Thursday, June 27, 2013

OpenLDAP user management Tutorial

This is a short tutorial on OpenLDAP user management. We will handle user management with the command-line tools from the slapd and ldap-utils packages.

These tools provide the bare necessities of adding, deleting, searching, modifying, exporting, and importing. They are a step up from "clown shoes", but if you are hoping for a slick system like phpLDAPadmin, go and find it.

Aside from LDAP searching, almost all interactions with slapd are done by writing a text file in LDIF (LDAP Data Interchange Format) and feeding it to one of the ldap* commands. You can use slapcat or slapadd to export or import LDIF straight from the database files.

Some common terms used in LDAP:
dn - the distinguished name: the full uid, ou and/or dc path of the thing. The dn of the base would be dn: dc=techhelplist,dc=com. A user "timmy" in the People organizational unit would be dn: uid=timmy,ou=People,dc=techhelplist,dc=com

dc - the domain components, i.e. the base of the thing, like dc=techhelplist,dc=com. If you have subdomains you will have more dc components.

ou - the organizational unit. Think LDAP groups, NOT POSIX groups. It is part of the structure of the database and may or may not follow your Linux user:group lines; that does not matter. Example: ou=Employees

Here is an example LDIF file, initial.ldif:
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: example.com
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: People

dn: ou=Groups,dc=example,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Groups

Make sure there is no trailing whitespace on any line, only newlines: a trailing space on an attribute line becomes part of the value, and a space on an otherwise blank line stops it from separating entries. Then you can import the file:
ldapadd -x -D "cn=admin,dc=example,dc=com" -w secretpassword -f initial.ldif

Note that -w puts the bind password on the command line, where other users can read it from the process list and it ends up in your shell history; -W prompts for it instead.

Add a new user:
Let's say you want to add a new user, Tommy. Prepare Tommy's LDIF file, tommy.ldif, then import it into LDAP:
dn: uid=Tommysomething,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: Tommy Something
uid: Tommysomething
uidNumber: 3000
gidNumber: 3000
homeDirectory: /home/Tommysomething
loginShell: /bin/bash
gecos: Tommy Something,Karate Instructor,Room 37A,435-555-555,801-555-555
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Then import tommy.ldif:
ldapadd -x -D "cn=admin,dc=example,dc=com" -w secretpassword -f tommy.ldif


Add a user group:
Same as adding Tommy, you prepare the LDIF file:
# the ou must be the one created in initial.ldif (ou=Groups), otherwise ldapadd fails with "No such object"
dn: cn=tommygroup,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: posixGroup
cn: tommygroup
userPassword: {crypt}x
gidNumber: 3000


Then use the ldapadd command, as above, to import the file.

Change a user's password:
You can use ldappasswd to update a user's password. The syntax is below (-S prompts for the new password instead of passing it on the command line with -s):
ldappasswd -s newpassword -D "cn=admin,dc=example,dc=com" -w mysecretpassword -x uid=tommy,ou=People,dc=example,dc=com


Delete a user (the -x is needed for a simple bind, otherwise ldapdelete tries SASL):
ldapdelete -x -D "cn=admin,dc=example,dc=com" -w mysecretpassword "uid=tommy,ou=People,dc=example,dc=com"


Add users to a group:
To add users to an existing group, again prepare an LDIF file:
dn: cn=accounting,ou=Group,dc=techhelplist,dc=com
changetype: modify
add: memberuid
memberuid: user1

dn: cn=accounting,ou=Group,dc=techhelplist,dc=com
changetype: modify
add: memberuid
memberuid: user2

dn: cn=accounting,ou=Group,dc=techhelplist,dc=com
changetype: modify
add: memberuid
memberuid: user3

This time you need the ldapmodify command to apply the update:
ldapmodify -x -D "cn=admin,dc=techhelplist,dc=com" -w mysecretpassword -f user2group.ldif
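As an added example (not code from the original post), here is a small Python helper that builds both the posixAccount record for Tommy and a single-record version of the memberUid change above. It applies the RFC 2849 rules for when a value must be base64-encoded (so a stray leading or trailing space never corrupts a value) and stores a salted {SSHA} hash instead of the locked {crypt}x placeholder. The function names, the shadow policy values and the fixed salt used in testing are my own choices.

```python
import base64
import hashlib
import os

# RFC 2849: a value is written base64 ("attr:: ...") when it starts with a
# space, ':' or '<', ends with a space, or contains NUL, CR, LF or non-ASCII.
def ldif_attr(name, value):
    unsafe = (value[:1] in (" ", ":", "<") or value.endswith(" ")
              or any(c in value for c in "\0\r\n") or not value.isascii())
    if unsafe:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"

def ssha_password(password, salt=None):
    """Salted SHA-1 in the {SSHA} form slapd stores in userPassword."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")

def verify_ssha(stored, password):
    """Check a password against an {SSHA} value (20-byte digest, then salt)."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    return hashlib.sha1(password.encode("utf-8") + raw[20:]).digest() == raw[:20]

def posix_account_ldif(uid, cn, uid_number, gid_number, password,
                       base="ou=People,dc=example,dc=com", gecos="", salt=None):
    """Build the ldapadd record for a posixAccount/shadowAccount user."""
    attrs = [
        ("dn", f"uid={uid},{base}"),
        ("objectClass", "top"), ("objectClass", "account"),
        ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
        ("cn", cn), ("uid", uid),
        ("uidNumber", str(uid_number)), ("gidNumber", str(gid_number)),
        ("homeDirectory", f"/home/{uid}"), ("loginShell", "/bin/bash"),
        ("gecos", gecos or cn),
        ("userPassword", ssha_password(password, salt)),
        # assumed shadow policy: 99999-day maximum age, 7-day warning
        ("shadowLastChange", "0"), ("shadowMax", "99999"), ("shadowWarning", "7"),
    ]
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"

def group_add_members_ldif(group_dn, uids):
    """One ldapmodify record adding several memberUid values in a single change."""
    lines = [ldif_attr("dn", group_dn), "changetype: modify", "add: memberUid"]
    lines += [ldif_attr("memberUid", u) for u in uids]
    return "\n".join(lines) + "\n-\n"
```

Write the returned text to a file and feed it to ldapadd or ldapmodify exactly as in the commands above.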


Like I said, this is a very simple tutorial; if you want to read more, go and read the OpenLDAP Admin Guide.
