From Wiki

Jump to: navigation, search


Lightweight Directory Access Protocol

Ldap commands:

ldapsearch -x  //list all ldap info for users
ldapsearch -x uid=username   //list ldap info for a particular user


echo "dn: uid=$User,ou=People,dc=skynet,dc=ie
loginShell: $Shell
" | ldapmodify -x -D "uid=$User,ou=People,dc=skynet,dc=ie" -W

After a good bit of checking and looking, the -x and -W values make this work. The above code was obtained from /usr/bin/chsh which is a modified/fixed version of chsh especially for ldap. It did need a little modification however.

Debug ldapsearch | ldapmodify

If you are getting errors similar to:

ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

There are problems with your ldap server. Passwd and other commands may work, but ldapsearch or ldapmodify may not work. To debug whats happenning type:

ldapsearch -x -d 9

You will see exactly whats happenning.

ldapmodify - modify privileged user details

The above ldapmodify code will work for changing details which the user themselves have access to. If you want to change privileged information, you need to run ldapmodify with root or Account privileges. The following works fine:

echo "dn: uid=steviewdr,ou=People,dc=skynet,dc=ie
altShell: /bin/bash
" | ldapmodify -x -D "cn=Accounts,dc=skynet,dc=ie" -W

The above will connect as "cn=Accounts" and will prompt for the Accounts password. Run a "ldapsearch -x uid=steviewdr" afterwards to check that altShell was changed. Thats is.

ldapvi - Perform an LDAP search and update results using a text editor.

apt-get install ldapvi

Although I didnt test it fully, it seems nice. You may have to provide a better start command to auth yourself as "Accounts" etc. You also may have to export vi as your editor.

export EDITOR="/usr/bin/vi"
ldapvi --user cn=Accounts,dc=skynet,dc=ie -w`cat /etc/ldap.secret`

Issues with ldapvi

I was continually getting the error 'ldap_bind: Can't contact LDAP server (-1)'. Commands such as ldapsearch, ldapmodify worked ok. It turns out with an strace and some googling that it was TLS Certs causing the issue.

Solution: to use "--tls allow"

ldapvi -D "uid=steviewdr,ou=People,dc=skynet,dc=ie" -h ldaps://ldap.skynet.ie --tls allow

#To connect as Accounts/root instead of a user:
ldapvi -D "cn=Accounts,dc=skynet,dc=ie" -h ldaps://ldap.skynet.ie --tls allow

The command above, reads /etc/ldap/ldap.conf, and looks for the TLS_Cert. You do need the Cert to connect to ldaps.

#Contents of above file
BASE dc=skynet,dc=ie
URI ldaps://ldap.skynet.ie
TLS_CACERT  /etc/ssl/certs/cacert.class1.pem

So not only can the main accounts user use ldapvi to change other peoples details, the ldap user themselves can change their own details instead of using ldapmodify or patched chsh or chfn.

ldap limit of 500 entries

Another issue I had with ldapvi, albeit not specifically an ldapvi issue, was that it was limited to 500 entries.

   500 entries read
Search failed: Size limit exceeded
Continue anyway? [yn] n

On the old ldap:
vi /etc/ldap/slapd.conf
#add the following:
sizelimit 3000

On the new ldap:
vi /etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif
#Add in olcSizeLimit: 3000 underneath "olcRootPW"
olcRootPW:: xxxx
olcSizeLimit: 3000

/etc/init.d/slapd restart

Allow users to change their LDAP Password

After an upgrade from hardy to lucid, ldap changed, and no longer used /etc/ldap/slapd.conf, and instead used many smaller ldif files in /etc/ldap/slapd.d/

vi /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
#make sure the "by self write" is present in the userPassword line.
olcAccess: {2}to attrs=userPassword by self write by dn.base="cn=admin,dc=skynet,dc=ie" write by anonymous auth by * none
/etc/init.d/slapd restart

Ldap commands

* Authed ldapsearch
ldapsearch -x -D "uid=steviewdr,ou=People,dc=skynet,dc=ie" -W
* UnAuthed ldapsearch
ldapsearch -x
* Change ldap password method 2
ldappasswd -D 'uid=steviewdr,ou=People,dc=skynet,dc=ie' -W -S

Useful links:





Personal tools