In the spirit of “the best way to get a correct answer is to post an obviously wrong answer on USENET”, I hereby present the most efficient method of mass-alteration of LDAP user entities I can think of.
You probably shouldn’t do this.
As you know, LDAP is a terrible protocol for getting basic user information and handling authentication of them. You also probably know that it is a well-established standard, and so it is likely to be among (or the sole) method of getting authentication in your new application without maintaining yet another username/password database. Also, the replacements for LDAP tend to want to use LDAP as a source of knowledge.
There is, effectively, one open-source LDAP server: OpenLDAP, also called slapd. There are effective but non-powerful tools to manipulate the data: ldapmodify. Do not be deceived by the existence of ldapdelete: those are ldapmodify in disguise.
When setting up users in that tenuous space between four and many – if there are four, you can probably ask them all to come sit down and type in a password, whereas many is the number where that just isn’t feasible – I have found that the best plan is as follows:
1. Construct an ldif file for your users with the help of migrationtools, which is probably in a package of that name.
2. Edit the ldif file with the help of vim or emacs, whichever makes you happiest. Use lots of regexps. For example, the form

   s/cn: \(\a*\) \(\a*\)/cn: \1 \2\rgn: \1/

   looks for common names (Maeve Binghy), separates them at the first space, and writes the given name field (gn) on the next line. You can do a similar thing with sn: \2 to get the surname field. There are falsehoods you should know about names, and this violates several of them – but it gets you going.
3. Then make careful edits.
4. Then delete all the dn's that you no longer care about and re-insert them. If you grep the dn: field out of your ldif into a new one, then remove the prefix dn:, ldapdelete will take that. Make sure you have blank lines separating them.
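The same cn-to-given-name/surname split, done as an added example rather than with the vim regexp above (this is not code from the post): it parses a constructed LDIF dump, derives givenName and sn from cn, and emits a changetype: modify LDIF that ldapmodify applies in place, so the entries do not have to be deleted and re-added. It also produces the bare DN list the post's grep step builds for ldapdelete. The sample entries, DNs and the first-word/rest split rule are assumptions; a cn with no space (such as root) is left alone rather than guessed at.

```python
import re

# Constructed sample, shaped like migrationtools output (not real directory data).
SAMPLE_LDIF = """\
dn: uid=mbinghy,ou=People,dc=example,dc=com
uid: mbinghy
cn: Maeve Binghy

dn: uid=root,ou=People,dc=example,dc=com
uid: root
cn: root
"""

def parse_ldif(text):
    """Split LDIF into (dn, {attr: [values]}) tuples. Entries are separated
    by blank lines; folded continuation lines are not handled."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key, []).append(value)
        entries.append((attrs.pop("dn")[0], attrs))
    return entries

def split_cn(cn):
    """Return (givenName, sn) from a 'First Rest' cn, or None when the cn
    has no space (e.g. 'root'): guessing a surname there would be wrong."""
    parts = cn.split(maxsplit=1)
    return None if len(parts) < 2 else (parts[0], parts[1])

def modify_ldif(text):
    """Emit 'changetype: modify' records that set givenName and sn in place.
    'replace' works whether or not the attribute already exists on the entry."""
    out = []
    for dn, attrs in parse_ldif(text):
        names = split_cn(attrs.get("cn", [""])[0])
        if names is None:
            continue  # leave single-word cn entries untouched
        given, surname = names
        out.append(f"dn: {dn}\nchangetype: modify\nreplace: givenName\n"
                   f"givenName: {given}\n-\nreplace: sn\nsn: {surname}\n")
    return "\n".join(out)

def delete_list(text):
    """Bare DNs, one per line, in the form ldapdelete -f reads."""
    return "\n".join(dn for dn, _ in parse_ldif(text))
```

Feed the output of modify_ldif to ldapmodify -f; the single-word entry is skipped, which is exactly the case the vim regexp would mangle.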
There, I told you it was awful.
UPDATE: Apparently I’m not the only one.
apt show ldapvi:

Package: ldapvi
Version: 1.7-10+b3
Section: text
Maintainer: Rhonda D'Vine <email@example.com>
Homepage: http://www.lichteblau.com/ldapvi/
APT-Sources: http://http.debian.net/debian buster/main amd64 Packages
Description: perform an LDAP search and update results using a text editor
 From a first glance ldapvi looks like ldapsearch: You search for entries in the ldap database. But the results get opened in your preferred editor, and you can change, add or delete entries from there. After you are done you quit the editor and ldapvi offers you several options: View your changes as LDIF, commit changes or discard them.
I rest my case.