问题
I have two domains. One production. One testing. There is no trust between the two.
I can import all user objects and group objects successfully using ldifde commands. When I attempt to also include group members in my export/import I can't seem to successfully import.
Here are the variations I have tried:
Attempt 1:
file format:
dn: CN=Group-name,OU=Groups,OU=Managed,DC=dev,DC=net
changetype: add
member: CN=USER1,OU=Users,OU=Managed,DC=dev,DC=net
member: CN=USER2,OU=Users,OU=Managed,DC=dev,DC=net
ldifde command used:
ldifde -i -k -f groupexp12072012-test.ldf -v
output:
Connecting to "DC"
Logging in as current user using SSPI
Importing directory from file "groupexp12072012-test.ldf"
Loading entries
1: CN=Group-name,OU=Groups,OU=Managed,DC=dev,DC=net
Add error on line 1: Object Class Violation
The server side error is "The object class attribute must be specified."
0 entries modified successfully.
An error has occurred in the program
No log files were written. In order to generate a log file, please
specify the log file path via the -j option.
Attempt 2: Added in the correct objectClass to my ldifde import file:
file format:
dn: CN=Group-name,OU=Groups,OU=Managed,DC=dev,DC=net
changetype: add
objectClass: top
objectClass: group
member: CN=USER1,OU=Users,OU=Managed,DC=dev,DC=net
member: CN=USER2,OU=Users,OU=Managed,DC=dev,DC=net
ldifde command used:
ldifde -i -k -f groupexp12072012-test.ldf -v
output:
Connecting to "DC"
Logging in as current user using SSPI
Importing directory from file "groupexp12072012-test.ldf"
Loading entries
1: CN=Group-name,OU=Groups,OU=Managed,DC=dev,DC=net
Entry already exists, entry skipped
0 entries modified successfully.
The command has completed successfully
Attempt 3: Deleted the existing group object and used the same command and format as "Attempt 2":
Connecting to "DC"
Logging in as current user using SSPI
Importing directory from file "groupexp12072012-test.ldf"
Loading entries
1: CN=Group-name,OU=Groups,OU=Managed,DC=dev,DC=net
Object does not exist, entry skipped
0 entries modified successfully.
So I'm stuck. Apparently 'ldifde' can be used to import group members - all my colleagues say it has never worked but I stumble upon MS articles that say otherwise; http://social.technet.microsoft.com/Forums/nl/winserverDS/thread/089a3f3b-617f-4c66-a3fc-be543d97a612
Then I stumble on "5. LDIFDE doesn’t support changing Group Membership. You can use CSVDE or ADDUSERS.exe or DStools for Windows 2003 Editions." here: http://support.microsoft.com/kb/555634
Am I going crazy for no reason - will I ever succeed using 'ldifde'?
edit: Yes, I was going crazy for no reason. One of my targeted users was actually in a different OU I was specifying for 'ldifde'. Because of this, 'ldifde' would just give up and not add any members to the group.
回答1:
Here is a way to add users to an existing group (ldifde -i -k -f AddGrpMember.ldf -v
):
dn: CN=MonGrpSec,OU=MonOu,DC=dom,DC=fr
changeType: Modify
add: member
member: CN=jblanc,OU=MonOu,DC=dom,DC=fr
member: CN=Jean Paul Blanc,OU=MonOu,DC=dom,DC=fr
-
Here is a way to create a new group with members (ldifde -i -k -f NewGrpWithMember.ldf -v
):
dn: CN=NewGrpSec,OU=MonOu,DC=dom,DC=fr
changeType: Add
objectClass: top
objectClass: group
CN: NewGrpSec
member: CN=jblanc,OU=MonOu,DC=dom,DC=fr
member: CN=Jean Paul Blanc,OU=MonOu,DC=dom,DC=fr
回答2:
ldifde import of group members fails if the group members do not exist, or the dn in the file does not match the dn of the target group.
For a few important groups in my test domain, I word to replace "member:" with the entire header to modify a group. That way any individual group member doesn't halt the rest of the group members from importing.
Simple find and replace find: member: replace with: -^p^pdn:CN=[groupname],OU=[ou name],OU=Domain Users,DC=TEST,DC=ORG^pchangetype: modify^padd:member^pmember:
Basically, add a "-" followed by a blank line, and then the header lines.
来源:https://stackoverflow.com/questions/11465364/how-to-import-a-groups-members-using-ldifde