wferguson1

export and import OU structure only


I inherited a situation where the DEV environment was not kept up to
date with prod, and so now I am having to create a DEV environment that
matches prod. Some of you that have seen my recent posts will be
aware of this. I am hoping that these posts will help others that come
behind us as well.

I am now working on the best way to get a copy of my prod OU tree
structure alone (no CNs or groups etc.) and import that information
into prod. Using the ICE utility in iManager I continuously received SSL
LDAP bind errors, which I saw a TID from NetIQ stating was a bug in
iManager 2.7, which is what I am using. So I am now using LDAPADD, which
seems to work if I remove a few lines from the LDIF entry, which I will
explain below.

QUESTION: I am going to explain what I had to remove from the LDIF entry
below in order for the import using the ldapadd command to work. Can
someone tell me what the importance is of the attributes I removed and
what problems it will cause, if any?

I ran the command below to import this LDIF file:
# ldapadd -xWvD cn=<user>,o=<treename> -e /tmp/<certfile>.der -f /tmp/test.ldif

version: 1
dn: ou=RED,o=BLUE
objectClass: srvprvEntityAux
objectClass: Partition
objectClass: ndsContainerLoginProperties
objectClass: ndsLoginProperties
objectClass: Top
objectClass: organizationalUnit
ou: RED
ACL: 2#entry#ou=RED,o=BLUE#loginScript
ACL: 2#entry#ou=RED,o=BLUE#printJobConfiguration
ACL: 3#entry#ou=RED,o=BLUE#appLauncherConfig
ACL: 2#entry#[Public]#sssActiveServerList
ACL: 16#subtree#cn=BACKUP,ou=BKUP,ou=RED,o=BLUE#[Entry Rights]
ACL: 3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#groupMembership
ACL: 3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[All Attributes Rights]
ACL: 1#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[Entry Rights]
appLauncherConfig:: QU9UIEZJTEUUAAAAAQAAABQAAAAAAAAABAAEABQAAAACAAAAFAAAAAAA
 AAAAAAAACAAAAAcAAAAQAAAAAwAAAAgAAAAGAAAAEAAAACAcAAAIAAAABQAAABAAAAAAAAAA
Convergence: 0
detectIntruder: TRUE
intruderAttemptResetInterval: 1200
intruderLockoutResetInterval: 600
lockoutAfterDetection: TRUE
loginIntruderLimit: 7
lowConvergenceSyncInterval: 132
srvprvUUID: 39678e70e9804cd9bc048012d7f21fec
sssActiveServerList:: iUS/RTgAAABNAEMARwBfAFMAVQBQAFAATwBSAFQALgBTAFUAUABQAE
 8AUgBUAC4AUwBWAFMALgBAAA=
sssActiveServerList:: Xan4SSAAAABEADIALgBMAEQAQQBQAC4AUwBWAFMALgBNAEMARwAAAC
 oAAABTAGUAYwByAGUAdABTAHQA


----------------------THE RESULTS OF THAT COMMAND
add objectClass:
srvprvEntityAux
Partition
ndsContainerLoginProperties
ndsLoginProperties
Top
organizationalUnit
add ou:
RED
add ACL:
2#entry#ou=RED,o=BLUE#loginScript
2#entry#ou=RED,o=BLUE#printJobConfiguration
3#entry#ou=RED,o=BLUE#appLauncherConfig
2#entry#[Public]#sssActiveServerList
16#subtree#cn=BADMIN,ou=BKUP,ou=RED,o=BLUE#[Entry Rights]
3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#groupMembership
3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[All Attributes Rights]
1#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[Entry Rights]
add appLauncherConfig:
AOT FILE
add Convergence:
0
add detectIntruder:
TRUE
add intruderAttemptResetInterval:
1200
add intruderLockoutResetInterval:
600
add lockoutAfterDetection:
TRUE
add loginIntruderLimit:
7
add lowConvergenceSyncInterval:
132
add srvprvUUID:
39678e70e9804cd9bc048012d7f21fec
add sssActiveServerList:
NOT ASCII (616 bytes)
NOT ASCII (592 bytes)
adding new entry "ou=RED,o=BLUE"
ldap_add: No such object
additional info: NDS error: no such entry (-601)
ldif_record() = 32



--------------- That failed, so then I created another LDIF file that
just contained the following, and the ou=RED,o=BLUE was successfully
created.
dn: ou=RED,o=BLUE
objectClass: srvprvEntityAux
objectClass: Partition
objectClass: ndsContainerLoginProperties
objectClass: ndsLoginProperties
objectClass: Top
objectClass: organizationalUnit
ou: RED
Convergence: 0
detectIntruder: TRUE
intruderAttemptResetInterval: 1200
intruderLockoutResetInterval: 600
lockoutAfterDetection: TRUE
loginIntruderLimit: 7
lowConvergenceSyncInterval: 132


So effectively I removed the ACLs, srvprvUUID and sssActiveServerList
from my LDIF file in order to get that ldapadd command to create the OU.
What will happen with those values not being on the OU in my DEV
environment, or will it even matter since it is a new tree, or will they
get re-created etc.? Thank you


--
wferguson
------------------------------------------------------------------------
wferguson's Profile: https://forums.netiq.com/member.php?userid=360
View this thread: https://forums.netiq.com/showthread.php?t=54382

wferguson1

Re: export and import OU structure only


More information: I found out that all I have to remove are the lines of
the "subtree" ACLs. What purpose do they serve?

ACL: 16#subtree#cn=BACKUP,ou=BKUP,ou=RED,o=BLUE#[Entry Rights]
ACL: 3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#groupMembership
ACL: 3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[All Attributes Rights]
ACL: 1#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[Entry Rights]


Knowledge Partner

Re: export and import OU structure only

On 09/30/2015 12:57 PM, wferguson wrote:
>
> More information: I found out that all I have to remove are the lines of
> the "subtree" ACLs. What purpose do they serve?
>
> ACL: 16#subtree#cn=BACKUP,ou=BKUP,ou=RED,o=BLUE#[Entry Rights]
> ACL: 3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#groupMembership
> ACL: 3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[All Attributes Rights]
> ACL: 1#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[Entry Rights]


These lines grant rights to the two objects mentioned in them:

cn=BACKUP,ou=BKUP,ou=RED,o=BLUE
cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE

If these two objects do not exist in your new environment, then references
to them (including in ACLs) will fail.

--
Good luck.

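The clean-up the thread arrives at by hand (drop the subtree ACLs whose trustees will not exist in the new tree, drop the tree-specific attributes such as srvprvUUID and sssActiveServerList, keep only the OU records) can be done mechanically before the LDIF ever reaches ldapadd. The script below is an added example for both the original question and the answer above; it is not code from the posts or from NetIQ. It assumes an ICE-style LDIF export as input, that bracketed pseudo-trustees such as [Public] exist in every tree, and that the login-policy attributes the poster kept in the successful import are the ones worth carrying over. It also emits parents before children, since adding a child before its container produces the same "no such object" error. The sample LDIF embedded in it is constructed for the demonstration and modelled on the export shown in the thread.

```python
"""Reduce an eDirectory LDIF export to an importable OU skeleton (added example)."""
import re

# Attributes carried across trees. Assumption: the set the poster kept in the
# LDIF that imported successfully, plus ACL, which is filtered per trustee.
KEEP_ATTRS = {
    "objectclass", "ou", "acl", "convergence", "detectintruder",
    "intruderattemptresetinterval", "intruderlockoutresetinterval",
    "lockoutafterdetection", "loginintruderlimit", "lowconvergencesyncinterval",
}
STRUCTURAL_CLASSES = {"organizationalunit"}  # what counts as "OU structure"


def unfold(text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return records as lists of (attr, is_base64, value); values pass through verbatim."""
    records, attrs = [], []
    for line in unfold(text) + [""]:
        if not line.strip():
            if attrs:
                records.append(attrs)
                attrs = []
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")          # "attr:: <base64>"
        value = rest[1:] if is_b64 else rest
        attrs.append((name.strip(), is_b64, value.strip()))
    return records


def record_dn(attrs):
    return next((v for n, _, v in attrs if n.lower() == "dn"), None)


def split_rdns(dn):
    return re.split(r"(?<!\\),", dn)          # split on unescaped commas only


def norm_dn(dn):
    return ",".join(p.strip() for p in split_rdns(dn)).lower()


def object_classes(attrs):
    return {v.lower() for n, b, v in attrs if n.lower() == "objectclass" and not b}


def acl_trustee(value):
    """eDirectory ACL value syntax: privileges#scope#trustee#protectedAttr."""
    parts = value.split("#", 3)
    return parts[2].strip() if len(parts) == 4 else None


def acl_is_portable(value, known_dns):
    """Keep an ACL only if its trustee will exist in the target tree."""
    trustee = acl_trustee(value)
    if trustee is None:
        return False
    if trustee.startswith("[") and trustee.endswith("]"):
        return True                            # assumption: [Public] etc. always exist
    return norm_dn(trustee) in known_dns


def filter_ldif(text):
    """Keep OU records only, strip non-portable attributes, order parents first."""
    containers = [r for r in parse_ldif(text)
                  if record_dn(r) and object_classes(r) & STRUCTURAL_CLASSES]
    known = {norm_dn(record_dn(r)) for r in containers}
    containers.sort(key=lambda r: len(split_rdns(record_dn(r))))  # stable, by depth
    out = ["version: 1"]
    for attrs in containers:
        out.append("")
        for name, is_b64, value in attrs:
            key = name.lower()
            if key == "dn":
                out.append(f"dn: {value}")
            elif key not in KEEP_ATTRS:
                continue                       # srvprvUUID, sssActiveServerList, ...
            elif key == "acl" and not acl_is_portable(value, known):
                continue                       # trustee not created by this LDIF
            else:
                out.append(f"{name}:{':' if is_b64 else ''} {value}")
    return "\n".join(out) + "\n"


# Constructed sample: a user, then a child OU listed before its parent.
SAMPLE_LDIF = """version: 1
dn: cn=BACKUP,ou=BKUP,ou=RED,o=BLUE
objectClass: inetOrgPerson
cn: BACKUP

dn: ou=BKUP,ou=RED,o=BLUE
objectClass: Top
objectClass: organizationalUnit
ou: BKUP
ACL: 16#subtree#cn=BACKUP,ou=BKUP,ou=RED,o=BLUE#[Entry Rights]

dn: ou=RED,o=BLUE
objectClass: Top
objectClass: organizationalUnit
ou: RED
ACL: 2#entry#ou=RED,o=BLUE#loginScript
ACL: 2#entry#[Public]#sssActiveServerList
ACL: 3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[All Attributes Ri
 ghts]
ACL: 1#subtree#ou=BKUP,ou=RED,o=BLUE#[Entry Rights]
appLauncherConfig:: QU9UIEZJTEUUAAAAAQAAABQAAAAAAAAABAAEABQAAAACAAAAFA
detectIntruder: TRUE
loginIntruderLimit: 7
srvprvUUID: 39678e70e9804cd9bc048012d7f21fec
sssActiveServerList:: iUS/RTgAAABNAEMARwBfAFMAVQBQAFAATwBSAFQALgBTAFUAUABQ
"""

if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sys.stdout.write(filter_ldif(source))
```

Run it as `python filter_ou.py export.ldif > ou-skeleton.ldif` and feed the result to ldapadd. Entry-scope ACLs whose trustee is the OU itself survive, which matches the poster's finding that only the subtree ACLs had to go; an ACL granting rights to another OU in the same export is also kept, because that OU is created by the same file.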
wferguson1

Re: export and import OU structure only


Thank you ab. In my dev environment I will be creating new admin
accounts etc. as well, so me just creating the OU structure from an
LDIF import should be fine. Then I will create my admin and backup user
and assign those rights. Thank you.

