Revision as of 15:50, 16 January 2012 by Admin


Lightweight Directory Access Protocol

LDAP commands:

ldapsearch -x                  # list all LDAP info for users (anonymous simple bind)
ldapsearch -x uid=username     # list LDAP info for a particular user


echo "dn: uid=$User,ou=People,dc=skynet,dc=ie
loginShell: $Shell
" | ldapmodify -x -D "uid=$User,ou=People,dc=skynet,dc=ie" -W

After a good bit of checking and looking, it is the -x (simple bind) and -W (prompt for the bind password) options that make this work. The above code was taken from /usr/bin/chsh, which is a modified/fixed version of chsh made especially for LDAP; it did need a little modification, however.

Debug ldapsearch | ldapmodify

If you are getting errors similar to:

ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

then there is a problem between the client and the LDAP server (in the example above the client is refusing to verify the server's certificate). passwd and other commands may still work, but ldapsearch or ldapmodify may not. To debug what is happening, type:

ldapsearch -x -d 9

You will see exactly what is happening: -d 9 turns on the trace (1) and connection-management (8) debug levels, so the connection, the TLS handshake and the bind are all logged.

ldapmodify - modify privileged user details

The ldapmodify code above works for changing details which the user themselves is allowed to write. If you want to change privileged information, you need to run ldapmodify with root or Accounts privileges. The following works fine:

echo "dn: uid=steviewdr,ou=People,dc=skynet,dc=ie
altShell: /bin/bash
" | ldapmodify -x -D "cn=Accounts,dc=skynet,dc=ie" -W

The above will connect as "cn=Accounts" and will prompt for the Accounts password. Run "ldapsearch -x uid=steviewdr" afterwards to check that altShell was changed. That's it.
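The two ldapmodify invocations on this page (the self-service loginShell change and the privileged altShell change) wrapped in one small script, added here as an example; it is not from the wiki or from the site's modified chsh. It assumes the base DN dc=skynet,dc=ie and the cn=Accounts DN exactly as they appear above, and it assumes (as the page implies) that loginShell is writable by the user while altShell needs the Accounts bind. Like chsh, it refuses a shell that is not listed in /etc/shells, and it rejects usernames containing characters that would let a caller smuggle extra DN components or LDIF lines into the generated change.

```shell
#!/bin/sh
# Added example (not the wiki's code): build the LDIF change for one attribute
# of one user and send it with ldapmodify, binding as the user for self-service
# attributes and as cn=Accounts for privileged ones.
# Assumed: base DN and Accounts DN as on the page.

BASE_DN="dc=skynet,dc=ie"
ACCOUNTS_DN="cn=Accounts,${BASE_DN}"

# Return 0 only if the shell is listed in the shells file (default /etc/shells),
# the same allow-list chsh consults, so nobody sets loginShell to a stray binary.
shell_allowed() {
    shell="$1"
    shells_file="${2:-/etc/shells}"
    [ -r "$shells_file" ] || return 1
    grep -qxF -- "$shell" "$shells_file"
}

# Accept only plain usernames; commas, equals signs, plus signs or newlines in a
# uid would change the meaning of the DN or add LDIF lines of their own.
valid_uid() {
    case "$1" in
        ''|*[!a-zA-Z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Emit an explicit "replace" change for ATTR on uid=UID,ou=People,BASE_DN.
# (ldapmodify treats attribute lines without a changetype as replace too,
# which is why the shorter form on the page works; being explicit is clearer.)
build_ldif() {
    uid="$1"; attr="$2"; value="$3"
    valid_uid "$uid" || return 1
    printf 'dn: uid=%s,ou=People,%s\nchangetype: modify\nreplace: %s\n%s: %s\n' \
        "$uid" "$BASE_DN" "$attr" "$attr" "$value"
}

# Assumption: loginShell (and userPassword) are self-writable under the site's
# ACLs; everything else, e.g. altShell, needs the privileged Accounts bind.
bind_dn_for() {
    uid="$1"; attr="$2"
    case "$attr" in
        loginShell|userPassword) printf 'uid=%s,ou=People,%s\n' "$uid" "$BASE_DN" ;;
        *) printf '%s\n' "$ACCOUNTS_DN" ;;
    esac
}

# Usage: sh ldapattr.sh USER ATTR VALUE   (ldapmodify -W prompts for the password)
main() {
    uid="$1"; attr="$2"; value="$3"
    if [ "$attr" = "loginShell" ] && ! shell_allowed "$value"; then
        echo "refusing: $value is not listed in /etc/shells" >&2
        return 1
    fi
    ldif=$(build_ldif "$uid" "$attr" "$value") || { echo "bad uid: $uid" >&2; return 1; }
    printf '%s\n' "$ldif" | ldapmodify -x -D "$(bind_dn_for "$uid" "$attr")" -W
}

if [ "$#" -eq 3 ]; then
    main "$@"
fi
```

Check the result the same way the page does, with "ldapsearch -x uid=USER" after the change.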

ldapvi - Perform an LDAP search and update results using a text editor.

apt-get install ldapvi

Although I didn't test it fully, it seems nice. You may have to provide a better start command to auth yourself as "Accounts" etc. You also may have to export vi as your editor. Note that passing the secret with -w puts it in the process's argument list, where other local users can read it with ps.

export EDITOR="/usr/bin/vi"
ldapvi --user cn=Accounts,dc=skynet,dc=ie -w`cat /etc/ldap.secret`

Allow users to change their LDAP Password

After an upgrade from Ubuntu hardy to lucid, slapd stopped reading /etc/ldap/slapd.conf and instead keeps its configuration as many smaller LDIF files under /etc/ldap/slapd.d/ (the cn=config database).

vi /etc/ldap/slapd.d/cn\=config/olcDatabase\=\{1\}bdb.ldif
# make sure "by self write" is present in the userPassword line:
olcAccess: {2}to attrs=userPassword by self write by dn.base="cn=admin,dc=skynet,dc=ie" write by anonymous auth by * none
/etc/init.d/slapd restart
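The same ACL change done against the live cn=config database instead of editing the file under /etc/ldap/slapd.d by hand, added here as an example (not from the wiki). It reads the current olcAccess values back over the local ldapi socket, checks that the userPassword rule contains "by self write" and "by anonymous auth" (without the latter, simple binds that have to read the password during authentication stop working), and prints the ldapmodify change that rewrites rule {2} to the line shown above. Changes made this way take effect immediately, with no slapd restart. It assumes the database DN olcDatabase={1}bdb,cn=config and the admin DN cn=admin,dc=skynet,dc=ie from the page; the sample ldapsearch output embedded below is constructed.

```shell
#!/bin/sh
# Added example (not the wiki's code): inspect and correct the userPassword ACL
# through cn=config. Assumed: the {1}bdb database and admin DN as on the page.

DB_DN='olcDatabase={1}bdb,cn=config'
ADMIN_DN='cn=admin,dc=skynet,dc=ie'

# ldapsearch folds long values onto continuation lines that start with one
# space; join them back so each olcAccess value is a single line.
unwrap_ldif() {
    awk '
        /^ / { buf = buf substr($0, 2); next }
        NR > 1 { print buf }
        { buf = $0 }
        END { if (NR > 0) print buf }
    '
}

# Return 0 when some olcAccess value protecting userPassword grants
# "by self write" and still keeps "by anonymous auth"; 1 otherwise.
check_userpassword_acl() {
    printf '%s\n' "$1" | unwrap_ldif | grep -- 'attrs=userPassword' |
        grep -- 'by self write' | grep -q -- 'by anonymous auth'
}

# Print the cn=config change that replaces olcAccess value number IDX with the
# rule from the page. Deleting "olcAccess: {IDX}" removes just that value.
acl_fix_ldif() {
    idx="$1"
    printf 'dn: %s\nchangetype: modify\ndelete: olcAccess\nolcAccess: {%s}\n-\nadd: olcAccess\nolcAccess: {%s}to attrs=userPassword by self write by dn.base="%s" write by anonymous auth by * none\n' \
        "$DB_DN" "$idx" "$idx" "$ADMIN_DN"
}

# Fetch the live rules as root over ldapi:/// (SASL EXTERNAL) and check them.
# Needs a running slapd, so it is not exercised offline.
check_live_acl() {
    rules=$(ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "$DB_DN" olcAccess) || return 2
    check_userpassword_acl "$rules"
}

# Apply the fix for value IDX; usage: apply_fix 2
apply_fix() {
    acl_fix_ldif "$1" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# Constructed sample of ldapsearch output (not captured from a real server),
# with the long value folded the way ldapsearch folds it. This one is correct.
SAMPLE_OK='dn: olcDatabase={1}bdb,cn=config
olcAccess: {2}to attrs=userPassword by self write by dn.base="cn=admin,dc=skyn
 et,dc=ie" write by anonymous auth by * none
olcAccess: {3}to * by self write by * read'

# Constructed sample where "by self write" is missing, so users cannot change
# their own password.
SAMPLE_BAD='dn: olcDatabase={1}bdb,cn=config
olcAccess: {2}to attrs=userPassword by dn.base="cn=admin,dc=skynet,dc=ie" write
  by anonymous auth by * none'
```

Run check_live_acl first; only if it fails, pipe acl_fix_ldif into ldapmodify as apply_fix does, then confirm with ldappasswd as an ordinary user.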

LDAP commands

* Authenticated ldapsearch (binds as the user, prompts for the password)
ldapsearch -x -D "uid=steviewdr,ou=People,dc=skynet,dc=ie" -W
* Unauthenticated (anonymous) ldapsearch
ldapsearch -x
* Change LDAP password, method 2 (-S prompts for the new password)
ldappasswd -D 'uid=steviewdr,ou=People,dc=skynet,dc=ie' -W -S

Useful links: