the eDirectory group has another. The eDirectory version of the
group has more members than the AD version. I am working on creating a
script to compare the two, and then remove the unnecessary groups from
the eDirectory group's members list. By the sounds of it I just need to
look at using LDAP and Perl. I'll be honest I was hoping there was
something similar to the AD powershell tools, quick one liners for
removing or modifying objects is handy.


--
stampsr
------------------------------------------------------------------------
stampsr's Profile: https://forums.netiq.com/member.php?userid=7353
View this thread: https://forums.netiq.com/showthread.php?t=54085

0 Likes

Re: Perl Scripting against eDirectory

If your PowerShell commands are using LDAP then they may work against
eDirectory as well. If they are using something proprietary (as I'm
guessing) then you're probably limited in how useful that will be. Since
your task is to do work between two disparate systems, having proprietary
tools on either side will probably leave you out on the other unless those
tools, like NetIQ Identity Manager (IDM), are meant to handle the
integration. If you are using IDM, or if you set that up, then
reconciling differences between environments can be very simple; basically
choose to migrate the group from one side to the other and let the system
reconcile differences.

The standards-based tools (pick-your-language + LDAP) should work against
both environments, though because they cannot make assumptions like "I
have credentials based on the user logged into this box" they may need a
little bit more structure to be complete.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...
0 Likes

Re: Perl Scripting against eDirectory


Looks like I will be going the language + LDAP. I tried migrating the
Group from AD to eDirectory, but it doesn't update the members for the
eDirectory Group, at least not under the Nested Tab. It's strange but
support just told me to manually remove the entries under the Nested
Tab.


--
stampsr
------------------------------------------------------------------------
stampsr's Profile: https://forums.netiq.com/member.php?userid=7353
View this thread: https://forums.netiq.com/showthread.php?t=54085

0 Likes

Re: Perl Scripting against eDirectory


Just as an update. I found out that the groupMember attribute on my
groups is not synced with the member attribute. At the moment the
member attribute appears to be the attribute that is synced with AD.


--
stampsr
------------------------------------------------------------------------
stampsr's Profile: https://forums.netiq.com/member.php?userid=7353
View this thread: https://forums.netiq.com/showthread.php?t=54085

0 Likes

Re: Perl Scripting against eDirectory

stampsr wrote:

>
> Just as an update. I found out that the groupMember attribute on my
> groups is not synced with the member attribute. At the moment the
> member attribute appears to be the attribute that is synced with AD.


There are some quirks in that the eDirectory approach for determining group membership and the AD approach differ somewhat.

In eDirectory depending on the tool used, you can end up with for example just the Group.Member attribute set. This can be problematic and you really should at least have the reciprocal User.GroupMembership attribute.
There are also equivalentToMe / securityEquals which are often set also, in some scenarios setting these is optional.


In AD - one can only configure membership on the group object, the inverse (memberOf) on the user is a pseudo-attribute and maintained by AD automatically.

I've previously done this sort of comparison in pure PowerShell using .NET System.DirectoryServices LDAP provider.
Alex McHugh - Knowledge Partner - Stavanger, Norway
0 Likes
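
The clean-up discussed in this thread, as an added example that is not code from any poster: a Perl script (core modules only) that finds eDirectory members missing from the AD group and prints LDIF removing `member` together with the reciprocal `groupMembership`, `securityEquals` and `equivalentToMe` values named above. The DNs are constructed sample data, and matching accounts across the two trees by CN is an assumption.

```perl
#!/usr/bin/perl
# Added example: plan an eDirectory group clean-up as LDIF for review.
use strict;
use warnings;

# Constructed sample data. In practice each list is the result of an LDAP
# search for the group's "member" values on the respective directory.
my $edir_group = 'cn=finance,ou=groups,o=example';
my @ad_members = (
    'CN=jsmith,OU=Staff,DC=example,DC=com',
    'CN=mjones,OU=Staff,DC=example,DC=com',
);
my @edir_members = (
    'cn=jsmith,ou=staff,o=example',
    'cn=mjones,ou=staff,o=example',
    'cn=oldtemp,ou=staff,o=example',
);

# Assumption: the leading RDN value (the CN) names the same account in both trees.
sub rdn_key {
    my ($dn) = @_;
    my ($value) = $dn =~ /^\s*[^=,]+=((?:\\.|[^,\\])+)/
        or die "cannot parse DN: $dn\n";
    return lc $value;
}

# Members present on the eDirectory group but absent from the AD group.
sub extra_members {
    my ($ad, $edir) = @_;
    my %in_ad = map { rdn_key($_) => 1 } @$ad;
    return grep { !$in_ad{ rdn_key($_) } } @$edir;
}

# One LDIF record per attribute, so a reciprocal value that was never set
# fails on its own (ldapmodify -c continues). Assumes plain ASCII DNs.
sub ldif_delete {
    my ($dn, $attr, $value) = @_;
    return "dn: $dn\nchangetype: modify\ndelete: $attr\n$attr: $value\n-\n\n";
}

sub removal_ldif {
    my ($group, $member) = @_;
    return join '',
        ldif_delete($group,  'member',          $member),
        ldif_delete($group,  'equivalentToMe',  $member),
        ldif_delete($member, 'groupMembership', $group),
        ldif_delete($member, 'securityEquals',  $group);
}

print removal_ldif($edir_group, $_)
    for extra_members(\@ad_members, \@edir_members);
```

With the sample data this prints four records for `cn=oldtemp,ou=staff,o=example`; the user-side records matter because a leftover `securityEquals` value keeps the user security-equivalent to the group after the `member` value is gone.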

Re: Perl Scripting against eDirectory


stampsr;259951 Wrote:
> I'll be honest I was hoping there was something similar to the AD
> powershell tools, quick one liners for removing or modifying objects is
> handy.


You might want to take a look at http://www.jrbsoftware.com/
John provides a set of utilities for both Novell and MS environments
(quick one liners for removing or modifying objects!). IMO the license
costs are minimal compared to the amount of hours you can save.

HTH
Cheers
David


--
djbrightman
------------------------------------------------------------------------
djbrightman's Profile: https://forums.netiq.com/member.php?userid=1524
View this thread: https://forums.netiq.com/showthread.php?t=54085

0 Likes