Open Ldap


ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f base.ldif
by:
ldapadd -x -w redhat -D cn=Manager,dc=example,dc=com -f /etc/openldap/base.ldif
(Note that `-w redhat` places the bind password on the command line, where it is visible in shell history and process listings; `-W`, as used in the later steps, prompts for it instead.)

[1]
Install OpenLDAP Server.
[root@dlp ~]# yum -y install openldap-servers openldap-clients
[root@dlp ~]# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
[root@dlp ~]# chown ldap. /var/lib/ldap/DB_CONFIG
[root@dlp ~]# systemctl start slapd
[root@dlp ~]# systemctl enable slapd
[2]

Set OpenLDAP admin password.

[root@dlp ~]# slappasswd


New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]# vi chrootpw.ldif
# specify the password generated above for "olcRootPW" section
dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f chrootpw.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={0}config,cn=config"
[3]

Import basic Schemas.

[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/cosine.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0

adding new entry "cn=cosine,cn=schema,cn=config"


[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/nis.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=nis,cn=schema,cn=config"
[root@dlp ~]# ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/openldap/schema/inetorgperson.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=inetorgperson,cn=schema,cn=config"
[4]

Set your domain name on LDAP DB.

# generate directory manager's password


[root@dlp ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxxxxxxxxx
[root@dlp ~]# vi chdomain.ldif
# replace "dc=***,dc=***" with your own domain name
# specify the password generated above in the "olcRootPW" line
# (LDIF records are separated by a blank line)
dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=Manager,dc=server,dc=world" read by * none

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=server,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=Manager,dc=server,dc=world

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxx

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=Manager,dc=server,dc=world" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=Manager,dc=server,dc=world" write by * read
[root@dlp ~]# ldapmodify -Y EXTERNAL -H ldapi:/// -f chdomain.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}monitor,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
modifying entry "olcDatabase={2}hdb,cn=config"
[root@dlp ~]# vi basedomain.ldif
# replace "dc=***,dc=***" with your own domain name
dn: dc=server,dc=world
objectClass: top
objectClass: dcObject
objectclass: organization
o: Server World
dc: Server

dn: cn=Manager,dc=server,dc=world
objectClass: organizationalRole
cn: Manager
description: Directory Manager

dn: ou=People,dc=server,dc=world
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=server,dc=world
objectClass: organizationalUnit
ou: Group
[root@dlp ~]# ldapadd -x -D cn=Manager,dc=server,dc=world -W -f basedomain.ldif
Enter LDAP Password: # directory manager's password
adding new entry "dc=server,dc=world"
adding new entry "cn=Manager,dc=server,dc=world"
adding new entry "ou=People,dc=server,dc=world"
adding new entry "ou=Group,dc=server,dc=world"

Add LDAP User Accounts in the OpenLDAP Server.

[1]
Add a user.
# generate a hashed password
[root@dlp ~]# slappasswd
New password:
Re-enter new password:
{SSHA}xxxxxxxxxxxxxxxxx
[root@dlp ~]# vi ldapuser.ldif
# create new
# replace "dc=***,dc=***" with your own domain name
dn: uid=cent,ou=People,dc=server,dc=world
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Cent
sn: Linux
userPassword: {SSHA}xxxxxxxxxxxxxxxxx
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cent

dn: cn=cent,ou=Group,dc=server,dc=world
objectClass: posixGroup
cn: Cent
gidNumber: 1000
memberUid: cent
[root@dlp ~]# ldapadd -x -D cn=Manager,dc=server,dc=world -W -f ldapuser.ldif
Enter LDAP Password:
adding new entry "uid=cent,ou=People,dc=server,dc=world"
adding new entry "cn=cent,ou=Group,dc=server,dc=world"
[2]
Add the users and groups from the local passwd/group files to the LDAP directory.
[root@dlp ~]# vi ldapuser.sh
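#!/bin/bash
# extract local users and groups who have 1000-9999 digit UID
# replace "SUFFIX=***" to your own domain name
# this is an example
#
# Reads /etc/passwd, /etc/shadow and /etc/group (root is needed to read
# /etc/shadow) and writes ldapuser.ldif in the current directory: one
# inetOrgPerson/posixAccount/shadowAccount entry per local user whose UID is
# within [MIN_UID, MAX_UID], then one posixGroup entry per primary GID of
# those users, listing them as memberUid.  The file carries the users'
# password hashes, so it is created with mode 0600.
# Needs bash 4 (associative array): run it with bash rather than a plain sh.
set -eo pipefail

SUFFIX='dc=server,dc=world'   # base DN: replace with your own domain name
LDIF='ldapuser.ldif'          # output file, written to the current directory
MIN_UID=1000                  # inclusive UID range of accounts to export
MAX_UID=9999
PASSWD_FILE=/etc/passwd
SHADOW_FILE=/etc/shadow
GROUP_FILE=/etc/group

#######################################
# Append "attr: value" to $LDIF unless the value is empty, so that optional
# shadow* attributes with no setting in /etc/shadow are left out instead of
# being written as zero-length values.
# Arguments: $1 - attribute name, $2 - value
# Globals:   LDIF (read)
#######################################
emit() {
  if [ -n "$2" ]; then
    printf '%s: %s\n' "$1" "$2" >> "$LDIF"
  fi
}

#######################################
# Write one user entry to $LDIF.
# Arguments: $1 login, $2 uid, $3 gid, $4 gecos, $5 home, $6 shell
# Globals:   SUFFIX, SHADOW_FILE, LDIF (read)
#######################################
emit_user() {
  local login=$1 uid=$2 gid=$3 gecos=$4 home=$5 shell=$6
  local full_name first_name last_name
  local hash lastchg min max warn inact expire flag

  # gecos is "Full Name,room,phone,..." - keep the name part, then at most
  # its first two words; fall back to the login when there is no name
  full_name=${gecos%%,*}
  read -r first_name last_name _ <<< "$full_name"
  full_name="$first_name${last_name:+ $last_name}"
  [ -n "$full_name" ] || full_name=$login
  [ -n "$first_name" ] || first_name=$login
  # sn is the second word, or the whole name when there is only one
  last_name=${last_name:-$full_name}

  # exact match on the login field: a bare "cent:" pattern would also match
  # "vincent:" and export another account's hash
  # shadow(5) field order: login, hash, lastchg, min, max, warn, inact, expire, flag
  IFS=: read -r _ hash lastchg min max warn inact expire flag \
    <<< "$(awk -F: -v u="$login" '$1 == u { print; exit }' "$SHADOW_FILE")"

  {
    printf 'dn: uid=%s,ou=People,%s\n' "$login" "$SUFFIX"
    printf 'objectClass: inetOrgPerson\n'
    printf 'objectClass: posixAccount\n'
    printf 'objectClass: shadowAccount\n'
  } >> "$LDIF"
  emit sn "$last_name"
  emit givenName "$first_name"
  emit cn "$full_name"
  emit displayName "$full_name"
  emit uidNumber "$uid"
  emit gidNumber "$gid"
  if [ -n "$hash" ]; then
    emit userPassword "{crypt}$hash"
  fi
  emit gecos "$full_name"
  emit loginShell "$shell"
  emit homeDirectory "$home"
  emit shadowExpire "$expire"
  emit shadowInactive "$inact"
  emit shadowFlag "${flag:-0}"
  emit shadowWarning "$warn"
  emit shadowMin "$min"
  emit shadowMax "$max"
  emit shadowLastChange "${lastchg:-0}"
  printf '\n' >> "$LDIF"
}

#######################################
# Write one posixGroup entry for a primary GID, listing as memberUid the
# local users whose primary group it is and whose UID is in range.
# Arguments: $1 - numeric GID
# Globals:   SUFFIX, GROUP_FILE, PASSWD_FILE, MIN_UID, MAX_UID, LDIF (read)
# Outputs:   a warning on stderr when no group has that GID
#######################################
emit_group() {
  local gid=$1 name member
  # exact match on the gid field: a ":1000:" pattern would also match the
  # uid column of /etc/passwd and the password column of /etc/group
  name=$(awk -F: -v g="$gid" '$3 == g { print $1; exit }' "$GROUP_FILE")
  if [ -z "$name" ]; then
    printf 'warning: no group with GID %s in %s, skipped\n' "$gid" "$GROUP_FILE" >&2
    return 0
  fi
  {
    printf 'dn: cn=%s,ou=Group,%s\n' "$name" "$SUFFIX"
    printf 'objectClass: posixGroup\n'
    printf 'cn: %s\n' "$name"
    printf 'gidNumber: %s\n' "$gid"
  } >> "$LDIF"
  while IFS= read -r member; do
    emit memberUid "$member"
  done < <(awk -F: -v g="$gid" -v lo="$MIN_UID" -v hi="$MAX_UID" \
             '$4 == g && $3 >= lo && $3 <= hi { print $1 }' "$PASSWD_FILE")
  printf '\n' >> "$LDIF"
}

#######################################
# Entry point: export users in the UID range, then their primary groups.
# Globals:   PASSWD_FILE, SHADOW_FILE, LDIF, MIN_UID, MAX_UID (read)
# Returns:   1 when /etc/shadow cannot be read
#######################################
main() {
  local login uid gid gecos home shell target_gid
  local -a GROUP_IDS=()
  local -A seen_gid=()

  if [ ! -r "$SHADOW_FILE" ]; then
    printf 'error: cannot read %s (run as root)\n' "$SHADOW_FILE" >&2
    exit 1
  fi

  # the LDIF holds password hashes: (re)create it owner-readable only
  install -m 0600 /dev/null "$LDIF"

  while IFS=: read -r login _ uid gid gecos home shell; do
    [[ $uid =~ ^[0-9]+$ ]] || continue
    (( 10#$uid >= MIN_UID && 10#$uid <= MAX_UID )) || continue
    emit_user "$login" "$uid" "$gid" "$gecos" "$home" "$shell"
    # remember each primary GID once, in first-seen order; an exact lookup
    # rather than a substring grep, so "100" no longer shadows "1000"
    if [ -z "${seen_gid[$gid]+x}" ]; then
      seen_gid[$gid]=1
      GROUP_IDS+=("$gid")
    fi
  done < "$PASSWD_FILE"

  for target_gid in "${GROUP_IDS[@]}"; do
    emit_group "$target_gid"
  done
}

main "$@"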
[root@dlp ~]# sh ldapuser.sh
[root@dlp ~]# ldapadd -x -D cn=Manager,dc=server,dc=world -W -f ldapuser.ldif
Enter LDAP Password:

adding new entry "uid=cent,ou=People,dc=server,dc=world"
adding new entry "uid=redhat,ou=People,dc=server,dc=world"
adding new entry "uid=ubuntu,ou=People,dc=server,dc=world"
adding new entry "uid=debian,ou=People,dc=server,dc=world"
adding new entry "cn=cent,ou=Group,dc=server,dc=world"
adding new entry "cn=redhat,ou=Group,dc=server,dc=world"
adding new entry "cn=ubuntu,ou=Group,dc=server,dc=world"
adding new entry "cn=debian,ou=Group,dc=server,dc=world"

[3]
If you would like to delete an LDAP user or group, do as below.
[root@dlp ~]# ldapdelete -x -W -D 'cn=Manager,dc=server,dc=world' "uid=cent,ou=People,dc=server,dc=world"
Enter LDAP Password:
[root@dlp ~]# ldapdelete -x -W -D 'cn=Manager,dc=server,dc=world' "cn=cent,ou=Group,dc=server,dc=world"
Enter LDAP Password:
