Hello list. We are using a Perl script, based on Net::LDAP, to sync our AD server with our OpenLDAP directory. My colleagues told me we couldn't create the entries directly in AD, as those entries require additional processing, so we're generating LDIF instead, which is imported into some Microsoft tool later.

My problem is that the dn for any user contains its group, so its group must exist before the user entry is created. But AD also refuses to add a non-existent user dn to a group entry, so the user entry must exist before it can get added to its group entry. Which means the correct entry creation sequence is:

- create empty group
- create user
- add user to group

However, I couldn't find a way in the current Net::LDAP API to write a Net::LDAP::Entry once for creation, and thereafter only for subsequent modifications in the LDIF output. The following code:

    use Net::LDAP::Entry;
    use Net::LDAP::LDIF;

    my $ldif = Net::LDAP::LDIF->new('-', 'w', change => 1);
    my $group = Net::LDAP::Entry->new();
    $group->dn('cn=group');
    $ldif->write_entry($group);
    $group->add('member' => 'cn=user');
    $ldif->write_entry($group);

results in:

    dn: cn=group
    changetype: add

    dn: cn=group
    changetype: add
    member: cn=user

Whereas I'd want something like:

    dn: cn=group
    changetype: add

    dn: cn=group
    changetype: modify
    replace: member
    member: cn=user

The only idea I have currently is to fake an LDAP server using a mock Net::LDAP object I could use so as to insert $group->update($dummy_server) between the two calls to $ldif->write_entry(). Any other suggestion?

-- 
Guillaume Rousse
Moyens Informatiques - INRIA Futurs
Tel: 01 69 35 69 62
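The three-step sequence described above (create the group, create the user, then add the member) can be produced without a mock server, because Net::LDAP::Entry tracks changes once its changetype is switched from 'add' to 'modify'. The following is an added example, not code from the original post: the DNs, object classes and the `sAMAccountName` value are constructed sample data, and the script assumes only what the Net::LDAP::Entry and Net::LDAP::LDIF modules provide.

```perl
#!/usr/bin/perl
# Added example (not from the original post): emit one LDIF "add" record
# for a group, one for a user, and then a separate "modify" record that
# appends the user to the group once both entries exist.
use strict;
use warnings;
use Net::LDAP::Entry;
use Net::LDAP::LDIF;

# Constructed sample DNs following the post's premise that the user DN
# sits below its group; real AD DNs carry the full OU/DC path.
my $group_dn = 'cn=group,ou=groups,dc=example,dc=com';
my $user_dn  = 'cn=user,cn=group,ou=groups,dc=example,dc=com';

# change => 1 makes write_entry emit change records (changetype: ...)
# instead of plain entries. '-' writes to STDOUT.
my $ldif = Net::LDAP::LDIF->new('-', 'w', change => 1);

# 1. Create the (empty) group. A freshly built Entry has changetype 'add',
#    so add() here only populates attributes and nothing is recorded as a
#    change.
my $group = Net::LDAP::Entry->new();
$group->dn($group_dn);
$group->add(objectClass => [qw(top group)]);
$ldif->write_entry($group);

# 2. Create the user. Attribute values are constructed sample data.
my $user = Net::LDAP::Entry->new();
$user->dn($user_dn);
$user->add(
    objectClass    => [qw(top person organizationalPerson user)],
    sAMAccountName => 'user',
);
$ldif->write_entry($user);

# 3. Switch the group entry to changetype 'modify'. From now on add()
#    is recorded as a change, so the next write_entry emits only the
#    delta (an "add: member" operation) rather than repeating the whole
#    entry under a second "changetype: add".
$group->changetype('modify');
$group->add(member => $user_dn);
$ldif->write_entry($group);

$ldif->done;
```

The third record comes out as `changetype: modify` followed by an `add: member` operation rather than the `replace: member` shown in the post. That is deliberate: `replace` overwrites the whole attribute, so if the group already had members in AD when the LDIF is imported they would be silently dropped, whereas `add` only appends the new member and fails loudly if the value is already present.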