This is boring stuff, but needed to build and maintain your LDAP directory.
Renaming an LDAP entry
The modrdn LDAP operation allows an authorized user to rename an LDAP entry’s RDN (that is, modifying the RDN of that entry).
Optionally, the modrdn operation can keep the old attribute values that formed the original RDN. This is done by specifying deleteOldRDN:0 at the end of the modrdn data. If deleteOldRDN:1 is specified at the end of the modrdn operation, or it is not specified at all, the modrdn operation removes the attribute values that formed the original RDN.
For example, let’s add a sample entry:
$ ldapmodify …
dn: cn=John Smith,ou=People,dc=sample,dc=com
changetype: add
objectClass: top
objectClass: person
cn: John Smith
sn: Smith
The attributes for the newly added entry are:
$ ldapsearch -x -b "cn=John Smith,ou=People,dc=sample,dc=com" -s base
dn: cn=John Smith,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
cn: John Smith
sn: Smith
Now, using the ldapmodify command, let’s invoke the modrdn operation onto the sample entry:
$ ldapmodify …
dn: cn=John Smith,ou=People,dc=sample,dc=com
changetype: modrdn
newrdn: cn=John A. Smith
deleteOldRDN: 1
Since deleteOldRDN:1 has been specified, the old cn (commonName) value that was part of the RDN is removed and replaced by the new cn value.
$ ldapsearch -x -b "cn=John A. Smith,ou=People,dc=sample,dc=com" -s base
dn: cn=John A. Smith,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
sn: Smith
cn: John A. Smith
Had we specified deleteOldRDN:0 instead, the entry would have looked as follows:
$ ldapsearch -x -b "cn=John A. Smith,ou=People,dc=sample,dc=com" -s base
dn: cn=John A. Smith,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
cn: John Smith
cn: John A. Smith
sn: Smith
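To make the deleteOldRDN behaviour above concrete without a running directory, here is an added Python example (not from the original post) that models what the server does to an entry's attribute values during modrdn and applies the post's own LDIF record to its sample entry. It assumes exact value comparison rather than LDAP matching rules, RDN values without escaped ',' or '+', and a mandatory deleteoldrdn line as RFC 2849 requires.

```python
def parse_rdn(rdn):
    """Split 'cn=John A. Smith' (or multi-valued 'cn=X+sn=Y') into (attr, value) pairs."""
    pairs = []
    for ava in rdn.split("+"):  # assumption: no escaped '+' or ',' in values
        attr, _, value = ava.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def modrdn(dn, entry, newrdn, deleteoldrdn):
    """Rename the entry at dn (entry: dict of lowercase attr -> list of values) and
    return (new_dn, new_entry). New RDN values are added unless already present; old
    RDN values are removed only when deleteoldrdn is set and not part of the new RDN."""
    old_rdn, _, parent = dn.partition(",")
    new_entry = {attr: list(vals) for attr, vals in entry.items()}
    new_avas = parse_rdn(newrdn)
    for attr, value in new_avas:
        vals = new_entry.setdefault(attr, [])
        if value not in vals:  # exact comparison (assumption, not caseIgnoreMatch)
            vals.append(value)
    if deleteoldrdn:
        for attr, value in parse_rdn(old_rdn):
            if (attr, value) in new_avas:
                continue  # same value kept in the new RDN: nothing to delete
            new_entry[attr] = [v for v in new_entry.get(attr, []) if v != value]
            if not new_entry[attr]:
                del new_entry[attr]  # a real server refuses this if the schema requires attr
    return (newrdn + "," + parent if parent else newrdn), new_entry

def apply_modrdn_ldif(ldif_text, directory):
    """Parse one 'changetype: modrdn' LDIF record and apply it to directory (DN -> entry)."""
    rec = {}
    for line in ldif_text.strip().splitlines():
        key, _, value = line.partition(":")
        rec[key.strip().lower()] = value.strip()  # LDIF keys are case-insensitive
    if rec.get("changetype", "").lower() != "modrdn":
        raise ValueError("not a modrdn record")
    dn = rec["dn"]  # deleteoldrdn is mandatory per RFC 2849, so KeyError if missing
    new_dn, new_entry = modrdn(dn, directory.pop(dn), rec["newrdn"], int(rec["deleteoldrdn"]))
    directory[new_dn] = new_entry
    return new_dn

# Constructed sample: the post's entry, renamed with deleteOldRDN 1 or 0.
SAMPLE_DN = "cn=John Smith,ou=People,dc=sample,dc=com"
SAMPLE_ENTRY = {"objectclass": ["top", "person"], "cn": ["John Smith"], "sn": ["Smith"]}
RECORD = "dn: %s\nchangeType: modrdn\nnewrdn: cn=John A. Smith\ndeleteOldRDN: %d\n"

def rename_sample(deleteoldrdn):
    directory = {SAMPLE_DN: SAMPLE_ENTRY}
    new_dn = apply_modrdn_ldif(RECORD % (SAMPLE_DN, deleteoldrdn), directory)
    return new_dn, directory[new_dn]
```

rename_sample(1) yields a single cn value, rename_sample(0) keeps both, matching the two ldapsearch results above.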
Scripts to make your life easier
The following are examples of simple scripts for adding, deleting and modifying LDAP users. Keep in mind that you first need to create the local user on the server and then, with the script, export it to LDAP. It is exactly what we were doing earlier, only done automatically by the script.
> Create the ldapuser_add script and paste the following lines into it
#!/bin/bash
# Export the local account named in $1 from /etc/passwd into LDAP.
[ $# -eq 1 ] || { echo "usage: $0 username" >&2; exit 1; }
set -e
tmpdir=$(mktemp -d)                # private temp dir instead of predictable /tmp names
trap 'rm -rf "$tmpdir"' EXIT       # cleaned up on exit, including on error
grep "^$1:" /etc/passwd > "$tmpdir/passwd"   # match the username field only, not substrings
/usr/share/openldap/migration/migrate_passwd.pl "$tmpdir/passwd" "$tmpdir/user.ldif.tmp"
sed s/padl/example/ "$tmpdir/user.ldif.tmp" > "$tmpdir/user.ldif"   # rewrite the default padl suffix
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f "$tmpdir/user.ldif"
Watch the line breaks: the script will fail if a line breaks at a different point. Now make the script executable and place it somewhere in your PATH.
[root@ldap ~]# chmod 700 ldapuser_add
[root@ldap ~]# mv ldapuser_add /usr/sbin
Sample usage:
[root@ldap ~]# ldapuser_add pablo
Note that the user pablo must already exist on the server as a local account.
> Script ldapuser_delete for deleting LDAP users from the database
#!/bin/bash
# Remove the LDAP entry of the user named in $1.
[ $# -eq 1 ] || { echo "usage: $0 username" >&2; exit 1; }
ldapdelete -x -W -D "cn=Manager,dc=example,dc=com" "uid=$1,ou=People,dc=example,dc=com"
[root@ldap ~]# chmod 700 ldapuser_delete
[root@ldap ~]# mv ldapuser_delete /usr/sbin
Sample usage:
[root@ldap ~]# ldapuser_delete pablo
> Script ldapuser_modify for modifying LDAP users
#!/bin/bash
# Re-export the local account named in $1 from /etc/passwd and apply it to LDAP.
[ $# -eq 1 ] || { echo "usage: $0 username" >&2; exit 1; }
set -e
tmpdir=$(mktemp -d)                # private temp dir instead of predictable /tmp names
trap 'rm -rf "$tmpdir"' EXIT       # cleaned up on exit, including on error
grep "^$1:" /etc/passwd > "$tmpdir/passwd"   # match the username field only, not substrings
/usr/share/openldap/migration/migrate_passwd.pl "$tmpdir/passwd" "$tmpdir/user.ldif.tmp"
sed s/padl/example/ "$tmpdir/user.ldif.tmp" > "$tmpdir/user.ldif"   # rewrite the default padl suffix
ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f "$tmpdir/user.ldif"
[root@ldap ~]# chmod 700 ldapuser_modify
[root@ldap ~]# mv ldapuser_modify /usr/sbin