Common LDAP Administrative Tasks


Here are some explanations of how to do many common LDAP tasks. They are all based on our sample organization, whose base DN is dc=example,dc=com.

Note

Always make sure that regular (non-system) user accounts exist only in the LDAP directory and not in the /etc/passwd files of the LDAP clients. With the usual passwd: files ldap order in /etc/nsswitch.conf, a local entry is found first and masks the directory entry, so the two copies drift out of sync and password changes stop propagating. These accounts should reside only on the LDAP server.
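
A quick way to audit a client for the stray local accounts described above, as an added example that is not part of the original page. The UID floor of 500 (the first regular user UID on older Red Hat systems) and the sample passwd file are assumptions; on a real client point the function at /etc/passwd.

```bash
#!/bin/bash
# Added example, not from the original page: report regular (non-system)
# accounts that still sit in a local passwd file on an LDAP client. With the
# usual "passwd: files ldap" order in /etc/nsswitch.conf a local entry is
# found first and masks the directory entry. The UID floor of 500 (the
# default first user UID on older Red Hat systems) and the sample file
# are assumptions.

# Print, one per line, the login names in passwd file $1 whose UID is at
# least $2 (default 500), excluding the "nobody" placeholder accounts.
local_regular_users() {
    awk -F: -v min="${2:-500}" \
        '$3 >= min && $1 != "nobody" && $1 != "nfsnobody" { print $1 }' "$1"
}

# Constructed sample; on a real client run: local_regular_users /etc/passwd
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
ldapuser:x:500:500:LDAP User:/home/ldapuser:/bin/bash
EOF

STRAY="$(local_regular_users "$SAMPLE_PASSWD")"
rm -f "$SAMPLE_PASSWD"
if [ -n "$STRAY" ]; then
    echo "Regular users still in the local passwd file (move them to the LDAP server):"
    echo "$STRAY"
fi
```

Any login name the function prints should be added to the directory with the addldapuser procedure later in this chapter and then removed from the client's /etc/passwd.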


Starting and Stopping LDAP

You can use the chkconfig command to get ldap configured to start at boot:

     [root@bigboy tmp]# chkconfig ldap on

To start, stop, or restart ldap after booting, use:

     [root@bigboy tmp]# service ldap start
     [root@bigboy tmp]# service ldap stop
     [root@bigboy tmp]# service ldap restart

Changes made through the ldapadd, ldapmodify and ldapdelete commands (as the scripts in this chapter do) are applied by the running slapd immediately and need no restart. Restart ldap after editing the server configuration file slapd.conf, or after loading data offline with slapadd while the server was stopped.

LDAP Users Changing Their Own Passwords

LDAP users can modify their LDAP passwords using the regular passwd command:

     [ldapuser@smallfry ldapuser]$ passwd
     Changing password for user ldapuser.
     Enter login(LDAP) password:
     New password:
     Retype new password:
     LDAP password information changed for ldapuser
     passwd: all authentication tokens updated successfully.
     [ldapuser@smallfry ldapuser]$

Modifying LDAP Users by User root

One easy way for the system administrator to manage LDAP users is to modify the Linux user's characteristics on the LDAP server in the regular way (with passwd, usermod and so on) and then run a script that pushes the updated /etc/passwd record into the LDAP database.

The Modify LDAP User Script

You can use the very simple sample script /usr/local/bin/modifyldapuser to extract a particular user's information from /etc/passwd and import it into your LDAP database.

The script works by using the grep command to extract the /etc/passwd user record to a temporary file. It then runs the migrate_passwd script on this data and outputs the result to a temporary LDIF file. Next, the script replaces the default padl DC with the example DC and exports this to the final LDIF file. Finally, the ldapmodify command does the update, and then the temporary files are deleted.

     #!/bin/bash
     # Usage: modifyldapuser <login>   (run as root)

     [ -n "$1" ] || { echo "usage: $0 login" >&2; exit 1; }

     # The temporary files carry the user's password hash, so keep them
     # readable by root only.
     umask 077

     # Anchor on the login name so that "bob" does not also match "bobby"
     # or a GECOS field that happens to contain "bob".
     grep "^${1}:" /etc/passwd > /tmp/modifyldapuser.tmp

     /usr/share/openldap/migration/migrate_passwd.pl \
         /tmp/modifyldapuser.tmp /tmp/modifyldapuser.ldif.tmp

     sed 's/dc=padl/dc=example/g' /tmp/modifyldapuser.ldif.tmp \
         > /tmp/modifyldapuser.ldif

     ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f \
         /tmp/modifyldapuser.ldif

     rm -f /tmp/modifyldapuser.*
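
To make the middle step of the script concrete, here is the LDIF for one /etc/passwd user built in shell rather than by migrate_passwd.pl. This is an added example, not code from the original page or from the migration tools; it serves both the modifyldapuser and addldapuser scripts. The attribute set mirrors the posixAccount/shadowAccount entry that migrate_passwd.pl emits (an approximation), the base DN is passed in directly instead of rewriting dc=padl afterwards, and the sample passwd lines and the crypt hash are constructed placeholders.

```bash
#!/bin/bash
# Added example, not code from the original page: build the LDIF for one
# /etc/passwd user in shell, the way migrate_passwd.pl plus the sed step do,
# but with the base DN passed in and the user lookup anchored on the login
# name. The sample passwd lines, the placeholder hash and the exact
# attribute set are assumptions for a stand-alone run.

# Print the passwd line for exactly the login name in $1 from file $2
# (anchored, so "bob" does not also match "bobby" or a GECOS field).
passwd_record() {
    grep -- "^${1}:" "$2"
}

# Emit an LDIF add entry for a passwd line ($1) and its crypt hash ($2)
# under base DN $3, e.g. dc=example,dc=com.
passwd_to_ldif() {
    pwhash="$2"
    base="$3"
    # Split the seven colon-separated passwd fields.
    IFS=: read -r user x uid gid gecos home shell <<EOF
$1
EOF
    # cn is mandatory, so fall back to the login name when GECOS is empty.
    cn="${gecos:-$user}"
    cat <<EOF
dn: uid=${user},ou=People,${base}
uid: ${user}
cn: ${cn}
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}${pwhash}
loginShell: ${shell}
uidNumber: ${uid}
gidNumber: ${gid}
homeDirectory: ${home}
gecos: ${cn}

EOF
}

# Constructed sample data; on a real server read /etc/passwd and /etc/shadow.
SAMPLE_PASSWD="$(mktemp)"
cat > "$SAMPLE_PASSWD" <<'EOF'
bobby:x:501:501:Bobby:/home/bobby:/bin/bash
bob:x:500:500:Bob Example:/home/bob:/bin/bash
EOF
SAMPLE_HASH='$1$saltsalt$constructedhashvalue.'   # placeholder crypt hash

# Write the LDIF to a private temp file (mktemp creates it mode 0600) because
# it carries the password hash.
LDIF="$(mktemp)"
passwd_to_ldif "$(passwd_record bob "$SAMPLE_PASSWD")" "$SAMPLE_HASH" \
    "dc=example,dc=com" > "$LDIF"
cat "$LDIF"
# Then, for a new user:      ldapadd    -x -D "cn=Manager,dc=example,dc=com" -W -f "$LDIF"
# or, for an existing one:   ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f "$LDIF"
rm -f "$LDIF" "$SAMPLE_PASSWD"
```

Because the login lookup is anchored and the base DN is written directly, the script cannot be tricked into exporting a second user whose name or GECOS merely contains the requested login, and nothing else in the LDIF is touched by a stray padl-to-example substitution.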

Remember to make the script executable and usable only by user root with the chmod command:

     [root@bigboy tmp]# chmod 700 /usr/local/bin/modifyldapuser
     [root@bigboy tmp]#

To use the script, modify the Linux user. In this case, modify the password for user ldapuser by running the modifyldapuser script using ldapuser as the argument. You will be prompted for the LDAP root password:

     [root@bigboy tmp]# passwd ldapuser
     Changing password for user ldapuser.
     New password:
     Retype new password:
     passwd: all authentication tokens updated successfully.
     [root@bigboy tmp]# modifyldapuser ldapuser
     Enter LDAP Password:
     modifying entry "uid=ldapuser,ou=People,dc=example,dc=com"

     [root@bigboy tmp]#

Adding New LDAP Users

You can use the short script in this section to add LDAP users to your database. I'll also provide an example of how to use it.

Create an LDAP Add User Script

You can create a /usr/local/bin/addldapuser script based on the modifyldapuser script you created earlier. For example:

     #!/bin/bash
     # Usage: addldapuser <login>   (run as root)

     [ -n "$1" ] || { echo "usage: $0 login" >&2; exit 1; }

     # The temporary files carry the user's password hash, so keep them
     # readable by root only.
     umask 077

     # Anchor on the login name so that "bob" does not also match "bobby".
     grep "^${1}:" /etc/passwd > /tmp/addldapuser.tmp

     /usr/share/openldap/migration/migrate_passwd.pl \
         /tmp/addldapuser.tmp /tmp/addldapuser.ldif.tmp

     sed 's/dc=padl/dc=example/g' /tmp/addldapuser.ldif.tmp \
         > /tmp/addldapuser.ldif

     ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f \
         /tmp/addldapuser.ldif

     rm -f /tmp/addldapuser.*

Add the User to the Database

Adding the user to the database takes three steps:

1. Create the Linux user on the LDAP server.

2. Run the addldapuser script with the username as the only argument. This example imports a previously created Linux user named ldapuser. The script prompts you for your LDAP root password:

     [root@bigboy tmp]# addldapuser ldapuser
     Enter LDAP Password:
     adding new entry "uid=ldapuser,ou=People,dc=example,dc=com"

     [root@bigboy tmp]#

3. Create home directories for the user on all the LDAP client Linux boxes.

Remember that this script adds existing Linux users to the LDAP database. The creation of Linux users still requires the use of the adduser command.

Deleting LDAP Users

Sometimes you want to get rid of users instead of adding them. You can create a /usr/local/bin/deleteldapuser script to delete LDAP users from your database. For example:

     #!/bin/bash
     # Usage: deleteldapuser <login>   (run as root)

     [ -n "$1" ] || { echo "usage: $0 login" >&2; exit 1; }

     ldapdelete -x -W -D "cn=Manager,dc=example,dc=com" \
          "uid=$1,ou=People,dc=example,dc=com"

To delete the user from the database, run the deleteldapuser script with the username as the only argument. The example below removes the LDAP entry for the previously created user ldapuser; the Linux account on the server itself, if it still exists in /etc/passwd, is not touched and must be removed separately with userdel. The script prompts you for your LDAP root password:

     [root@bigboy tmp]# deleteldapuser ldapuser
     Enter LDAP Password:
     [root@bigboy tmp]#

LDAP Web Management Tools

Once you understand the principles behind LDAP management, you may want to use a graphical tool to help with further administration. If the tool misbehaves, at least you'll now know how to try to fix it behind the scenes from the command line.

The LDAP Account Manager (LAM), which is available at http://lam.sourceforge.net/, is a well known, easy-to-use product. After you feel comfortable enough with the background tasks and concepts outlined in this chapter, you should give it a try.