OpenLDAP Tutorial :: User Management
OpenLDAP user management is handled by sets of tools provided by the slapd and ldap-utils packages.
These tools provide the bare necessities of adding, deleting, searching, modifying, exporting, and importing. They are a step up from "clown shoes" but if you are hoping for slick systems like phpLDAPadmin, go find it.
Some of the best tools for managing LDAP accounts are things like perl or bash scripting.
OpenLDAP, how interaction works
Aside from searching, almost all interactions with slapd are done by creating a text file called an LDIF (LDAP Data Interchange Format) file.
Tools like slapcat and slapadd export and import (respectively) special LDIF files.
Tools like ldapadd, ldapdelete, and ldapmodify can take their arguments on the command line but are usually easier to drive with an LDIF file.
Tools like ldapsearch and ldappasswd are usually one-liners but are scriptable.
Sometimes you may be writing scripts that create LDIF files then run LDAP commands.
Setting up the initial OpenLDAP structure
If you set up your OpenLDAP by running a configurator like dpkg-reconfigure (which is run as a matter of course after apt-get install slapd), then the admin account is already in the database. In this case, omit the entry for the admin account below.
If you set up your OpenLDAP only by writing /etc/ldap/slapd.conf then you may have to add the admin account in the initial LDIF file. We will assume this case.
- dn specifies the distinguished name: the full uid, ou, and/or dc path of the thing. The dn of the base is dn: dc=techhelplist,dc=com. A user "timmy" in the People organizational unit is dn: uid=timmy,ou=People,dc=techhelplist,dc=com
- dc specifies the domain components, the base of the thing, like dc=techhelplist,dc=com. If you have subdomains you will have more dc components.
- ou specifies the organizational unit. Think LDAP groups, NOT POSIX groups. It is part of the structure of the database and may or may not follow your Linux user:group lines; it won't matter. Example: ou=Employees
We will set up the initial base, and two organizational units called People and Groups.

This can be created with this LDIF file, we'll call it initial.ldif:
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: example.com
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups
Make sure there's no whitespace after the lines! Only newlines.
Then run ldapadd to import the file.
ldapadd -x -D "cn=admin,dc=example,dc=com" -w secretpassword -f initial.ldif
Where admin is the admin login from slapd.conf and secretpassword is the password you used when you installed LDAP.
Adding OpenLDAP POSIX accounts
OK! Now the rubber meets the road. OpenLDAP can handle any variety of account properties which are defined by schema (or a schemum?). There's lots. We will concentrate on POSIX-compliant accounts since we will use this to provide account info for our Ubuntu boxes.
Tammy Something just got hired! Her POSIX username is tammysomething, we'll give her a POSIX uid of 3000, and a POSIX default GID of 3000. This is her LDIF file, let's call it posix-user.ldif:
dn: uid=tammysomething,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Tammy Something
uid: tammysomething
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/tammysomething
loginShell: /bin/bash
gecos: Tammy Something,Karate Instructor,Room 37A,435-555-555,801-555-555
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
Make sure there's no whitespace after the lines! Only newlines.
Then run ldapadd to import the file.
ldapadd -x -D "cn=admin,dc=example,dc=com" -w secretpassword -f posix-user.ldif
Where admin is the admin login from slapd.conf and secretpassword is the password you used when you installed LDAP.
You can have buttloads of LDIF entries in a single file for mass changes.
Adding OpenLDAP POSIX groups
Tammy Something doesn't actually HAVE a default group to be a member of, and Linux will warn her upon login that she sucks.
We will make a group with the name tammysomething, with the gidNumber (POSIX GID) matching her uidNumber (POSIX UID), under the Groups OU we created earlier, and name this file posix-group.ldif.
dn: cn=tammysomething,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: tammysomething
userPassword: {crypt}x
gidNumber: 3000
Make sure there's no whitespace after the lines! Only newlines.
Then run ldapadd to import the file.
ldapadd -x -D "cn=admin,dc=example,dc=com" -w secretpassword -f posix-group.ldif
Where admin is the admin login from slapd.conf and secretpassword is the password you used when you installed LDAP.
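An added bash script (not the tutorial's own code) that emits the account entry and its matching group from the last two sections as one LDIF stream, checks each value before it is interpolated into LDIF, and binds with -y (a password file) instead of putting the admin password on the command line with -w. The shadow values and the password-file path are assumptions.

```bash
# Added example, not the tutorial's own code: emit the POSIX account entry and
# its matching private group as one LDIF stream, so uidNumber and gidNumber
# can never disagree. Assumes the example.com base and People/Groups OUs above.
set -eu
BASE="dc=example,dc=com"
PW_FILE="/root/.ldap_admin_pw"   # assumed path; mode 0600, no trailing newline
# Values are interpolated straight into LDIF: a newline would start a new
# attribute line, and a leading space, ':' or '<' needs base64 (::) encoding.
safe_value() {
    case "$1" in ' '*|:*|'<'*) return 1 ;; esac
    [ "$(printf '%s' "$1" | wc -l)" -eq 0 ]
}
valid_username() {   # lowercase POSIX-style names only, no shell or LDIF metacharacters
    case "$1" in ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;; *) return 0 ;; esac
}

# posix_user_ldif USERNAME UIDNUMBER "Full Name"  -> user entry + private group
posix_user_ldif() {
    local user="$1" id="$2" name="$3"
    valid_username "$user" || { echo "bad username: $user" >&2; return 1; }
    case "$id" in ''|*[!0-9]*) echo "bad uidNumber: $id" >&2; return 1 ;; esac
    safe_value "$name" || { echo "bad cn: $name" >&2; return 1; }
    cat <<EOF
dn: uid=${user},ou=People,${BASE}
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: ${name}
uid: ${user}
uidNumber: ${id}
gidNumber: ${id}
homeDirectory: /home/${user}
loginShell: /bin/bash
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 99999
shadowWarning: 7

dn: cn=${user},ou=Groups,${BASE}
objectClass: top
objectClass: posixGroup
cn: ${user}
gidNumber: ${id}
EOF
}
# -y reads the bind password from a file instead of -w on the command line,
# which would leave it in shell history and visible to ps.
add_posix_user() { posix_user_ldif "$@" | ldapadd -x -D "cn=admin,${BASE}" -y "$PW_FILE"; }
```

The same applies to ldappasswd in the next section: -S prompts for the new password and -W for the admin password instead of -s and -w.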
Changing OpenLDAP Passwords
Tammy wants her password to be "ilikecheese". My admin password is "mysecretpassword".
ldappasswd -s ilikecheese -D "cn=admin,dc=example,dc=com" \
-w mysecretpassword -x uid=tammysomething,ou=People,dc=example,dc=com
Deleting OpenLDAP entries
Tammy got fired for (allegedly) smoking crack.
ldapdelete -x -D "cn=admin,dc=example,dc=com" -w mysecretpassword \
"uid=tammysomething,ou=People,dc=example,dc=com"
Adding OpenLDAP users to groups
To put POSIX users into POSIX groups, create the group, then modify the group to add a member. For example, techhelplist.com has all employees under the Employee OU, and various groups under the Groups OU. The POSIX usernames (LDAP uids) rogersoandso, jessicaperson, and spotofficedog need to be members of the accounting group. Assuming the accounting group doesn't exist yet, this LDIF would make the group for me once I ran it through ldapadd:
dn: cn=accounting,ou=Groups,dc=techhelplist,dc=com
objectClass: top
objectClass: posixGroup
cn: accounting
userPassword: {crypt}x
gidNumber: 3000
If it already exists, then I can skip to making this LDIF file; we can call it users2group.ldif:
dn: cn=accounting,ou=Groups,dc=techhelplist,dc=com
changetype: modify
add: memberuid
memberuid: rogersoandso

dn: cn=accounting,ou=Groups,dc=techhelplist,dc=com
changetype: modify
add: memberuid
memberuid: jessicaperson

dn: cn=accounting,ou=Groups,dc=techhelplist,dc=com
changetype: modify
add: memberuid
memberuid: spotofficedog
Make sure there's no whitespace after the lines! Only newlines.
Then run ldapmodify to import the file.
ldapmodify -x -D "cn=admin,dc=techhelplist,dc=com" -w mysecretpassword \
-f users2group.ldif
Comments
dn: cn=accounting,ou=Group,dc=techhelplist,dc=com
changetype: modify
add: memberuid
memberuid: rogersoandso
May result in the error: attribute 'memberUid' not allowed
It is better to write the last two lines this way:
add: member
member:cn=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx