Debian Clusters for Education and Research: The Missing Manual

Using LDAP

From Debian Clusters

This is the fourth page of a five-part tutorial on LDAP. The full tutorial includes

Using LDAP

For any of these tutorials, you'll need ldap-utils installed on whatever machine you're administering LDAP from. This is done with a simple apt-get install ldap-utils.

There are a few common tasks you'll probably become quite familiar with while using LDAP:

Changing an Entry

To update one of the entries, use the ldapmodify utility. It can be used in a number of different ways: from the command line, interactively, or reading its data from a file. For most small changes, the interactive mode is easiest.

If I do an ldapsearch -x uid=kwanous, I get back these results:

# kwanous, People, raptor.loc
dn: uid=kwanous,ou=People,dc=raptor,dc=loc
uid: kwanous
cn: KWanous
...snipped...
homeDirectory: /home/kwanous
gecos: KWanous,,,

Unfortunately, the homeDirectory is incorrect. It should use my NFS mount, not the local hard drive. I'm going to walk through correcting this. This same process of starting up LDAP and modifying a field will work for other fields, too.

Ldapmodify

First, start up ldapmodify with the credentials to bind with. In my case, this is

ldapmodify -x -D cn=admin,dc=raptor,dc=loc -W
  • -x specifies to use simple authentication
  • -D is used to specify the LDAP administrative user's credentials
  • -W will cause you to be prompted for the password for the LDAP administrative user

If you enter the password incorrectly, you'll see an error message like the one below.

gyrfalcon:~# ldapmodify -x -D cn=admin,dc=raptor,dc=loc -W
Enter LDAP Password: 
ldap_bind: Invalid credentials (49)

If you enter it correctly, though, you'll be greeted with a blank line. This confused me for quite a while the first time, but it just means that ldapmodify is in interactive mode and ready to have you update an entry.

First, specify which entry will be modified. This is the dn line of the ldapsearch output (the first line after the comments). In this case, I specified

dn: uid=kwanous,ou=People,dc=raptor,dc=loc

After entering it, press Enter to move to a new line. Next, LDAP needs to be told what to do with this entry. I want to modify it, so I entered

changetype: modify

After that, LDAP needs to know which field to modify. I need to change the home directory, so on a new line, I entered

replace: homeDirectory

Finally, LDAP takes in the new value for the field. This is specified with the field name and then the new value (again on a new line). In my case, that means entering

homeDirectory: /shared/home/kwanous

Once you've entered the changes, it's time to exit ldapmodify and flush them. Alternatively, you can make more changes to the same entry by adding a hyphen on a new line and then entering another replace field and new value. To exit ldapmodify and apply the changes, press CTRL and D at the same time.

Below is the full transcript of my changes:

gyrfalcon:~# ldapmodify -x -D cn=admin,dc=raptor,dc=loc -W
Enter LDAP Password: 
dn: uid=kwanous,ou=People,dc=raptor,dc=loc
changetype: modify
replace: homeDirectory
homeDirectory: /shared/home/kwanous
-
modifying entry "uid=kwanous,ou=People,dc=raptor,dc=loc"

If I do another ldapsearch for kwanous, I see that the home directory has been changed:

dn: uid=kwanous,ou=People,dc=raptor,dc=loc
uid: kwanous
cn: KWanous
...snipped...
gecos: KWanous,,,
homeDirectory: /shared/home/kwanous
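The interactive session above types an LDIF change record by hand. The following added example (not code from the Debian Clusters page) builds the same record in Python so it can be reviewed in a file and applied non-interactively with ldapmodify's -f option. It pulls the dn out of ldapsearch output the way the text describes (the first dn line after the comments), writes the "-" separator after each change, and base64-encodes any value that LDIF cannot carry as plain text (RFC 2849: non-ASCII, embedded newlines, or a leading space, colon or "<"). The sample search output is a constructed copy of the one shown above.

```python
import base64

# Constructed sample: the ldapsearch -x uid=kwanous output from the page.
SEARCH_OUTPUT = """\
# kwanous, People, raptor.loc
dn: uid=kwanous,ou=People,dc=raptor,dc=loc
uid: kwanous
cn: KWanous
homeDirectory: /home/kwanous
gecos: KWanous,,,
"""


def dn_from_search(search_output: str) -> str:
    """Return the dn from ldapsearch output; comment lines start with '#'.
    A 'dn:: ' line is base64 (ldapsearch uses it for non-ASCII DNs)."""
    for line in search_output.splitlines():
        if line.startswith("dn:: "):
            return base64.b64decode(line[5:]).decode("utf-8")
        if line.startswith("dn: "):
            return line[4:]
    raise ValueError("no dn line in ldapsearch output")


def ldif_line(attr: str, value: str) -> str:
    """Encode one attribute/value pair as an LDIF line, switching to the
    'attr:: <base64>' form when the value is not a safe LDIF string."""
    unsafe = (
        not value.isascii()
        or any(c in value for c in "\x00\r\n")
        or value[:1] in (" ", ":", "<")
    )
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def modify_record(dn: str, replacements: dict) -> str:
    """Build an LDIF change record that replaces each attribute in
    `replacements`. Every change ends with a '-' line, exactly as typed in
    the interactive session; the record ends with a blank line so several
    records can be concatenated into one file for 'ldapmodify -f'."""
    lines = [ldif_line("dn", dn), "changetype: modify"]
    for attr, value in replacements.items():
        lines.append(f"replace: {attr}")
        lines.append(ldif_line(attr, value))
        lines.append("-")
    return "\n".join(lines) + "\n\n"


if __name__ == "__main__":
    # Same change as the session above: move the home directory to the NFS mount.
    dn = dn_from_search(SEARCH_OUTPUT)
    print(modify_record(dn, {"homeDirectory": "/shared/home/kwanous"}), end="")
```

Save the printed record to a file and apply it with ldapmodify -x -D cn=admin,dc=raptor,dc=loc -W -f changes.ldif; the output "modifying entry ..." is the same as in the interactive session.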

Removing an Entry

ldapmodify can also be used to delete an entry by specifying changetype: delete instead of modify or add.

A shorter way uses the utility ldapdelete. Here, the LDAP entry to delete is specified on the command line. If you ran the migrate_all_online.sh script in the LDAP Server tutorial, all of the users from /etc/passwd now have corresponding entries in the LDAP system, including root. It's a good idea to take the root account out.

To delete the root account user from LDAP, run

ldapdelete -x -D "cn=admin,dc=your,dc=cluster" -W "uid=root,ou=People,dc=your,dc=cluster"
  • -x specifies to use simple authentication
  • -D is the LDAP administrative account. Be sure to change dc=your,dc=cluster to your actual domain name.
  • -W will cause it to prompt for the administrative password
  • uid=root,ou=People,dc=your,dc=cluster is the account to delete. Again, be sure to change this value to your actual domain name.

By replacing "root" in the above command with the user you want, you can delete any user from LDAP.

Adding Users to LDAP

Most of the time, many users need to be added at once. That is described in the next section.

To add just one user, the utility ldapmodify is often more convenient to use. This uses the same process as changing an entry with ldapmodify, except the changetype should be add. See the two above sections for more information.

Adding Users in Bulk

First, create a list of new user names with one on each line in /tmp/users.

To add a user, you'll need to create their entry's attributes. The easiest way to do this is to copy the information from an existing user and then change it for the new user. To dump all the basic information to a file, use the command

ldapsearch -LLL -x uid=<existing username> >> /tmp/template

Go through /tmp/template and change all instances of the old user name to placeholders that will be replaced later (USERID, UIDNUM, and GIDNUM). After editing, my file is shown below. Your dn should be specific to your domain, as should your homeDirectory!

dn: uid=USERID,ou=People,dc=raptor,dc=loc
uid: USERID
cn: USERID
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: UIDNUM
gidNumber: GIDNUM
homeDirectory: /shared/home/USERID
gecos: USERID,,,

I'm going to be adding all my users to GIDNUM=100, which is the group users, and I'll be starting with the user id (UID) 1001. You can modify the following script to use something different. Paste the following script into a file and make it executable (chmod +x <filename>), then run it.

#!/bin/bash
# Short little LDAP-file creating script: writes one LDIF file per name in
# /tmp/users, replacing USERID, UIDNUM and GIDNUM in /tmp/template.

GIDNUM=100
UIDNUM=1001

# Read one user name per line; blank lines are skipped.
while read -r x
  do
    [ -z "$x" ] && continue
    sed -e "s/USERID/$x/g" -e "s/UIDNUM/$UIDNUM/g" -e "s/GIDNUM/$GIDNUM/g" /tmp/template > "/tmp/$x.ldif"
    UIDNUM=$((UIDNUM + 1))
  done < /tmp/users

It will generate one LDIF file for each user name in /tmp/users, with the placeholders replaced by that user's values. To see the files after they've been made, issue

ls /tmp/*.ldif

It's always a good idea to check a few of them and make sure the placeholders were replaced as you expected. Next, all of these files need to be added to the LDAP database. Again, copy and paste this script and make it executable. Change the part that says "<your credentials here>" to your fully qualified administrator user name (such as "cn=admin,dc=raptor,dc=loc"). With the current configuration, you'll be prompted for your password each time. If you'd rather, you can change

-W

to

-w "<your password here>"

Finally, run it.

#!/bin/bash
# Short little ldapadd script: loads every LDIF file the previous script made.
# Replace <your credentials here> with your admin DN, e.g. "cn=admin,dc=raptor,dc=loc".
# -W prompts for the password for each file; -w "<password>" avoids the prompts,
# but puts the password into the process list and your shell history.

for x in /tmp/*.ldif
  do
   echo "Adding user file $x"
   ldapadd -x -D "<your credentials here>" -W -f "$x"
  done
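The sed loop above substitutes whatever is in /tmp/users straight into the template, so a stray line such as a name containing a newline or a colon would turn into extra LDIF attributes in the generated entry, and a restarted run can hand out a uidNumber that is already in use. The following is an added example, not the page's own script: the same template substitution in Python, with a check that each user name is a plain POSIX name, a check against duplicate names, and uidNumber allocation that skips numbers already present in the directory. The function existing_uids parses the output of a query of the form ldapsearch -x -LLL "objectClass=posixAccount" uidNumber; the sample output and template below are constructed.

```python
import re
from pathlib import Path

# Constructed copy of the /tmp/template file shown above.
TEMPLATE = """\
dn: uid=USERID,ou=People,dc=raptor,dc=loc
uid: USERID
cn: USERID
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: UIDNUM
gidNumber: GIDNUM
homeDirectory: /shared/home/USERID
gecos: USERID,,,
"""

# Constructed sample of what the uidNumber query returns on a small directory.
EXISTING = """\
dn: uid=kwanous,ou=People,dc=raptor,dc=loc
uidNumber: 1000

dn: uid=statd,ou=People,dc=raptor,dc=loc
uidNumber: 1002

"""

# Lower-case POSIX user names only, so nothing in the name can be read as LDIF.
USERNAME_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def existing_uids(ldapsearch_output: str) -> set:
    """Collect the uidNumber values from LDIF-style ldapsearch output."""
    return {int(line.split(":", 1)[1])
            for line in ldapsearch_output.splitlines()
            if line.startswith("uidNumber:")}


def render_entry(template: str, username: str, uidnum: int, gidnum: int) -> str:
    """Fill the placeholders for one user, refusing names that are not plain
    POSIX names (a newline or colon in the name would add LDIF attributes)."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"refusing unsafe user name: {username!r}")
    return (template.replace("USERID", username)
                    .replace("UIDNUM", str(uidnum))
                    .replace("GIDNUM", str(gidnum)))


def generate_ldifs(template, usernames, first_uid, gidnum, used_uids=(), out_dir=None):
    """Return {username: ldif_text}, allocating uidNumbers upward from
    first_uid while skipping any in used_uids. With out_dir set, also write
    <out_dir>/<username>.ldif for the ldapadd loop above."""
    used = set(used_uids)
    result = {}
    uidnum = first_uid
    for name in usernames:
        name = name.strip()
        if not name:                      # blank line in the user list
            continue
        if name in result:
            raise ValueError(f"duplicate user name in list: {name}")
        while uidnum in used:             # never reuse a live uidNumber
            uidnum += 1
        text = render_entry(template, name, uidnum, gidnum)
        used.add(uidnum)
        result[name] = text
        if out_dir is not None:
            Path(out_dir, f"{name}.ldif").write_text(text)
        uidnum += 1
    return result


if __name__ == "__main__":
    # Constructed user list; with a real run, read it from /tmp/users.
    for name, text in generate_ldifs(TEMPLATE, ["alice", "bob"], 1001, 100,
                                     used_uids=existing_uids(EXISTING)).items():
        print(text)
```

In use, pass the contents of /tmp/users as usernames and the output of the uidNumber query as the used_uids source; the per-user files it writes are loaded by the same ldapadd loop as before.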

Sanity Check

You should see an output like the following for each user as the script is running:

Adding the user file /tmp/mycoolnewuser.ldif
Enter LDAP Password: 
adding new entry "uid=mycoolnewuser,ou=People,dc=raptor,dc=loc"

After the script finishes, make sure you can search for the user -

ldapsearch -x uid=<new username here>

and then from a machine acting as an LDAP client, id the user -

id <new username>

and become the user -

su - <new username>

Home Directories and Passwords

At this point, the users have been created, but none of them have home directories or passwords. (Since they don't have passwords, they won't be able to log in.)

First, you'll need to set a password for each user - from a machine that's an LDAP Client! - with

passwd <username>

If all goes well, you'll see

gyrfalcon:/etc/pam.d# passwd mycooluser
New password: 
Re-enter new password: 
LDAP password information changed for mycooluser
passwd: password updated successfully

Next, to add the home directories, there are two options. One line can be added to the PAM configuration (the authentication mechanism) to create them for you the first time each user logs in, or you can create them yourself.

Permanent Solution

To have home directories automatically created for users the first time they log in, edit /etc/pam.d/common-session. Above the existing lines, add this line

session required pam_mkhomedir.so skel=/etc/skel/ umask=0022

Replace /etc/skel/ with the location of your skeleton files, if you have them somewhere else. After making this change, users will have their home directories created for them from now on.

One-time Solution

To create the home directories manually, but in one fell swoop, use the following script. You'll need to create the file, make it executable, and again change it for your values before running it. Right now, I have the home directories being created on my NFS mount.

#!/bin/bash
# Short little script to add home directories on the NFS mount (/shared/home)
# for every name in /tmp/users. Run it on an LDAP client so that chown can
# resolve the user names; 100 is the gid of the "users" group.

while read -r x
  do
    [ -z "$x" ] && continue
    rsync -plarv /etc/skel/ "/shared/home/$x/"
    chown -R "$x:100" "/shared/home/$x/"
  done < /tmp/users

Again, keep in mind that this is a one-time fix. If you want a more permanent solution, see the section above.

Searching

Ldapsearch is the utility for searching the LDAP database (it comes with the ldap-utils package). It's a powerful and flexible interface to the database.

Ldapsearch supports a few different filters, but before we get into that, it's important to recognize there are two different ways of accessing the LDAP database:

  • anonymously: ldapsearch -x
  • with admin credentials, which will prompt for the password: ldapsearch -x -D "<administrative account>" -W
    • the administrative account should be something like "cn=admin,dc=raptor,dc=loc"

Administrative credentials will give slightly more information, such as showing the password hash field (userPassword). I'll just be using anonymous authentication, but administrative authentication can be used for any of these examples, too.

Presence Filters

Presence filters use a wildcard character (*) to just see if something exists in the database. For instance,

ldapsearch -x "objectClass=*"

will return every entry that has an objectClass attribute. To see every entry that has an ipServicePort attribute, use

ldapsearch -x "ipServicePort=*"

Exact Filters

Exact filters check whether a value matches exactly. They can be used to search for a specific user,

ldapsearch -x "uid=kwanous"

to see the top level entry (the organization),

ldapsearch -x "objectClass=organization"

or even list every account in the system, as this pipeline does

ldapsearch -x "objectClass=account" | grep "dn: "

Substring Matching

Substrings can also be searched for with ldapsearch. For instance,

ldapsearch -x "uid=t*"

returns all the entries whose uid field starts with t. These might include tommy, tammy, tmitchel, etcetera. Using

ldapsearch -x "uid=*t*"

would find any entries with a t somewhere in the uid field. (A few you'll find for sure with this search are root, gnats, and statd.)

Approximate Filters

Approximate filters exist in the implementation, but their specification is very vague, so your mileage may vary. Use ~= for an approximate filter. On my system, searching with

ldapsearch -x "uid~=kwanos"

did indeed return the same results as searching for "uid=kwanous".
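The presence, exact and substring filters above are easier to reason about when you can see what each one matches. The following added example (not from the Debian Clusters page) evaluates such single-attribute filters against a handful of constructed entries, and adds the one thing the page's hand-typed filters do not need but any script that builds a filter from user input does: RFC 4515 escaping, so that a value like "t*" supplied by a user is matched literally instead of being read as a substring wildcard. The evaluator compares attribute names and values case-insensitively, as the uid and objectClass attributes do in the standard schema; approximate (~=) and nested (&, |, !) filters are not implemented.

```python
import re

# Constructed sample directory in the shape ldapsearch prints entries:
# the organization plus a few of the accounts mentioned in the text.
_PEOPLE = "ou=People,dc=raptor,dc=loc"
ENTRIES = [
    {"dn": "dc=raptor,dc=loc", "objectClass": ["top", "dcObject", "organization"]},
] + [
    {"dn": f"uid={u},{_PEOPLE}", "uid": [u], "objectClass": ["account", "posixAccount"]}
    for u in ("kwanous", "root", "gnats", "statd", "tommy", "tammy", "tmitchel")
]


def escape_filter_value(value: str) -> str:
    """Escape a literal for use inside a filter (RFC 4515): the characters
    that carry meaning in a filter become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def equality_filter(attr: str, value: str) -> str:
    """Build an exact-match filter for a value that came from outside."""
    return f"({attr}={escape_filter_value(value)})"


def _value_regex(pattern: str) -> str:
    """Turn the value side of a filter into a regex: an unescaped '*' is a
    wildcard, a \\XX escape is that literal character, all else is literal."""
    parts, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            parts.append(".*")
        elif ch == "\\" and i + 2 < len(pattern):
            parts.append(re.escape(chr(int(pattern[i + 1:i + 3], 16))))
            i += 3
            continue
        else:
            parts.append(re.escape(ch))
        i += 1
    return "".join(parts)


def matches(entry: dict, filt: str) -> bool:
    """Evaluate one 'attr=value' filter (parentheses optional) against an
    entry given as {attr: [values]} plus its dn."""
    m = re.fullmatch(r"\(?([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)?", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt!r}")
    attr, pattern = m.groups()
    values = next((v for k, v in entry.items()
                   if k != "dn" and k.lower() == attr.lower()), [])
    if pattern == "*":                       # presence filter
        return bool(values)
    rx = re.compile(_value_regex(pattern), re.IGNORECASE)
    return any(rx.fullmatch(v) for v in values)


def search(entries, filt: str):
    """Return the dn of every matching entry, like 'ldapsearch ... | grep "dn: "'."""
    return [e["dn"] for e in entries if matches(e, filt)]


if __name__ == "__main__":
    for f in ("objectClass=*", "objectClass=organization", "uid=t*", "uid=*t*",
              equality_filter("uid", "t*")):
        print(f"{f:25} -> {search(ENTRIES, f)}")
```

When a real query is built this way, pass the escaped filter to ldapsearch as a single argv element (for example via subprocess with a list, not a shell string), which also sidesteps the shell expanding an unquoted "*".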
