[389-users] Deleting entries that are not modified recently

Tue Oct 6 00:43:48 UTC 2009

On Fri, 25 Sep 2009, Rich Megginson wrote:

> Kimmo Koivisto wrote:
> > Hello
> >
> > This was what I needed to search entries:
> >
> > ldapsearch -x -b xx -D xxx -w xxx
> > "(&(cn=*)(modifytimestamp<=2009092513000000Z)(objectclass=person))"
> >
> > But then, how to pipe ldapsearch and ldapdelete to delete the result
> > dn's of ldapsearch?
> >   
> specify "dn" as the attribute to return - just add it to the end of the 
> command line - also add -LLL to the ldapsearch command line to make it 
> less verbose
> you will then have output like
> dn: somedn
> blank line
> repeat.....
> 
> You will have to use sed/awk/perl to strip the "dn: " from the DNs, and 
> ignore the blank lines
> > Regards,
> > Kimmo
> >
> > 2009/9/25 Kimmo Koivisto <koippa at gmail.com>:
> >   
> >> Hello
> >>
> >> Thanks for your answer.
> >>
> >> I know about those timestamps, but I don't know if I can compare
> >> timestamps with ldapsearch.
> >>
> >> So, is it possible to compare or search entries older that defined
> >> timestamp, for example:
> >>
> >> ldapsearch "(objectClass=*)" * modifyTimestamp>20090801000000Z
> >>
> >> or how I could do this?
> >>
> >> Regards,
> >> Kimmo
> >>
> >>
> >> 2009/9/25 Juan Asensio Sánchez <okelet at gmail.com>:
> >>     
> >>> Hi
> >>>
> >>> All entries in the directory have some operational attributes called
> >>> createTimestamp, modifiTimestamp, creatorsName and modifiersName. With
> >>> them, you can check when an entry has been created or modified, and
> >>> who did it. I think this is what you are looking for.
> >>>
> >>> Those attributes, thar are operational, are not returned when you ask
> >>> for all attributes, you must specify their names manually:
> >>>
> >>> ldapsearch ...... "(objectClass=*)" * createTimestamp
> >>>
> >>> Regards
> >>>
> >>> 2009/9/25 Kimmo Koivisto <koippa at gmail.com>:
> >>>       
> >>>> Hello
> >>>>
> >>>> I'm using fedora-ds-1.0.4-1.RHEL4 and I have an application that
> >>>> creates and modifies entries located in FDS.
> >>>> Application does not remote old entries, and I cannot change how
> >>>> application works.
> >>>>
> >>>> I would like to delete entries that are not modified recently with
> >>>> either plain ldapsearch+ldapdelete or using some FDS tools, perl scipt
> >>>> etc.
> >>>>
> >>>> So, my question is, what is the easiest way to delete entries, for
> >>>> example older that 3 months?

If I may make a suggestion (and apologies for the last mail being way
behind -- mail's running behind for me today)...

Before doing anything like this, I'd recommend doing a little reading up
on ldapsearch, ldapmodiify, ldapdelete and the like, and getting a really
firm grip on how they work and how to use them.

What you're trying to do is potentially very dangerous if you don't have
a really good understanding of what you're doing, and very likely to
wipe a lot of data out of your LDAP directory that you don't want wiped
out.

I'm not trying to sound disrespectful here, but it sounds like you don't
yet have a firm grip on how the basic LDAP tools work yet, and if I were
in your position I'd steer far clear of a mass-delete script until I was
sure I knew what I was doing.