idsdb2ldif, db2ldif

Use the db2ldif command to output directory server entries to an LDIF file.

Description

The db2ldif command reads entries from a directory and writes them to a text file in LDAP Directory Interchange Format (LDIF). You can run this command against an instance whether the instance is running or stopped.

Attention: You must specify the encryption seed and salt of the destination server for the following conditions:
  • If you are importing data to an instance configured for Advanced Encryption Standard (AES) encryption from another instance.
  • If the target and the destination servers are not cryptographically synchronized.

For information about cryptographic synchronization of servers, see Synchronizing two-way cryptography between server instances.

Depending on the encryption scheme that is set on the servers, the LDIF file might contain different encrypted values.

  • When you specify the encryption seed and salt values of the destination server, the command takes the following actions:
    1. Any AES-encrypted data is decrypted by using the AES keys of the source server.
    2. The data is then encrypted by using the encryption seed and salt values of the destination server.
    The encryption seed is used to generate a set of AES secret key values. The key values are stored in the stash file of a directory server instance. These values are used to encrypt and decrypt stored password and secret key attributes. The encryption seed must contain only printable ISO-8859-1 ASCII characters with values in the range 33 - 126, and must be a minimum of 12 and a maximum of 1016 characters in length. For information about ASCII characters, see ASCII characters from 33 to 126. The encryption salt is a randomly generated value that is used to generate the AES encryption keys. You can obtain the salt value of the destination server by searching the cn=crypto,cn=localhost entry on the destination server. The attribute name is ibm-slapdCryptoSalt.
  • The SHA-encoded directory encryption seed of the source server is written to the LDIF file for reference during import. For parsing purposes, this encryption seed reference is placed in a cn=crypto,cn=localhost pseudo entry, which is for information only. This value is not loaded as part of the import.
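The seed rules above (printable ISO-8859-1 ASCII 33 - 126 only, 12 to 1016 characters) are easy to get wrong when a seed is pasted from a password manager with a trailing space or a non-ASCII character. The following pre-flight check is an added example, not part of the IBM documentation or the product's own tooling; it only encodes the constraints stated on this page.

```python
# Added example: validate a candidate db2ldif -k / -t seed against the
# constraints stated on this page before running an export with re-encryption.

SEED_MIN_LEN = 12      # stated minimum length
SEED_MAX_LEN = 1016    # stated maximum length
SEED_MIN_ORD = 33      # '!' : first printable ASCII character allowed
SEED_MAX_ORD = 126     # '~' : last printable ASCII character allowed


def check_encryption_seed(seed):
    """Return a list of rule violations; an empty list means the seed is acceptable.

    Space (32) and anything outside ASCII 33-126 is rejected, so a seed that
    contains a blank, a tab, or an accented character is reported.
    """
    problems = []
    if len(seed) < SEED_MIN_LEN:
        problems.append(f"too short: {len(seed)} characters, minimum is {SEED_MIN_LEN}")
    if len(seed) > SEED_MAX_LEN:
        problems.append(f"too long: {len(seed)} characters, maximum is {SEED_MAX_LEN}")
    bad = sorted({c for c in seed if not SEED_MIN_ORD <= ord(c) <= SEED_MAX_ORD})
    if bad:
        # repr() makes whitespace and control characters visible in the report
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return problems


if __name__ == "__main__":
    # Constructed sample seeds, not real values from any server
    for candidate in ("Abcdefghijkl", "short", "has a space in it", "caf\u00e9caf\u00e9caf\u00e9"):
        result = check_encryption_seed(candidate)
        print(f"{candidate!r}: {'ok' if not result else '; '.join(result)}")
```

Run the check against the seed you intend to pass with -k (or read it from the separate prompt that -k ? provides) before starting a long export; a rejected seed at the end of a large export is an expensive failure.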

Synopsis

idsdb2ldif | db2ldif [-o output_file -I instance_name [-f config_file]
           [-n filter_DN] [-c comments] [-k ?|key_seed -t key_salt] [-j] 
           [-d debug_level] [[-s subtree_DN [-x]] | [-l] [-r]] [-W]] | ? 

Options

The db2ldif command takes the following parameters.
-c comments
Specifies to add the comments to the output LDIF file.
-d debug_level
Sets the debug level to debug_level. The ldtrc command must be running when you use this parameter.
-f config_file
Specifies the full path of the configuration file to use. If not specified, the default configuration file of the directory server instance is used.
-I instance_name
Specifies the directory server instance name from which to export data.
-j
Specifies not to export the operational attributes to an LDIF file.
-k key_seed
Specifies the encryption key seed value of the destination server to use for encryption of password data. A ? provides a separate prompt with console masking of the seed value. You must use this parameter with the -t parameter.
-l
Specifies to export the entries under cn=localhost.
-n filter_DN
Specifies the DN of the filter entry that is used to filter entries before they are added to the output LDIF file. If you specify this parameter, entries that are stored in the database are filtered, and the partial entry is written to the LDIF file. The filtering is done according to the filter that is specified in filter_DN.
-o output_file
Specifies the LDIF file in which to store the directory entries. All entries from the specified subtree are written in LDIF format to the output file. This parameter is required. If you do not want the file to be created in the current directory, specify a file name with its full path.
-r
Specifies to export the entries under cn=Deleted Objects. If the -s parameter is also specified, then the subtree DN must be cn=Deleted Objects.
-s subtree_DN
Specifies the DN of the top entry of a subtree to be written to the LDIF file. This entry and the descendant entries in the directory hierarchy are written to the file. If this parameter is not specified, directory entries under the suffixes are written to the file.
-t key_salt
Specifies the encryption key salt value of the destination server to use for encryption of password data. You must use this parameter with the -k parameter.
-W output_file
Specifies the full path of a file in which to redirect output.
-x
Specifies to exclude the nested replication contexts that are present under the subtree that is specified by the -s parameter. This parameter cannot be used with the -l parameter.
-?
Specifies to show the syntax help.

Examples

Example 1:
To export the data to an LDIF file, run the following command.
idsdb2ldif -I instance_name -o without-j.ldif
The following output is written to the LDIF file:
dn: cn=tom,dc=mycompany,dc=com
control: 1.3.18.0.2.10.19 false::
MIQAAADVMIQAAAAmCgEAMIQAAAAdBAxjcmVhdG9yc05hbWUxhAAAAAkEB0NOPVJPT1QwhAA
AADgKAQAwhAAAAC8ED2NyZWF0ZVRpbWVzdGFtcDGEAAAAGAQWMjAwODAzMDcwMTMyMjcu
MDAwMDAwWjCEAAAAJwoBADCEAAAAHgQNbW9kaWZpZXJzTmFtZTGEAAAACQQHQ049Uk9PV
DCEAAAAOAoBADCEAAAALwQPbW9kaWZ5VGltZXN0YW1wMYQAAAAYBBYyMDA4MDMwNzAx
MzIyNy4wMDAwMDBa
userpassword: {SHA}loNd2L+nGL1kR8zIevia4Wddrso=
objectclass: person
objectclass: top
sn: tom
cn: tom
ibm-entryuuid: 16d448c0-8032-102c-9762-e03d72fe6fad
The directory server instance has a user entry with the distinguished name cn=tom,dc=mycompany,dc=com.
The output contains a control with OID 1.3.18.0.2.10.19, a criticality of false, and a base64-encoded control value. The control is the means by which the operational attributes are carried in the LDIF file. The control information is difficult to read in the resulting LDIF file because the control value is in binary format; it includes information about how to appropriately update the identified operational attributes during the target import.
If you run the db2ldif command with the -j parameter, the operational attributes are not exported. For example:
idsdb2ldif -I instance_name -j -o with-j.ldif
The following output is written to the LDIF file:
dn: cn=tom,dc=mycompany,dc=com
userpassword: {SHA}loNd2L+nGL1kR8zIevia4Wddrso=
objectclass: person
objectclass: top
sn: tom
cn: tom
ibm-entryuuid: 16d448c0-8032-102c-9762-e03d72fe6fad
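To see what the control in Example 1 actually carries, the following Python script is an added example (not part of the IBM documentation and not the product's own code). It unfolds an LDIF entry, finds the control line, and decodes its base64 value as BER, which is how the sample value on this page is encoded (an outer SEQUENCE of per-attribute SEQUENCEs, each holding an ENUMERATED operation code and the attribute type with its SET of values, using long-form 0x84 lengths). The embedded entry is the one from Example 1 with LDIF continuation-line folding restored, which is an assumption about the on-disk layout; the mapping of the ENUMERATED code to add/delete/replace follows the LDAP ModifyRequest codes in RFC 4511 and is likewise an assumption, since the page does not state which code set the control uses.

```python
import base64
import re

# Constructed sample: the Example 1 entry from this page with LDIF line folding
# restored (continuation lines start with one space); the real file layout is
# an assumption.
SAMPLE_LDIF = """\
dn: cn=tom,dc=mycompany,dc=com
control: 1.3.18.0.2.10.19 false::
 MIQAAADVMIQAAAAmCgEAMIQAAAAdBAxjcmVhdG9yc05hbWUxhAAAAAkEB0NOPVJPT1QwhAA
 AADgKAQAwhAAAAC8ED2NyZWF0ZVRpbWVzdGFtcDGEAAAAGAQWMjAwODAzMDcwMTMyMjcu
 MDAwMDAwWjCEAAAAJwoBADCEAAAAHgQNbW9kaWZpZXJzTmFtZTGEAAAACQQHQ049Uk9PV
 DCEAAAAOAoBADCEAAAALwQPbW9kaWZ5VGltZXN0YW1wMYQAAAAYBBYyMDA4MDMwNzAx
 MzIyNy4wMDAwMDBa
userpassword: {SHA}loNd2L+nGL1kR8zIevia4Wddrso=
objectclass: person
objectclass: top
sn: tom
cn: tom
ibm-entryuuid: 16d448c0-8032-102c-9762-e03d72fe6fad
"""

# Assumed mapping: LDAP ModifyRequest operation codes (RFC 4511). The page does
# not state which code set the control uses.
MODIFY_OPS = {0: "add", 1: "delete", 2: "replace"}

# control: <oid> [true|false] :: <base64>
CONTROL_RE = re.compile(r"^control:\s*(\S+)(?:\s+(true|false))?\s*::\s*(\S*)$")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the line above."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def read_tlv(buf, pos):
    """Parse one BER tag-length-value at buf[pos]; return (tag, value, next_pos).

    Accepts short-form lengths and long-form definite lengths (this control uses
    0x84 + 4 bytes). Indefinite length (0x80) is rejected rather than guessed,
    and every length is bounds-checked so a truncated value cannot over-read.
    """
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite-length BER is not supported")
    else:
        nbytes = first & 0x7F
        if nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length-of-length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def iter_tlvs(buf):
    """Yield (tag, value) for each consecutive TLV in buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value


def decode_control_value(b64):
    """Decode the control value into [{'op', 'type', 'values'}, ...]."""
    raw = base64.b64decode(b64)
    outer_tag, outer, end = read_tlv(raw, 0)
    if outer_tag != 0x30 or end != len(raw):
        raise ValueError("expected exactly one outer SEQUENCE")
    changes = []
    for tag, change in iter_tlvs(outer):
        if tag != 0x30:
            raise ValueError("expected a SEQUENCE per attribute change")
        (op_tag, op_val), (attr_tag, attr) = iter_tlvs(change)     # ENUMERATED, SEQUENCE
        (type_tag, attr_type), (set_tag, vals) = iter_tlvs(attr)   # OCTET STRING, SET
        if (op_tag, attr_tag, type_tag, set_tag) != (0x0A, 0x30, 0x04, 0x31):
            raise ValueError("unexpected change layout")
        op = int.from_bytes(op_val, "big", signed=True)
        changes.append({
            "op": MODIFY_OPS.get(op, f"unknown({op})"),
            "type": attr_type.decode("utf-8"),
            "values": [v.decode("utf-8") for t, v in iter_tlvs(vals) if t == 0x04],
        })
    return changes


def controls_in_entry(ldif_text):
    """Return [(oid, is_critical, changes)] for every base64 control in the entry."""
    found = []
    for line in unfold_ldif(ldif_text):
        m = CONTROL_RE.match(line)
        if m:
            found.append((m.group(1), m.group(2) == "true", decode_control_value(m.group(3))))
    return found


if __name__ == "__main__":
    for oid, critical, changes in controls_in_entry(SAMPLE_LDIF):
        print(f"control {oid} critical={critical}")
        for c in changes:
            print(f"  {c['op']:8} {c['type']}: {', '.join(c['values'])}")
```

Decoded, the sample control lists creatorsName and modifiersName (CN=ROOT) and createTimestamp and modifyTimestamp (20080307013227.000000Z), which is exactly the set of operational attributes that disappears from the output when -j is given. Reviewing these values before an import is useful when the export is being moved between instances: they show who the target server will record as the creator and modifier of each entry.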