Re: synchronisation of LDAP with non-ldap data

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Monday, March 22, 2004 1:14 PM +0100 denis.havlik@t-mobile.at wrote:

> From time to time following things will happen:
>
> * old employees go away,
> * new people arrive,
> * some folks change name (or other data)
>
> Thus, I need to practically check all the LDAP user entries every night,
> find the differences between "now" and "before", add new users, delete
> (or at least somehow disable) old users, and possibly change some info
> for others. The question is: "what is the best way to do this":
>
> 1) keep the "old" SAP export, do a "diff" over old and new one, and do
> the LDAP stuff only on the difference.
> 2) Go with "brute force", and do a sweep over the SAP list, controlling
> every LDAP entry, followed by another sweep to find the folks that aren't
> in SAP list anymore. (OK, i could add "last updated" field, and then
> disable all the entries that weren't updated)
> 3) Do the "diff" as in 1, check that the diff isn't too big and then
> proceed with brute force as in 2.

You might look at the Perl LDIF module.  It allows you to load up 2 LDIF 
files and compare entries.  You could then put together the diff's of 
existing entries from the SAP output, and easily output the ADD's by what 
is in the SAP LDIF portion and not in your server's LDAP portion.  This 
means you would need to export your master's DB on a regular basis (we do 
that nightly ).

Personally, I'd advocate setting up an event based system for the 
long-term.

--Quanah


--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html