LDIF File Import Into Active Directory

    Question

  • I was requested to create new groups in my Active Directory, using the below Groups.ldif file:
     
    ================================================================

    dn: cn=admin,ou=groups,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: Oracle application software ECM system group.
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: admin

    dn: cn=sysmanager,ou=groups,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: Oracle application software ECM system group.
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: sysmanager

    dn: cn=UDCGroupUser,ou=groups,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: Oracle application software ECM system group.
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: UDCGroupUser

    ===================================================================
     
    In my AD Users and Computers, I created the OUs Applications, ECM and groups.

    Now when I run the command:

    ldifde -i -f groups.ldif -s [servername]

    I'm getting the error
     
    ---------------------------------------------------------------------------
     
    Connecting to "udcdc.udcdev.local"
     Logging in as current user using SSPI
     Importing directory from file "groups.ldif"
     Loading entriesAdd error on entry starting on line 1: Object Class Violation
     The server side error is: 0x207c A required attribute is missing.
     The extended server error is:
     0000207C: UpdErr: DSID-031511EA, problem 6002 (OBJ_CLASS_VIOLATION), data 0
     
    --------------------------------------------------------------------------------------------------
     
    What is wrong with my ldif file or with the command?
    

    Monday, June 18, 2012 4:30 AM

Answers

  • OK, so try once again but... first remove a comment from attribute ( <-- you can skip this class ) :D

    Paste below code

    dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: IT account with read write delete permission.
    objectclass: user
    objectclass: groupOfUniqueNames
    cn: @IT(RWD)
    sAMAccountName: @IT(RWD)

    and please also specify -j option to enable logging by adding into syntax

    ldifde -i -f usr.ldif -s [servername] -j c:\output.log


    Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com

    Tuesday, June 19, 2012 1:08 PM
  • Good to hear that it works for you :) Yes, you can also add this attribute's value. You need to set up UserPrincipalName, but in your case it requires a special character, so let's check if it will work this way.

    Normally, you only need to add

    UserPrincipalName: username@domain.local

    In your case @ (at) is at the beginning of the name, so we need to try the \@ combination to see if it allows adding it to a name.

    Check this below code

    dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: IT account with read write delete permission.
    objectclass: user
    cn: @IT(RWD)
    sAMAccountName: @IT(RWD)
    userPrincipalName: \@IT(RWD)@udcdev.local

    However, have you considered using another (more convenient) method of new user creation process, like DSTools (DSADD) or Windows PowerShell module for AD, Quest PowerShell module for AD ?


    Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com

    Wednesday, June 20, 2012 8:45 AM
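    The defects this thread runs into one at a time (a group or user record without the attributes AD insists on, the pasted "<-- you can skip this class" comment that ldifde handed to the server as part of the attribute value, and a DN typed as ou==ECM) can all be caught before ldifde is run. The script below is an added example written for this page, not code from the thread, from Microsoft or from Oracle. Its required-attribute table is an assumption limited to the attributes discussed in the thread, the groupType bit values are the documented ADS_GROUP_TYPE flags, and the LDIF sample is constructed from the records posted above.

```python
"""Offline pre-import lint for an LDIF file destined for `ldifde -i`.

Added example (not code from this thread or from Microsoft). It catches the
three defects the thread hits before the server does: a user or group record
without the attributes AD insists on, an inline comment that ended up inside
an attribute value, and a DN with a doubled "=" in one component.
"""
import re

# Assumption: only the attributes discussed in the thread. The real AD schema
# has more mustContain attributes; extend the table for your own objects.
REQUIRED = {
    "user": {"samaccountname"},
    "group": {"samaccountname", "grouptype"},
}

# Documented groupType flag bits (ADS_GROUP_TYPE_ENUM).
GT_GLOBAL, GT_DOMAIN_LOCAL, GT_UNIVERSAL = 0x2, 0x4, 0x8
GT_SECURITY_ENABLED = 0x80000000
SCOPE_NAMES = {GT_GLOBAL: "Global", GT_DOMAIN_LOCAL: "DomainLocal", GT_UNIVERSAL: "Universal"}

# One "attr=value" RDN per component, joined by commas. Escaped commas inside
# values ("\,") are not handled; none occur in the thread's DNs.
DN_RE = re.compile(r"\w+=[^,=]+(,\w+=[^,=]+)*")


def parse_ldif(text):
    """Split LDIF text into records: a list of {attr (lowercased): [values]}.
    Records end at a blank line; a line starting with a space continues the
    previous value; '#' lines are comments; '::' base64 values stay encoded."""
    records, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            current[last][-1] += raw[1:]
            continue
        line = raw.rstrip()
        if not line:
            if current:
                records.append(current)
            current, last = {}, None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        if value.startswith(":"):          # attr:: base64value
            value = value[1:]
        last = name.strip().lower()
        current.setdefault(last, []).append(value.strip())
    if current:
        records.append(current)
    return records


def decode_group_type(value):
    """Return (scope, kind) for a groupType value as written in LDIF.
    The attribute is a signed 32-bit integer, so mask to 32 bits first."""
    gt = int(value) & 0xFFFFFFFF
    scope = SCOPE_NAMES.get(gt & (GT_GLOBAL | GT_DOMAIN_LOCAL | GT_UNIVERSAL))
    kind = "Security" if gt & GT_SECURITY_ENABLED else "Distribution"
    return scope, kind


def lint_record(rec):
    """Return the list of problems found in one parsed record (empty if clean)."""
    problems = []
    dn = rec.get("dn", [""])[0]
    if not DN_RE.fullmatch(dn):
        problems.append(f"malformed DN: {dn}")
    for attr, values in rec.items():
        for v in values:
            if "<--" in v:                 # prose pasted after the value
                problems.append(f"inline comment in value of {attr}: {v!r}")
    classes = {c.lower() for c in rec.get("objectclass", [])}
    for cls in sorted(classes.intersection(REQUIRED)):
        for need in sorted(REQUIRED[cls]):
            if need not in rec:
                problems.append(f"{cls} {dn} is missing required attribute {need}")
    if "grouptype" in rec and decode_group_type(rec["grouptype"][0])[0] is None:
        problems.append(f"groupType {rec['grouptype'][0]} names no valid scope")
    return problems


def lint_ldif(text):
    """Lint every record; returns [(dn, problems), ...] in file order."""
    return [(rec.get("dn", [""])[0], lint_record(rec)) for rec in parse_ldif(text)]


# Constructed sample assembled from records that appear in the thread.
SAMPLE = """dn: cn=admin,ou=groups,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
objectclass: group
cn: admin

dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
objectclass: user
objectclass: groupOfUniqueNames <-- you can skip this class
cn: @IT(RWD)
sAMAccountName: @IT(RWD)

dn: cn=@IT(R),ou=accounts,ou==ECM,ou=applications,dc=udcdev,dc=local
changetype: add
objectclass: user
cn: @IT(R)
sAMAccountName: @IT(R)

dn: cn=sysmanager,ou=groups,ou=ECM,ou=applications,dc=udcdev,dc=local
changetype: add
objectclass: group
cn: sysmanager
sAMAccountName: sysmanager
groupType: -2147483646
"""

if __name__ == "__main__":
    for dn, problems in lint_ldif(SAMPLE):
        print(dn, "->", problems or "ok")
```

    Running it reports two missing attributes on the first group, the inline comment on the first user, the malformed DN on the second user, and nothing on the last group, whose groupType -2147483646 decodes as a security-enabled global group. Running the lint before `ldifde -i` is cheaper than reading the server's "Object Class Violation" or "Error in attribute conversion operation" after the fact, and the `-j` log option the thread recommends still belongs on the real import.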

All replies

  • Only the most specific objectClass should be specified. In your case, do not use "objectClass: top". Are you sure you want to create objects of class groupOfUniqueNames? As I understand it this is for a collection of unique names. Normally, groups are "objectClass: group".


    Richard Mueller - MVP Directory Services

    Monday, June 18, 2012 5:49 AM
  • This is how I received the request from the application consultant.

    This request was to integrate our Windows 2008 AD with some Oracle application.

    When I asked them about this object class, they had no idea about it, because they are Linux guys who don't know much about Windows AD, but this is the format they want it in.

    They also requested to add some users, and even the format of the ldif file for user creation is really confusing me.

    A sample of a few lines of that ldif file for user creation is as below:

    dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: IT account with read write delete permission.
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: @IT(RWD)

    dn: cn=@IT(R),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: IT account with read permission.
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: @IT(R)

    Any help I can get regarding this?

    Many thanks

    Monday, June 18, 2012 6:26 AM
  • I think that this LDIFDE syntax and file are proper but you have missed some mandatory attributes to create new group(s) :)

    Try to add within each section:

    groupType and sAMAccountName attributes which are mandatory.

    Group types are:

    "groupType=8" - Universal groups
    "groupType=4" - Global groups
    "groupType=2" - Domain Local groups
    "grouptype=-2147483640" - Security Universal groups
    "grouptype=-2147483646" - Security Global groups
    "grouptype=-2147483644" - Security Domain Local groups

    http://www.petri.co.il/forums/showthread.php?t=24690

    and sAMAccountName is a group name


    Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com

    Monday, June 18, 2012 8:24 AM
  • Thank you too much sir,

    For the groups it was only 3 groups, so I managed to add them manually,

    but now I have this ldif file to import around 200 user accounts.

    I'm not sure if this format is acceptable, because I couldn't import it using the ldifde command.

    Please find below part of the ldif file and advise what should be done to import it:

    dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: IT account with read write delete permission.
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: @IT(RWD)

    dn: cn=@IT(R),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: IT account with read permission.
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: @IT(R)

    dn: cn=@IT(RW),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: IT account with read write permission.
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: @IT(RW)

    dn: cn=@IT(RWDA),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: IT account with read write delete admin permission.
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: @IT(RWDA)

    dn: cn=@IA(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: IA account with read write delete permission.
    objectclass: top
    objectclass: groupOfUniqueNames
    cn: @IA(RWD)

    The import error message is:

    Loading entriesAdd error on entry starting on line 1: Object Class Violation
    The server side error is: 0x207c A required attribute is missing

    • Edited by HotTrigger Tuesday, June 19, 2012 5:27 AM
    Tuesday, June 19, 2012 5:20 AM
  • So, in this case you should also set up sAMAccountName and specify proper objectClass as the attributes are mandatory during user creation. Please take a look at example record and fix the rest

    dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: IT account with read write delete permission.
    objectclass: user
    objectclass: groupOfUniqueNames <-- you can skip this class
    cn: @IT(RWD)
    sAMAccountName: @IT(RWD)

    Please run an import just for few users at the beginning to test syntax. However, remember that those users will be created with empty password and their account are disabled. Setting password over LDIFDE is inconvenient, so I would suggest another method for setting password up and enabling accounts. Create after all a flat text file with dn attributes, one per line and save file as users.txt on C-Drive

    example:

    cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
    cn=@IT(R),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local

    In command-line run below query

    for /f "tokens=*" %i in (c:\users.txt) do dsmod user "%i" -pwd UserPassword -disabled no -mustchpwd yes -pwdneverexpires no -canchpwd yes


    Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com

    Tuesday, June 19, 2012 6:32 AM
  • Quote from the error:

    Loading entriesAdd error on entry starting on line 1: Object Class Violation
    The server side error is: 0x207c A required attribute is missing

    It seems the specified object class does not exist.

    I also didn't understand why you set "ObjectClass: top". Where does that TOP come from? Maybe you can ask Oracle for more information since they require that.

    I see that error when trying to use the Active Directory Application Mode (ADAM) Synchronizer (Adamsync.exe) tool to synchronize the Active Directory objects to an ADAM instance on a Windows Server 2003-based or Windows Server 2008-based computer; details are included here: http://support.microsoft.com/kb/923835. You may have a look at that.

    Here's a Step-by-Step Guide to Bulk Import and Export to Active Directory for your reference.

    Regards,
    Miya


    Miya Yao

    TechNet Community Support

    Tuesday, June 19, 2012 8:03 AM
  • dear iSiek,

    I copied the lines in your reply and pasted them in a new file, so it looked like:

    dn: cn=@IT(RWD),ou=accounts,ou=ECM,ou=applications,dc=udcdev,dc=local
    changetype: add
    description: IT account with read write delete permission.
    objectclass: user
    objectclass: groupOfUniqueNames <-- you can skip this class
    cn: @IT(RWD)
    sAMAccountName: @IT(RWD)

    and now when I try to import it as a trial example, I get the error:

    Connecting to "udcdc"
    Logging in as current user using SSPI
    Importing directory from file "usr.ldif"
    Loading entriesAdd error on entry starting on line 1: No Such Attribute
    The server side error is: 0x57 The parameter is incorrect.
    The extended server error is:
    00000057: LdapErr: DSID-0C090C3E, comment: Error in attribute conversion operation, data 0, v1db1
    0 entries modified successfully.
    An error has occurred in the program
    No log files were written.  In order to generate a log file, please
    specify the log file path via the -j option.

    So I still cannot do the proper import.

    I tried the links from Mr. Miya, but they didn't help me solve it.

    Tuesday, June 19, 2012 12:58 PM
  • Thank you too much Sir,

    I was now able to import this single user after removing the whole line for "objectclass: groupOfUniqueNames",

    and I'm really sorry for not noticing the comment before.

    I'm going now to update all the records as per this one and do the import.

    Many thanks.

    Wednesday, June 20, 2012 5:35 AM
  • Sorry for coming back :)

    I did import the whole list I have.

    The point now is that when I go to the Account page in ADUC for any user, I find that the "User Logon Name" field is empty; only the "User Logon Name (Pre-Windows 2000)" field has the data.

    Is it also possible to fill the user logon name field so that the logon name includes the domain name?

    Wednesday, June 20, 2012 8:16 AM
  • The field you want is userPrincipalName. You can add a line to the ldif file similar to:

    userPrincipalName: IT(RWD)@udcdev.local

    -----

    However, note that users can always logon using sAMAccountName@MyDomain.com, where sAMAccountName is the "pre-Windows 2000 logon" name of the user and MyDomain.com is the name of the domain. It's as if this is the default userPrincipalName. Also, what follows the "@" character should be a valid upn suffix for the domain, so I'm not sure what will happen if there is another "@" character in the userPrincipalName.


    Richard Mueller - MVP Directory Services

    Wednesday, June 20, 2012 8:42 AM
  • Thank you Richard, thank you Krzysztof,

    I tried the code sent by Mr. Krzysztof; it works fine without the "\".

    When I put the userPrincipalName as \@IT(RWD)@udcdev.local, the login name came out as \@IT(RWD), so I simply removed the "\" and it came out fine.

    Thank you too much.

    Wednesday, June 20, 2012 9:04 AM
  • The backslash is the AD escape character, but it only has meaning in distinguished names. You cannot escape characters in a string attribute like userPrincipalName. So that explains why you can assign the value without the backslash to the userPrincipalName attribute. However, make sure you can logon with "@IT(RWD)@udcdev.local". I have not tested such a scenario, and some references seem to indicate that the upn suffix is validated at some point.


    Richard Mueller - MVP Directory Services

    Wednesday, June 20, 2012 3:23 PM
  • I tested a user account with userPrincipalName similar to "@username@mydomain.com", and I was able to logon with this name. This must be valid.


    Richard Mueller - MVP Directory Services

    Wednesday, June 20, 2012 4:23 PM
  • That's good to know because I've never seen this before :) That's really interesting name convention :D

    Regards, Krzysztof ---- Visit my blog at http://kpytko.wordpress.com

    Wednesday, June 20, 2012 4:29 PM