idsdb2ldif, db2ldif
Use the db2ldif command to output directory server entries to an LDIF file.
Description
The db2ldif command gets entries from a directory and puts them in a text file in LDAP Directory Interchange Format (LDIF). You can run this command against an instance when the instance is running or stopped.
Attention: You must specify the encryption seed and salt of the destination server for the following conditions:
- If you are importing data to an instance configured for Advanced Encryption Standard (AES) encryption from another instance.
- If the target and the destination servers are not cryptographically synchronized.
For information about cryptographic synchronization of servers, see Synchronizing two-way cryptography between server instances.
Depending on the encryption scheme that is set on the servers, the LDIF file might contain different encrypted values.
- The command takes the following actions when you specify the encryption seed and salt values of the destination server:
  - Any AES encrypted data is decrypted by using the AES keys of source server.
  - The data is then encrypted by using the encryption seed and salt values of destination server.
  ISO-8859-1 ASCII characters with values in the range 33 - 126, and must be a minimum of 12 and a maximum of 1016 characters in length. For information about ASCII characters, see ASCII characters from 33 to 126. The encryption salt is a randomly generated value and is used to generate AES encryption keys. You can obtain the salt value of the destination server by searching the cn=crypto,cn=localhost entry on destination server. The attribute name is ibm-slapdCryptoSalt.
- The SHA encoded directory encryption seed of the source server is written to the LDIF file for reference during import. For parsing purposes, this encryption seed reference is in a cn=crypto,cn=localhost pseudo entry, which is for information only. This value is not loaded as part of the import.
Synopsis
idsdb2ldif | db2ldif [-o output_file -I instance_name [-f config_file]
[-n filter_DN] [-c comments] [-k ?|key_seed -t key_salt] [-j]
[-d debug_level] [[-s subtree_DN [-x]] | [-l] [-r]] [-W]] | ?
Options
The db2ldif command takes the following parameters.
- -c comments
- Specifies to add the comments to the output LDIF file.
- -d debug_level
- Sets the debug level to debug_level. The ldtrc command must be running when you use this parameter.
- -f config_file
- Specifies the full path of the configuration file to use. If not specified, the default configuration file of the directory server instance is used.
- -I instance_name
- Specifies the directory server instance name from which to export data.
- -j
- Specifies not to export the operational attributes to an LDIF file.
- -k key_seed
- Specifies the encryption key seed value of the destination server to use for encryption of password data. A ? provides a separate prompt and console masking of the seed value. You must use this parameter with the -t parameter.
- -l
- Specifies to export the entries under cn=localhost.
- -n filter_DN
- Specifies the DN of the filter entry that is used to filter the entries before they are added to the output LDIF file. If you specify this parameter, entries that are stored in the database are filtered and then the partial entry is written to the LDIF file. The filtering is done according to the filter that is specified in filter_DN.
- -o output_file
- Specifies the LDIF file to store the directory entries. All entries from the specified subtree are written in LDIF format to the output file. This parameter is required. If you do not want the file to be created in the current directory, then a file name with full path must be specified.
- -r
- Specifies to export the entries under cn=Deleted Objects. If the -s parameter is also specified, then the subtree DN must be cn=Deleted Objects.
- -s subtree_DN
- Specifies the DN of the top entry of a subtree to be written to the LDIF file. This entry and the descendant entries in the directory hierarchy are written to the file. If this parameter is not specified, directory entries under the suffixes are written to the file.
- -t key_salt
- Specifies the encryption key salt value of destination server to use for encryption of password data. You must use this parameter with the -k parameter.
- -W output_file
- Specifies the full path of a file in which to redirect output.
- -x
- Specifies to exclude the nested replication contexts that are present under the subtree that is specified by the -s parameter. This parameter cannot be used with the -l parameter.
- -?
- Specifies to show the syntax help.
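The option rules above can be checked before the command is run. The following preflight script is an added example, not IBM code. The function names are hypothetical, and it assumes that the 33 - 126 character range and the 12 - 1016 length limit apply to the -k seed and that -W takes a file argument as listed under Options.

```shell
#!/bin/sh
# Added example: preflight checks for a db2ldif command line, following the
# option rules on this page. It never runs db2ldif itself.

# Assumption: the 33-126 character range and 12-1016 length limit apply to
# the -k seed. A literal "?" makes db2ldif prompt with console masking, so
# the seed does not appear in the process list or shell history.
valid_seed() {
    [ "$1" = "?" ] && return 0
    [ "${#1}" -ge 12 ] && [ "${#1}" -le 1016 ] || return 1
    # Delete every allowed byte ('!' = 33, '~' = 126); leftovers are invalid.
    left=$(printf '%s' "$1" | LC_ALL=C tr -d '!-~' | wc -c | tr -d ' ')
    [ "$left" = "0" ]
}

# Returns 0 when the flags are consistent with this page, 1 otherwise.
check_db2ldif_args() {
    out='' seed='' sub='' k=0 t=0 x=0 l=0 r=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -o|-I|-k|-t|-s|-f|-n|-c|-d|-W)
                [ $# -ge 2 ] || { echo "$1 needs a value" >&2; return 1; }
                case "$1" in
                    -o) out=$2 ;; -s) sub=$2 ;;
                    -k) k=1; seed=$2 ;; -t) t=1 ;;
                esac
                shift 2 ;;
            -x) x=1; shift ;;
            -l) l=1; shift ;;
            -r) r=1; shift ;;
            -j) shift ;;
            *) echo "unknown option: $1" >&2; return 1 ;;
        esac
    done
    [ -n "$out" ] || { echo "-o output_file is required" >&2; return 1; }
    [ "$k" = "$t" ] || { echo "-k and -t must be used together" >&2; return 1; }
    if [ "$k" = 1 ] && ! valid_seed "$seed"; then
        echo "seed must be 12-1016 characters in the range 33-126" >&2; return 1
    fi
    if [ "$x" = 1 ] && { [ -z "$sub" ] || [ "$l" = 1 ]; }; then
        echo "-x needs -s and cannot be combined with -l" >&2; return 1
    fi
    # With -r, a -s value must name cn=Deleted Objects (compared case-insensitively).
    dn=$(printf '%s' "$sub" | tr 'A-Z' 'a-z')
    if [ "$r" = 1 ] && [ -n "$sub" ] && [ "$dn" != "cn=deleted objects" ]; then
        echo "-r with -s requires -s 'cn=Deleted Objects'" >&2; return 1
    fi
    return 0
}
```

Quote the ? when you pass it to -k so that the shell does not expand it as a file name pattern.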
Examples
- Example 1:
- To export the data to an LDIF file, run the following command.