Create Contacts in Batch Mode Using LDAP Data

Batch Import Contacts Using LDAP Data
You can run the pdm_ldap_import command-line utility to create CA SDM contacts in batch mode using LDAP data.
In addition to creating contacts, pdm_ldap_import updates existing contacts if they are not synchronized with their corresponding LDAP entries. You can use the pdm_ldap_sync batch process to update existing contacts, but not to create new ones.
When you import contacts using LDAP data, restart the CA SDM services if you encounter the following error: 
pdm_ldap_import: Method got_record in Ldap_Group_Catcher failed (LDAP agent not found).
pdm_ldap_import has the following syntax:
pdm_ldap_import -n "domain_name" -l "ldap_where_clause" [-c "contact_where_clause"] [-u "userid"]
  • -n "domain_name"
    Specifies the LDAP directory domain name from where you want to import contacts to CA SDM. If you do not specify the domain name, CA SDM retrieves the data using the default LDAP domain name.
  • -l "ldap_where_clause"
    Specifies the userids of LDAP records to be searched. Replacement variables are indicated with the '?' character. For example, userid = ?. The default value is userid = ?. In this special case, id is mapped to the contact attribute ldap_dn.
    Note: Use the keywords as defined in the ldap.maj file. You can also search by using the memberOf = 'group_dn' syntax.
  • -c "contact_where_clause"
    (Optional) Specifies how to determine whether the contact record already exists. If the contact record does not exist, a new contact record is inserted. If the contact record does exist and is not synchronized with the current LDAP data, the contact record is updated.
  • -u "userid"
    (Optional) Specifies the login name under which the pdm_ldap_import program runs.
You can use wildcards with pdm_ldap_import to specify multiple records.
Examples: Batch Imports Using LDAP Data
This example imports a single LDAP record for userid jsmith11 from the LDAP directory with the domain name example.com:
pdm_ldap_import -n "example.com" -l "userid = 'jsmith11'"
This example imports all LDAP records with a userid that begins with the letter C from the LDAP directory with the domain name example.com:
pdm_ldap_import -n "example.com" -l "userid = 'c%'"
This example imports all LDAP User records in the directory from the LDAP directory with the domain name example.com:
pdm_ldap_import -n "example.com" -l "userid = '%'"
Batch Import Contacts by Date and Time
You can configure the pdm_ldap_import utility to import LDAP records that were created before or after a specified date and time. To enable this functionality, create an ldap.mod file with the following content:
OBJECT ldap {
  ATTRIBUTES LDAP_Entry {
    whenCreated whenCreated STRING ;
  };
};
This adds the whenCreated attribute to the LDAP object.
The rules for filtering records using the whenCreated attribute are as follows:
  • Use only the >= or <= operator.
  • Specify all characters for the date/time value, including the Z. Place a 0 in any location you do not wish to explicitly state (for example, the time of day).
  • Place the date/time specification at the beginning of the filter; do not use leading 0s at the beginning of the string.
  • Do not include the leading century. For example, to specify the year 2008, use 08.
Single quotation marks must surround the date/time value.
Example: Using the whenCreated Attribute to Import LDAP Entries
The following example uses the whenCreated attribute to import LDAP entries created after 3/11/2008.
pdm_ldap_import -l "whenCreated >= '080312000000Z'"
Example: Using the whenCreated Attribute to Search for LDAP Records
The following example uses the whenCreated attribute with pdm_ldap_test to search for LDAP records created after 3/11/2008.
pdm_ldap_test.exe -f "whenCreated>=080312000000Z" -a whenCreated
Starting ldap_test.exe...
LDAP Directory Type : active directory
Service Desk Platform : windows
Search Base : DC=kirklandsd,DC=ca,DC=com
Search Filter : (&(objectClass=person)(whenCreated>=080312000000Z))
Administrator Username : CN=Administrator,CN=Users,DC=kirklandsd,DC=ca,DC=com
Administrator Password : **********
LDAP Host : gecko.kirklandsd.ca.com
LDAP Port : 389
LDAP API Version : 3
DN: CN=aixmail,CN=Users,DC=kirklandsd,DC=ca,DC=com
whenCreated(17)(0): 20080312035327.0Z
DN: CN=hpmail,CN=Users,DC=kirklandsd,DC=ca,DC=com
whenCreated(17)(0): 20080312035425.0Z
DN: CN=sunmail,CN=Users,DC=kirklandsd,DC=ca,DC=com
whenCreated(17)(0): 20080312035726.0Z
3 Total LDAP records found...
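The whenCreated rules above, applied in code. This is an added example, not part of the original article or of CA SDM: it turns a timestamp as printed by pdm_ldap_test (with century and fraction) into the two-digit-year form the -l clause expects, and builds the command as an argument list so the nested quotes never pass through a shell. The function names are hypothetical, and naive datetimes are assumed to already be in UTC.

```python
import re
from datetime import datetime, timezone

ALLOWED_OPERATORS = (">=", "<=")  # the only operators the article allows


def from_directory_value(raw):
    """Parse a value as printed by pdm_ldap_test, e.g. 20080312035327.0Z."""
    match = re.fullmatch(r"(\d{14})(?:\.\d+)?Z", raw.strip())
    if match is None:
        raise ValueError(f"not a directory timestamp: {raw!r}")
    # strptime also rejects impossible dates such as month 13.
    parsed = datetime.strptime(match.group(1), "%Y%m%d%H%M%S")
    return parsed.replace(tzinfo=timezone.utc)


def when_created_clause(operator, moment):
    """Return the -l clause: every field present, no century, trailing Z."""
    if operator not in ALLOWED_OPERATORS:
        raise ValueError("whenCreated filters accept only >= or <=")
    if moment.tzinfo is not None:
        moment = moment.astimezone(timezone.utc)  # assumption: Z means UTC
    # %y drops the century; unset time-of-day fields format as zeros.
    value = moment.strftime("%y%m%d%H%M%S") + "Z"
    return f"whenCreated {operator} '{value}'"  # single quotes are required


def import_argv(operator, moment, domain=None):
    """Argument list for subprocess.run(argv), with no shell involved."""
    argv = ["pdm_ldap_import"]
    if domain is not None:
        argv += ["-n", domain]
    return argv + ["-l", when_created_clause(operator, moment)]
```
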
Batch Import Summary and Log Data
The pdm_ldap_import command maintains a detailed log of all activity of each run. The ldap_logging.0-n log file is located in the $NX_ROOT/log directory.
The following is an example of the summary data pdm_ldap_import returns at the command line:
pdm_ldap_import Starting...
pdm_ldap_import Summary: Processed(21) Updated(1) No Matches(7) New Contacts(11) Multiple Matches(0) Empty Filter(2) Errors(0)
pdm_ldap_import Complete...
The following table describes the summary data.
Status | Count | Description
Processed | 21 | The number of CA SDM contacts with corresponding LDAP entries.
Updated | 1 | The number of contact records that were updated because the corresponding LDAP entry contained different information.
No Matches | 7 | The number of CA SDM contact records with no corresponding LDAP entries.
New Contacts | 11 | The number of new contact records that were created based on corresponding LDAP entries.
Multiple Matches | 0 | The number of LDAP entries with multiple matching contact records, as defined by the ldap_search_base option.
Empty Filter | 2 | The number of LDAP entries that cannot be used to generate a valid search filter.
Errors | 0 | The number of LDAP entries that encountered an error during processing. For example, LDAP records that do not contain a value in a field required by CA SDM (such as Last Name) are counted as failures and cannot be imported.
Batch Update Contacts Using LDAP Data
You run the pdm_ldap_sync utility to update contact records in batch mode using LDAP data.
This utility overwrites the existing tenant of the LDAP contact defined in CA SDM. If you want to retain the tenant value, you must modify NX.env by adding the NX_RETAIN_TENANT_VALUE variable manually, and set it to "yes". If this variable is set to "no", missing, or not set properly, the utility overwrites the tenant information.
The pdm_ldap_sync utility synchronizes existing contacts with corresponding LDAP entries, but does not create contacts. You can use the pdm_ldap_import batch process to create contacts.
pdm_ldap_sync has the following syntax:
pdm_ldap_sync -n "domain_name" -l "ldap_where_clause" [-c "contact_where_clause"] [-u "userid"]
  • -n "domain_name"
    Specifies the LDAP directory domain name from where you want to import contacts to CA SDM. If you do not specify the domain name, CA SDM retrieves the data using the default LDAP domain name.
  • -l "ldap_where_clause"
    Determines how to search for matching LDAP records. Replacement variables are indicated with the '?' character. For example, for userid = ?, the default value is id = ?. In this special case, id is mapped to the Contact attribute ldap_dn.
  • -c "contact_where_clause"
    (Optional) Determines which contacts are used when searching for matching LDAP records.
    Default: "ldap_dn IS NOT NULL"
  • -u "userid"
    (Optional) Specifies the userid under which pdm_ldap_sync runs.
You can use wildcards with pdm_ldap_sync to specify multiple records.
Examples:
This example establishes a baseline of contact records that have a corresponding LDAP record:
pdm_ldap_sync -n "example.com" -l "userid = ?" -c ""
This example uses the default parameters to update all contacts that have an LDAP distinguishedName:
pdm_ldap_sync -n "example.com"
This example updates a single contact:
pdm_ldap_sync -n "example.com" -l "userid = ?" -c "userid = 'jsmith11'"
Batch Update Summary and Log Data
The pdm_ldap_sync command maintains a detailed log of all activity for every run. The ldap_logging.0-n file is located in the $NX_ROOT/log directory.
The following is an example of the summary data pdm_ldap_sync returns at the command line:
pdm_ldap_sync Starting...
pdm_ldap_sync Summary: Processed(21) Updated(1) No Matches(7) No Changes(11) Multiple Matches(0) Empty Filter(2) Errors(0)
pdm_ldap_sync Complete...
The following table describes the summary data:
Status | Count | Description
Processed | 21 | The number of CA SDM contacts with corresponding LDAP entries.
Updated | 1 | The number of LDAP entries with information different from their corresponding CA SDM contact record.
No Matches | 7 | The number of CA SDM contact records with no corresponding LDAP entries.
No Changes | 11 | The number of LDAP entries with information identical to their corresponding CA SDM contact record.
Multiple Matches | 0 | The number of LDAP entries with multiple matching contact records in CA SDM, as defined by the ldap_search_base option.
Empty Filter | 2 | The number of LDAP entries that cannot be used to generate a valid search filter.
Errors | 0 | The number of LDAP entries that encountered an error during processing.
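Both summary formats above (import and sync) can be checked automatically after a scheduled run. The following is an added example, not part of the original article or of CA SDM: it parses the summary text into counters and reports the statuses that need a look in the ldap_logging file, plus an optional ceiling on New Contacts so that an overly broad wildcard import is noticed. The function names and the max_new_contacts threshold are assumptions; the sample text is constructed from the summary shown on this page.

```python
import re

SUMMARY = re.compile(r"(pdm_ldap_(?:import|sync)) Summary:(.*)", re.S)
COUNTER = re.compile(r"([A-Za-z][A-Za-z ]*?)\((\d+)\)")

# Constructed sample: the import summary as shown in this article.
SAMPLE = ("pdm_ldap_import Starting... pdm_ldap_import Summary: Processed(21) "
          "Updated(1) No Matches(7) New Contacts(11) Multiple Matches(0) "
          "Empty Filter(2) Errors(0) pdm_ldap_import Complete...")


def parse_summary(output):
    """Return (utility name, {status: count}) from captured command output."""
    found = SUMMARY.search(output)
    if found is None:
        # No summary means the run ended early, e.g. "LDAP agent not found".
        raise ValueError("no Summary line: the run did not finish")
    counts = {name.strip(): int(number)
              for name, number in COUNTER.findall(found.group(2))}
    return found.group(1), counts


def review(counts, max_new_contacts=None):
    """List the counters an operator should follow up in ldap_logging."""
    findings = []
    for status in ("Errors", "Multiple Matches", "Empty Filter"):
        if counts.get(status, 0) > 0:
            findings.append(f"{status}={counts[status]}")
    created = counts.get("New Contacts", 0)  # absent in pdm_ldap_sync output
    if max_new_contacts is not None and created > max_new_contacts:
        findings.append(
            f"New Contacts={created} exceeds expected {max_new_contacts}")
    return findings
```
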