LDAP commands and scripts

Monday, 19 February 2007 16:00

This is boring stuff, but needed to build and maintain your ldap directory.

Renaming an LDAP entry

The modrdn LDAP operation allows an authorized user to rename an LDAP entry’s RDN (that is, modifying the RDN of that entry).

Optionally, the modrdn operation can keep the old attributes that form the pristine RDN. This can be accomplished by specifiying deleteOldRDN:0 at the end of the modrdn data. If deleteOldRND:1 is specified at the end of the modrdn operation, or it is not specified at all, the modrdn operation will keep the attributes (and its values) that formed the pristine RDN.

For example, let’s add a sample entry:

$ ldapmodify …

dn:cn=John Smith,ou=People,dc=sample,dc=com
changeType:add
objectClass:top
objectClass:person
cn:John Smith
sn:Smith

The attributes for the newly added entry are:

$ ldapsearch -x

-b”cn=John Smith,ou=People,dc=sample,dc=com”
-s base
dn: cn=John Smith,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
cn: John Smith
sn: Smith

Now, using the ldapmodify command, let’s invoke the modrdn operation onto the sample entry:

$ ldapmodify …

dn:cn=John Smith,ou=People,dc=sample,dc=com
changeType:modrdn
newrdn:cn=John A. Smith
deleteOldRDN:1

Since deleteOldRND:1 has been specified, the old cn attribiute (commonName), which was part of the RDN, is removed and then replaced by the new cn attribute and it’s new value.

$ ldapsearch -x

-b”cn=John A. Smith,ou=People,dc=sample,dc=com”
-s base
dn: cn=John A. Smith,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
sn: Smith
cn: John A. Smith

Should have we specified deleteOldRND:0, then the entry would have looked as follows:

$ ldapsearch -x

-b”cn=John A. Smith,ou=People,dc=sample,dc=com”
-s base
dn: cn=John A. Smith,ou=People,dc=sample,dc=com
objectClass: top
objectClass: person
cn: John Smith
cn: John A. Smith
sn: Smith

Scripts to make your life easier

The following are examples of the simple scripts for adding/deleting/modifying LDAP users. Keep in mind, that you first need to create local user on the server and than with the script, you export it to the LDAP. It's the exact same thing as we were doing earlier, only this can be automatically done with the following script.

> Create ldapuser_add script and copy/paste the following lines in

#!/bin/bash
grep $1 /etc/passwd > /tmp/changeldappasswd.tmp
/usr/share/openldap/migration/migrate_passwd.pl /tmp/changeldappasswd.tmp /tmp/changeldappasswd.ldif.tmp
cat /tmp/changeldappasswd.ldif.tmp | sed s/padl/example/ > /tmp/changeldappasswd.ldif
ldapadd -x -D "cn=Manager,dc=example,dc=com" -W -f /tmp/changeldappasswd.ldif
rm -f /tmp/changeldappasswd.*

Watch for the line brakes, because you will end up with errors if the line breake on some different point. Now, make the script executable and place it somewhere in your PATH.

[root@ldap ~]# chmod 700 ldapuser_add
[root@ldap ~]# mv ldapuser_add /usr/sbin

Sample usage:

[root@ldap ~]# addldapuser pablo

Note that the user Pablo must already exist on the server as a local user.

> Script ldapuser_delete for deleting LDAP users from database

#!/bin/bash
ldapdelete -x -W -D "cn=Manager,dc=example,dc=com" "uid=$1,ou=People,dc=example,dc=c

[root@ldap ~]# chmod 700 ldapuser_delete
[root@ldap ~]# mv ldapuser_delete /usr/sbin

Sample usage:

[root@ldap ~]# deleteldapuser pablo

> Script ldapuser_modify for modifying LDAP users

#!/bin/bash
grep $1 /etc/passwd > /tmp/modifyldapuser.tmp
/usr/share/openldap/migration/migrate_passwd.pl /tmp/modifyldapuser.tmp /tmp/modifyldapuser.ldif.tmp
cat /tmp/modifyldapuser.ldif.tmp | sed s/padl/example/ > /tmp/modifyldapuser.ldif
ldapmodify -x -D "cn=Manager,dc=example,dc=com" -W -f /tmp/modifyldapuser.ldif
rm -f /tmp/modifyldapuser.*

[root@ldap ~]# chmod 700 ldapuser_modify
[root@ldap ~]# mv ldapuser_modify /usr/sbin

< Prev		Next >

Add comment

JComments