I inherited a situation where the DEV environment was not kept up to
date with prod, and so now I am having to create a DEV environment that
matches prod. Some of you that have seen my recent posts will be
aware of this. I am hoping that these posts will help others that come
behind us as well.

I am now working on the best way to get a copy of my prod OU tree
structure alone (no CNs or groups etc.) and import that information
into prod. Using the ICE utility in iManager I continuously received SSL
LDAP bind errors; I saw a TID from NetIQ stating it was a bug in
iManager 2.7, which is what I am using. So I am now using LDAPADD, which
seems to work if I remove a few lines from the LDIF entry, which I will
explain below.

QUESTION: I am going to explain below what I had to remove from the LDIF
entry in order for the import using the ldapadd command to work. Can
someone tell me what the importance is of the attributes I removed and
what problems, if any, it will cause?

I ran the command below to import this LDIF file:
#ldapadd -xWvD cn=<user>,o=<treename> -e /tmp/<certfile>.der -f /tmp/test.ldif

version: 1
dn: ou=RED,o=BLUE
objectClass: srvprvEntityAux
objectClass: Partition
objectClass: ndsContainerLoginProperties
objectClass: ndsLoginProperties
objectClass: Top
objectClass: organizationalUnit
ou: RED
ACL: 2#entry#ou=RED,o=BLUE#loginScript
ACL: 2#entry#ou=RED,o=BLUE#printJobConfiguration
ACL: 3#entry#ou=RED,o=BLUE#appLauncherConfig
ACL: 2#entry#[Public]#sssActiveServerList
ACL: 16#subtree#cn=BACKUP,ou=BKUP,ou=RED,o=BLUE#[Entry Rights]
ACL: 3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#groupMembership
ACL: 3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[All Attributes Rights]
ACL: 1#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[Entry Rights]
appLauncherConfig::
 QU9UIEZJTEUUAAAAAQAAABQAAAAAAAAABAAEABQAAAACAAAAFAAAAAAAA
 AAAAAAAACAAAAAcAAAAQAAAAAwAAAAgAAAAGAAAAEAAAACAcAAAIAAAABQAAABAAAAAAAAAA
Convergence: 0
detectIntruder: TRUE
intruderAttemptResetInterval: 1200
intruderLockoutResetInterval: 600
lockoutAfterDetection: TRUE
loginIntruderLimit: 7
lowConvergenceSyncInterval: 132
srvprvUUID: 39678e70e9804cd9bc048012d7f21fec
sssActiveServerList::
 iUS/RTgAAABNAEMARwBfAFMAVQBQAFAATwBSAFQALgBTAFUAUABQAE
 8AUgBUAC4AUwBWAFMALgBAAA=
sssActiveServerList::
 Xan4SSAAAABEADIALgBMAEQAQQBQAC4AUwBWAFMALgBNAEMARwAAAC
 oAAABTAGUAYwByAGUAdABTAHQA


----------------------THE RESULTS OF THAT COMMAND
add objectClass:
srvprvEntityAux
Partition
ndsContainerLoginProperties
ndsLoginProperties
Top
organizationalUnit
add ou:
RED
add ACL:
2#entry#ou=RED,o=BLUE#loginScript
2#entry#ou=RED,o=BLUE#printJobConfiguration
3#entry#ou=RED,o=BLUE#appLauncherConfig
2#entry#[Public]#sssActiveServerList
16#subtree#cn=BADMIN,ou=BKUP,ou=RED,o=BLUE#[Entry Rights]
3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#groupMembership
3#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[All Attributes Rights]
1#subtree#cn=MIN_G,ou=WEB,ou=LDAP,ou=RED,o=BLUE#[Entry Rights]
add appLauncherConfig:
AOT FILE
add Convergence:
0
add detectIntruder:
TRUE
add intruderAttemptResetInterval:
1200
add intruderLockoutResetInterval:
600
add lockoutAfterDetection:
TRUE
add loginIntruderLimit:
7
add lowConvergenceSyncInterval:
132
add srvprvUUID:
39678e70e9804cd9bc048012d7f21fec
add sssActiveServerList:
NOT ASCII (616 bytes)
NOT ASCII (592 bytes)
adding new entry "ou=RED,o=BLUE"
ldap_add: No such object
additional info: NDS error: no such entry (-601)
ldif_record() = 32



--------------- That failed, and so I then created another LDIF file that
just contained the following, and the ou=RED,o=BLUE was successfully
created.
dn: ou=RED,o=BLUE
objectClass: srvprvEntityAux
objectClass: Partition
objectClass: ndsContainerLoginProperties
objectClass: ndsLoginProperties
objectClass: Top
objectClass: organizationalUnit
ou: RED
Convergence: 0
detectIntruder: TRUE
intruderAttemptResetInterval: 1200
intruderLockoutResetInterval: 600
lockoutAfterDetection: TRUE
loginIntruderLimit: 7
lowConvergenceSyncInterval: 132


So effectively I removed the ACLs and the srvprvUUID: and
sssActiveServerList: lines from my LDIF file in order to get that ldapadd
command to create the OU. What will happen with those values not
being on the OU in my DEV environment, or will it even matter since it is
a new tree, or will they get re-created etc.? Thank you


--
wferguson
------------------------------------------------------------------------
wferguson's Profile: https://forums.netiq.com/member.php?userid=360
View this thread: https://forums.netiq.com/showthread.php?t=54382
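The stripping step described in the post, as an added example that is not the poster's or NetIQ's code: a small Python filter that unfolds LDIF continuation lines, understands the `::` base64 form, and drops the attributes tied to the source tree (the ACL values name trustee DNs such as cn=BACKUP,ou=BKUP,ou=RED,o=BLUE that do not exist yet in a fresh tree, which fits the -601 "no such entry" seen on the add). The sample LDIF below is constructed, modelled on the post's export with shortened base64 values, and the set of attributes to drop is an assumption taken from what the post removed by hand.

```python
# Attributes specific to the source tree or naming trustees that do not yet
# exist in the new tree (assumed list, taken from what the post removed).
STRIP_ATTRS = {"acl", "srvprvuuid", "sssactiveserverlist", "applauncherconfig"}

# Constructed sample modelled on the post's export (base64 values shortened).
SAMPLE_LDIF = """\
version: 1
dn: ou=RED,o=BLUE
objectClass: organizationalUnit
objectClass: ndsLoginProperties
ou: RED
ACL: 2#entry#[Public]#sssActiveServerList
ACL: 16#subtree#cn=BACKUP,ou=BKUP,ou=RED,o=BLUE#[Entry Rights]
appLauncherConfig:: QU9UIEZJTEU=
loginIntruderLimit: 7
srvprvUUID: 39678e70e9804cd9bc048012d7f21fec
sssActiveServerList:: Y29uc3Ry
 dWN0ZWQ=
"""

def parse_ldif(text):  # -> [(dn, [(attr, value, is_base64), ...]), ...]
    logical = text.replace("\n ", "").splitlines()  # unfold continuation lines
    records, entry = [], None
    for line in logical + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if entry is not None:
                records.append(entry)
            entry = None
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        is_b64 = value.startswith(":")  # "attr:: <base64>" form
        value = (value[1:] if is_b64 else value).strip()
        if attr.lower() == "dn":
            entry = (value, [])
        elif entry is not None:
            entry[1].append((attr, value, is_b64))
    return records

def strip_for_new_tree(records, drop=STRIP_ATTRS):
    # Drop tree-specific attributes; everything else is kept verbatim.
    return [(dn, [a for a in attrs if a[0].lower() not in drop])
            for dn, attrs in records]

def to_ldif(records):
    # Serialise back to LDIF, one blank line between entries.
    lines = []
    for dn, attrs in records:
        lines += [f"dn: {dn}"] + [f"{a}{'::' if b else ':'} {v}" for a, v, b in attrs]
        lines.append("")
    return "\n".join(lines)
```

Running `to_ldif(strip_for_new_tree(parse_ldif(SAMPLE_LDIF)))` yields an entry with only the objectClass, ou and login-policy attributes, which is the shape of the second file in the post.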