Ldap

Revision as of 15:50, 16 January 2012

Lightweight Directory Access Protocol

Ldap commands:

ldapsearch -x                # list all ldap info for users
ldapsearch -x uid=username   # list ldap info for a particular user

ldapmodify

echo "dn: uid=$User,ou=People,dc=skynet,dc=ie
loginShell: $Shell
" | ldapmodify -x -D "uid=$User,ou=People,dc=skynet,dc=ie" -W

After a good bit of checking and looking, it is the -x and -W options that make this work. The above code was obtained from /usr/bin/chsh, which is a modified/fixed version of chsh made especially for LDAP. It did need a little modification, however.

Debug ldapsearch | ldapmodify

If you are getting errors similar to:

ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

then there is a problem talking to your LDAP server (in the example above, the client could not verify the server's certificate). passwd and other commands may still work, but ldapsearch or ldapmodify may not. To debug what is happening, type:

ldapsearch -x -d 9

You will see exactly what is happening.

ldapmodify - modify privileged user details

The ldapmodify command above works for changing details that the user themselves has access to. To change privileged information, you need to run ldapmodify as root or with the Accounts credentials. The following works fine:

echo "dn: uid=steviewdr,ou=People,dc=skynet,dc=ie
altShell: /bin/bash
" | ldapmodify -x -D "cn=Accounts,dc=skynet,dc=ie" -W

This connects as "cn=Accounts" and prompts for the Accounts password. Run ldapsearch -x uid=steviewdr afterwards to check that altShell was changed. That's it.

ldapvi - Perform an LDAP search and update the results using a text editor.

apt-get install ldapvi
ldapvi

Although I didn't test it fully, it seems nice. You may have to provide a better start command to auth yourself as "Accounts" etc. You also may have to export vi as your editor.

export EDITOR="/usr/bin/vi"
ldapvi --user cn=Accounts,dc=skynet,dc=ie -w`cat /etc/ldap.secret`

Allow users to change their LDAP Password

After an upgrade from hardy to lucid, slapd no longer used /etc/ldap/slapd.conf; its configuration moved to many smaller LDIF files under /etc/ldap/slapd.d/

vi /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
# make sure "by self write" is present in the userPassword line.
olcAccess: {2}to attrs=userPassword by self write by dn.base="cn=admin,dc=skynet,dc=ie" write by anonymous auth by * none
/etc/init.d/slapd restart
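
slapd evaluates the "by" clauses of an olcAccess line top to bottom and stops at the first selector that matches the requester, so where "by self write" sits matters, not just whether it is present. The Python below is an added example (not part of this wiki page) that models that first-match rule for the selectors used in the ACL above and checks whether a bound user may write their own userPassword; the DN uid=someone is a constructed stand-in for some other user.

```python
import re

# OpenLDAP privilege levels, lowest to highest; a level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The ACL from the page, plus a constructed misordered variant of the same clauses.
ACL_OK = ('olcAccess: {2}to attrs=userPassword by self write '
          'by dn.base="cn=admin,dc=skynet,dc=ie" write by anonymous auth by * none')
ACL_MISORDERED = ('olcAccess: {2}to attrs=userPassword by anonymous auth '
                  'by * none by self write')
USER = "uid=steviewdr,ou=People,dc=skynet,dc=ie"   # DN used on the page
OTHER = "uid=someone,ou=People,dc=skynet,dc=ie"    # constructed: another user

def parse_olc_access(line):
    """Split 'olcAccess: {n}to attrs=A by WHO LEVEL ...' into (attrs, clauses).
    Clause order is preserved because slapd stops at the first matching WHO."""
    m = re.match(r'olcAccess:\s*(?:\{\d+\})?to\s+attrs=(\S+)\s+(.*)$', line)
    if not m:
        raise ValueError("not an attrs ACL: " + line)
    clauses = re.findall(r'by\s+(\S+)\s+(' + "|".join(LEVELS) + r')\b', m.group(2))
    return m.group(1).split(","), clauses

def who_matches(who, requester_dn, target_dn):
    """Selectors used in the page's ACL; requester_dn None means an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "self":   # requester is the entry being accessed
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    if who.startswith("dn.base="):
        wanted = who[len("dn.base="):].strip('"').lower()
        return requester_dn is not None and requester_dn.lower() == wanted
    raise ValueError("unsupported selector: " + who)

def access_to(line, requester_dn, target_dn):
    """Access level the requester gets to the ACL's attributes on target_dn."""
    _, clauses = parse_olc_access(line)
    for who, level in clauses:
        if who_matches(who, requester_dn, target_dn):
            return level
    return "none"  # nothing matched: slapd's implicit default

def can_change_own_password(line, user_dn):
    """True if a user bound as user_dn may write their own userPassword."""
    return LEVELS.index(access_to(line, user_dn, user_dn)) >= LEVELS.index("write")
```

With ACL_OK the user gets write to their own entry while anonymous binds get only auth; with ACL_MISORDERED the "by * none" clause matches first and the trailing "by self write" is never reached.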

Ldap commands

* Authed ldapsearch
ldapsearch -x -D "uid=steviewdr,ou=People,dc=skynet,dc=ie" -W
* Unauthenticated ldapsearch
ldapsearch -x
* Change ldap password method 2
ldappasswd -D 'uid=steviewdr,ou=People,dc=skynet,dc=ie' -W -S


Useful links:

http://docs.sun.com/source/816-6400-10/lsearch.html

http://docs.sun.com/source/816-6400-10/lmodify.html

http://docsrv.sco.com/INT_DirectoryAG/modify.htm#1021458

http://docsrv.sco.com/INT_DirectoryAG/modify.htm#1006755