User Management in OpenLDAP


OpenLDAP Tutorial :: User Management

OpenLDAP user management is handled by the command-line tools provided by the slapd and ldap-utils packages.

These tools provide the bare necessities: adding, deleting, searching, modifying, exporting, and importing. They are a step up from "clown shoes", but if you are hoping for a slick web front end like phpLDAPadmin, that is a separate package; this tutorial only covers the command line.

In practice the best way to manage more than a handful of accounts is to wrap these tools in perl or bash scripts.

OpenLDAP: how interaction works

Aside from searching, almost all interactions with slapd are done by writing a text file in LDIF (LDAP Data Interchange Format) and feeding it to a tool.

slapcat and slapadd export and import (respectively) the whole database as LDIF. They work directly on the database files rather than over the network, so run slapadd with slapd stopped, and as the user slapd runs as, or the database files end up with the wrong owner.

ldapadd, ldapdelete, and ldapmodify talk to the running server. ldapdelete takes the DNs to remove as command-line arguments; ldapadd and ldapmodify read LDIF from a file (-f) or from standard input, which is usually the easier style.

ldapsearch and ldappasswd are usually one-liners but are scriptable.

Often you will end up writing scripts that generate LDIF files and then run the ldap* commands on them.

Setting up the initial OpenLDAP structure

If you set up OpenLDAP by running a configurator like dpkg-reconfigure slapd (which also runs automatically after apt-get install slapd), then the base entry (dc=example,dc=com) and the admin entry (cn=admin,dc=example,dc=com) are already in the database. In that case drop the first entry from initial.ldif below, or ldapadd will stop with "Already exists (68)".

If you set up OpenLDAP only by writing /etc/ldap/slapd.conf, the rootdn and rootpw directives there let you bind as admin even though no admin entry exists in the database yet, so you can load initial.ldif as-is. We will assume this case.

- dn is the distinguished name: the full, unique name of an entry, built from its uid, cn, ou, and/or dc components. The dn of the base is dn: dc=techhelplist,dc=com. The dn of a "timmy" in the People organizational unit is dn: uid=timmy,ou=People,dc=techhelplist,dc=com

- dc is a domain component, the building block of the base. techhelplist.com becomes dc=techhelplist,dc=com. If you have subdomains, you get more dc components.

- cn is a common name, used for things like the admin account (cn=admin) and for group names (cn=accounting).

- ou is an organizational unit. Think of it as a folder in the directory, NOT a POSIX group. It is part of the structure of the database and MAY or MAY NOT fall along your Linux user:group lines; it won't matter. Example: ou=Employees

We will set up the initial base and two organizational units called People and Groups.

These can be created with the following LDIF file; we'll call it initial.ldif:

# base entry: dcObject supplies the dc attribute, organization supplies o
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
o: example.com
dc: example

# container for user entries
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

# container for group entries
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups
Make sure there's no whitespace after the lines! Only newlines. A trailing space becomes part of the attribute value, and one blank line is what separates entries.

Then run ldapadd to import the file.

ldapadd -x -D "cn=admin,dc=example,dc=com" -w secretpassword -f initial.ldif

Where cn=admin is the rootdn from slapd.conf (or the admin created by dpkg-reconfigure) and secretpassword is the password you set when you installed LDAP. -x selects a simple bind (without it the tools attempt SASL). -w puts the password on the command line, where it ends up in shell history and in ps output for everyone on the box; use -W to be prompted for it instead, or -y file to read it from a file with 0600 permissions.

 

Adding OpenLDAP POSIX accounts

OK! Now the rubber meets the road. OpenLDAP can store any attributes defined by the schemas slapd has loaded, and there are lots. We will concentrate on POSIX-compliant accounts (the objectClasses posixAccount, shadowAccount, and posixGroup from nis.schema, which must be included in slapd.conf) since we will use them to provide account info for our Ubuntu boxes.

Tammy Something just got hired! Her POSIX username is tammysomething; we'll give her a POSIX UID of 3000 and a default GID of 3000. This is her LDIF file; let's call it posix-user.ldif:

dn: uid=tammysomething,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Tammy Something
uid: tammysomething
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/tammysomething
loginShell: /bin/bash
gecos: Tammy Something,Karate Instructor,Room 37A,435-555-555,801-555-555
# {crypt}x is not a valid hash, so no password works until ldappasswd sets one
userPassword: {crypt}x
# 0 makes pam_unix demand a password change at first login
shadowLastChange: 0
# days a password stays valid; 0 here would force a change every day,
# 99999 is the login.defs default
shadowMax: 99999
# days of warning before the password expires
shadowWarning: 7
Make sure there's no whitespace after the lines! Only newlines.

Then run ldapadd to import the file.

ldapadd -x -D "cn=admin,dc=example,dc=com" -w secretpassword -f posix-user.ldif

Same admin DN and password as before (and the same caveat about -w; use -W to be prompted instead).

You can put many LDIF entries in a single file for mass changes; separate them with one blank line.

Adding OpenLDAP POSIX groups

Tammy Something doesn't actually HAVE a default group to be a member of yet: her gidNumber 3000 points at a group that does not exist, and tools like id and login will complain that group 3000 has no name.

We will make a group with the name tammysomething whose gidNumber (POSIX GID) matches her uidNumber (POSIX UID), and name this file posix-group.ldif. Note that the DN uses the ou=Groups container created in initial.ldif.

dn: cn=tammysomething,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: tammysomething
# optional group password; {crypt}x disables it
userPassword: {crypt}x
gidNumber: 3000
Make sure there's no whitespace after the lines! Only newlines.

Then run ldapadd to import the file.

ldapadd -x -D "cn=admin,dc=example,dc=com" -w secretpassword -f posix-group.ldif
Same admin DN and password as before.

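The posixAccount entry and its matching posixGroup above are exactly the kind of LDIF the scripts mentioned at the top of this page should generate rather than have someone hand-edit. The Python below is an added example, not code from the original page or from the OpenLDAP project. It emits both records for a single ldapadd run, picks the next free uidNumber/gidNumber from a constructed set of ids already in use (assumed to start at 3000, as in the tutorial), validates the username, base64-encodes any value that RFC 2849 does not allow on a plain attr: value line, refuses a non-ASCII gecos (nis.schema declares it IA5String, so slapd would reject it), and checks its own output for the trailing whitespace the tutorial keeps warning about. The base dc=example,dc=com with ou=People and ou=Groups is taken from initial.ldif; BASE_DN, FIRST_UID and the shadowMax/shadowWarning defaults are assumptions.

```python
"""Emit ldapadd-ready LDIF for a POSIX user plus its private group.

Added example, not code from the original page. Values are encoded per
RFC 2849: a value that cannot sit on a plain "attr: value" line (non-ASCII,
NUL/CR/LF, leading space/':'/'<', trailing space) is written base64 as
"attr:: ...". No emitted line carries trailing whitespace.
"""
import base64
import re

BASE_DN = "dc=example,dc=com"            # assumption: base from the tutorial
PEOPLE_OU = "ou=People," + BASE_DN
GROUPS_OU = "ou=Groups," + BASE_DN
FIRST_UID = 3000                         # assumption: allocate ids from 3000 upward

_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")   # portable POSIX names


def ldif_line(attr, value):
    """One LDIF attribute line; base64 ("attr::") when RFC 2849 requires it."""
    raw = value.encode("utf-8")
    plain = (
        raw.isascii()
        and not any(b in (0x00, 0x0A, 0x0D) for b in raw)
        and not raw.startswith((b" ", b":", b"<"))
        and not raw.endswith(b" ")
    )
    if plain:
        return attr + ": " + value
    return attr + ":: " + base64.b64encode(raw).decode("ascii")


def next_free_id(used, start=FIRST_UID):
    """Lowest id >= start that is not in `used` (existing uidNumbers or gidNumbers)."""
    n = start
    while n in used:
        n += 1
    return n


def posix_user_ldif(username, uid_number, gid_number, full_name, gecos=None,
                    shell="/bin/bash", shadow_max=99999, shadow_warning=7):
    """LDIF add record for a posixAccount/shadowAccount entry under ou=People."""
    if not _USERNAME_RE.match(username):
        raise ValueError("bad POSIX username: %r" % username)
    gecos = gecos or full_name
    # nis.schema declares gecos as IA5String: slapd rejects non-ASCII there,
    # so fail here instead of letting ldapadd report "Invalid syntax".
    if not gecos.isascii():
        raise ValueError("gecos must be ASCII (IA5String): %r" % gecos)
    lines = [
        ldif_line("dn", "uid=%s,%s" % (username, PEOPLE_OU)),
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        ldif_line("cn", full_name),          # DirectoryString: UTF-8 is fine here
        ldif_line("uid", username),
        "uidNumber: %d" % uid_number,
        "gidNumber: %d" % gid_number,
        "homeDirectory: /home/" + username,
        ldif_line("loginShell", shell),
        ldif_line("gecos", gecos),
        # "{crypt}x" is not a valid hash, so nobody can log in until ldappasswd
        # replaces it; shadowLastChange 0 then forces a change at first login.
        "userPassword: {crypt}x",
        "shadowLastChange: 0",
        "shadowMax: %d" % shadow_max,        # assumption: login.defs-style defaults
        "shadowWarning: %d" % shadow_warning,
    ]
    return "\n".join(lines) + "\n"


def posix_group_ldif(groupname, gid_number, members=()):
    """LDIF add record for a posixGroup under ou=Groups, with optional members."""
    lines = [
        ldif_line("dn", "cn=%s,%s" % (groupname, GROUPS_OU)),
        "objectClass: top",
        "objectClass: posixGroup",
        ldif_line("cn", groupname),
        "gidNumber: %d" % gid_number,
    ] + [ldif_line("memberUid", m) for m in members]
    return "\n".join(lines) + "\n"


def new_user_bundle(username, full_name, used_uids, used_gids, gecos=None):
    """User plus a same-numbered private group, as one file for a single ldapadd."""
    uid = next_free_id(used_uids)
    gid = next_free_id(used_gids, start=uid)    # prefer gidNumber == uidNumber
    return (posix_user_ldif(username, uid, gid, full_name, gecos)
            + "\n"                              # one blank line separates LDIF records
            + posix_group_ldif(username, gid))


def trailing_whitespace_lines(ldif_text):
    """1-based numbers of lines ending in whitespace (it would become part of the value)."""
    return [i for i, line in enumerate(ldif_text.splitlines(), 1)
            if line != line.rstrip()]


if __name__ == "__main__":
    # Constructed sample: ids already taken in the directory.
    print(new_user_bundle("tammysomething", "Tammy Something",
                          used_uids={3000, 3001}, used_gids={3000},
                          gecos="Tammy Something,Karate Instructor,Room 37A"), end="")
```

Pipe the output straight into ldapadd -x -D "cn=admin,dc=example,dc=com" -W (it reads standard input when -f is omitted) or write it to a file first. Against a real directory, build used_uids and used_gids from an ldapsearch for uidNumber and gidNumber rather than from a hard-coded set, or two scripts run in parallel will hand out the same id.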
Changing OpenLDAP Passwords

Tammy wants her password to be "ilikecheese". The admin password is still "secretpassword".

ldappasswd -x -D "cn=admin,dc=example,dc=com" -w secretpassword \
  -s ilikecheese "uid=tammysomething,ou=People,dc=example,dc=com"

slapd hashes the new value before storing it ({SSHA} unless the password-hash directive says otherwise). As with -w, the -s option puts the new password into shell history and ps output; when typing this by hand use -S to be prompted for it and -W for the admin password.
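The -w and -s options in the command above put both passwords where any local user can read them (ps output) and where they persist (shell history). As an added example that is not part of the original page, the Python below shows the pattern a script should use instead: each secret goes into a temporary file readable only by the calling user and is handed to ldappasswd through -y (bind password) and -T (new password), both real ldap-utils options that use the complete file contents as the password, so the files must not end in a newline. The admin DN is taken from the tutorial; by default the function only builds and returns the command line (dry run) so it can be inspected without a server, and the secret files are removed either way.

```python
"""Run ldappasswd without either password appearing on the command line.

Added example, not code from the original page. The bind password and the
new password are written to 0600 files and passed with -y and -T; ldap-utils
read the complete file contents as the password, so no newline is written.
"""
import os
import shlex
import subprocess
import tempfile

ADMIN_DN = "cn=admin,dc=example,dc=com"      # assumption: the tutorial's rootdn


def secret_file(secret):
    """Write `secret` to a new file readable only by this user; return its path."""
    fd, path = tempfile.mkstemp(prefix="ldap-secret-")   # mkstemp creates it 0600
    try:
        os.write(fd, secret.encode("utf-8"))             # no newline: -y/-T take the whole file
    finally:
        os.close(fd)
    return path


def ldappasswd_argv(target_dn, bind_pw_path, new_pw_path, admin_dn=ADMIN_DN):
    """Argument vector: simple bind as admin, both secrets read from files."""
    return ["ldappasswd", "-x", "-D", admin_dn, "-y", bind_pw_path,
            "-T", new_pw_path, target_dn]


def leaks_secret(argv, *secrets):
    """True if any of the secrets appears verbatim in the argument vector."""
    return any(s in arg for arg in argv for s in secrets)


def set_password(target_dn, bind_password, new_password, dry_run=True):
    """Set target_dn's password. Returns (exit status, command line or stderr).

    With dry_run the command is only built and returned; the secret files
    are deleted in both cases once the call finishes.
    """
    bind_path = secret_file(bind_password)
    new_path = secret_file(new_password)
    try:
        argv = ldappasswd_argv(target_dn, bind_path, new_path)
        if leaks_secret(argv, bind_password, new_password):
            raise RuntimeError("refusing to expose a password in argv")
        if dry_run:
            return 0, shlex.join(argv)
        proc = subprocess.run(argv, capture_output=True, text=True)
        return proc.returncode, proc.stderr
    finally:
        os.unlink(bind_path)
        os.unlink(new_path)


if __name__ == "__main__":
    status, cmd = set_password("uid=tammysomething,ou=People,dc=example,dc=com",
                               "secretpassword", "ilikecheese")
    print(status, cmd)
```

The same -y trick applies to ldapadd, ldapmodify and ldapdelete for the bind password. The secrets still touch disk for the duration of the call, so keep TMPDIR on a local filesystem and never on a shared or world-readable one.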

Deleting OpenLDAP entries

Tammy got fired for (allegedly) smoking crack.

ldapdelete -x -D "cn=admin,dc=example,dc=com" -w secretpassword \
  "uid=tammysomething,ou=People,dc=example,dc=com"

This removes only her user entry. Her private group (cn=tammysomething,ou=Groups,dc=example,dc=com) and any memberUid: tammysomething values in other groups stay behind and need their own ldapdelete or ldapmodify. memberUid is matched by name, so a stale value would hand the old group memberships to anyone later created with the same username.

Adding OpenLDAP users to groups

To put POSIX users into POSIX groups, create the group, then modify the group to add members. For example, techhelplist.com has all employees under the Employee OU and various groups under the Groups OU. POSIX usernames (LDAP uids) rogersoandso, jessicaperson, and spotofficedog need to be members of the accounting group. Assuming the accounting group doesn't exist yet:

dn: cn=accounting,ou=Groups,dc=techhelplist,dc=com
objectClass: top
objectClass: posixGroup
cn: accounting
userPassword: {crypt}x
# pick a gidNumber no other group in the directory already uses
gidNumber: 3000
...would make the group for me once I ran it through ldapadd. If it already exists, I can skip to making this LDIF file, which we can call users2group.ldif:
dn: cn=accounting,ou=Groups,dc=techhelplist,dc=com
changetype: modify
add: memberUid
memberUid: rogersoandso

dn: cn=accounting,ou=Groups,dc=techhelplist,dc=com
changetype: modify
add: memberUid
memberUid: jessicaperson

dn: cn=accounting,ou=Groups,dc=techhelplist,dc=com
changetype: modify
add: memberUid
memberUid: spotofficedog
Make sure there's no whitespace after the lines! Only newlines. (The three records could also be one record with three memberUid: lines under a single add: memberUid.) Note that add: fails with "Type or value exists (20)" if the user is already a member, and ldapmodify stops at the first error unless you pass -c.

Then run ldapmodify to import the file.

ldapmodify -x -D "cn=admin,dc=techhelplist,dc=com" -w secretpassword \
  -f users2group.ldif
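The modify records above each add one memberUid, and add: fails with "Type or value exists (20)" as soon as one of the listed users is already in the group. As an added example that is not from the original page, the Python below reads the group's current members from ldapsearch -LLL output (here a constructed sample string; LDIF line folding and memberUid:: base64 values are handled), then writes a single modify record that adds only the users that are missing, so ldapmodify never trips over an existing member. A matching delete: record covers the clean-up the ldapdelete section warns about. The group DN cn=accounting,ou=Groups,dc=techhelplist,dc=com is taken from the example above.

```python
"""Build ldapmodify files that add or delete only the memberUid values needed.

Added example, not code from the original page. Current membership is parsed
from ldapsearch -LLL output; SAMPLE_SEARCH_OUTPUT is a constructed sample.
"""
import base64
import re

GROUP_DN = "cn=accounting,ou=Groups,dc=techhelplist,dc=com"   # assumption

# Constructed stand-in for:  ldapsearch -x -LLL -b "$GROUP_DN" -s base memberUid
SAMPLE_SEARCH_OUTPUT = (
    "dn: cn=accounting,ou=Groups,dc=techhelplist,dc=com\n"
    "memberUid: rogersoandso\n"
)

_VALID_UID = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")    # portable POSIX names


def current_members(search_output):
    """Set of memberUid values in LDIF-style ldapsearch output."""
    # LDIF folds long lines by starting the continuation with one space:
    # join those back before looking at attribute names.
    unfolded = search_output.replace("\n ", "")
    members = set()
    for line in unfolded.splitlines():
        attr, _, value = line.partition(":")
        if attr.lower() != "memberuid":             # attribute names are case-insensitive
            continue
        if value.startswith(":"):                   # "memberUid:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        members.add(value.strip())
    return members


def _modify_record(op, uids, group_dn):
    """One 'changetype: modify' record with a single add:/delete: of memberUid."""
    for uid in uids:
        if not _VALID_UID.match(uid):
            raise ValueError("bad POSIX username: %r" % uid)
    lines = ["dn: " + group_dn, "changetype: modify", op + ": memberUid"]
    lines += ["memberUid: " + uid for uid in uids]
    lines.append("-")                # RFC 2849 terminates each mod-spec with "-"
    return "\n".join(lines) + "\n"


def add_members_ldif(wanted, existing, group_dn=GROUP_DN):
    """Add only the users not already present; "" means nothing to send."""
    missing = sorted(set(wanted) - set(existing))
    return _modify_record("add", missing, group_dn) if missing else ""


def remove_members_ldif(unwanted, existing, group_dn=GROUP_DN):
    """Delete only the listed users who really are members; "" means nothing to send."""
    present = sorted(set(unwanted) & set(existing))
    return _modify_record("delete", present, group_dn) if present else ""


if __name__ == "__main__":
    have = current_members(SAMPLE_SEARCH_OUTPUT)
    print(add_members_ldif(["rogersoandso", "jessicaperson", "spotofficedog"], have),
          end="")
```

When the function returns an empty string, skip ldapmodify entirely; an empty file would simply do nothing, but a script that checks the return value can also log that the group was already correct. To feed it real data, capture ldapsearch output with subprocess and pass it to current_members unchanged.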
