Import ActiveDirectory LDIF into OpenDJ/OpenDS?

Question

I need to test a LDAP synchronization service.

For that reason, I've installed OpenDJ (formerly OpenDS) LDAP server on my developer machine (ApacheDS requires admin privileges for starting/stopping a service - I don't have them & I don't get them).

OpenDS allows me to populate the LDAP with 2000 sample entries.
Unfortunately, they aren't very AD conformant:

I need an ActiveDirectory properties structure:

I used an LDIF-generator from here to generate the ActiveDirectory entries.
Then I tried importing them with Apache Directory Studio:

But on importing, I get this error: [LDAP: error code 65 - Entry cn=Trang Eastus,ou=Product Testing,dc=example,dc=com violates the Directory Server schema configuration because it includes attribute sAMAccountName which is not allowed by any of the objectclasses defined in that entry]

How can I import a ActiveDirectory schema with Apache Directory Studio ?
Or more generically asked, how can I get these entries in there, ASAP ?

score 0 · Answer 1 · answered Jul 05 '16 at 13:55

0

Active Directory attribute types are not standard, so they do not come bundled in OpenDJ.

So you first need to modify OpenDJ's schema to allow adding Active Directory attributes. I suspect you would have the same kind of problems with other LDAP servers like OpenLDAP.

answered Jul 05 '16 at 13:55

JnRouvignac

807
5
19

Sorry I missed the last bit. – JnRouvignac Jul 05 '16 at 19:04
I do not know the schema for AD so I cannot help you on this subject. – JnRouvignac Jul 05 '16 at 19:05

score 0 · Answer 2 · answered Jul 06 '16 at 07:04

0

I don't think Active Directory exposes its schema in an LDAP compliant way. What most users are doing when synchronizing data between AD and other LDAP servers such as OpenDJ is mapping AD attributes and objectclasses to LDAP attributes and objectclasses.

This said, you should be able to reconstruct a "user" LDAP objectclass based on Microsoft documentation of their schema. The best source I found is this table : http://www.kouti.com/tables/userattributes.htm. I don't think anyone has been down that route and efforts.

Beware, in LDAP worlds, the hierarchy of person objectclasses is person, organizationalPerson, inetOrgPerson. In MS AD world, the objectclass user is in the middle : person, organizationalPerson, user, inetOrgPerson.

answered Jul 06 '16 at 07:04

Ludovic Poitou

4,788
2
21
30

You mean alter the LDIF file before importing data. Well, actually I know I can do that, but I need to port over AD sample entries for users + groups. The purpose is having a Directory where I can add, remove, change groups for testing purposes. I also need to import all groups and users to see if it works. I can't do that on the productive domain controller - that would be disastrous... So in order to test my software, the attributes need to be called the same, and the classnames need to be called the same... everything else is negotiable, just not class&attribute names... – Stefan Steiger Jul 06 '16 at 07:39
Basically I just need a local copy of the production activedirectory (users + groups, without passwords) which I can modify, so I can test my software. I also have no administrator rights, and I'm not getting them either. Also I have no direct access to the AD server. I can create an LDIF from OUs, users, groups, etc. but that's of little value when I can't import them (the users). Unfortunately, samaccountname is the windows username. The AD contains 50'000 users, and I need to do performance testing on continually syncing that customer AD with our software's database, plus testing edgeCases. – Stefan Steiger Jul 06 '16 at 07:42

Import ActiveDirectory LDIF into OpenDJ/OpenDS?

2 Answers2