How to export an object on a DSfW server
How to export a user on a DSfW server
How to export a group on a DSfW server
Use ldapsearch to export a user on a DSfW server with either the EXTERNAL, GSS-SPNEGO, or GSSAPI method.
This will return attributes not seen in iManager or other tools.
This ldapsearch is specific to DSfW servers.
To use any of those methods first export the LDAPCONF or SASL_PATH depending on the method used.
The EXTERNAL method uses the LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf.
The GSS-SPNEGO and GSSAPI methods use the SASL_PATH=/opt/novell/xad/lib64/sasl2.
The GSS-SPNEGO and GSSAPI methods also need a Kerberos ticket for administrator (kinit administrator).
Depending on the method to be used, first export the appropriate path.
Export the LDAP Conf file for external method to path:
- export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
- An external method will start with ldapsearch -Y EXTERNAL
Export SASL_PATH for GSS-SPNEGO method to path:
- kinit administrator@<your_domain.com> e.g. kinit firstname.lastname@example.org
- export SASL_PATH=/opt/novell/xad/lib64/sasl2
- Using the GSS-SPNEGO method will use ldapsearch -Y GSS-SPNEGO
- Using the GSSAPI method will be ldapsearch -Y GSSAPI
To export an object using the EXTERNAL method (the easiest way to export an object) do the following:
/usr/bin/ldapsearch -Y EXTERNAL -LLL -Q -b "cn=object,ou=container,dc=domain,dc=lan" > object.txt
To send the output to the display instead of exporting the object to a file called object.txt, remove the > object.txt:
/usr/bin/ldapsearch -Y EXTERNAL -LLL -Q -b "cn=object,ou=container,dc=domain,dc=lan"
To export an object using the GSS-SPNEGO or GSSAPI methods do the following:
/usr/bin/ldapsearch -Y GSS-SPNEGO -LLL -Q -b "cn=object,ou=container,dc=domain,dc=lan" > object.txt
/usr/bin/ldapsearch -Y GSSAPI -LLL -Q -b "cn=object,ou=container,dc=domain,dc=lan" > object.txt
If the context of the object is uncertain, but the name or cn is known then do the following search(es).
/usr/bin/ldapsearch -Y EXTERNAL -LLL -Q cn=object > object.txt
/usr/bin/ldapsearch -Y GSS-SPNEGO -LLL -Q cn=object > object.txt
/usr/bin/ldapsearch -Y GSSAPI -LLL -Q cn=object > object.txt
See TID 7003070 for more info on using ldapsearch on a DSfW server.
Once the LDAPCONF or SASL_PATH have been exported, they do not need to be exported again in the same terminal unless they are unset. To check if they are set do:
Should return - /etc/opt/novell/xad/openldap/ldap.conf
Should return - /opt/novell/xad/lib64/sasl2
The Kerberos ticket only needs to be issued once every 24 hours unless a kdestroy has been issued.
Use the /usr/bin/ldapsearch instead of the /opt/novell/eDirectory/bin/ldapsearch.
To see which ldapsearch is being called if the full path to ldapsearch is not specified, use the which command.
If the /usr/bin/ldapsearch is returned then the full path to ldapsearch is not needed. If the eDirectory version of ldapsearch is returned, use the complete path for ldapsearch when invoked on a DSfW server.
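The steps above combined into one preflight-and-export helper. This is an added example, not part of the original TID: the paths and SASL methods are the ones given in the article, while the function names, the klist -s ticket check and the umask 077 on the output file are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the TID): preflight checks, then an export.
# Paths and SASL methods are the article's; function names are hypothetical.
DSFW_LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
DSFW_SASL_PATH=/opt/novell/xad/lib64/sasl2
# Full path avoids picking up /opt/novell/eDirectory/bin/ldapsearch from PATH.
DSFW_LDAPSEARCH=/usr/bin/ldapsearch

# Print the VAR=value that must be exported for a SASL method.
dsfw_required_env() {
    case "$1" in
        EXTERNAL)          echo "LDAPCONF=$DSFW_LDAPCONF" ;;
        GSS-SPNEGO|GSSAPI) echo "SASL_PATH=$DSFW_SASL_PATH" ;;
        *) echo "unknown method: $1" >&2; return 2 ;;
    esac
}

# Return 0 when the shell is ready for the method; otherwise list what is missing.
dsfw_preflight() {
    req=$(dsfw_required_env "$1") || return 2
    case "$req" in
        LDAPCONF=*)  have=${LDAPCONF:-} ;;
        SASL_PATH=*) have=${SASL_PATH:-} ;;
    esac
    rc=0
    if [ "$have" != "${req#*=}" ]; then
        echo "missing: export $req"; rc=1
    fi
    if [ "$1" != EXTERNAL ]; then
        # Assumption: klist -s exits non-zero when no valid ticket is cached.
        if ! klist -s 2>/dev/null; then
            echo "missing: kinit administrator"; rc=1
        fi
    fi
    return $rc
}

# usage: dsfw_export METHOD BASE_DN OUTFILE
# umask 077 makes a newly created OUTFILE readable by its owner only.
dsfw_export() {
    dsfw_preflight "$1" || return 1
    ( umask 077; "$DSFW_LDAPSEARCH" -Y "$1" -LLL -Q -b "$2" > "$3" )
}
```

Because the export returns attributes not seen in iManager or other tools, write object.txt to a directory only the administrator can read and remove it when it is no longer needed.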