How to set up LDAP users and groups¶
Once you have a working LDAP server, you will need to install libraries on the client that know how and when to contact it. On Ubuntu, this can be done with nslcd or SSSD.
User and group management - ldapscripts¶
A common use case for an LDAP server is to store UNIX user and group information in the directory. There are many tools out there, and big deployments will usually develop their own. However, as a quick and easy way to get started with storing user and group information in OpenLDAP, you can use the ldapscripts package.
Install ldapscripts¶
You can install ldapscripts by running the following command:
$ Then edit the file /etc/ldapscripts/ldapscripts.conf to arrive at something similar to the following:
SERVER=ldap://ldap01.example.com
LDAPBINOPTS="-ZZ"
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
Note
Adjust SERVER and related SUFFIX options to suit your directory structure.
Here, we are forcing use of START_TLS (-ZZ parameter). Refer to LDAP with TLS to learn how to set up the server with TLS support.
Store the cn=admin password in the /etc/ldapscripts/ldapscripts.passwd file and make sure it’s only readable by the root local user:
$ $ Note
The password file must contain exactly and only the password characters, no end-of-line or anything else. The echo command above with the -n parameter achieves that by suppressing the EOL character \n. And in order to prevent the password from appearing in the shell history, the echo command line is prefixed by a space.
The scripts are now ready to help manage your directory.
Manage users and groups with ldapscripts¶
Here are some brief examples you can use to manage users and groups using ldapscripts.
Create a new user¶
$ $ This will create a group and user with name “george” and set the user’s primary group (GID) to “george” as well.
Change a user’s password¶
$ Changing password for user uid=george,ou=People,dc=example,dc=com
New Password:
Retype New Password:
Successfully set password for user uid=george,ou=People,dc=example,dc=com
Delete a user¶
$ Note that this won’t delete the user’s primary group, but will remove the user from supplementary ones.
Add a group¶
$ Delete a group¶
$ Add a user to a group¶
$ You should now see a memberUid attribute for the qa group with a value of george.
Remove a user from a group¶
$ The memberUid attribute should now be removed from the qa group.
Manage user attributes with ldapmodifyuser¶
The ldapmodifyuser script allows you to add, remove, or replace a user’s attributes. The script uses the same syntax as the ldapmodify utility. For example:
sudo ldapmodifyuser george
# About to modify the following entry :
dn: uid=george,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: george
uid: george
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/george
loginShell: /bin/bash
gecos: george
description: User account
userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=
# Enter your modifications here, end with CTRL-D.
dn: uid=george,ou=People,dc=example,dc=com
replace: gecos
gecos: George Carlin
The user’s gecos should now be “George Carlin”.
ldapscripts templates¶
A nice feature of ldapscripts is the template system. Templates allow you to customize the attributes of user, group, and machine objects. For example, to enable the user template, edit /etc/ldapscripts/ldapscripts.conf by changing:
UTEMPLATE="/etc/ldapscripts/ldapadduser.template"
There are sample templates in the /usr/share/doc/ldapscripts/examples directory. Copy or rename the ldapadduser.template.sample file to /etc/ldapscripts/ldapadduser.template:
$ Edit the new template to add the desired attributes. The following will create new users with an objectClass of inetOrgPerson:
dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
cn: <user>
sn: <ask>
uid: <user>
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: <home>
loginShell: <shell>
gecos: <user>
description: User account
title: Employee
Notice the <ask> option used for the sn attribute. This will make ldapadduser prompt you for its value.
There are utilities in the package that were not covered here. This command will output a list of them:
$ Next steps¶
Now that you know how to set up and modify users and groups, it’s a good idea to secure your LDAP communication by setting up Transport Layer Security (TLS).