< Previous | Contents | Next >

1.11. User and Group Management

The ldap-utils package comes with enough utilities to manage the directory but the long string of options needed can make them a burden to use. The ldapscripts package contains wrapper scripts to these utilities that some people find easier to use.

Install the package:

sudo apt install ldapscripts

Then edit the file /etc/ldapscripts/ldapscripts.conf to arrive at something similar to the following:

SERVER=localhost BINDDN='cn=admin,dc=example,dc=com' BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd" SUFFIX='dc=example,dc=com'

GSUFFIX='ou=Groups' USUFFIX='ou=People' MSUFFIX='ou=Computers' GIDSTART=10000 UIDSTART=10000 MIDSTART=10000

Now, create the ldapscripts.passwd file to allow rootDN access to the directory:

sudo sh -c "echo -n 'secret' > /etc/ldapscripts/ldapscripts.passwd" sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

Replace “secret” with the actual password for your database's rootDN user.

The scripts are now ready to help manage your directory. Here are some examples of how to use them:

• Create a new user:

sudo ldapadduser george example

This will create a user with uid george and set the user's primary group (gid) to example

• Change a user's password:

sudo ldapsetpasswd george

Changing password for user uid=george,ou=People,dc=example,dc=com

New Password:

New Password (verify):

• Delete a user:

sudo ldapdeleteuser george

• Add a group:

sudo ldapaddgroup qa

• Delete a group:

sudo ldapdeletegroup qa

• Add a user to a group:

sudo ldapaddusertogroup george qa

You should now see a memberUid attribute for the qa group with a value of george.

• Remove a user from a group:

sudo ldapdeleteuserfromgroup george qa

The memberUid attribute should now be removed from the qa group.

• The ldapmodifyuser script allows you to add, remove, or replace a user's attributes. The script uses the same syntax as the ldapmodify utility. For example:

sudo ldapmodifyuser george

# About to modify the following entry : dn: uid=george,ou=People,dc=example,dc=com objectClass: account

objectClass: posixAccount cn: george

uid: george uidNumber: 1001

gidNumber: 1001 homeDirectory: /home/george loginShell: /bin/bash gecos: george

description: User account

userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=

# Enter your modifications here, end with CTRL-D. dn: uid=george,ou=People,dc=example,dc=com replace: gecos

gecos: George Carlin

The user's gecos should now be “George Carlin”.

• A nice feature of ldapscripts is the template system. Templates allow you to customize the attributes of user, group, and machine objects. For example, to enable the user template edit /etc/ldapscripts/ ldapscripts.conf changing:

UTEMPLATE="/etc/ldapscripts/ldapadduser.template"

There are sample templates in the /usr/share/doc/ldapscripts/examples directory. Copy or rename the

ldapadduser.template.sample file to /etc/ldapscripts/ldapadduser.template:

sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \

/etc/ldapscripts/ldapadduser.template

Edit the new template to add the desired attributes. The following will create new users with an objectClass of inetOrgPerson:

dn: uid=<user>,<usuffix>,<suffix> objectClass: inetOrgPerson objectClass: posixAccount

cn: <user> sn: <ask> uid: <user>

uidNumber: <uid> gidNumber: <gid> homeDirectory: <home> loginShell: <shell> gecos: <user> description: User account title: Employee

Notice the <ask> option used for the sn attribute. This will make ldapadduser prompt you for its value.

There are utilities in the package that were not covered here. Here is a complete list:

ldaprenamemachine5 ldapadduser6 ldapdeleteuserfromgroup7 ldapfinger8

ldapid9 ldapgid10 ldapmodifyuser11 ldaprenameuser12 lsldap13

ldapaddusertogroup14 ldapsetpasswd15 ldapinit16 ldapaddgroup17 ldapdeletegroup18

5 http://manpages.ubuntu.com/manpages/en/man1/ldaprenamemachine.1.html

6 http://manpages.ubuntu.com/manpages/en/man1/ldapadduser.1.html

7 http://manpages.ubuntu.com/manpages/en/man1/ldapdeleteuserfromgroup.1.html

8 http://manpages.ubuntu.com/manpages/en/man1/ldapfinger.1.html

9 http://manpages.ubuntu.com/manpages/en/man1/ldapid.1.html

10 http://manpages.ubuntu.com/manpages/en/man1/ldapgid.1.html

11 http://manpages.ubuntu.com/manpages/en/man1/ldapmodifyuser.1.html

12 http://manpages.ubuntu.com/manpages/en/man1/ldaprenameuser.1.html

13 http://manpages.ubuntu.com/manpages/en/man1/lsldap.1.html

14 http://manpages.ubuntu.com/manpages/en/man1/ldapaddusertogroup.1.html

15 http://manpages.ubuntu.com/manpages/en/man1/ldapsetpasswd.1.html

16 http://manpages.ubuntu.com/manpages/en/man1/ldapinit.1.html

17 http://manpages.ubuntu.com/manpages/en/man1/ldapaddgroup.1.html

18 http://manpages.ubuntu.com/manpages/en/man1/ldapdeletegroup.1.html

ldapmodifygroup19 ldapdeletemachine20 ldaprenamegroup21 ldapaddmachine22 ldapmodifymachine23 ldapsetprimarygroup24 ldapdeleteuser25

< Previous | Contents | Next >