epcim
10/20/2015 - 3:13 PM
ldap.howto.md
ldap openldap ldif
user attributes
Open LDAP
Docs
UI
Linux GUI tool "luma"
CLI
Basics:
ldapsearch -h ds1.myorg.cz -b 'dc=myorg,dc=cz' cn="wpsadmins"
ldapsearch -LLx -h 192.168.11.1 -b "OU=Groups,OU=SWG,O=com,C=us" "(cn=PMRDPCA)"
ldapsearch -LLx -h 192.168.11.1 -b "OU=Groups,OU=SWG,O=com,C=us" -ut -D "cn=root" -w password
ldapsearch -xh HOST -b '' -s base subschemaSubentry
ldapadd -x -D "cn=Manager,dc=myorg,dc=cz" -f ldif_import4.txt -w secret
ldapmodify -x -h 192.168.11.1 -f cloudadmin.user.modify.ldif -D "cn=root" -w password
ldapmodify -ZZx -D "cn=Manager,dc=myorg,dc=cz" -w manager_password -f user.ldif
ldapdelete "dc=myorg,dc=cz" -x -D "cn=Manager,dc=myorg,dc=cz" -W
Active Directory search:
ldapsearch -LLx -h 192.168.11.17 -b "OU=users,OU=CloudOU,DC=cloud,DC=cz,DC=com,DC=com" -D "cladmin" -w Passw0rd -ut
LDIF
User:
user.ldif
dn: uid=pmichalec,o=comcr,dc=myorg,dc=cz
changetype: modify
add: userCertificate
userCertificate;binary:< file: user.crt
add: userPKCS12
userPKCS12: < file: user.pkcs12
LDIF examples
dn: uid,firma,domain
group - Role
dn: cn=ithum,dc=it97,dc=dyn,dc=dhs,dc=org
objectclass: organizationalRole
cn: ithum
group - Administrators (with users)
dn: cn=Administrators, o=Airius
objectClass: groupOfUniqueNames
uniqueMember: cn=Barbara Jenson, o=Airius
uniqueMember: cn=Fred User, o=Airius
# ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#
# com.com
dn: dc=com,dc=com
dc: com
objectClass: top
objectClass: domain
# People, com.com
dn: ou=People,dc=com,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, com.com
dn: ou=Group,dc=com,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# ldapuser, Group, com.com
dn: cn=ldapuser,ou=Group,dc=com,dc=com
objectClass: posixGroup
objectClass: top
cn: ldapuser
gidNumber: 500
# ldapuser, People, com.com
dn: uid=ldapuser,ou=People,dc=com,dc=com
uid: ldapuser
cn: ldapuser
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 500
gidNumber: 500
homeDirectory: /home/ldapuser
gecos: test2
dn: o=example.com Corp,dc=example,dc=com
objectclass: top
objectclass: organization
o: example.com Corp
description: Fictional organization for example purposes
dn: ou=People,o=example.com Corp,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: People
description: Fictional organizational unit for example purposes
tel: 555-5559
dn: cn=June Rossi,ou=People,o=example.com Corp,dc=example,dc=com
oudbjectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: June Rossi
sn: Rossi
givenName: June
mail: rossi@example.com
userPassword: {sha}KDIE3AL9DK
ou: Accounting
ou: people
telephoneNumber: 2616
roomNumber: 220
dn: ou=Groups,o=example.com Corp,dc=example,dc=com
objectclass: top
objectclass: organizationalUnit
ou: groups
description: Fictional organizational unit for example purposes
GROUPS #1
create FIRST Level groups branch
dn: ou=groups,dc=example,dc=com
objectclass:organizationalunit
ou: groups
description: generic groups branch
create the itpeople entry under groups
dn: cn=itpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: itpeople
description: IT security group
member: cn=William Smith,ou=people,dc=example,dc=com
create the hrpeople entry under groups
dn: cn=hrpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: hrpeople
description: Human Resources group
member: cn=Robert Smith,ou=people,dc=example,dc=com
GROUPS #2
Complex example... http://www.zytrax.com/books/ldap/ch5/step3.html#step3
dc
|
dc
/ \
ou ou
| |
o uid,cn etc..
or like in MS ActiveDirectory
dc
|
dc
\
cn //container, example: Users
\
cn //group, example: Administrators
cn //group, example: Developers
GROUPS #3 (DYNAMIC)
- can add member, exclude etc..
LDIF to add a dynamic group:
dn: cn=dg1,o=myorg
changetype: add
objectClass: dynamicGroup
memberQueryURL: ldap:///o=myorg??sub?cn=*
LDIF to change a group object to a dynamic group object (with x-chain set):
dn: cn=group,o=myorg
changetype: modify
add: objectClass
objectClass: dynamicGroupAux
-
add: memberQueryURL
memberQueryURL: ldap:///o=myorg??sub?cn=*?x-chain
LDAP command for listing all static and dynamic groups under o=myorg which have at least one member
ldapsearch -b o=myorg -s sub "member=*" dn
MemberOf
CERT IMPORT
Backup
ldapsearch -w PASSWORD -x -D "cn=Manager,dc=myorg,dc=cz" -b 'dc=myorg,dc=cz' -H "ldap://ldap.intranet.myorg" -LLL > vums-fedora-openldap-20140313-ldapsearch.ldif
slapcat > ldif
Restore
#remove root dc entry
ldapadd -Wxc -D "cn=admin,dc=myorg,dc=com" -H ldap://dev.myorg.com -f myorg-fedora-openldap-20140313-ldapsearch.ldif -v
#other
ldapadd -Wx -D "cn=admin,dc=myorg,dc=com" -H ldap://dev.myorg.com -f ldap_dump-20100525-1.ldif
ldapadd -Wx -D "cn=admin_backup,dc=backup,dc=com" -H ldap://my.backup.host -f ldap_dump-20100525-1.ldif
slapadd -l ldif
NOTE:
slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1). From the man page :
The LDIF generated by this tool is suitable for use with slapadd(8).
As the entries are in database order, not superior first order, they
cannot be loaded with ldapadd(1) without first being reordered.