LDAP Directory Synchronizer
Online Documentation
Overview
The Digital LDAP Directory Synchronizer Utility (LDSU) is a software tool that
provides directory data exchange between an LDAP directory and virtually
any other directory or database. LDSU can provide a necessary component of
an enterprise-wide Meta-Directory service by providing a method to
synchronize all directories. LDSU enables the automated and bi-directional
exchange of electronic directory information in a multi-vendor environment.
LDSU works with any directory that supports the LDAP protocol (RFC 1777).
An enterprise directory synchronization solution is usually made up
of a series of individual LDSU runs called "instances".
Each LDSU instance either transfers data in or out of an LDAP directory.
A transfer in, or import, operation loads data from a
Foreign Directory Text File into the LDAP directory. A transfer out,
or export, operation extracts data from the LDAP directory
and places it into a Foreign Directory Text File.
LDSU Components
Each LDSU instance is made up of the following components:
- The Layout File contains a table of attributes in the LDAP
directory used by LDSU. Each LDSU instance that uses the same type of LDAP
directory may use the same Layout File (i.e. have one Layout File for each
LDAP directory type). Each LDAP directory can have a separate Layout File.
- The Config File contains a list of parameters for a given LDSU
instance. These parameters determine the Mode (e.g. Import or Export), File
Names, LDAP directory name, Unique Fields, etc.
- The Record Description File (RDF) contains a "mapping" of data
in the Foreign Directory File to attributes in the LDAP directory (Layout File).
LDSU also supports the LDAP Data Interchange Format (LDIF) as a built-in RDF
type if the Foreign Directory File is in LDIF Content or Changes format.
- The Foreign Directory File is the text file containing data to
be imported into or exported from the LDAP Directory. This data may have been
received from, or is being sent to, a Foreign (non-LDAP) Directory. It could also
be from or destined for another LDAP directory (if synching two LDAP
directories).
- The LDAP directory can be any LDAP compatible directory
accessible over TCP/IP from the machine where LDSU is running. It
does not need to be on the same machine as the LDSU software. Each LDSU
instance must involve an LDAP compatible directory.
LDSU Import Mode
LDSU Import mode compares an input file against an LDAP directory and
updates the LDAP directory as needed using Add, Modify, and Delete
transactions. The input file is a Foreign Directory File which consists
of all the entries to be contained in the LDAP directory (i.e. the input file
is a Full Export of the Foreign Directory).
Each entry in the input file is assigned a Group ID
to mark that these entries are "owned" by this foreign directory import.
(The Group ID is a constant value given to any LDAP directory attribute).
LDSU compares all the entries in the input file (by creating an Input Metafile
using the RDF) with all
previously imported entries in the directory for this Group ID (by
extracting the entries to an Output Metafile) and updates
the LDAP Directory as needed (using the Distinguished Name (DN) as the key):
- Any entries no longer in the input file are deleted from the LDAP directory.
- Any changed entries are modified in the LDAP directory (for those attributes
that changed). Note: Any attributes in the LDAP directory for an entry
which are not identified in the RDF are not modified.
- Any new entries are added to the LDAP directory with the Group ID.
LDSU Import mode also contains many options which are defined in the Config File:
- Creation of parent entries if needed on Add operations.
- A Synch ID which marks all entries created by LDSU for all instances.
- Unique Field Checking which can assure that LDAP attributes (or groups of
attributes) are unique before adding or modifying an entry.
- Unique Field Generation which can create a unique value for an attribute.
- A Case Checking switch which controls whether a change in case alone
counts as a change to the directory.
- Add-Only-Fields which allow the import to set only the initial value of an
attribute on an Add and never Modify it thereafter.
- Mark-for-Delete processing which allows a record to be simply "marked" as
deleted instead of physically removed from the directory.
- Threshold checking which can invalidate an entire import if too many
adds or deletes would have taken place (guards against partial files).
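The Import-mode comparison described above, written out as an added example (not LDSU's own code): the Input Metafile is reconciled against the entries the directory already holds for this Group ID, only RDF-mapped attributes are compared, the Case Checking switch decides whether a case-only difference counts, and the Threshold check rejects the whole run when a partial input file would cause too many adds or deletes. The DNs, attribute values and the Group ID attribute (`description`) are constructed for the example.

```python
# Import-mode reconciliation as LDSU describes it (illustrative rewrite, not
# LDSU code): compare the Input Metafile with the entries already owned by this
# Group ID, derive Add / Modify / Delete actions for RDF-mapped attributes only,
# honour the Case Checking switch, and apply the Threshold check.
from dataclasses import dataclass, field

# Constructed Input Metafile (Foreign Directory File mapped via the RDF): DN -> attributes.
INPUT_METAFILE = {
    "cn=alice,ou=people,o=example": {"cn": "alice", "mail": "alice@example.test", "title": "Analyst"},
    "cn=bob,ou=people,o=example":   {"cn": "bob",   "mail": "BOB@example.test",   "title": "Engineer"},
    "cn=dave,ou=people,o=example":  {"cn": "dave",  "mail": "dave@example.test",  "title": "Intern"},
}
# Constructed Output Metafile: what the directory currently holds for this Group ID.
OUTPUT_METAFILE = {
    "cn=alice,ou=people,o=example": {"cn": "alice", "mail": "alice@example.test", "title": "Analyst",
                                     "telephoneNumber": "555-0100"},   # not in the RDF: never touched
    "cn=bob,ou=people,o=example":   {"cn": "bob",   "mail": "bob@example.test",   "title": "Engineer"},
    "cn=carol,ou=people,o=example": {"cn": "carol", "mail": "carol@example.test", "title": "Manager"},
}
RDF_ATTRIBUTES = {"cn", "mail", "title"}                  # attributes the RDF maps
GROUP_ID_ATTR, GROUP_ID = "description", "hr-import"      # hypothetical Group ID attribute and value

@dataclass
class Plan:
    adds: dict = field(default_factory=dict)       # dn -> attributes to add (with Group ID)
    modifies: dict = field(default_factory=dict)   # dn -> {attr: new value} for changed attrs
    deletes: list = field(default_factory=list)    # dns no longer in the input file

def reconcile(inputs, existing, *, case_checking=True, max_adds=None, max_deletes=None):
    plan = Plan()
    norm = (lambda v: v) if case_checking else str.lower   # Case Checking switch
    for dn, attrs in inputs.items():
        wanted = {a: v for a, v in attrs.items() if a in RDF_ATTRIBUTES}
        if dn not in existing:
            plan.adds[dn] = {**wanted, GROUP_ID_ATTR: GROUP_ID}
            continue
        current = existing[dn]
        changed = {a: v for a, v in wanted.items() if norm(current.get(a, "")) != norm(v)}
        if changed:
            plan.modifies[dn] = changed
    plan.deletes = [dn for dn in existing if dn not in inputs]
    # Threshold check: reject the whole import rather than apply a partial file.
    if max_adds is not None and len(plan.adds) > max_adds:
        raise RuntimeError(f"import rejected: {len(plan.adds)} adds exceed threshold {max_adds}")
    if max_deletes is not None and len(plan.deletes) > max_deletes:
        raise RuntimeError(f"import rejected: {len(plan.deletes)} deletes exceed threshold {max_deletes}")
    return plan
```

Running `reconcile({}, OUTPUT_METAFILE, max_deletes=2)` shows the guard in action: an empty (truncated) input file would delete every owned entry, so the run is rejected before any transaction is sent.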
The Import RDF may allow the data in the input file to:
- Have header records which are skipped.
- Contain fixed length or variable length fields or a combination of both.
- If using variable length fields, contain a user specified separator
character or string.
- Have an additional user specified "sub-field" separator to allow variable
length fields within fields.
- Consist of one or more lines per logical record.
- Be ignored if it meets certain user-defined criteria (e.g. if a field marks
a record to NOT be synched into the LDAP directory, which could be used for
Admin or Test accounts, for instance).
- Be in the LDIF content format.
In addition, the RDF provides functions to process the data (substitute,
substring, uppercase, etc.) and has hooks to call user-written procedures if needed.
LDSU Transaction Mode
LDSU Transaction mode applies transactions contained in the ADD, MODIFY, and/or
DELETE input files against an LDAP directory. One, two, or all three
of the input files may be specified. Or, if using LDIF Changes format,
one input file containing any change types may be specified.
Transaction mode is used when a "trusted" source has generated changes which
LDSU will apply to the LDAP directory. LDSU processes files in the following
order:
- LDSU processes Deletes by deleting any records from the LDAP
directory identified in the Delete File.
- LDSU processes Modifies by comparing the attributes in the
Modify File with the matching LDAP directory entry and updating the
directory as needed. Only attributes identified in the RDF file will
be checked and possibly modified. (Only a subset of attributes, therefore,
may be controlled by this import.)
- LDSU processes Adds by adding any records in the Add File to the LDAP
directory.
LDSU Transaction mode also contains many options which are defined in the Config File:
- Modify or Add Flag which allows a Modify File record to be added if it
does not already exist in the LDAP directory. One case where this would be
useful would be in foreign directory extracts that cannot tell the difference
between a modified or newly added record.
- One or more Key fields (instead of the Distinguished Name (DN)) to
identify a record to the directory for Modify or Delete operations.
This allows data from another source to be layered (merged) on an existing
record without requiring the DN to be the key shared by the two data sources.
- Creation of parent entries if needed on Add operations.
- A Group ID which marks all entries created by LDSU for this instance.
- A Synch ID which marks all entries created by LDSU for all instances.
- Unique Field Checking which can assure that LDAP attributes (or groups of
attributes) are unique before adding or modifying an entry.
- Unique Field Generation which can create a unique value for an attribute.
- A Case Checking switch which controls whether a change in case alone
counts as a change to the directory.
The Transaction Mode RDF allows the data in the input file(s) to have all
the same formatting options as Import Mode. If using the LDIF format, however,
the input file must be LDIF Changes format instead of LDIF Content format.
LDSU Export Mode
LDSU basic Export mode extracts records from an LDAP directory, based on a
search base and search filters, and writes the records to a formatted output
file.
LDSU Export mode also contains many options which are defined in the Config File:
- Allow the export of records belonging to Import Group IDs as
specified by the Group ID. Multiple Group IDs can be included or excluded.
- Allow the export of only records matching the Synch ID.
- Allow the export of only records where a field matches a certain value.
(The value can use wildcards as supported by the LDAP directory.)
- Allow the export of only records which meet the conditions specified by
a custom LDAP filter which can be as complex as needed.
The Export RDF may allow the data in the output file to:
- Have header records which are copied from a specified header file.
- Contain data in fixed length fields or variable length fields.
- Contain constant strings interspersed with directory data that can be
used to build command procedures or other formatted output.
- Consist of one or more lines per logical record.
- Be ignored if it meets certain user-defined criteria that could not be
removed using the search filters.
- Be in the LDIF content format.
In addition, the RDF provides functions to process the data (substitute,
substring, uppercase, etc.) and has hooks to call user-written procedures if
needed.
LDSU Export1 Mode
LDSU Export1 mode extracts records, which are identified in an input file,
from an LDAP directory and writes those records to a formatted output file.
This mode differs from basic Export Mode in that the input file tells
LDSU which records to extract from the LDAP directory. In basic Export
Mode, the search filters derived from the configuration file determine
which records are extracted.
The only new option in Export1 Mode is that records in the input file
must be able to build the DN, or one or more Key fields may be specified
instead of the DN. The key field(s) for each record in the input file
must uniquely identify a record in the directory, which is then extracted
into the output file.
An example of when this mode might be useful is when you want to extract
records for a list of mail addresses. Specify the input file as a file
containing the list of mail addresses (one per line). Specify the mail
address attribute as the key field. Then each record which matches a
mail address will be exported into the output file.
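The mail-address lookup just described, as an added example that is not LDSU code: each input line is treated as a key value, the equality filter for the key attribute is built with the value escaped per RFC 4515 (so a stray `*` or `)` in the input file cannot change the filter's meaning), and a line is exported only when it identifies exactly one directory record, as the page requires. The in-memory `DIRECTORY` stands in for the LDAP server and is constructed for the example.

```python
# Export1-style key-field lookup (illustrative, not LDSU code): each line of the
# input file is a mail address, the key field that must identify exactly one
# directory record. Key values are escaped per RFC 4515 before they are placed in
# the LDAP search filter, so an input line cannot alter what the filter matches.

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside an LDAP search filter."""
    out = []
    for ch in value:
        if ch in '*()\\' or ord(ch) < 0x20:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)

def key_filter(attr: str, value: str) -> str:
    """Build the equality filter an Export1 run would send for one key value."""
    return f"({attr}={escape_filter_value(value)})"

# Constructed stand-in for the LDAP directory: DN -> attributes.
DIRECTORY = {
    "cn=alice,ou=people,o=example": {"cn": "alice", "mail": "alice@example.test"},
    "cn=bob,ou=people,o=example":   {"cn": "bob",   "mail": "bob@example.test"},
    "cn=bob2,ou=people,o=example":  {"cn": "bob2",  "mail": "bob@example.test"},  # duplicate key
}

def search_by_key(attr: str, value: str) -> list:
    """Exact-match lookup standing in for the directory evaluating key_filter()."""
    return [dn for dn, entry in DIRECTORY.items() if entry.get(attr) == value]

def export1(input_lines, key_attr: str = "mail"):
    """Return (exported records, rejected lines) for one Export1 run.
    A line is rejected when its key matches zero or several records."""
    exported, rejected = [], []
    for raw in input_lines:
        value = raw.strip()
        if not value:
            continue                        # skip blank lines in the input file
        hits = search_by_key(key_attr, value)
        if len(hits) != 1:
            rejected.append((value, key_filter(key_attr, value), len(hits)))
            continue
        exported.append({"dn": hits[0], **DIRECTORY[hits[0]]})
    return exported, rejected
```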
LDSU Changes Mode
LDSU basic Changes mode compares an extract of records from an LDAP directory,
based on a search base and search filters, with a
previous extract (old metafile) and writes
the changes to formatted output file(s).
This mode requires that the process which applies the changes
generated by this LDSU run signal that the changes were successfully
applied, and that the current extract (new metafile) then be used as the
previous extract (old metafile) the next time this LDSU changes instance is run.
The changes are derived as follows:
- Any entry in the previous extract that is no longer in the LDAP directory
results in a DELETE change record containing the values from the previous
extract.
- Any entry that was modified in the LDAP directory results in a
MODIFY change record containing the values from the changed LDAP directory
record.
- Any new entry added to the LDAP directory results in an ADD change
record containing the values from the new LDAP directory record.
Changes are written to separate ADD, DELETE, and (optionally) MODIFY output
files or to a single output file which contains all the changes. If an ADD
and DELETE file are specified and a MODIFY output file is not specified, MODIFY changes are written
as a DELETE record (containing the previous record) and an ADD record
(containing the changed record). If using LDIF Changes format for the output
file, only a single output file should be specified.
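The old-metafile/new-metafile comparison and the output rules above, as an added example that is not LDSU code: DELETE records carry the previous values, ADD and MODIFY records carry the current directory values, a MODIFY degrades to DELETE plus ADD when no MODIFY output file is configured, and the single-file option is rendered as LDIF Changes. The two metafiles are constructed for the example.

```python
# Changes-mode output (illustrative, not LDSU code): compare the previous extract
# (old metafile) with the current one (new metafile) and produce ADD, MODIFY and
# DELETE change records; with only ADD and DELETE output files, a MODIFY is
# written as a DELETE of the previous record plus an ADD of the changed record.

# Constructed metafiles: DN -> {attribute: value}.
OLD_METAFILE = {
    "cn=alice,o=example": {"cn": "alice", "title": "Analyst"},
    "cn=bob,o=example":   {"cn": "bob",   "title": "Engineer"},
}
NEW_METAFILE = {
    "cn=alice,o=example": {"cn": "alice", "title": "Senior Analyst"},
    "cn=carol,o=example": {"cn": "carol", "title": "Manager"},
}

def change_records(old, new, *, modify_file=True):
    """Return (kind, dn, attrs) records. DELETE carries the previous values,
    ADD and MODIFY carry the current directory values."""
    recs = []
    for dn, attrs in old.items():
        if dn not in new:                       # gone from the directory
            recs.append(("DELETE", dn, attrs))
    for dn, attrs in new.items():
        if dn not in old:                       # newly added to the directory
            recs.append(("ADD", dn, attrs))
        elif attrs != old[dn]:                  # modified in the directory
            if modify_file:
                recs.append(("MODIFY", dn, attrs))
            else:  # no MODIFY file: delete the previous record, add the changed one
                recs.append(("DELETE", dn, old[dn]))
                recs.append(("ADD", dn, attrs))
    return recs

def to_ldif_changes(recs, old):
    """Render the records as one LDIF Changes file (the single-output-file option)."""
    chunks = []
    for kind, dn, attrs in recs:
        if kind == "DELETE":
            chunks.append(f"dn: {dn}\nchangetype: delete\n")
        elif kind == "ADD":
            chunks.append(f"dn: {dn}\nchangetype: add\n" + "".join(f"{a}: {v}\n" for a, v in attrs.items()))
        else:  # MODIFY: replace only the attributes that differ from the old metafile
            body = "".join(f"replace: {a}\n{a}: {v}\n-\n" for a, v in attrs.items() if old[dn].get(a) != v)
            chunks.append(f"dn: {dn}\nchangetype: modify\n" + body)
    return "\n".join(chunks)
```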
LDSU Changes mode also contains many options which are defined in the Config File:
- Allow the comparison of records belonging to Import Group IDs as
specified by the Group ID. Multiple Group IDs can be included or excluded.
- Allow the comparison of only records matching the Synch ID.
- Allow the comparison of only records where a field matches a certain value.
(The value can use wildcards as supported by the LDAP directory.)
- Allow the comparison of only records which meet the conditions specified by
a custom LDAP filter which can be as complex as needed.
- A Case Checking switch which controls whether a change in case alone
counts as a change to the directory.
The Changes RDF may allow the data in the output file to:
- Have header records which are copied from a specified header file.
- Contain data in fixed length fields or variable length fields.
- Contain constant strings interspersed with directory data that can be
used to build command procedures or other formatted output.
- Consist of one or more lines per logical record.
- Be ignored if it meets certain user-defined criteria that could not be
removed using the search filters.
- Be in the LDIF changes format.
In addition, the RDF provides functions to process the data (substitute,
substring, uppercase, etc.) and has hooks to call user-written procedures if
needed.
LDSU Changes1 Mode
LDSU Changes1 mode compares an extract of records from an LDAP directory, based
on a search base and search filters, with an input file containing a
full export from a foreign directory and writes the changes to
formatted output file(s) to be applied back to the foreign directory.
This mode differs from basic Changes Mode in that feedback
from the Foreign Directory File is used to decide what has changed. In
basic Changes Mode, it is assumed that all ADDs, MODIFYs, and DELETEs are
applied successfully to the foreign directory or they must all be
regenerated. Also, basic Changes Mode assumes that no other factors
can alter data in the foreign directory. In Changes1 Mode, each set of
ADD, MODIFY, and DELETE records is based on comparing the LDAP directory
with what is actually in the foreign directory.
This mode can only be used when the foreign directory is able to
provide a timely full export of its directory to compare against.
The only new option in Changes1 Mode is that records in the Foreign Directory
Input File must be able to build the DN, or one or more Key fields may be
specified instead of the DN if the foreign directory cannot derive the DN. The
key field(s) for each record in the input file must uniquely identify a record
in the directory, whose DN is extracted to build the record in the Old Metafile.
Copyright © Digital Equipment Corporation 1998