Managing eDirectory Objects with LDAP Commands
Novell Cool Solutions: Tip
By Donald Lohr
Posted: 31 Jan 2007
A Forum reader recently asked:
"Any help is appreciated as to how to find/delete the NDS 'Other Name' field attribute, which appears to be a secondary 'CN' attribute mapping that I can't find anywhere. I am aware I can just delete all NDS 'Other name' field entries within the NDS User Objects to get rid of this 'template - Other name' output, but I'm just trying to understand where it's coming from.
We did test changing the Footprints User ID field mapping to the 'uid' LDAP attribute, but then the Footprints search results had about 1/2 of its output as blank User ID's in the User ID column. This was for users whose User ID column showed correctly (well, with appended 'Other name' entries), when using 'cn' as the Footprints User ID LDAP mapping. The 'Other name' field didn't show up, though - no 'templates' in the search output."
And here's the response from Donald Lohr ...
The CN attribute is a multi-valued attribute. The "Other Name" field in ConsoleOne and NWAdmin is a way to populate the other values you want the CN attribute to have. An ldapsearch / look-up will return all of the multiple values.
The uid attribute is a UNIX ID attribute. Some legacy utilities such as NWAdmin do not populate that attribute when a user object is created. Several methods exist to handle your issue here. You can search for the "Create UID for older users" thread in the novell.support.edirectory.netware forum, posted at 11:25am on 7/12/2006.
There is a simple way to do an ldapsearch / look-up to see all of its values. There are command-line based ldap programs in the sys:public\mgmt\ConsoleOne\1.2\bin folder that I use many times daily:
Several good bits of info:
1. Get to a DOS command prompt in the bin folder.
ldapsearch -LLL -h serverDNSname -D cn=adminUserID,ou=container,o=org -W -Z "(cn=*)" cn >export.ldif
2. Use "ldapsearch /?" to see what the above string syntax is. Of course, you will have to provide your server's dns name and the actual user (with admin rights) you are binding (ldap login) with.
Because the example above is piping to a file, you will not see the "Enter LDAP Password:" item. Just know that when you execute the ldapsearch command (as shown above), you need to provide the password for the user you are binding (ldap login) with. Try it first without the ">export.ldif" so you can see what is being returned.
You will see things like these returned:
dn: cn=BSMITH3,ou=container,o=org
cn: BSMITH3
cn: Default MO User Template

dn: cn=BSMITH2,ou=container,o=org
cn: BSMITH2

dn: cn=ASMITH,ou=container,o=org
cn: ASMITH
cn: GroupHome Template
The example of the ldapsearch syntax above is a very simple one. Using the ldapsrch.html as a reference, you can see that complex strings can be used to get exactly what you want returned:
ldapsearch -LLL -h serverDNSname -D cn=adminUserID,ou=container,o=org -W -Z "(cn=GroupHome Template)" cn >export2.ldif

ldapsearch -LLL -h serverDNSname -D cn=adminUserID,ou=container,o=org -W -Z "(cn=Default MO User Template)" cn >export3.ldif
With the above mentioned a6i0f1p.html page, you can then modify your export2.ldif and export3.ldif file so that you can use the ldapmodify.exe to delete the "Other Name" attributes (if you will).
I started out several years ago not knowing anything about managing eDirectory objects with LDAP commands, and now I almost prefer it, especially when I have more than a handful of objects I am working with.
Of course (I have to say this), you will not want to do your LDAP command learning, investigation, and testing with these command-line tools in your production environment. Where these ldap tools and using the ldap protocol might seem limiting, they are not; and you can, by mistake, change a lot of objects very quickly. Personally been there and done that.
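As an added example that is not part of the original tip, the script below turns an ldapsearch LDIF export like the one shown above into the ldapmodify input that deletes every cn value except the one in each entry's RDN (the "Other Name" values). The sample export is constructed from the output in the tip; the function names are my own.

```python
# Build ldapmodify input that removes extra cn ("Other Name") values.
# Sample export constructed to match the ldapsearch output in the tip.
SAMPLE_EXPORT = """\
dn: cn=BSMITH3,ou=container,o=org
cn: BSMITH3
cn: Default MO User Template

dn: cn=BSMITH2,ou=container,o=org
cn: BSMITH2

dn: cn=ASMITH,ou=container,o=org
cn: ASMITH
cn: GroupHome Template
"""

def parse_ldif(text):
    """Parse minimal LDIF (dn and cn lines, blank-line separated)
    into a list of (dn, [cn values])."""
    entries, dn, cns = [], None, []
    for line in text.splitlines() + [""]:   # trailing "" flushes last entry
        if line == "":
            if dn is not None:
                entries.append((dn, cns))
            dn, cns = None, []
        elif line.lower().startswith("dn: "):
            dn = line[4:]
        elif line.lower().startswith("cn: "):
            cns.append(line[4:])
    return entries

def extra_cn_values(dn, cns):
    """cn values that differ from the RDN's cn (eDirectory cn matching
    is case-insensitive, so compare lower-cased)."""
    rdn = dn.split(",", 1)[0]
    keep = rdn.split("=", 1)[1].lower() if rdn.lower().startswith("cn=") else None
    return [v for v in cns if keep is None or v.lower() != keep]

def build_modify_ldif(export_text):
    """Emit one changetype: modify record per entry that has extras;
    entries with a single cn are left untouched."""
    out = []
    for dn, cns in parse_ldif(export_text):
        extras = extra_cn_values(dn, cns)
        if not extras:
            continue
        out += [f"dn: {dn}", "changetype: modify"]
        for value in extras:           # one delete mod-spec per value
            out += ["delete: cn", f"cn: {value}", "-"]
        out.append("")                 # blank line ends the record
    return "\n".join(out)
```

Save the returned text to a file and review it before handing it to ldapmodify with the same -h/-D/-W/-Z options as the ldapsearch calls above.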
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com