Chapter 2. More on users and groups

Table of Contents

Using the command line
Advantages
Input from the command line
Adding and modifying entries from the command line
Deleting entries
LDIF update statements
Password policies
General
iPlanet/SunONE GUI
OpenLDAP
Summary
Exercises

Abstract

This chapter details the following tasks:

  • Adding entries to the directory

  • Deleting entries from the directory

  • Modifying entries

  • Password policies

Using the command line

Advantages

The command-line utilities allow for manipulation of the directory content in an automated way. They are ideally suited for use in scripts to perform bulk operations. Information can be specified from the command-line, or using an LDIF input file.

Input from the command line

The ldapmodify and ldapdelete commands read statements from standard input in the same way as they would read them from a file. Send an end-of-file character when you have finished (typically Control+D):

userprompt> ldapmodify -D bindDN -w password -h server1
> dn: cn=Niels Nelissen,ou=people,dc=example,dc=com
> changetype: modify
> delete: telephonenumber
> -
> add: manager
> manager: cn=Peter Petersen,ou=people,dc=example,dc=com
> ^D
userprompt> 

Note that because both commands use LDIF update statements, ldapmodify can do everything that ldapdelete can do.

Adding and modifying entries from the command line

Schema checking can be enabled to check validity of the data entered.

A typical ldapmodify command for adding a new entry looks like this:

ldapmodify -a -D "cn=Directory Manager,dc=example,dc=com" -w password -h server1 -f new.ldif

Usually, a file containing the LDIF information is specified, rather than providing the data manually.

To modify LDAP entries, we likewise first create a file containing the LDIF update statements, and then use the following command:

ldapmodify -D "cn=Directory Manager,dc=example,dc=com" -w password -h server1 -f modify_statements.ldif

Deleting entries

Entries cannot be deleted if they have children. First delete the children, then the parent.

To delete a user entry, use this command:

ldapdelete -D "cn=Directory Manager,dc=example,dc=com" -w password -h server1 "cn=Peter Petersen,ou=people,dc=example,dc=com"

LDIF update statements

LDIF format reviewed

An LDIF update file is generally a series of statements, each specifying the distinguished name of the entry that will be affected, the type of change (add, delete, modify or modrdn), and a series of attributes and values.

When the -a option is given to ldapmodify, a change type of add is assumed for every statement that does not specify one. A change type given in the statement overrides this option.

If a change type of modify is specified, a change operation is required describing how the entry should be changed.

If a change type of modrdn is specified, a change operation is required describing how the relative distinguished name (RDN, the left-most part of the DN) should be changed. This is typically used to rename an entry in the directory.

Change operations are separated in the file by a line containing only a dash (-).

To make an LDIF dump of the directory database, use the following command on Solaris:

/usr/sbin/directoryserver db2ldif

And with OpenLDAP tools:

slapcat -l my_directory.ldif

Caution!

Stop the LDAP service before running this command, since it can do damage on a running OpenLDAP system.

Such a dump can be used as a backup of the directory server: the LDIF file can be imported into a restored server.

Adding an entry using an LDIF file

This is a typical example file for adding a new user:

dn: cn=Niels Nelissen,ou=people,dc=example,dc=com
changetype: add
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
host: *
cn: Niels Nelissen
cn: Niels N. Nelissen
sn: Nelissen
uid: nnelisse
uidNumber: 1012
gidNumber: 1012
homeDirectory: /home/nnelisse
mail: nnelisse@example.com
loginShell: /bin/bash
o: example.com
l: Leuven
gecos: Niels Nelissen
ou: People
ou: TechSupport
userPassword:: e2NyeXB0fSQxJDBMe2c2dFBs4EI4WGmaFrFUE10MotiR3h6WDE=
telephonenumber: +32-16-777-777
description: Job Student

The above example assigns all necessary UNIX account attributes.

Adding a new organizational unit (not to be confused with UNIX-style groups) is done using this type of input:

dn: ou=Marketing,dc=example,dc=com
changetype: add
objectclass: top
objectclass: organizationalUnit
ou: Marketing

Adding a group of users is done using these declarations in LDIF:

dn: cn=JobStudents,ou=Groups,dc=example,dc=com
changetype: add
objectclass: top
objectclass: groupOfNames
member: cn=Niels Nelissen,ou=people,dc=example,dc=com
member: cn=Bart Bartolomeusen,ou=people,dc=example,dc=com
cn: JobStudents

Renaming entries

Usually we are not going to recycle LDAP entries, but sometimes they need renaming, for instance when a person's name was misspelled. The following LDIF update statement renames the entry but keeps the old name as an additional common name, using the deleteoldrdn: 0 declaration:

dn: cn=Bart Bartolomeusen,ou=people,dc=example,dc=com
changetype: modrdn
newrdn: cn=Bart Bartholomeussen
deleteoldrdn: 0

This results in the user having two common name values, of which the new one forms the distinguished name.

If you want the old name to be completely removed from the entry, use the deleteoldrdn: 1 statement.

Note that renaming can never place an entry in a different subtree of the directory. Entries with children cannot be renamed.

Adding attributes to existing entries

To change existing entries, use the changetype: modify declaration in an LDIF file. The following example adds a telephone number to an entry:

dn: cn=Bart Bartholomeussen,ou=people,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: +32-16-888-888
telephonenumber: 888

Multiple attributes can be added at once if they are separated by a dash (-):

dn: cn=Bart Bartholomeussen,ou=people,dc=example,dc=com
changetype: modify
add: telephonenumber
telephonenumber: +32-16-888-888
telephonenumber: 888
-
add: physicalDeliveryOfficeName
physicalDeliveryOfficeName: hq
-
add: givenName
givenName: Bart

Changing attribute values

Use the replace statement for changing attribute values. When the entry holds only one value of the attribute, the change statement is simple:

dn: cn=Bart Bartholomeussen,ou=people,dc=example,dc=com
changetype: modify
replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName: BXL

If you want to change the telephone number 888 into 999, however, while leaving the full number untouched, a somewhat longer statement is needed, because replace would overwrite both values:

dn: cn=Bart Bartholomeussen,ou=people,dc=example,dc=com
changetype: modify
delete: telephonenumber
telephonenumber: 888
-
add: telephonenumber
telephonenumber: 999

If you just want to delete all telephone numbers of a specific entry, omit the values:

dn: cn=Bart Bartholomeussen,ou=people,dc=example,dc=com
changetype: modify
delete: telephonenumber