DSfW: How to export an object

  • 7012461
  • 22-May-2013
  • 22-May-2013


Novell Open Enterprise Server 11.1 (OES 11SP1)
Domain Services for Windows


How to export an object on a DSfW server
How to export a user on a DSfW server
How to export a group on a DSfW server


Use ldapsearch to export a user on a DSfW server with either the EXTERNAL, GSS-SPNEGO, or GSSAPI method.
This will return attributes not seen in iManager or other tools.
This ldapsearch is specific to DSfW servers.

To use any of these methods, first export LDAPCONF or SASL_PATH, depending on the method.
The EXTERNAL method uses LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf.
The GSS-SPNEGO and GSSAPI methods use SASL_PATH=/opt/novell/xad/lib64/sasl2.
The GSS-SPNEGO and GSSAPI methods also need a Kerberos ticket for administrator (kinit administrator).

Depending on the method to be used, first export the appropriate path.

Export the LDAP conf file for the EXTERNAL method to path:

  • export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
  • An EXTERNAL method search will start with ldapsearch -Y EXTERNAL

Export SASL_PATH for the GSS-SPNEGO and GSSAPI methods to path:

  • kinit administrator@<your_domain.com>   e.g. kinit administrator@novell.com
  • export SASL_PATH=/opt/novell/xad/lib64/sasl2
  • Using the GSS-SPNEGO method will use ldapsearch -Y GSS-SPNEGO
  • Using the GSSAPI method will use ldapsearch -Y GSSAPI

To export an object using the EXTERNAL method (the easiest way to export an object), do the following:

export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf
/usr/bin/ldapsearch -Y EXTERNAL -LLL -Q -b "cn=object,ou=container,dc=domain,dc=lan" > object.txt

To send the output to the display instead of exporting the object to a file called object.txt, remove the > object.txt:
/usr/bin/ldapsearch -Y EXTERNAL -LLL -Q -b "cn=object,ou=container,dc=domain,dc=lan"

To export an object using the GSS-SPNEGO or GSSAPI method, do the following:

kinit administrator
export SASL_PATH=/opt/novell/xad/lib64/sasl2
/usr/bin/ldapsearch -Y GSS-SPNEGO -LLL -Q -b "cn=object,ou=container,dc=domain,dc=lan" > object.txt
/usr/bin/ldapsearch -Y GSSAPI -LLL -Q -b "cn=object,ou=container,dc=domain,dc=lan" > object.txt

If the context of the object is uncertain but its name (cn) is known, do the following search(es). Note that a search by cn alone is not limited to one container, so the output file may contain more than one entry.

/usr/bin/ldapsearch -Y EXTERNAL -LLL -Q cn=object > object.txt
/usr/bin/ldapsearch -Y GSS-SPNEGO -LLL -Q cn=object > object.txt
/usr/bin/ldapsearch -Y GSSAPI -LLL -Q cn=object > object.txt

See TID 7003070 for more info on using ldapsearch on a DSfW server.
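As an added example (not from the TID and not Novell's code), the export procedure above wrapped in one POSIX shell function, plus two helpers that sanity-check the exported LDIF (entry count and DNs, with folded lines re-joined). It assumes the paths named in the TID, an MIT Kerberos klist for the ticket check, and a constructed sample export so the helpers can run offline.

```shell
# Added example, not from the TID. Assumes /usr/bin/ldapsearch, the
# LDAPCONF/SASL_PATH values from the TID, and an MIT Kerberos klist.
# Count LDIF entries: each starts with "dn:" ("dn::" if base64-encoded);
# folded continuation lines start with a space and are not counted.
ldif_entry_count() {
    grep -c '^dn::\{0,1\} ' "$1" || true
}
# Print one DN per line, re-joining folded lines (base64 DNs are skipped).
ldif_dns() {
    awk '
        /^ /    { if (indn) buf = buf substr($0, 2); next }
                { if (indn) { print buf; indn = 0 } }
        /^dn: / { buf = substr($0, 5); indn = 1 }
        END     { if (indn) print buf }
    ' "$1"
}
# dsfw_export METHOD TARGET [OUTFILE]: METHOD is EXTERNAL, GSS-SPNEGO or
# GSSAPI; TARGET is a full DN (searched with -b) or a cn (used as filter).
dsfw_export() {
    method=$1; target=$2; out=${3:-object.txt}
    case $method in
        EXTERNAL)   export LDAPCONF=/etc/opt/novell/xad/openldap/ldap.conf ;;
        GSS-SPNEGO|GSSAPI)
            export SASL_PATH=/opt/novell/xad/lib64/sasl2
            # klist -s exits non-zero when no valid ticket is cached
            klist -s || { echo "no ticket: run kinit administrator" >&2; return 1; } ;;
        *)  echo "unknown method: $method" >&2; return 2 ;;
    esac
    case $target in
        *=*,*=*) set -- -b "$target" ;;   # full DN, as in the TID
        cn=*)    set -- "($target)" ;;    # filter as written in the TID
        *)       set -- "(cn=$target)" ;; # bare name
    esac
    # Full path on purpose: not the eDirectory ldapsearch on a DSfW server
    /usr/bin/ldapsearch -Y "$method" -LLL -Q "$@" > "$out" || return 1
    n=$(ldif_entry_count "$out")
    [ "$n" -eq 1 ] || echo "warning: $n entries written to $out" >&2
}
# Constructed sample export (not real DSfW output) to exercise the helpers
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
dn: cn=jdoe,ou=users,dc=example,
 dc=lan
cn: jdoe

dn: cn=Domain Admins,cn=users,dc=example,dc=lan
cn: Domain Admins
EOF
ldif_dns "$SAMPLE"
```

On the DSfW server, call it as dsfw_export EXTERNAL "cn=object,ou=container,dc=domain,dc=lan" or, when only the name is known, dsfw_export GSS-SPNEGO object.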

Additional Information

Once LDAPCONF or SASL_PATH has been exported, it does not need to be exported again in the same terminal unless it is unset. To check whether they are set, do:
echo $LDAPCONF
Should return - /etc/opt/novell/xad/openldap/ldap.conf
echo $SASL_PATH
Should return - /opt/novell/xad/lib64/sasl2
The Kerberos ticket only needs to be issued once every 24 hours unless a kdestroy has been issued.

Use /usr/bin/ldapsearch instead of /opt/novell/eDirectory/bin/ldapsearch.
To see which ldapsearch is called when the full path to ldapsearch is not specified, use the which command:
which ldapsearch
If /usr/bin/ldapsearch is returned, the full path to ldapsearch is not needed. If the eDirectory version of ldapsearch is returned, use the complete path to ldapsearch when invoking it on a DSfW server.