Use caution with LDIFDE

Thu, Apr 2, 2009

Technology

If you are planning to use LDIFDE.EXE to duplicate a source directory into a target directory, be aware of a potential problem that can leave you with incomplete group membership lists.  In some cases your target groups will be missing members.

My customer recently wanted to export users and groups from one forest to another forest.  The first inclination was to use Microsoft’s LDIFDE.EXE to export the users and groups into an LDIF file.  There are plenty of examples of how to accomplish this task and it seemed pretty straightforward.

So after following the basic steps of exporting to an LDIF file, doing a find/replace with the new distinguishedName, and then importing the LDIF files, we thought it was all done… right?  Well, not exactly.  We noticed that not all users were showing up in the security groups.  What was going on?

We looked through the LDIF export file and noticed something strange:

dn: CN=MyGroup,OU=My Groups,DC=Domain,DC=com
changetype: modify
add: member
member:
 CN=A user with a long common name that extends the length of the dn,OU=My Users,OU=Parent,DC=Dom
 ain,DC=com
-

Can you see the problem?  When we did a find/replace it was trying to match the full distinguishedName.  You can clearly see that some of the group members were folded onto multiple lines and would not match our find/replace method.  This meant that many members were left off the newly imported groups.  So why was this happening?

It turns out there is a catch in the way LDIFDE.EXE creates the export file.  Whenever a line of data is too long, the default behavior of LDIFDE is to fold the data onto another line (a continuation line that begins with a single space).  This is outlined in the RFC for LDIF.  So in our case the members with a long distinguishedName had been folded, our find/replace never matched them, and those users were not showing up in the groups.

So how do we fix this?  My first thought is to create a (vb|java)script that would look for the folded lines and concatenate them into a single line.  Then I started to wonder if LDIFDE.EXE would accept the data lines that were concatenated.  I haven’t had time to test the concatenated data line idea but I will soon and will then post the results. 
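The folded-line handling described above, as an added example that is not part of the original post or of LDIFDE itself.  It applies the LDIF folding rule from RFC 2849 (a line beginning with one space continues the previous line) to join the folded lines, performs the distinguishedName find/replace on the unfolded lines, and then re-folds the result so the file is still valid LDIF.  The sample record is constructed to mirror the export shown above; the target domain DC=NewDomain,DC=com is an assumed placeholder.

```python
"""Unfold RFC 2849 line-folded LDIF, rewrite DN suffixes, and re-fold.

Added example (not LDIFDE's code).  The record below is constructed to
look like the folded export in the post; DC=NewDomain,DC=com is an
assumed target domain.
"""

# Constructed sample: the long member DN is folded in the middle of
# "DC=Domain", and the continuation line starts with exactly one space.
SAMPLE_LDIF = (
    "dn: CN=MyGroup,OU=My Groups,DC=Domain,DC=com\n"
    "changetype: modify\n"
    "add: member\n"
    "member: CN=A user with a long common name that extends the length "
    "of the dn,OU=My Users,OU=Parent,DC=Dom\n"
    " ain,DC=com\n"
    "-\n"
    "\n"
)


def unfold(text):
    """Return the logical lines of an LDIF file.

    Any physical line that begins with a single space is a continuation
    of the previous logical line; the leading space is dropped and the
    remainder appended.  This also handles a fold that falls right after
    the attribute name (e.g. "member:" followed by " CN=...").
    """
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def rewrite_dns(lines, old_suffix, new_suffix):
    """Replace a DN suffix on every logical line.

    On unfolded lines a plain substring match is reliable again, which is
    exactly what the folded export broke.
    """
    return [line.replace(old_suffix, new_suffix) for line in lines]


def fold(lines, width=76):
    """Re-fold long logical lines into RFC 2849 physical lines.

    The first physical line is at most `width` characters; each
    continuation line is a space followed by at most `width - 1` more.
    """
    physical = []
    for line in lines:
        physical.append(line[:width])
        rest = line[width:]
        while rest:
            physical.append(" " + rest[: width - 1])
            rest = rest[width - 1:]
    return "\n".join(physical) + "\n"


def rewrite_ldif(text, old_suffix, new_suffix):
    """Full pipeline: unfold, substitute the DN suffix, fold again."""
    return fold(rewrite_dns(unfold(text), old_suffix, new_suffix))


if __name__ == "__main__":
    print(rewrite_ldif(SAMPLE_LDIF, "DC=Domain,DC=com", "DC=NewDomain,DC=com"))
```

Because `fold` emits continuation lines in the standard form, the output can be re-read by any LDIF consumer that follows the RFC.  One caveat for real exports: values LDIFDE writes base64-encoded (an `attr::` line, used when a value contains characters that are not LDIF-safe) would have to be decoded before the substitution could match the DN inside them.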

I also plan on creating a tool to import objects defined in an LDIF file without having to concatenate the data.  Stay tuned for that as well.
