Monday, March 9, 2015

How to Add LDAP Users and Groups in OpenLDAP on Linux

To add something to the LDAP directory, you first need to create an LDIF file.
The LDIF file should contain definitions for all attributes required by the entries you want to create.
With this LDIF file, you can use the ldapadd command to import the entries into the directory, as explained in this tutorial.

If you are new to OpenLDAP, you should first install OpenLDAP on your system.

Create an LDIF file for a New User

The following is a sample LDIF file that will be used to create a new user.
# cat adam.ldif
dn: uid=adam,ou=users,dc=tgs,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Add an LDAP User using ldapadd

Now, use the ldapadd command with the above LDIF file to create a new user called adam in our OpenLDAP directory, as shown below:
# ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f adam.ldif
Enter LDAP Password:
adding new entry "uid=adam,ou=users,dc=tgs,dc=com"

Assign Password to LDAP User

To set the password for the LDAP user we just created above, use the ldappasswd command as shown in the example below:
# ldappasswd -s welcome123 -W -D "cn=ramesh,dc=tgs,dc=com" -x "uid=adam,ou=users,dc=tgs,dc=com"
Enter LDAP Password:
In the above command:
  • -s specifies the new password for the entry. Because it is passed on the command line, it is recorded in the shell history and visible to other users in the process list; use -S instead to be prompted for the new password
  • -x uses simple authentication; the DN given as the last argument is the entry whose password is changed
  • -D specifies your DN here, i.e. the distinguished name used to authenticate to the server

Create an LDIF file for a New Group

Similar to adding a user, you also need an LDIF file to add a group.
To add a new group to the LDAP groups OU, create an LDIF file with the group information, as shown in the example below.
# cat group1.ldif
dn: cn=dbagrp,ou=groups,dc=tgs,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 678

Add an LDAP Group using ldapadd

Just like adding a user, use the ldapadd command to add the group from the group1.ldif file created above.
# ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f group1.ldif
Enter LDAP Password:
adding new entry "cn=dbagrp,ou=groups,dc=tgs,dc=com"

Create an LDIF file for an existing Group

To add an existing user to a group, you still need an LDIF file, this time with changetype: modify.
In this example, I am adding the user adam to the dbagrp group (group id: 678).
# cat file1.ldif
dn: cn=dbagrp,ou=groups,dc=tgs,dc=com
changetype: modify
add: memberUid
memberUid: adam

Add a User to an existing Group using ldapmodify

To add a user to an existing group, use ldapmodify. This example uses the above LDIF file to add user adam to dbagrp.
# ldapmodify -x -W -D "cn=ramesh,dc=tgs,dc=com" -f file1.ldif
Enter LDAP Password:
modifying entry "cn=dbagrp,ou=groups,dc=tgs,dc=com"

Verify LDAP Entries

Once you’ve added a user or group, you can use ldapsearch to verify it.
Here is a simple example to verify that the user exists in the LDAP database:
# ldapsearch -x -W -D "cn=ramesh,dc=tgs,dc=com" -b "uid=adam,ou=users,dc=tgs,dc=com" "(objectclass=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=adam,ou=users,dc=tgs,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# adam, users, tgs.com
dn: uid=adam,ou=users,dc=tgs,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: e1NTSEF9b0lPd3AzYTBmT2xQcHBPNDcrK0VHRndEUjdMV2hSZ2U=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
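As an added example (not part of the original tutorial), the following Python builds the LDIF records shown above (the posixAccount entry from adam.ldif and the memberUid modify record from file1.ldif) using the RFC 2849 rule that makes ldapsearch print userPassword with a double colon, decodes that line, and splits the stored {SSHA} value into its SHA-1 digest and salt. The base DN and the names adam and dbagrp come from the tutorial; the rest is constructed for the example.

```python
import base64
# Base DN and OU layout from the tutorial; other values are constructed.
BASE_DN = "dc=tgs,dc=com"

def ldif_attr(name, value):
    """One LDIF attribute line (RFC 2849). A value that is not a SAFE-STRING
    (non-ASCII, NUL/CR/LF, leading space/colon/'<', trailing space) is base64
    encoded after '::', which is why ldapsearch printed 'userPassword::'."""
    raw = value.encode("utf-8") if isinstance(value, str) else value
    unsafe = (any(b > 127 or b in (0, 10, 13) for b in raw)
              or raw[:1] in (b" ", b":", b"<")
              or raw[-1:] == b" ")
    if unsafe:
        return f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{name}: {raw.decode('ascii')}"

def user_ldif(uid, uid_number, gid_number):
    """posixAccount/shadowAccount entry like adam.ldif, without userPassword:
    set that with ldappasswd afterwards so the server stores a hash."""
    attrs = [
        ("dn", f"uid={uid},ou=users,{BASE_DN}"),
        ("objectClass", "top"), ("objectClass", "account"),
        ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
        ("cn", uid), ("uid", uid), ("uidNumber", str(uid_number)),
        ("gidNumber", str(gid_number)), ("homeDirectory", f"/home/{uid}"),
        ("loginShell", "/bin/bash"), ("gecos", uid),
    ]
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"

def add_member_ldif(group, uid):
    """changetype: modify record that appends a memberUid, as in file1.ldif."""
    return "\n".join([f"dn: cn={group},ou=groups,{BASE_DN}",
                      "changetype: modify", "add: memberUid",
                      f"memberUid: {uid}", ""])

def decode_ldif_value(line):
    """Undo the '::' base64 form in ldapsearch output; returns (name, bytes)."""
    name, _, value = line.partition(":")
    if value.startswith(":"):
        return name, base64.b64decode(value[1:].strip())
    return name, value.strip().encode("utf-8")

def parse_ssha(stored):
    """Split an OpenLDAP {SSHA} value into (sha1_digest, salt): the blob is
    SHA-1(password + salt) followed by the salt, so it is salted, not plaintext."""
    if not stored.startswith(b"{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[6:])
    return blob[:20], blob[20:]
```

Running decode_ldif_value on the userPassword line from the ldapsearch output above yields the {SSHA} string that ldappasswd stored, which contrasts with the {crypt}x placeholder in adam.ldif.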

Delete an Entry from LDAP using ldapdelete

If you’ve made a mistake while adding a user or group, you can remove the entry using ldapdelete.
To delete an entry, you don’t need an LDIF file. The following deletes the user “adam” that we created earlier.
# ldapdelete -W -D "cn=ramesh,dc=tgs,dc=com" "uid=adam,ou=users,dc=tgs,dc=com"
Enter LDAP Password: