Managing OpenLDAP

By | 2018-07-21

This guide explains how to use the OpenLDAP client tools to manage an OpenLDAP directory server. I am assuming you have root access to your directory server.

Common Options

There are some options common to all of the OpenLDAP tools used in this guide. I recommend creating shell aliases for the ldap commands with these options already defined. It would be wise to add these to your shell startup files or, if you prefer, maintain an OpenLDAP environment file. This guide demonstrates the latter. First, you need to determine how you are going to log in to your directory server. Most likely, you will be able to run commands as root and use SASL's EXTERNAL mechanism. SASL EXTERNAL instructs OpenLDAP to accept your root access to the OS as root access to the directory. If you installed from source using one of the guides on this site, this will be the case. If you are not able to do this, you will need to supply the credentials for the root DN of the database you are managing.

ACLs may prevent access to data directories via SASL EXTERNAL. If this happens, you can add two sets of aliases, or you can modify the ACL. If you opt to add two sets, I recommend prefixing the names of the set used to work on the configuration directory with c.

I created the examples with the assumption that you will create and source an environment file as described below. If you don’t do this, you will have to supply the options from the aliases each time you use the respective OpenLDAP command.

SASL EXTERNAL

Create or add to /root/.ldap-env the following lines:

alias ldapadd="ldapadd -Y EXTERNAL -H ldapi:///"
alias ldapdelete="ldapdelete -Y EXTERNAL -H ldapi:///"
alias ldapmodify="ldapmodify -Y EXTERNAL -H ldapi:///"
alias ldappasswd="ldappasswd -Y EXTERNAL -H ldapi:/// -S"
alias ldapsearch="ldapsearch -Y EXTERNAL -H ldapi:///"

The -Y option is used to specify which SASL mechanism to use. EXTERNAL passes the UID and GID of the user running the command to the directory server. -H is used to specify the URI of the directory server to connect to. In this example, we will use the UNIX-domain socket. Finally, the -S instructs ldappasswd to prompt you for the new password.

Now source the file:

source /root/.ldap-env

Simple Authentication

If for some reason you can’t use SASL, you will need to supply the root DN and password to bind to the server.

Create or add to /root/.ldap-env the following lines. Replace the BIND_DN value with the root DN for your site.

BIND_DN="cn=admin,dc=tylersguides,dc=com"
alias ldapadd="ldapadd -x -W -D ${BIND_DN} -H ldapi:///"
alias ldapdelete="ldapdelete -x -W -D ${BIND_DN} -H ldapi:///"
alias ldapmodify="ldapmodify -x -W -D ${BIND_DN} -H ldapi:///"
alias ldappasswd="ldappasswd -x -W -D ${BIND_DN} -H ldapi:/// -S"
alias ldapsearch="ldapsearch -x -W -D ${BIND_DN} -H ldapi:///"

If you can't remember the root DN, you can get it with the following command. You should see at least two olcRootDN values; the one for cn=config (the configuration database) is probably not the one you want.

slapcat -n 0 | grep olcRootDN

If the command doesn't work, you are probably using the older slapd.conf method of configuring OpenLDAP. In this case, you will find the root DN in the rootdn directive of your slapd.conf.

The -x option selects simple authentication instead of SASL. -H specifies the URI of the directory server you wish to connect to; in this example, we use the UNIX-domain socket. -W prompts you for your password. The DN you are binding with is specified with -D. Finally, -S instructs ldappasswd to prompt you for the new password. If you prefer, you can store the password in a file and use -y filename instead of -W. If you do this, make sure there is no newline character at the end of the file, and keep the file readable only by root. Another option is to supply the password on the command line with -w, but the password is then visible to other users in the process list and recorded in your shell history.
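The -y file is only as safe as its permissions and only works without a trailing newline. The helper below is an added example, not part of the original guide, that writes such a file with owner-only permissions and checks both properties; the path /root/.ldap-pw in the usage comment is an assumption.

```shell
# Added example, not from the original guide: write the password file used with
# -y so that it is readable only by root and carries no trailing newline
# (the ldap tools would otherwise send the newline as part of the password).
# The password is read from standard input; the path argument is an assumption.
write_ldap_passfile() {
    passfile="$1"
    # Create (or truncate) the file with owner-only permissions before any
    # password bytes are written, and fix the mode if the file already existed.
    old_umask=$(umask)
    umask 077
    : > "$passfile" || return 1
    umask "$old_umask"
    chmod 600 "$passfile" || return 1
    if [ -t 0 ]; then
        # Interactive use: do not echo the password while it is typed.
        printf 'Password: ' >&2
        stty -echo; IFS= read -r pw; stty echo; printf '\n' >&2
    else
        IFS= read -r pw || return 1
    fi
    # printf '%s' writes exactly the bytes read, unlike echo, which appends "\n".
    printf '%s' "$pw" > "$passfile"
}

# Returns 0 when the file has mode 600 and does not end in a newline.
check_ldap_passfile() {
    passfile="$1"
    [ "$(stat -c %a "$passfile" 2>/dev/null || stat -f %Lp "$passfile")" = "600" ] || return 1
    # Command substitution strips trailing newlines, so the last byte survives
    # only when it is not a newline.
    [ -n "$(tail -c 1 "$passfile")" ]
}

# Usage: write_ldap_passfile /root/.ldap-pw   (type the password at the prompt)
#        then replace -W in the aliases with -y /root/.ldap-pw
```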

Now source the file:

source /root/.ldap-env

Finding Entries

Directories are searched with ldapsearch. You must supply a search base with -b to get any results. For instance, to search the configuration directory, you would use the following command.

ldapsearch -b "cn=config"

This will display every user attribute of every entry on the server that has a DN starting with the specified base. In this case, it would show the entire configuration directory. You probably want something specific instead of the whole directory. To do this, use an LDAP filter. If you are looking for entries with a specific attribute value, you can get by with a simple filter like this:

root@ldap:~# ldapsearch -b "cn=config" "(mail=example@tylersguides.com)"

I wrote a guide on LDAP filters if you need to do anything more complex than this.

Adding Entries

You use the ldapadd command to add new entries to an OpenLDAP server. You can take two approaches. One is to create an LDIF file, and the other is to type the entries directly into your terminal. Whichever approach you take, you must specify the entries in LDIF format.

Typing the Entry Into a Terminal

root@ldap:~# ldapadd -Q
dn: uid=example,ou=users,dc=tylersguides,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uidNumber: 5001
gidNumber: 5000
uid: example
homeDirectory: /home/example
cn: example
sn: example
mail: example@tylersguides.com

adding new entry "uid=example,ou=users,dc=tylersguides,dc=com"

The -Q suppresses SASL output. Leave it out of your commands if you wish.

The first line of a new entry is always the entry's DN. Other than that, the order of the attributes doesn't matter. If you are typing entries directly into a terminal, add a blank line after each entry. You can add as many entries as you like. Press Ctrl+D when you are finished.

Reading Entries From a File

I prefer adding entries using a file. To do this, create an LDIF file with the entries formatted the same way as if you had typed them into a terminal. If you are adding multiple entries, put a blank line between each entry.

When you are finished, add the entries with ldapadd -f:

root@ldap:~# ldapadd -f /path/to/my.ldif

Deleting Entries

Deleting entries is easy. All you have to do is give ldapdelete the DN of the object you wish to delete. For example:

root@ldap:~# ldapdelete "uid=testuser,ou=users,dc=tylersguides,dc=com"

You can bulk delete entries by creating a file with the DNs to delete, one per line.

root@ldap:~# ldapdelete -f deletefile
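The usual way to build that file is from ldapsearch output, and a plain grep for "dn: " gets it wrong in two cases. The function below is an added example, not part of the original guide: it extracts DNs from LDIF the way ldapsearch -LLL prints them, decoding base64 "dn::" lines and rejoining folded lines, and includes a constructed sample input.

```shell
# Added example, not from the original guide: convert ldapsearch LDIF output
# into the one-DN-per-line file that ldapdelete -f expects. A naive
# grep '^dn: ' misses two cases: DNs with non-ASCII (or leading/trailing
# spaces) are emitted base64-encoded as "dn:: ...", and long DNs are folded
# onto a continuation line that begins with a single space.
ldif_flush_dn() {
    case "$cur" in
        'dn:: '*) printf '%s' "${cur#dn:: }" | base64 -d; printf '\n' ;;
        'dn: '*)  printf '%s\n' "${cur#dn: }" ;;
    esac
    cur=""
}

ldif_dns() {
    cur=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ' '*) if [ -n "$cur" ]; then cur="$cur${line# }"; fi ;;  # folded line
            *)    ldif_flush_dn; cur="$line" ;;
        esac
    done
    ldif_flush_dn
}

# Constructed sample, laid out the way ldapsearch -LLL prints it: one plain DN,
# one base64 DN (non-ASCII) and one DN folded across two lines.
sample_ldif() {
    enc=$(printf '%s' 'uid=jörg,ou=users,dc=tylersguides,dc=com' | base64 | tr -d '\n')
    printf 'dn: uid=testuser,ou=users,dc=tylersguides,dc=com\nobjectClass: inetOrgPerson\n\n'
    printf 'dn:: %s\nobjectClass: inetOrgPerson\n\n' "$enc"
    printf 'dn: uid=averylongusernamethatforcesldapsearchtowrap,ou=users,dc=tylersguides,\n'
    printf ' dc=com\nobjectClass: inetOrgPerson\n'
}

# Usage against a live server (the attribute list 1.1 asks for no attributes,
# so only the DNs are returned):
#   ldapsearch -LLL -Q -b "ou=users,dc=tylersguides,dc=com" "(employeeType=Contractor)" 1.1 \
#       | ldif_dns > deletefile
```

Review the generated deletefile before handing it to ldapdelete -f; the search filter, not the script, decides what gets removed.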

Changing Entries

Entries are changed with ldapmodify. The format it uses is similar to ldapadd.

Suppose you want to delete the mail attribute from the following entry.

root@ldap:~# #The -LLL sets the output to LDIFv1 and suppresses comments.
root@ldap:~# ldapsearch -LLL -Q -b "dc=tylersguides,dc=com" "(uid=testuser2)"
dn: uid=testuser2,ou=users,dc=tylersguides,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uidNumber: 5001
uid: testuser2
gidNumber: 5000
loginShell: /bin/sh
mail: testuser2@tylersguides.com
homeDirectory: /home/testuser2
cn: Test
sn: Test

Your command would look like this:

root@ldap:~# ldapmodify -Q
dn: uid=testuser2,ou=users,dc=tylersguides,dc=com
changetype: modify
delete: mail

With ldapmodify, the second line of the entry you are changing will be:

changetype: modify

The next line will be one of these:

delete: attribute
add: attribute
replace: attribute

When you are adding or replacing attributes, the value(s) follow on the next line(s). Here is how you would add back the attribute deleted in the first example:

root@ldap:~# ldapmodify -Q
dn: uid=testuser2,ou=users,dc=tylersguides,dc=com
changetype: modify
add: mail
mail: testuser2@tylersguides.com

Now let’s add an additional mail attribute to the testuser2 entry.

root@ldap:~# ldapmodify -Q
dn: uid=testuser2,ou=users,dc=tylersguides,dc=com
changetype: modify
add: mail
mail: testuser2@example.com

To make multiple changes to an entry, separate them with a hyphen (-) on a line by itself.

root@ldap:~# ldapmodify -Q
dn: uid=testuser2,ou=users,dc=tylersguides,dc=com
changetype: modify
replace: mail
mail: testuser2@tylersguides.com
-
add: employeeType
employeeType: Contractor
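Typing these change blocks by hand is where the "-" separator or the "changetype: modify" line tends to get forgotten. The function below is an added example, not part of the original guide: it generates a modify LDIF for one entry from arguments of the form op=attribute=value, inserts the separators, and base64-encodes values that LDIF cannot carry literally; the names ldif_modify and needs_b64 are hypothetical.

```shell
# Added example, not from the original guide: emit a "changetype: modify" LDIF
# for one entry from arguments of the form op=attribute=value (or op=attribute
# to delete every value), op being add, replace or delete. The "-" separator
# between changes is inserted automatically. Pipe the output to ldapmodify -Q.

# LDIF requires base64 (attr:: value) for values that start with a space, ':'
# or '<', end with a space, or contain non-ASCII or control characters.
needs_b64() {
    case "$1" in ' '*|':'*|'<'*|*' ') return 0 ;; esac
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

ldif_modify() {
    dn="$1"; shift
    # Validate every operation first so no partial LDIF is emitted on error.
    for change in "$@"; do
        case "${change%%=*}" in
            add|replace|delete) ;;
            *) printf 'ldif_modify: bad operation in "%s"\n' "$change" >&2; return 1 ;;
        esac
    done
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    first=1
    for change in "$@"; do
        op=${change%%=*}
        rest=${change#*=}        # attribute or attribute=value
        attr=${rest%%=*}
        [ "$first" -eq 1 ] || printf '%s\n' -     # separator between changes
        first=0
        printf '%s: %s\n' "$op" "$attr"
        [ "$rest" != "$attr" ] || continue        # bare delete: no value line
        val=${rest#*=}
        if needs_b64 "$val"; then
            printf '%s:: %s\n' "$attr" "$(printf '%s' "$val" | base64 | tr -d '\n')"
        else
            printf '%s: %s\n' "$attr" "$val"
        fi
    done
    printf '\n'                                   # blank line ends the entry
}

# Usage (constructed): the last example above, generated instead of typed.
#   ldif_modify "uid=testuser2,ou=users,dc=tylersguides,dc=com" \
#       replace=mail=testuser2@tylersguides.com add=employeeType=Contractor | ldapmodify -Q
```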

Changing Passwords

Passwords are changed with ldappasswd.

root@ldap:~# ldappasswd "uid=testuser2,ou=users,dc=tylersguides,dc=com"
New password: 
Re-enter new password:
