Using Ldifde

The Ldifde command allows you to import and export accounts using Lightweight Directory Access Protocol (LDAP) file formats. It is explained in the Windows Help And Support Center (search for "Ldifde"). Figure 4-3 shows the primary switches for Ldifde, as displayed by typing ldifde /? at the command prompt.

[Figure 4-3 is a screenshot of a Command Prompt window showing the output of ldifde /?. The switches and descriptions it lists are the ones summarized in Table 4-4 below.]

Figure 4-3 Ldifde command-line help file

The two most important switches for the Ldifde command are:

■ -i Turn on Import mode. (The default is Export.)

■ -f FileName The input or output file name.

For example, the following command will import objects from the file named Groups.ldf:

ldifde.exe -i -f groups.ldf

Table 4-4 details the primary Ldifde commands.

Table 4-4 Ldifde Commands (Primary)

Command                        Usage

General parameters
-i                             Turn on Import mode (The default is Export)
-f filename                    Input or Output filename
-s servername                  The server to bind to
-c FromDN ToDN                 Replace occurrences of FromDN to ToDN
-v                             Turn on Verbose mode
-j path                        Log File Location
-t port                        Port Number (default = 389)

Export specific parameters
-d RootDN                      The root of the LDAP search (Default to Naming Context)
-r Filter                      LDAP search filter (Default to "(objectClass=*)")
-p SearchScope                 Search Scope (Base/OneLevel/Subtree)
-l list                        List of attributes (comma-separated) to look for in an LDAP search
-o list                        List of attributes (comma-separated) to omit from input
-g                             Disable paged search
-m                             Enable the Security Accounts Manager (SAM) logic on export
-n                             Do not export binary values

Import specific parameters
-k                             The import will ignore "Constraint Violation" and "Object Already Exists" errors

Credentials parameters
-a UserDN Password             Sets the command to run using the supplied user distinguished name and password; for example: "cn=administrator,dc=contoso,dc=com password"
-b UserName Domain Password    Sets the command to run as username domain password; the default is to run using the credentials of the currently logged-on user

Note The Ldifde utility is included in Windows Server 2003, and you can copy it to a computer running Windows 2000 Professional or Windows XP. From there it can bind to and work against Windows Server 2003 Active Directory remotely.

The format of the file used by Ldifde is not quite as intuitive as the CSV file format. Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) is a draft Internet standard for a file format used to perform batch operations against directories that conform to LDAP standards. You can use LDIF to both import and export data, allowing batch operations such as add, create, delete, and modify to be performed against Active Directory. The Ldifde command-line utility included in Windows Server 2003 supports batch operations based on the LDIF file format standard. Therefore, the LDIF file format is to Ldifde what the CSV file format is to Csvde.

The LDIF file format consists of attribute names followed by a colon and the value of the attribute. As an example, suppose that you wanted to use Ldifde to create two global groups named Marketing and Finance in the Users container of the domain. The contents of the LDIF file would look similar to the following example:

DN: CN=Marketing,CN=Users,DC=Contoso,DC=Com
changeType: add
CN: Marketing
description: Marketing Users
objectClass: group
sAMAccountName: Marketing

DN: CN=Finance,CN=Users,DC=Contoso,DC=Com
changeType: add
CN: Finance
description: Finance Users
objectClass: group
sAMAccountName: Finance

Although doing so is not strictly required, you would usually save this text file with a .ldf extension—for example, Groups.ldf. The changeType entry is not an attribute name. Instead, its value specifies the type of operation that needs to occur. The three valid changeType values are add, modify, and delete. As the names suggest, add will import new content into the directory, modify will change the configuration of existing content, and delete will remove the specified content.

To import the contents of the LDIF file shown above, the command would be:

ldifde.exe -i -f groups.ldf

After this command is issued, two new global groups named Marketing and Finance would be added to the Users container of the domain. To add two members to a group using Ldifde, the LDIF file would be:

dn: CN=Finance,CN=Users,DC=Contoso,DC=Com
changetype: modify
add: member
member: CN=Dan Holme,OU=employees,dc=contoso,dc=com
member: CN=Scott Bishop,OU=employees,dc=contoso,dc=com
-

The changetype is set to modify and then the change operation is specified: add objects to the member attribute. Each new member is then listed on a separate line that begins with the attribute name, member. The change operation is terminated with a line containing a single dash. Changing the third line to the following would remove the two specified members from the group:

delete: member
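To make the record structure described above concrete, here is an added example that is not from the book and is not part of the Ldifde tool: a small Python parser for the kind of LDIF records shown (changetype add, and changetype modify with add:/delete: member operations ended by a single dash), plus a review step that reports what an import would do before the file is handed to ldifde -i. The helper names (parse_ldif, describe, check_records), the naming_context parameter and the sample files are this example's own constructions; the DNs are the book's Contoso examples.

```python
"""Parse and review LDIF change records before handing them to ldifde (added example)."""
import base64
from typing import Dict, List

# Constructed sample file: the book's two records (a group add and a member
# modify) joined into one LDIF file, with the "-" that ends the change operation.
SAMPLE_LDIF = """\
dn: CN=Marketing,CN=Users,DC=Contoso,DC=Com
changetype: add
cn: Marketing
description: Marketing Users
objectClass: group
sAMAccountName: Marketing

dn: CN=Finance,CN=Users,DC=Contoso,DC=Com
changetype: modify
add: member
member: CN=Dan Holme,OU=employees,dc=contoso,dc=com
member: CN=Scott Bishop,OU=employees,dc=contoso,dc=com
-
"""

# Constructed variant: the same modify record with "delete: member", which the
# text says removes the listed member instead of adding it.
REMOVAL_LDIF = """\
dn: CN=Finance,CN=Users,DC=Contoso,DC=Com
changetype: modify
delete: member
member: CN=Dan Holme,OU=employees,dc=contoso,dc=com
-
"""

VALID_CHANGETYPES = {"add", "modify", "delete"}
MODIFY_OPS = {"add", "delete", "replace"}


def _split(line: str):
    """Split 'name: value' (or 'name:: base64value') into a lowercased name and a value."""
    name, sep, value = line.partition(":")
    if not sep:
        raise ValueError(f"malformed LDIF line: {line!r}")
    value = value.strip()
    if value.startswith(":"):  # "name::" marks a base64-encoded value
        value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
    return name.strip().lower(), value


def _parse_record(lines: List[str]) -> Dict:
    name, dn = _split(lines[0])
    if name != "dn":
        raise ValueError(f"record must start with dn:, got {lines[0]!r}")
    rec = {"dn": dn, "changetype": "add", "attrs": {}, "ops": []}
    body = lines[1:]
    if body and _split(body[0])[0] == "changetype":  # absent changetype means add
        rec["changetype"] = _split(body[0])[1].lower()
        body = body[1:]
    if rec["changetype"] not in VALID_CHANGETYPES:
        raise ValueError(f"{dn}: unknown changetype {rec['changetype']!r}")
    if rec["changetype"] != "modify":
        for line in body:  # plain "attribute: value" lines
            name, value = _split(line)
            rec["attrs"].setdefault(name, []).append(value)
        return rec
    op = None
    for line in body:
        if line == "-":  # a single dash ends one change operation
            op = None
            continue
        name, value = _split(line)
        if op is None:  # first line of an operation: "add|delete|replace: attribute"
            if name not in MODIFY_OPS:
                raise ValueError(f"{dn}: expected add/delete/replace, got {name!r}")
            op = {"op": name, "attr": value.lower(), "values": []}
            rec["ops"].append(op)
        elif name != op["attr"]:
            raise ValueError(f"{dn}: value line {name!r} does not match operation on {op['attr']!r}")
        else:
            op["values"].append(value)
    return rec


def parse_ldif(text: str) -> List[Dict]:
    """Return one dict per blank-line-separated LDIF record."""
    records, current = [], []
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if line.strip() == "":
            if current:
                records.append(_parse_record(current))
                current = []
        elif line.startswith("#"):
            continue  # LDIF comment
        elif line.startswith(" ") and current:
            current[-1] += line[1:]  # folded continuation line
        else:
            current.append(line.rstrip())
    return records


def describe(records: List[Dict]) -> List[str]:
    """One line per record stating what the import would do."""
    out = []
    for r in records:
        if r["changetype"] == "modify":
            ops = ", ".join(f"{o['op']} {o['attr']} ({len(o['values'])} values)" for o in r["ops"])
            out.append(f"modify {r['dn']}: {ops}")
        else:
            out.append(f"{r['changetype']} {r['dn']} ({len(r['attrs'])} attributes)")
    return out


def check_records(records: List[Dict], naming_context: str = "DC=Contoso,DC=Com") -> List[str]:
    """Warnings to read before importing: objects outside the expected naming
    context, object deletions, and operations that remove group members."""
    findings = []
    ctx = naming_context.lower()
    for r in records:
        dn = r["dn"]
        if not dn.lower().endswith(ctx):
            findings.append(f"{dn}: outside naming context {naming_context}")
        if r["changetype"] == "delete":
            findings.append(f"{dn}: record deletes the object")
        for o in r["ops"]:
            if o["attr"] == "member" and o["op"] in ("delete", "replace"):
                n = len(o["values"]) or "all"
                findings.append(f"{dn}: '{o['op']}: member' removes {n} membership value(s)")
    return findings


if __name__ == "__main__":
    for line in describe(parse_ldif(SAMPLE_LDIF)):
        print(line)
    for warning in check_records(parse_ldif(REMOVAL_LDIF)):
        print("WARNING:", warning)
```

Run as a script, it lists the add of CN=Marketing and the member add on CN=Finance, and then warns that the REMOVAL_LDIF variant would strip a membership value from the Finance group. The check is deliberately conservative: a bulk import runs with the caller's Active Directory rights, so anything that deletes objects or removes members deserves a second look before the -i switch is used.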
