Re: "add" and "replace" at the same time?

[Christian Jung <Christian.Jung@wanadoo.fr>]

Hi Volker!

Don't you think that it is too dangerous to make this with add/modify? A 
little example:

ADS has got a group A and OpenLDAP has the same group defined (they're 
in sync):

dn: cn=A,...
...
uniqueMember: userA
uniqueMember: userB
uniqueMember: userC

Now some Windows-Guru deletes userB and adds userD to this group. Your 
LDIF will show this:

dn: cn=A,...
...
uniqueMember: userA
uniqueMember: userC
uniqueMember: userD

But you don't know anything about userB anymore. So userB would never be 
deleted on your OpenLDAP. And that could be a security risk. I think you 
have to write a script/app for doing this.


Chris


Maibaum, Volker wrote:
> Hello, 
>
> I'm trying to synchronize Data between Active Directory and OpenLDAP (except
> Passwords). 
> I read the changes made in Active Directory with ldapsearch and I want put
> the resulting LDIF-Information into OpenLDAP, by using ldapmodify.
> Now I have the problem, that I can either use "ldapmodify -a" to add new
> Entries, or "ldapmodify -r" to replace existing Entries, but not both at the
> same time. 
>
> Is there a way I can import an LDIF-File into OpenLDAP, so that the existing
> Entries are overwritten (without deleting Attributes that are not in the
> LDIF-File) and not-existing Entries are added to OpenLDAP?
>
> What may be the best way to do this?
>
>
> thanks in advance, 
>
> Volker