LDIFDE errors "last token starts with 'C'", "change-modify entry missing '-'"

Cerulean

Greetings,

I execute this:
Code:
C:\Users\Administrator\Downloads\ldif_files>ldifde -i -k -f test.ldf -v -j "C:\Users\Administrator\Downloads\ldif_files"
Connecting to "dc1.company.local"
Logging in as current user using SSPI
Importing directory from file "test.ldf"
Loading entries

There is a syntax error in the input file
Failed on line 6.  The last token starts with 'C'.
The change-modify entry is missing the terminator '-'.
0 entries modified successfully.
An error has occurred in the program

C:\Users\Administrator\Downloads\ldif_files>

test.ldf is this:
Code:
dn: CN=PrinterAdmins,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
changetype: modify
add: member
objectClass: top
objectClass: group
member: CN=John Doe,OU=Track-It!,OU=Admins,OU=CMPNY,DC=company,DC=local

I have painstakingly troubleshot this for a couple or few hours now without success. I have tried...
  • Adding a single line '-' at the end
  • Adding a line '-' followed by a blank line (two lines total) at the end
  • several other things; have spent lots of time Googling for solutions and trying everything without having success

The OUs, security group, and user exist. For the life of me, I can't figure it out. I have successfully imported an OU structure from 'oldcompany.com' domain, used Notepad++ to remove a particular space/enter character and also to replace 'dc=oldcompany,dc=com' with 'dc=company,dc=local', imported the users, imported the security groups -- everything successfully... all that is left is to import the part of memberships to every group (tying users to their groups).

Please help. :(
 
What if you get rid of the two object class entries? And yes, the official syntax should have the - and a space below the dash so it knows to stop.
 
This is what I had to do to get it to work:
  • Remove all objectClass lines; next time I need to leave this out of the command parameters for exporting
  • The first line of the file should be a blank line, followed by the "dn:" line of the first group
  • The second to last line of the file should be a -, followed by a blank line (the last line of the file)

So to import users, security groups, and group memberships from company.com to company.local, this is what I had to do:
  1. Exporting the OU structure from company.com; on company.com, we had an OU "CMPNY" in the root of the domain when you use Active Directory Users and Computers that contained everything (security groups, users, OUs, GPOs, etc)
    • Execute ldifde -f exportOUs.ldf -s srvADdc1 -t 3268 -d "OU=CMPNY,DC=company,DC=com" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou" on any machine connected to the old company.com AD domain; it will connect to srvADdc1 (a domain controller) to search and export from
  2. Exporting the Users from company.com
    • Execute ldifde -f exportUsers.ldf -s srvADdc1 -t 3268 -d "OU=CMPNY,DC=company,DC=com" -p subtree -r "(&(objectCategory=Person)(objectClass=user))" -l "cn,displayName,distinguishedName,name,objectCategory,objectClass,sAMAccountName"
  3. Export Groups from company.com WITHOUT members (so as just empty security groups)
    • Execute ldifde -f exportGroupsEmpty.ldf -s srvADdc1 -t 3268 -d "OU=CMPNY,DC=company,DC=com" -p subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,name,sAMAccountName,grouptype,objectclass"
  4. Export Groups from company.com WITH members (contains bare minimum information to identify what User objects are a Member of what Group)
    • Execute ldifde -f exportGroupsMembers.ldf -s srvADdc1 -t 3268 -d "OU=CMPNY,DC=company,DC=com" -p subtree -r "(&(ObjectCategory=group)(objectClass=group)(name=*)(member=*))" -l "member"
  5. Importing the OU skeleton of the old company.com into the new company.local domain; we're using a different OU skeleton structure in company.local (no "CMPNY" OU at root), so this OU skeleton we're importing is merely just for the sake of importing old data, and after we import everything, we can rename/cleanup/delete whatever, and then move and arrange the imported objects over to our new/different OU skeleton structure standard that we've decided to use on our new company.local domain
    • Modify exportOUs.ldf via Notepad++ (my personal preference), find DC=com and replace all with DC=local, and save the file
    • Execute ldifde -i -k -f exportOUs.ldf -v -j "C:\"; you can change the path for the value of -j parameter, or remove -j "C:\" entirely -- all it does is log any errors to file
  6. Import Users from company.com into company.local
    • Modify exportUsers.ldf via Notepad++, find DC=com and replace all with DC=local, and save the file
    • Execute ldifde -i -k -f exportUsers.ldf -v -j "C:\"
  7. Import empty [Security] Group shells from company.com into company.local
    • Modify exportGroupsEmpty.ldf via Notepad++, find DC=com and replace all with DC=local, and save the file
    • Execute ldifde -i -k -f exportGroupsEmpty.ldf -v -j "C:\"
  8. Import the Membership pairing between Users and Groups from company.com to company.local
    • Open exportGroupsMembers.ldf via Notepad++
      • Examine the contents of this file very carefully; notice how a single item is split out over multiple lines (like if someone decided to hit the ENTER key 1/3 the way through a line) -- they should normally be on one line instead of overflowing into multiple lines
      • The first thing is to fix the multiple line overflowing issue. To do this, select all the character data in between two lines that would need to be deleted to fix it (for just that one instance), and 'replace all' it with literally nothing
      • Find dc=com and replace all with dc=local
      • Replace all empty lines with two lines: the first one should be a single - character, and the second should be a blank line; you can accomplish this by selecting that space and doing a replace all with \r\n-\r\n\r\n with Extended search mode in Notepad++
      • Make sure that the first line of the file is a blank empty line (no spaces, just empty line) before the first "dn:" line (for the first group)
      • Make sure the second to last line of the file is a - line, followed by a blank line (as the last line)
    • Find "changetype: add" and replace all with changetype: modify\r\nadd: member (basically, this changes 'add' to 'modify', and creates new line below this "add: member")
    • Execute ldifde -i -k -f exportGroupsMembers.ldf -v -j "C:\"

Example exportGroupsMembers.ldf (first line has a space in it -- it is not supposed to have a space in it, just supposed to be a blank line; last line after the - line is supposed to be a blank line too):
Code:
dn: CN=ERP_User_Test,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
changetype: modify
add: member
member: CN=Ralph Doe,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
member: CN=Grace McPhillip,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
member: CN=Logan Rowley,OU=Track-It!,OU=Admins,OU=CMPNY,DC=company,DC=local
-

dn: CN=FolderSecurity_StockReportsDatabase_C,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
changetype: modify
add: member
member: CN=David Collins,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
member: CN=Kelly Paris,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
member: CN=genericSalesUser,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
-

dn: CN=FolderSecurity_StockReportsDatabase_R,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
changetype: modify
add: member
member: CN=Ron Burgandy,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
member: CN=Jane Doe,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
member: CN=Bill Gates,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
-

What this primarily accomplishes is that when we migrate shared network drives over to the new network, individual folder security permissions are retained. We don't have to go and recreate all the groups, add members back into the groups, and then go weed through over 1000 folders of unique security permissions (stupid, I know).

After all this, we can...
  • Go in and DELETE all the user objects that are permanently obsolete (such as genericITAdmin and genericITModerator and genericITTech administrator, test accounts, random one-off accounts, etc) but keep real human person accounts that have been deactivated
  • Rename security groups to standardize on naming conventions, then later begin cleaning up security groups to consolidate, find patterns, remove unique security permissions, etc
  • Move objects over to our new OU skeleton structure and delete the CMPNY OU from root after we're done weeding through it, manipulating, removing, renaming old stuff

I thank the responders at the following threads: - [H]ardForum - ServerFault - TechNet

Primary resource from which I followed the overall export and import workflow

http://social.technet.microsoft.com...S/thread/1b24edf2-9af5-447c-9f15-631e88eefe8c

Additional helpful information I utilized or influenced me in my journey

http://support.microsoft.com/kb/555636

http://stackoverflow.com/questions/11465364/how-to-import-a-groups-members-using-ldifde

http://msmvps.com/blogs/systmprog/a...t-2F00-Import-data-from-Active-Directory.aspx

http://technet.microsoft.com/en-us/library/bb727091.aspx
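
The hand edits in step 8 (unfolding wrapped lines, swapping DC=com for DC=local, dropping objectClass lines, rewriting "changetype: add" as a member modify, and adding the "-" terminator) can be scripted. The Python below is an added example, not part of the original posts; the function names and the sample export are constructed for illustration, and base64-encoded (`attr::`) values are rejected rather than decoded.

```python
import re

# Constructed sample of an "ldifde ... -l member" style export. One member DN
# is folded onto a continuation line (newline followed by a single space).
SAMPLE_EXPORT = (
    "dn: CN=PrinterAdmins,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=com\n"
    "changetype: add\n"
    "member: CN=John Doe,OU=Track-It!,OU=Admins,OU=CMPNY,DC=compa\n"
    " ny,DC=com\n"
    "member: CN=Jane Doe,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=com\n"
    "\n"
    "dn: CN=ERP_User_Test,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=com\n"
    "changetype: add\n"
    "objectClass: group\n"
    "member: CN=Ralph Doe,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=com\n"
)


def rebase(dn):
    """Swap only the trailing DC=com component (case-insensitive)."""
    return re.sub(r",\s*DC=com$", ",DC=local", dn.strip(), flags=re.I)


def to_member_modify(export_text):
    """Turn an add-style group export into change-modify 'add: member' records."""
    unfolded = re.sub(r"\r?\n ", "", export_text)   # join folded lines
    out = [""]                                      # leading blank line, as in the post
    for block in re.split(r"(?:\r?\n){2,}", unfolded.strip()):
        dn, members = None, []
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if value.startswith(":"):
                raise ValueError("base64 value, decode it first: " + attr)
            if attr.lower() == "dn":
                dn = rebase(value)
            elif attr.lower() == "member":
                members.append(rebase(value))
            # changetype, objectClass and any other attribute are dropped
        if dn and members:
            out += ["dn: " + dn, "changetype: modify", "add: member"]
            out += ["member: " + m for m in members]
            out += ["-", ""]                        # terminator, then blank separator
    return "\n".join(out)


if __name__ == "__main__":
    print(to_member_modify(SAMPLE_EXPORT))
```

To keep the CRLF line endings the post used, write the result with `open(path, "w", newline="\r\n")`.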
 