LDIF File Import Into Active Directory
-
Monday, June 18, 2012 4:30 AM
I was requested to create new groups in my Active Directory, using the below Groups.ldif file:
================================================================
dn: cn=admin,ou=groups,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: Oracle application software ECM system group.
objectclass: top
objectclass: groupOfUniqueNames
cn: admin

dn: cn=sysmanager,ou=groups,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: Oracle application software ECM system group.
objectclass: top
objectclass: groupOfUniqueNames
cn: sysmanager

dn: cn=UDCGroupUser,ou=groups,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: Oracle application software ECM system group.
objectclass: top
objectclass: groupOfUniqueNames
cn: UDCGroupUser
===================================================================
In my AD Users and Computers, I created the OUs Applications, ECM and groups. Now when I run the command:
ldifde -i -f groups.ldif -s [servername]
I'm getting the error:
---------------------------------------------------------------------------
Connecting to "udcdc.udcdev.local"
Logging in as current user using SSPI
Importing directory from file "groups.ldif"
Loading entries
Add error on entry starting on line 1: Object Class Violation
The server side error is: 0x207c A required attribute is missing.
The extended server error is:
0000207C: UpdErr: DSID-031511EA, problem 6002 (OBJ_CLASS_VIOLATION), data 0
--------------------------------------------------------------------------------------------------
What is wrong with my LDIF file or with the command?
All Replies
-
Monday, June 18, 2012 5:49 AM
Only the most specific objectClass should be specified. In your case, do not use "objectClass: top". Are you sure you want to create objects of class groupOfUniqueNames? As I understand it this is for a collection of unique names. Normally, groups are "objectClass: group".
Richard Mueller - MVP Directory Services
-
Monday, June 18, 2012 6:26 AM
This is how I received the request from the application consultant.
This request was to integrate our Windows 2008 AD with some Oracle application.
When I asked them about this object class, they had no idea about it, because they are Linux guys who don't know much about Windows AD, but this is the format they want it in.
They also requested to add some users, and even the format of the LDIF file for user creation is really confusing me.
A few sample lines of that LDIF file for user creation are as below:
dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: IT account with read write delete permission.
objectclass: top
objectclass: groupOfUniqueNames
cn: @IT(RWD)

dn: cn=@IT(R),ou=accounts,ou==ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: IT account with read permission.
objectclass: top
objectclass: groupOfUniqueNames
cn: @IT(R)

Any help I can get regarding this?
Many thanks
-
Monday, June 18, 2012 8:24 AM
I think that this LDIFDE syntax and file are proper, but you have missed some mandatory attributes to create new group(s) :)
Try to add within each section:
groupType and sAMAccountName attributes, which are mandatory.
Group types are:
"groupType=8" - Universal groups
"groupType=4" - Global groups
"groupType=2" - Domain Local groups
"grouptype=-2147483640" - Security Universal groups
"grouptype=-2147483646" - Security Global groups
"grouptype=-2147483644" - Security Domain Local groups
http://www.petri.co.il/forums/showthread.php?t=24690
and sAMAccountName is a group name
Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com
-
Tuesday, June 19, 2012 5:20 AM
Thank you very much, sir.
For the groups it was only 3 groups, so I managed to add them manually,
but now I have this LDIF file to import around 200 user accounts.
I'm not sure if this format is acceptable, because I couldn't import it using the ldifde command.
Please find below part of the LDIF file and advise what should be done to import it:
dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: IT account with read write delete permission.
objectclass: top
objectclass: groupOfUniqueNames
cn: @IT(RWD)

dn: cn=@IT(R),ou=accounts,ou==ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: IT account with read permission.
objectclass: top
objectclass: groupOfUniqueNames
cn: @IT(R)

dn: cn=@IT(RW),ou=accounts,ou==ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: IT account with read write permission.
objectclass: top
objectclass: groupOfUniqueNames
cn: @IT(RW)

dn: cn=@IT(RWDA),ou=accounts,ou==ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: IT account with read write delete admin permission.
objectclass: top
objectclass: groupOfUniqueNames
cn: @IT(RWDA)

dn: cn=@IA(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: IA account with read write delete permission.
objectclass: top
objectclass: groupOfUniqueNames
cn: @IA(RWD)

The import error message is:
Loading entries
Add error on entry starting on line 1: Object Class Violation
The server side error is: 0x207c A required attribute is missing
- Edited by HotTrigger Tuesday, June 19, 2012 5:27 AM
-
Tuesday, June 19, 2012 6:32 AM
So, in this case you should also set up sAMAccountName and specify the proper objectClass, as these attributes are mandatory during user creation. Please take a look at the example record and fix the rest:
dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: IT account with read write delete permission.
objectclass: user
objectclass: groupOfUniqueNames <-- you can skip this class
cn: @IT(RWD)
sAMAccountName: @IT(RWD)

Please run an import just for a few users at the beginning to test the syntax. However, remember that those users will be created with an empty password and their accounts are disabled. Setting the password over LDIFDE is inconvenient, so I would suggest another method for setting the password and enabling the accounts. After all that, create a flat text file with dn attributes, one per line, and save the file as users.txt on the C drive.
Example:
cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
cn=@IT(R),ou=accounts,ou==ECM,ou=applications,dc=udcdev,dc=local
In the command line run the below query:
for /f "tokens=*" %i in (c:\users.txt) do dsmod user "%i" -pwd UserPassword -disabled no -mustchpwd yes -pwdneverexpires no -canchpwd yes
Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com
-
Tuesday, June 19, 2012 8:03 AM (Moderator)
Quote from the error:
Loading entries
Add error on entry starting on line 1: Object Class Violation
The server side error is: 0x207c A required attribute is missing
It seems the specified object class does not exist.
I also didn't understand why you set "ObjectClass: top". Where does that TOP come from? Maybe you can ask Oracle for more information, since they require it.
I have seen that error when trying to use the Active Directory Application Mode (ADAM) Synchronizer (Adamsync.exe) tool to synchronize Active Directory objects to an ADAM instance on a Windows Server 2003-based or Windows Server 2008-based computer; details are included here: http://support.microsoft.com/kb/923835. You may have a look at that.
Here's a Step-by-Step Guide to Bulk Import and Export to Active Directory for your reference.
Regards,
Miya
Miya Yao
TechNet Community Support
-
Tuesday, June 19, 2012 12:58 PM
Dear iSiek,
I copied the lines in your reply and pasted them into a new file, so it looked like:
dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: IT account with read write delete permission.
objectclass: user
objectclass: groupOfUniqueNames <-- you can skip this class
cn: @IT(RWD)
sAMAccountName: @IT(RWD)

And now when I try to import it as a trial example, I get the error:
Connecting to "udcdc"
Logging in as current user using SSPI
Importing directory from file "usr.ldif"
Loading entries
Add error on entry starting on line 1: No Such Attribute
The server side error is: 0x57 The parameter is incorrect.
The extended server error is:
00000057: LdapErr: DSID-0C090C3E, comment: Error in attribute conversion operation, data 0, v1db1
0 entries modified successfully.
An error has occurred in the program
No log files were written. In order to generate a log file, please
specify the log file path via the -j option.
So I still cannot do the proper import.
I tried the links from Mr. Miya, but they didn't help me to solve it.
-
Tuesday, June 19, 2012 1:08 PM
OK, so try once again but... first remove the comment from the attribute ( <-- you can skip this class ) :D
Paste the below code:
dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: IT account with read write delete permission.
objectclass: user
objectclass: groupOfUniqueNames
cn: @IT(RWD)
sAMAccountName: @IT(RWD)

And please also specify the -j option to enable logging by adding it to the syntax:
ldifde -i -f usr.ldif -s [servername] -j c:\output.log
Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com
- Marked As Answer by Miya Yao (Moderator) Thursday, June 21, 2012 7:54 AM
-
Wednesday, June 20, 2012 5:35 AM
Thank you very much, Sir.
I was now able to import this single user after removing the whole line "objectclass: groupOfUniqueNames",
and I'm really sorry for not realizing the comment before.
I'm now going to update all the records as per this one and do the import.
Many thanks.
-
Wednesday, June 20, 2012 8:16 AM
Sorry for coming back :)
I did import all the list I have.
The point now is, when I go to the Account page in ADUC for any user, I find that the "User Logon Name" field is empty; only the "User Logon Name (Pre-Windows 2000)" field has the data.
Is it also possible to fill the user logon name field, to have the logon name with the domain name?
-
Wednesday, June 20, 2012 8:42 AM
The field you want is userPrincipalName. You can add a line to the ldif file similar to:
userPrincipalName: IT(RWD)@udcdev.local
-----
However, note that users can always logon using sAMAccountName@MyDomain.com, where sAMAccountName is the "pre-Windows 2000 logon" name of the user and MyDomain.com is the name of the domain. It's as if this is the default userPrincipalName. Also, what follows the "@" character should be a valid upn suffix for the domain, so I'm not sure what will happen if there is another "@" character in the userPrincipalName.
Richard Mueller - MVP Directory Services
-
Wednesday, June 20, 2012 8:45 AM
Good to hear that it works for you :) Yes, you can also add this attribute's value. You need to set up userPrincipalName, but in your case it requires some special character, so let's check if it will work this way.
Normally, you only need to add
userPrincipalName: username@domain.local
but in your case @ (at) is in the name at the beginning, so we need to try the \@ combination to see if it allows adding it to a name.
Check this below code:
dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
description: IT account with read write delete permission.
objectclass: user
cn: @IT(RWD)
sAMAccountName: @IT(RWD)
userPrincipalName: \@IT(RWD)@udcdev.local

However, have you considered using another (more convenient) method for the new user creation process, like DSTools (DSADD), the Windows PowerShell module for AD, or the Quest PowerShell module for AD?
Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com
- Marked As Answer by Miya Yao (Moderator) Thursday, June 21, 2012 7:54 AM
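Pulling together Krzysztof's points above (groups need groupType and sAMAccountName, users need objectClass user and sAMAccountName, and the UPN is written without a backslash), here is a small pre-flight check and generator for LDIF records before handing them to ldifde; this is an added example, not code from the thread or from Microsoft, and the function names parse_ldif, check_entry, group_entry and user_entry are my own.

```python
# groupType values from Krzysztof's reply; security groups have the sign bit set.
SECURITY_GLOBAL = -2147483646
SECURITY_DOMAIN_LOCAL = -2147483644
SECURITY_UNIVERSAL = -2147483640

# Attributes the thread found mandatory per objectClass (lowercased for lookup).
REQUIRED = {"group": {"samaccountname", "grouptype"}, "user": {"samaccountname"}}

def parse_ldif(text):
    """Split LDIF into entries: a list of dicts mapping lowercased attribute
    name -> list of values. Entries are separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries

def check_entry(entry):
    """Return the problems ldifde would reject this entry for, as strings."""
    problems = []
    if "==" in entry.get("dn", [""])[0]:
        problems.append("malformed RDN in dn (double '=')")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "groupofuniquenames" in classes:
        problems.append("groupOfUniqueNames is not an AD group class; use 'group'")
    for cls, needed in REQUIRED.items():
        if cls in classes:
            for attr in sorted(needed - set(entry)):
                problems.append(f"{cls} entry is missing mandatory {attr}")
    return problems

def group_entry(cn, base_dn, group_type=SECURITY_GLOBAL):
    """LDIF add record for an AD group with groupType and sAMAccountName set."""
    return (f"dn: cn={cn},{base_dn}\nchangetype: add\nobjectClass: group\n"
            f"cn: {cn}\nsAMAccountName: {cn}\ngroupType: {group_type}\n")

def user_entry(cn, base_dn, upn_suffix):
    """LDIF add record for a user; no backslash in the UPN (escape only applies in DNs)."""
    return (f"dn: cn={cn},{base_dn}\nchangetype: add\nobjectClass: user\n"
            f"cn: {cn}\nsAMAccountName: {cn}\nuserPrincipalName: {cn}@{upn_suffix}\n")
```

Running check_entry over the original Groups.ldif entries reports the groupOfUniqueNames problem that produced the OBJ_CLASS_VIOLATION in the first post; the generated records still leave passwords unset, so the dsmod step from Krzysztof's reply is still needed afterwards.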
-
Wednesday, June 20, 2012 9:04 AM
Thank you Richard, thank you Krzysztof.
I tried the code sent by Mr. Krzysztof; it works fine without the "\".
When I put the userPrincipalName as \@IT(RWD)@udcdev.local, the logon name came out as \@IT(RWD), so I simply removed the "\" and it came out fine.
Thank you very much.
-
Wednesday, June 20, 2012 3:23 PM
The backslash is the AD escape character, but it only has meaning in distinguished names. You cannot escape characters in a string attribute like userPrincipalName. So that explains why you can assign the value without the backslash to the userPrincipalName attribute. However, make sure you can logon with "@IT(RWD)@udcdev.local". I have not tested such a scenario, and some references seem to indicate that the upn suffix is validated at some point.
Richard Mueller - MVP Directory Services
-
Wednesday, June 20, 2012 4:23 PM
I tested a user account with userPrincipalName similar to "@username@mydomain.com", and I was able to logon with this name. This must be valid.
Richard Mueller - MVP Directory Services
-
Wednesday, June 20, 2012 4:29 PM
That's good to know, because I've never seen this before :) That's a really interesting name convention :D
Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com