I was in the middle of writing a post for this blog (on AD recovery and the new database mount tool, if you’re interested) the other day when I needed to make some quick changes to a reanimated tombstone using LDIFDE. I couldn’t remember the correct syntax, as it had been ages since I last used MODRDN in LDIFDE, so I decided to search for what I needed. Well, when several minutes of frantic Googling didn’t yield an answer I had to really start messing around (with LDIFDE as well as more searching). Eventually I achieved what I needed to achieve, but it took me a lot longer than it should have! While searching I realised that the LDIFDE documentation doesn’t really go into LDIF, and there’s very little information on the Microsoft web site about LDIF. In fact, almost all LDIF information out there seems to be found in the RFCs or on the non-MS directory server documentation sites and forums. Because there’s so little information on the subject of moving and/or renaming objects using LDIF in Active Directory, I thought I’d better get some information about this “out there”, as it were...
In this post I’ll quickly illustrate how to perform a rename and a move LDAP operation in LDIF, using LDIFDE. I’ll write up another post on all of the LDAP operations using LDIFDE in the future.
Moving an object
To move an object you use the MODRDN change type. The MODRDN change type expects either two or three parameters, depending on whether you’re renaming or moving. In the case of a move operation these are NEWRDN, DELETEOLDRDN and NEWSUPERIOR. The NEWRDN value is the same as the current RDN, unless you wish to rename the object as well as move it. The DELETEOLDRDN value is set to 1 (for true), because AD doesn’t support multi-valued RDNs, so the old RDN value cannot be kept alongside the new one. The NEWSUPERIOR value is the distinguished name of the parent container that you wish to move the object into.
The following simple example LDIF file will move the (recently re-animated) user object “CN=Charlie Parker” from the “OU=Recovered Objects, DC=corp, DC=contoso, DC=com” organisational unit to the “OU=Standard Workers, OU=Organisational People, DC=corp, DC=contoso, DC=com” organisational unit.
Here's the file contents:
# move-ex.ldf
# example LDIF file that illustrates how to use the NEWRDN and NEWSUPERIOR
# LDIF commands to move an object (essentially change the DN)
#
dn: CN=Charlie Parker,OU=Recovered Objects,DC=corp,DC=contoso,DC=com
changeType: modrdn
newrdn: CN=Charlie Parker
deleteOldRdn: 1
newSuperior: OU=Standard Workers,OU=Organisational People,DC=corp,DC=contoso,DC=com
To use the above LDIF file copy the contents into a text file (be careful of any line wraps) and save it with an appropriate name. For the purpose of this example I’ll stick with the above name of “move-ex.ldf”. Then import the file using the import (-i) and file (-f) LDIFDE switches, like so:
ldifde -i -f move-ex.ldf
Here’s the LDIFDE output of running the above command with the listed LDIF file.
d:\scratch\ldif>ldifde -i -f move-ex.ldf
Connecting to "x86k8rwdc01.corp.contoso.com"
Logging in as current user using SSPI
Importing directory from file "move-ex.ldf"
Loading entries..
1 entry modified successfully.

The command has completed successfully
Renaming an object
Renaming an object is practically the same as moving an object, but you don’t require the NEWSUPERIOR parameter. You simply use the MODRDN change type with the NEWRDN and DELETEOLDRDN parameters.
In this example I’ll rename “CN=Charlie Parker” to “CN=Parker, Charlie”. We’ll do this by providing “CN=Parker\, Charlie” as the NEWRDN value. We’ll use the value of 1 (true) for DELETEOLDRDN essentially making this a replace operation (the only option in AD, but not so in OpenLDAP for example).
Note: we need to use the LDAP escape character (backslash) to escape the comma, because the comma is the delimiter between the components of a DN in LDAP. Without the backslash, “CN=Parker, Charlie” would be parsed as two RDNs rather than one.
Here are the contents of the file.
# rename-ex.ldf
# example LDIF file that illustrates how to use the NEWRDN LDIF command
# to rename an object (modify the RDN attribute)
#
dn: CN=Charlie Parker,OU=Standard Workers,OU=Organisational People,DC=corp,DC=contoso,DC=com
changeType: modrdn
newrdn: CN=Parker\, Charlie
deleteOldRdn: 1
To use the above LDIF file copy the contents into a text file (be careful of any line wraps) and save it with an appropriate name. For the purpose of this example I’ll stick with the above name of “rename-ex.ldf”. Import the file using the import (-i) and file (-f) LDIFDE switches, like so:
ldifde -i -f rename-ex.ldf
Here’s the LDIFDE output of running the above command with the listed LDIF file.
d:\scratch\ldif>ldifde -i -f rename-ex.ldf
Connecting to "x86k8rwdc01.corp.contoso.com"
Logging in as current user using SSPI
Importing directory from file "rename-ex.ldf"
Loading entries..
1 entry modified successfully.

The command has completed successfully
The output is exactly the same because both operations were a single modification of a single entry (“entry” being the correct term for an instantiated object in LDAP speak).
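The two LDIF files above were written by hand, which is fine for one object, but the escaping rule from the rename section is easy to get wrong when a value contains a comma, a plus sign or a leading space. The script below is an added example and is not code from the original post or from LDIFDE: it builds the same move and rename records from the post's sample DNs, escapes RDN values per RFC 4514 section 2.4, parses a record back (comments, folded lines and any capitalisation of the attribute names, all of which LDIFDE accepts), and reports the two mistakes that would make an import fail or do nothing: a deleteoldrdn of 0 (the post notes that 1 is the only option in AD) and a move whose newsuperior is the object's current parent. The function and class names are my own.

```python
# Added example (not from the original post or from LDIFDE): build, parse and
# sanity-check the LDIF modrdn records used to move and rename AD objects.
# DNs are the post's sample values; value escaping follows RFC 4514 section 2.4.
from dataclasses import dataclass
from typing import List, Optional

# Characters needing a backslash in an RDN value; a leading '#' or space and a
# trailing space are escaped too.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value so it can be embedded in an RDN."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def split_dn(dn: str) -> List[str]:
    """Split a DN into RDN strings without breaking on escaped commas."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).lstrip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).lstrip())
    return rdns


@dataclass
class ModRdn:
    dn: str                             # DN of the entry as it exists now
    new_rdn: str                        # already escaped, e.g. CN=Parker\, Charlie
    delete_old_rdn: int = 1             # AD keeps single-valued RDNs only, so 1
    new_superior: Optional[str] = None  # parent DN for a move; None for a rename

    def to_ldif(self) -> str:
        lines = [f"dn: {self.dn}", "changetype: modrdn",
                 f"newrdn: {self.new_rdn}", f"deleteoldrdn: {self.delete_old_rdn}"]
        if self.new_superior is not None:
            lines.append(f"newsuperior: {self.new_superior}")
        return "\n".join(lines) + "\n"


def rename(dn: str, new_value: str) -> ModRdn:
    """Rename in place: keep the RDN attribute type, escape the new value."""
    attr = split_dn(dn)[0].split("=", 1)[0]
    return ModRdn(dn=dn, new_rdn=f"{attr}={escape_rdn_value(new_value)}")


def move(dn: str, new_parent: str) -> ModRdn:
    """Move under a new parent, keeping the current RDN unchanged."""
    return ModRdn(dn=dn, new_rdn=split_dn(dn)[0], new_superior=new_parent)


def parse_modrdn(text: str) -> ModRdn:
    """Parse one modrdn record: comments, folded lines, any attribute-name case."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and logical:  # folded continuation line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    fields = {}
    for line in logical:
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    if fields.get("changetype", "").lower() != "modrdn":
        raise ValueError("not a modrdn record")
    return ModRdn(dn=fields["dn"], new_rdn=fields["newrdn"],
                  delete_old_rdn=int(fields["deleteoldrdn"]),
                  new_superior=fields.get("newsuperior"))


def problems_for_ad(rec: ModRdn) -> List[str]:
    """Reasons AD would reject this record, or it would change nothing."""
    issues = []
    if rec.delete_old_rdn != 1:
        issues.append("deleteoldrdn must be 1: AD does not keep multi-valued RDNs")
    # a rename keeps the parent; a move to the current parent with the same RDN is a no-op
    same_parent = rec.new_superior is None or split_dn(rec.new_superior) == split_dn(rec.dn)[1:]
    if same_parent and rec.new_rdn == split_dn(rec.dn)[0]:
        issues.append("record changes nothing (same RDN, same parent)")
    return issues
```

Calling `move(old_dn, new_ou).to_ldif()` and `rename(dn, "Parker, Charlie").to_ldif()` reproduces the move-ex.ldf and rename-ex.ldf records from this post (with lower-case attribute names, which LDIFDE accepts just as it accepts changeType). Running `problems_for_ad` over a parsed file before importing it is a cheap way to catch a bad deleteoldrdn or a pointless move without a round trip to the domain controller.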
Hope this helps. If nothing else, I’ll refer to this in the future!