Unless you are using some kind of management tool, you use ldapadd to add a user to an OpenLDAP database. Before doing so, you will need a few pieces of information:
- What type of user you are creating (e.g. POSIX or non-POSIX).
- The LDAP suffix of the database you wish to add the user to.
- A user with sufficient privileges to add a new entry.
- The OU, if any, you wish to create the user in.
If you just need an example, skip to the LDIF at the bottom of the page.
Type of User
You need to determine the type of user in order to decide which structural object class and which auxiliary classes, if any, to apply to the user you wish to create. The class(es) determine which attributes are available and which ones are required. Most of the time, people use one of the person classes. This isn't required: assuming you are using password authentication, you can use any class that has the userPassword attribute. See the .schema files in your schema directory if you want to see all of the classes that are available to you. This is usually in /etc/ldap, /etc/openldap, or /usr/local/etc/openldap.
Every entry has one and only one structural class. Auxiliary classes are optional. You can use as many auxiliary classes as you want.
Use this table describing common classes for users to help you choose which class(es) you need.
Class Name | Type | Attributes |
---|---|---|
person | Structural | Required: / Optional: |
organizationalPerson | Structural | This has the same required and optional attributes as person along with the following optional attributes: |
residentialPerson | Structural | This has the same required and optional attributes as person along with the following optional attributes: |
inetOrgPerson | Structural | This has the same required and optional attributes as organizationalPerson along with the following optional attributes: |
posixAccount | Auxiliary | Required: / Optional: |
shadowAccount | Auxiliary | Required: / Optional: |
Gather Information
Depending on your installation, you may have more than one database available. Log in to your server and follow the example below as root to get a list of available databases and their suffixes:
[root@ldap ~]# slapcat -n 0 -a '(olcSuffix=*)' | egrep 'Suffix|olcDatabase'
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {1}mdb
olcSuffix: dc=tylersguides,dc=com
On my test system, I have a single database with the suffix dc=tylersguides,dc=com.
The following command will list all of the organizational units I have in my single database:
[root@ldap ~]# slapcat -n 1 -a '(objectClass=organizationalUnit)' | grep '^dn'
dn: ou=groups,dc=tylersguides,dc=com
dn: ou=users,dc=tylersguides,dc=com
dn: ou=system,dc=tylersguides,dc=com
I have three organizational units. A good way to think of organizational units is that they are similar to directories on a file system: they are entries that act as a parent to other entries, allowing you to keep your data organized.
Create an LDIF
Create an LDIF file with the users you wish to create. Here is an example of a user for OS authentication:
dn: uid=testuser,ou=users,dc=tylersguides,dc=com
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: First Name
sn: Last Name
uid: testuser
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/testuser
loginShell: /bin/sh
gecos: Comments
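As an added example that is not part of the original guide, the Python below builds an entry like the one above, checks it against the MUST attributes of the three classes it uses (taken from OpenLDAP's core, inetorgperson and nis schemas), stores the password as a salted {SSHA} hash instead of the cleartext that slapd would otherwise keep verbatim, and serialises the result as LDIF, base64-encoding any value that is not LDIF-safe. The sample user values are constructed.

```python
import base64
import hashlib
import hmac
import os

# MUST attributes of the object classes used in the example entry above, as
# defined in OpenLDAP's core.schema, inetorgperson.schema and nis.schema
# (inetOrgPerson inherits its required attributes from person).
REQUIRED = {
    "inetOrgPerson": {"cn", "sn"},
    "posixAccount": {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
    "shadowAccount": {"uid"},
}


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Salted SHA-1 in the {SSHA} form slapd accepts: base64(sha1(pw+salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(stored: str, password: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def missing_attributes(entry: dict) -> set:
    """MUST attributes demanded by the entry's objectClass values that it lacks."""
    required = set().union(*(REQUIRED.get(oc, set()) for oc in entry.get("objectClass", [])))
    return required - set(entry)


def to_ldif(dn: str, entry: dict) -> str:
    """Serialise an attribute->values dict as LDIF. Values that are non-ASCII, contain
    control characters, or start with ' ', ':' or '<' must be base64 ('attr:: ...')."""
    lines = [f"dn: {dn}"]
    for attr, values in entry.items():
        for value in values:
            safe = (value.isascii() and value.isprintable()
                    and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
            lines.append(f"{attr}: {value}" if safe
                         else f"{attr}:: {base64.b64encode(value.encode()).decode()}")
    return "\n".join(lines) + "\n"


def build_user(uid: str, cn: str, sn: str, uid_number: int, password: str) -> dict:
    """The guide's testuser layout plus a hashed userPassword (constructed values)."""
    return {"objectClass": ["inetOrgPerson", "posixAccount", "shadowAccount"],
            "cn": [cn], "sn": [sn], "uid": [uid],
            "uidNumber": [str(uid_number)], "gidNumber": [str(uid_number)],
            "homeDirectory": [f"/home/{uid}"], "loginShell": ["/bin/sh"],
            "userPassword": [ssha_hash(password)]}
```

Write the output of to_ldif to a file and feed it to ldapadd -f as shown in the next section; an entry with a non-empty missing_attributes result would be rejected by the server with an object class violation.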
Add the LDIF To Your Server
When you are finished, add the user to your server with ldapadd. Let's look at a few examples.
[root@ldap ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /tmp/user.ldif
In this example, -Y EXTERNAL instructs ldapadd to use the SASL EXTERNAL mechanism for authentication, i.e. the server is configured to trust my OS user. In many cases, servers are configured to trust the root user.
-H ldapi:/// specifies the URL to connect to. The ldapi protocol means ldapadd will connect to the server over a UNIX domain socket instead of TCP/IP. You have to be logged into your server in order to do this.
Finally, -f /tmp/user.ldif is the path to the LDIF file you want ldapadd to add to your server.
[root@ldap ~]# ldapadd -x -H ldap://localhost -D \
"cn=admin,dc=tylersguides,dc=com" -f /tmp/user.ldif -W
If you don’t know the password for your database’s administrative user, my guide on changing OpenLDAP passwords can help you reset it.
The table below describes the options used.
Option | Description |
---|---|
-H ldap://localhost | The URI of the server you wish to connect to. |
-x | Use simple authentication instead of SASL, i.e. you wish to use a username and password. |
-D "cn=admin,dc=tylersguides,dc=com" | The DN of the user you wish to log in to the directory server as. The user you use must have the necessary permissions to add the user. |
-W | You want to be prompted for the bind password. Other options allow you to specify it on the command line or read it from a file. |
-f /tmp/user.ldif | The path to an LDIF file you want ldapadd to add to the directory. |