epcim
10/20/2015 - 3:13 PM

ldap.howto.md

ldap openldap ldif

Open LDAP

Docs

UI

Linux GUI tool "luma"

CLI

Basics:

ldapsearch -h ds1.myorg.cz -b 'dc=myorg,dc=cz' cn="wpsadmins"
ldapsearch -LLx -h 192.168.11.1 -b "OU=Groups,OU=SWG,O=com,C=us" "(cn=PMRDPCA)"
ldapsearch -LLx -h 192.168.11.1 -b "OU=Groups,OU=SWG,O=com,C=us" -ut -D "cn=root" -w password
ldapsearch -xh HOST -b '' -s base subschemaSubentry


ldapadd -x -D "cn=Manager,dc=myorg,dc=cz" -f ldif_import4.txt -w secret

ldapmodify -x -h 192.168.11.1 -f cloudadmin.user.modify.ldif -D "cn=root" -w password
ldapmodify -ZZx -D "cn=Manager,dc=myorg,dc=cz" -w manager_password -f user.ldif

ldapdelete "dc=myorg,dc=cz" -x -D "cn=Manager,dc=myorg,dc=cz" -W

Active Directory search:

ldapsearch -LLx -h 192.168.11.17 -b "OU=users,OU=CloudOU,DC=cloud,DC=cz,DC=com,DC=com" -D "cladmin" -w Passw0rd -ut

LDIF

User:

user.ldif (a modify record with two changes; the `-` line separates them, and the `:<` form pulls the value from a file)

    dn: uid=pmichalec,o=comcr,dc=myorg,dc=cz
    changetype: modify
    add: userCertificate
    userCertificate;binary:< file:user.crt
    -
    add: userPKCS12
    userPKCS12:< file:user.pkcs12

LDIF examples


    dn: uid,company,domain

    group - Role

        dn: cn=ithum,dc=it97,dc=dyn,dc=dhs,dc=org
        objectclass: organizationalRole
        cn: ithum

    group - Administrators (with users)

        dn: cn=Administrators, o=Airius
        objectClass: groupOfUniqueNames
        uniqueMember: cn=Barbara Jenson, o=Airius
        uniqueMember: cn=Fred User, o=Airius

    # ldapsearch -x

    # extended LDIF
    #
    # LDAPv3
    # base <> with scope sub
    # filter: (objectclass=*)
    # requesting: ALL
    #

    # com.com
    dn: dc=com,dc=com
    dc: com
    objectClass: top
    objectClass: domain

    # People, com.com
    dn: ou=People,dc=com,dc=com
    ou: People
    objectClass: top
    objectClass: organizationalUnit

    # Group, com.com
    dn: ou=Group,dc=com,dc=com
    ou: Group
    objectClass: top
    objectClass: organizationalUnit

    # ldapuser, Group, com.com
    dn: cn=ldapuser,ou=Group,dc=com,dc=com
    objectClass: posixGroup
    objectClass: top
    cn: ldapuser
    gidNumber: 500

    # ldapuser, People, com.com
    dn: uid=ldapuser,ou=People,dc=com,dc=com
    uid: ldapuser
    cn: ldapuser
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    shadowMax: 99999
    shadowWarning: 7
    loginShell: /bin/bash
    uidNumber: 500
    gidNumber: 500
    homeDirectory: /home/ldapuser
    gecos: test2


    dn: o=example.com Corp,dc=example,dc=com
    objectclass: top
    objectclass: organization
    o: example.com Corp
    description: Fictional organization for example purposes

    dn: ou=People,o=example.com Corp,dc=example,dc=com
    objectclass: top
    objectclass: organizationalUnit
    ou: People
    description: Fictional organizational unit for example purposes
    tel: 555-5559

    dn: cn=June Rossi,ou=People,o=example.com Corp,dc=example,dc=com
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    cn: June Rossi
    sn: Rossi
    givenName: June
    mail: rossi@example.com
    userPassword: {sha}KDIE3AL9DK
    ou: Accounting
    ou: people
    telephoneNumber: 2616
    roomNumber: 220

    dn: ou=Groups,o=example.com Corp,dc=example,dc=com
    objectclass: top
    objectclass: organizationalUnit
    ou: groups
    description: Fictional organizational unit for example purposes

GROUPS #1

create FIRST Level groups branch

dn: ou=groups,dc=example,dc=com
objectclass: organizationalunit
ou: groups
description: generic groups branch

create the itpeople entry under groups

dn: cn=itpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: itpeople
description: IT security group
member: cn=William Smith,ou=people,dc=example,dc=com

create the hrpeople entry under groups

dn: cn=hrpeople,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: hrpeople
description: Human Resources group
member: cn=Robert Smith,ou=people,dc=example,dc=com

GROUPS #2

Complex example... http://www.zytrax.com/books/ldap/ch5/step3.html#step3

    dc
    |
    dc
    /  \
  ou    ou
  |     |
  o     uid,cn etc..

or like in MS ActiveDirectory

dc
|
dc
  \
   cn //container, example: Users
    \
    cn //group, example: Administrators
    cn //group, example: Developers

GROUPS #3 (DYNAMIC)

  • can add member, exclude etc..

LDIF to add a dynamic group:

dn: cn=dg1,o=myorg
changetype: add
objectClass: dynamicGroup
memberQueryURL: ldap:///o=myorg??sub?cn=*

LDIF to change a group object to a dynamic group object (with x-chain set):

dn: cn=group,o=myorg
changetype: modify
add: objectClass
objectClass: dynamicGroupAux
-
add: memberQueryURL
memberQueryURL: ldap:///o=myorg??sub?cn=*?x-chain

LDAP command for listing all static and dynamic groups under o=myorg which have at least one member

ldapsearch -b o=myorg -s sub "member=*" dn

MemberOf

CERT IMPORT

Backup

ldapsearch -w PASSWORD -x -D "cn=Manager,dc=myorg,dc=cz" -b 'dc=myorg,dc=cz' -H "ldap://ldap.intranet.myorg" -LLL > vums-fedora-openldap-20140313-ldapsearch.ldif
slapcat > ldif

Restore

# remove root dc entry
ldapadd -Wxc -D "cn=admin,dc=myorg,dc=com" -H ldap://dev.myorg.com -f myorg-fedora-openldap-20140313-ldapsearch.ldif -v

# other
ldapadd -Wx -D "cn=admin,dc=myorg,dc=com" -H ldap://dev.myorg.com -f ldap_dump-20100525-1.ldif
ldapadd -Wx -D "cn=admin_backup,dc=backup,dc=com" -H ldap://my.backup.host -f ldap_dump-20100525-1.ldif
slapadd -l ldif

NOTE:
    slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1). From the man page:

    The LDIF generated by this tool is suitable for use with slapadd(8).
    As the entries are in database order, not superior first order, they
    cannot be loaded with ldapadd(1) without first being reordered.
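The reordering the man page asks for, as an added example (Python, written for this note, not part of the gist or of OpenLDAP): a small LDIF reader that sorts records superior-first so a slapcat or ldapsearch dump can be fed to ldapadd. It assumes plain entry records (no changetype records, no base64 `dn::` lines); the sample dump is constructed.

```python
import re
# Constructed sample in slapcat "database order": the leaf entry comes first,
# so a plain ldapadd of this file fails on it with "no such object".
SAMPLE_LDIF = """\
# ldapuser, People, com.com
dn: uid=ldapuser,ou=People,dc=com,dc=com
uid: ldapuser
objectClass: posixAccount

dn: dc=com,dc=com
dc: com
objectClass: domain

dn: ou=People,dc=com,dc=com
ou: People
objectClass: organizationalUnit
"""

def parse_ldif(text):
    """Split LDIF into (dn, [attribute lines]) records; lines stay verbatim so
    '::' base64 and ':<' URL values survive, folded lines are re-joined."""
    records, cur = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith("#") or raw.lower().startswith("version:"):
            continue
        if raw.startswith(" ") and cur:
            cur[-1] += raw[1:]
        elif raw:
            cur.append(raw)
        elif cur:
            records.append(cur)
            cur = []
    return [(rec[0].partition(":")[2].strip(), rec[1:]) for rec in records]

def dn_depth(dn):
    """Number of RDNs in the DN; a comma escaped as '\\,' does not split."""
    return len(re.split(r"(?<!\\),", dn))

def superior_first(records):
    """Stable sort by RDN count: a parent always has fewer RDNs than its
    children, so every superior ends up before its subordinates."""
    return sorted(records, key=lambda rec: dn_depth(rec[0]))

def reorder_ldif(text):
    """LDIF text with records in superior-first order, ready for ldapadd."""
    recs = superior_first(parse_ldif(text))
    return "\n\n".join("dn: %s\n%s" % (dn, "\n".join(ls)) for dn, ls in recs) + "\n"
```

Pipe a dump through `reorder_ldif` before `ldapadd -f`; for a restore into a fresh directory `slapadd -l` (as above) needs no reordering.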