Exporting and importing groups to OID

I got an opportunity today to work on exporting and importing groups from/to OID while excluding the members of the groups. In our case, the development environment already had groups with users as members, and we needed to move those users to the production environment. We need to provision the roles/groups to users in OID using Oracle Identity Manager, and thus we had to exclude the members of the groups from the export.

First, we need to export the groups from OID as shown below:

./ldapsearch -p 389 -h ldap_hostname -D "cn=orcladmin" -w welcome1 -L -s one -b "cn=Groups,dc=oracle,dc=com" "(objectclass=*)" "*" > oid_groups.ldif

Now, we need to edit this oid_groups.ldif file and remove every uniquemember line, i.e. the group membership entries, which look like this:

uniquemember: cn=testuser,cn=users,dc=oracle,dc=com

If you are using TextPad to edit this file, its handy Macro feature does this in a second.

Once the LDIF is ready to be imported, run the ldapadd command shown below against the production environment to import all the groups.

./ldapadd -h ldap_hostname -p 389 -D "cn=orcladmin" -w admin123 -c -v -f oid_groups.ldif

That's it. Your production environment now has all the groups, and OIM can readily provision roles to them.
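As an added example (not part of the original post), here is a small Python filter that does the editing step programmatically instead of with a TextPad macro. It drops every uniquemember value from the exported LDIF, including the two cases a plain line delete misses: values folded onto a continuation line and base64-encoded values written with "::". The sample LDIF below is constructed for illustration.

```python
"""Remove group membership (uniquemember) from an OID LDIF export.

Usage: python strip_members.py oid_groups.ldif > oid_groups_nomembers.ldif
"""
import sys

# Constructed sample of what `ldapsearch -L` produces for two groups.  The
# second member DN is folded onto a continuation line (LDIF wraps long values
# onto lines starting with one space) and the last one is base64-encoded ("::").
SAMPLE_LDIF = """dn: cn=Administrators,cn=Groups,dc=oracle,dc=com
objectclass: groupOfUniqueNames
objectclass: orclGroup
cn: Administrators
uniquemember: cn=testuser,cn=users,dc=oracle,dc=com
uniqueMember: cn=a.user.with.a.rather.long.name,cn=users,
 dc=oracle,dc=com
description: Example group

dn: cn=Developers,cn=Groups,dc=oracle,dc=com
objectclass: groupOfUniqueNames
cn: Developers
uniquemember:: Y249dGVzdHVzZXIsY249dXNlcnMsZGM9b3JhY2xlLGRjPWNvbQ==
"""


def strip_attribute(ldif_text, attribute="uniquemember"):
    """Return ldif_text with every value of `attribute` removed.

    Handles what a naive "delete lines starting with uniquemember" misses:
    folded continuation lines, base64 values ("attr::") and mixed-case
    attribute names (LDAP attribute names are case-insensitive).
    """
    prefix = attribute.lower() + ":"
    kept, skipping = [], False
    for line in ldif_text.splitlines():
        if line.startswith(" "):
            # Continuation of the previous value: drop it only if that value was dropped.
            if not skipping:
                kept.append(line)
            continue
        skipping = line.lower().startswith(prefix)
        if not skipping:
            kept.append(line)
    return "\n".join(kept) + "\n"


def main():
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else SAMPLE_LDIF
    sys.stdout.write(strip_attribute(text))


if __name__ == "__main__":
    main()
```

Run without arguments it filters the embedded sample; with a file argument it filters that export and writes the result to stdout for ldapadd.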

Now, let us look in detail at the ldap command options we used for exporting and importing.

Exporting:

./ldapsearch -p 389 -h ldap_hostname -D "cn=orcladmin" -w welcome1 -L -s one -b "cn=Groups,dc=oracle,dc=com" "(objectclass=*)" "*" > oid_groups.ldif

-h : ldap hostname (in our case, the development environment)

-p : ldap port

-D : OID administrator

-w : OID admin password

-L : Print entries in LDIF format

-s : This defines the scope of the search.

  •  base – For searching only the base entry.
  •  one – For searching only the children of the base entry.
  •  sub – For searching the base entry and all its descendants.

-b : base DN for the search. We searched all groups under cn=Groups. To search within a specific group, give its DN instead, e.g. cn=group_name,cn=Groups,dc=oracle,dc=com.

"(objectclass=*)" : the search filter. It matches entries of any object class, so every group under the base DN is returned.

Importing:

./ldapadd -h ldap_hostname -p 389 -D "cn=orcladmin" -w admin123 -c -v -f oid_groups.ldif

-c : Tells ldapadd to continue with the remaining entries in spite of errors

-v : Verbose mode

-f : LDIF file to import
