I helped a customer who needed to reset the four default ACLs on all 7000 of their users back to the defaults. This Perl program creates an LDIF that accomplishes the task.

Here are the steps you need to follow:

On Linux, Perl is installed by default.
On Windows, you’ll have to install Perl. I prefer the one from

1. Create an input file with all the user DNs:
   ldapsearch -h shiloh -b "o=novell" "objectclass=inetorgperson" dn > users
2. Create the LDIF that adds the default ACLs:
   perl users acl.ldif
3. Import the acl.ldif file:
   ldapmodify -h shiloh -D "cn=admin,o=novell" -w novell -f acl.ldif
   (Note that -w places the admin password on the command line, where it is visible in the process list and shell history, so run this from a trusted workstation.)

On Linux, ldapsearch and ldapmodify are installed by default.
On Windows, both of these commands are available in sys:Public\mgmt\ConsoleOne\1.2\bin.

If some of the default ACLs are already present, add the -c switch to the ldapmodify command: it continues processing the LDIF even when a duplicate value is found.

Changes in 5.0:

Previously, the DNs had to be separated by exactly one line. In 5.0 this restriction has been removed: the DNs can be separated by any number of lines, or not separated at all.
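The following is an added example, not the original program from this post, showing how such a generator can be written to handle the three steps above and the 5.0 input rules (DNs separated by any number of blank lines, or none). It assumes the script is saved as make_acl_ldif.pl (a name chosen here) and is run as "perl make_acl_ldif.pl users acl.ldif"; the four ACL values in it are illustrative placeholders in eDirectory's privileges#scope#subject#attribute syntax, not the post's actual defaults, and must be replaced with your tree's own.

```perl
#!/usr/bin/perl
# Added example: builds acl.ldif from the "users" file produced by ldapsearch.
# The ACL values below are placeholders in eDirectory's
# privileges#scope#subject#attribute syntax; substitute your tree's four defaults.
use strict;
use warnings;

my @DEFAULT_ACLS = (                     # assumption: illustrative values only
    '2#entry#[Public]#messageServer',
    '2#entry#[Root]#groupMembership',
    '6#entry#[Self]#loginScript',
    '6#entry#[Self]#printJobConfiguration',
);

my ($in, $out) = @ARGV;
die "usage: $0 users acl.ldif\n" unless defined $in && defined $out;
open my $fh,   '<', $in  or die "cannot open $in: $!\n";
open my $ldif, '>', $out or die "cannot create $out: $!\n";

my $count = 0;
my $pending;   # current "dn:" line; folded continuation lines may still follow

# Each ACL goes in its own modify record so that, with ldapmodify -c, a value
# that already exists only skips that one add instead of the whole user.
sub emit {
    my ($dn_line) = @_;
    for my $acl (@DEFAULT_ACLS) {
        print $ldif "$dn_line\nchangetype: modify\nadd: ACL\nACL: $acl\n-\n\n";
    }
    $count++;
}

# Blank lines between DNs are optional, so parsing keys off "dn:" lines only.
# ldapsearch folds long DNs onto lines that begin with one space, and base64
# "dn::" lines are copied through unchanged, which keeps the output valid LDIF.
while (my $line = <$fh>) {
    chomp $line;
    $line =~ s/\r\z//;                      # tolerate Windows line endings
    if ($line =~ /^dn::? /i) {
        emit($pending) if defined $pending;
        $pending = $line;
    } elsif ($line =~ /^ / && defined $pending) {
        $pending .= substr($line, 1);       # unfold a continuation line
    } elsif ($line =~ /^\S/) {              # comment or other attribute line
        emit($pending) if defined $pending;
        undef $pending;
    }
}
emit($pending) if defined $pending;
close $fh;
close $ldif;
print STDERR "wrote ACL adds for $count users to $out\n";
```

Before importing, spot-check the generated file against one user with ldapsearch so that the ACL values match what a freshly created user receives in your tree.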


Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

By: jimsc
Sep 23, 2010
3:37 pm