Question

I am attempting to use an LDIF to add user memberships to existing user groups.

Example:

dn: CN=Domain Users,CN=Users
changetype: modify
add: member
member: CN=SomeCN1
member: CN=SomeCN2
member: CN=SomeCN3
member: CN=SomeCN4
-

All works fine, except when one of the memberships already exists. For example, if the SomeCN2 membership already exists, the entire statement fails and no memberships get added. This is a function of the "Modify" changeType... I've tried looking at how to format the LDIF differently, but can't seem to figure it out. I thought of a statement for each membership, but that will lead to my file being enormous and difficult to manage, and that's not ideal.

How can I structure my membership statements so all memberships get added, regardless of whether one of the memberships already exists?


Solution

Multi-valued attributes in an LDAP object must have unique values, that is, each value of a multi-valued attribute must be different from any other value of the attribute in that object. No structuring of an LDIF input can change that.

  1. I have seen applications remove all values of the multi-valued attribute, then add the desired ones (in this case, there are no multi-valued attributes). In some cases where the multi-valued attribute is required by the object class of which the group is a member, the entire group can be removed and then added back.

  2. Obviously, #1 is a substandard solution (though it can be made a little more palatable by using LDAP transactions wherein the group is removed and added as part of a single transaction, but this may not be available, the world being full of low-quality servers and APIs that do not support transactions). The LDAP client would do better to retrieve all the members of the group, then, with that knowledge, add only the attribute values that are not already in the group.
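The approach in point 2 (read the group's current members first, then add only the values that are not already there), written out as an added example that is not part of the original answer. The group DN, the "current member" list that a search would return, and the desired members are constructed sample data; the DN normalisation is a simplification of LDAP DN matching (case-insensitive, whitespace around the RDN separators ignored) and is an assumption that holds for DNs without escaped commas.

```python
from typing import List, Optional


def normalize_dn(dn: str) -> str:
    """Comparison key for a DN: case-insensitive, ignoring whitespace
    around the commas between RDNs. Simplified DN matching; it does
    not handle escaped commas inside RDN values."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def missing_members(current: List[str], desired: List[str]) -> List[str]:
    """Desired members not already in `current`, in input order.
    Duplicates inside `desired` itself are collapsed too, since a
    single modify may not add the same value twice."""
    seen = {normalize_dn(dn) for dn in current}
    result = []
    for dn in desired:
        key = normalize_dn(dn)
        if key not in seen:
            seen.add(key)
            result.append(dn)
    return result


def build_add_members_ldif(group_dn: str, current: List[str],
                           desired: List[str]) -> Optional[str]:
    """One 'changetype: modify' record adding only the missing members.
    Returns None when nothing is missing, so the caller never submits
    a modify that would fail with an attribute-or-value-exists error."""
    to_add = missing_members(current, desired)
    if not to_add:
        return None
    lines = [f"dn: {group_dn}", "changetype: modify", "add: member"]
    lines += [f"member: {dn}" for dn in to_add]
    lines.append("-")  # terminates the mod-spec (RFC 2849)
    return "\n".join(lines) + "\n"


# Constructed sample data, not taken from a real directory.
GROUP_DN = "CN=Domain Users,CN=Users,DC=example,DC=com"
CURRENT_MEMBERS = ["CN=SomeCN2,CN=Users,DC=example,DC=com"]  # from a 'member' search
DESIRED_MEMBERS = [
    "CN=SomeCN1,CN=Users,DC=example,DC=com",
    "cn=somecn2, cn=users, dc=example, dc=com",  # same entry, spelled differently
    "CN=SomeCN3,CN=Users,DC=example,DC=com",
    "CN=SomeCN4,CN=Users,DC=example,DC=com",
]

if __name__ == "__main__":
    print(build_add_members_ldif(GROUP_DN, CURRENT_MEMBERS, DESIRED_MEMBERS) or "# nothing to add")
```

The emitted record can be fed to ldapmodify or an equivalent tool; run the search and the modify under the same connection when possible, since a member added by someone else in between would still make the modify fail.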

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow