Once LDAP is installed you have, at your fingertips, plenty of tools to add, edit, and delete data on that server. One of those tools is critical to keeping data current. That tool is ldapmodify. In this article I am going to show you how to use this tool to modify an entry in an LDAP server.

Command basics

The ldapmodify command isn’t exactly like all other commands. Instead of just running a single command and being done with it, you issue the command, do you work, and then escape out of the command. The actual modification of the data doesn’t happen until you escape the command. The sequence goes like this:

1. Issue the ldapmodify command (with appropriate options).
2. Inform ldapmodify what you are modifying.
3. Modify your data.
4. Escape with CTRL-d.
5. ldapmodify will make the changes.

Yes, it does seem like a fairly complex process…and yes it is a complex, but a very necessary process.

Let’s take a look at the actual process. As an example I am going to modify the gecos entry of an already existing directory entry. The gecos entry is a general information field that can be used for just about anything). Let’s have some fun and change the gecos entry for user scooper and indicate that Sheldon Cooper is a Theoretical Physicist at Caltech University. We’ll assume the gecos entry only contains the information “Sheldon Cooper” and the LDAP server’s is on 192.168.1.10 and the full dc is wallen.local. Here is the actual process for this task:

Issue the command:

ldapmodify -h localhost -x -W -D "cn=admin,dc=wallen,dc=local"

It will now seem like the command is stuck. It’s actually just waiting for input. The input will look like this (hit Enter after each line):

dn: uid=scooper,ou=People,dc=wallen,dc=local
changetype: modify
replace: gecos
gecos: Theoretical Physicist, Caltech University

Once you have completed entering this text, hit Enter, and then hit CTRL-d to escape the command and then you should see something like:

modifying entry "uid=scooper,ou=People,dc=wallen,dc=local"

Now if you issue the ldapsearch command you will see the changes made. The ldapsearch command would look something like:

ldapsearch -x -b "dc=wallen,dc=local" -s sub "objectclass=*"

You should see Sheldon’s listing like this:

# scooper, People, wallen.local
dn: uid=scooper,ou=People,dc=wallen,dc=local
uid: scooper
cn: Sheldon Cooper
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 500
gidNumber: 120
homeDirectory: /home/scooper
gecos: Theoretical Physicist Caltech University

You now have modified the entry. Of course you aren’t limited to the gecos entry. You can actually modify any entry you want using the same technique.

Final thoughts

Hopefully LDAP is getting easier and easier for you. You can now add and modify entries. We will keep digging and eventually you will have the LDAP basics mastered.

So, yeah…LDAP comes with it’s own set of management tools and, in this article, we are going to take a look at the primary tool for adding entries to your LDAP databases: ldapadd.

From file or command?
One of the best things about the ldapadd command is that you can have it read all of your entries from files. That way you don’t have to issue lengthy commands every time you want to add an entry. This also means you can add multiple entries at once. I will show you how to add entries this way so your LDAP administration life is much simpler. And from that process you should be able to glean enough to know the full command-line process.

ldapadd

When you see an ldapadd command for the first time, you might cringe, thinking it far too difficult to use. But once you understand the usage, it becomes quite easy. Now, you must have admin rights to issue the ldapadd command; so, depending up your distribution, you will either have to su to the root user or use sudo to issue the command.

The basic usage of the ldapadd command is:

ldapadd [OPTIONS] [CREDENTIALS] filename

Any file name you read into the ldapadd command should be in the form of an .ldif file. Now, let’s take a look at the more common options you will use with ldapadd:

• x: Use simple authentication, instead of SASL authentication.
• D: This options means you are going to use the Distinguished Name (binddn) to bind to the LDAP directory.
• W: Prompt for simple authentication.
• f: The file name you want to read into ldapadd.

Using the D option means you are going to be using a Distinguished Name. What this means is that you are going to authenticate in the form of:

cn=admin,dc=wallen,dc=local

The above entry means you are using the admin user on the domain wallen.local.

Now, let’s take a look at the format of the file you will use. Let’s examine a very basic entry. Let’s say I want to add the user Willow Wallen to my LDAP address book. I will do that within the file users.ldif. The entry looks like:

# Willow's Entry
dn: cn=Willow Wallen,ou=people,dc=wallen,dc=local
cn: Willow Wallen
objectClass: person
sn: Wallen

This will add the user Willow Wallen to the group people and she will be labeled as a person. Save that file and now let’s add her with the command:

sudo ldapadd -x -D cn=admin,dc=wallen,dc=local -W -f users.ldif

You will have to enter both your sudo password and your ldap password.

Final thoughts

You have taken one major step forward in your usage of LDAP. This is a very powerful, very complex tool you have at your finger tips. It’s important to understand the basics and learn one step at a time. We’ll continue our journey into LDAP in upcoming articles.

But here’s the thing – the slapd server can be a real pain to set up. It didn’t used to be. The old fashion way was to install slapd and then edit the /etc/ldap/slapd.conf file to suite your needs. Thing is, the slapd.conf configuration file has been deprecated and now, trying to figure out how to configure slapd is like finding the proverbial needle in the proverbial haystack. Fortunately, in my desperate scouring to work out an easy method of doing this, I have found some tools to make the job easier. And that’s what this article is all about, getting slapd up and running on a Ubuntu machine so you too can have LDAP running.

Installation

Of course there is a bit of installation to take care of before you do anything. But the installation isn’t challenging and there isn’t too much to install. Here are the steps you need to follow:

1. Open up a terminal window.
2. Issue the command sudo apt-get install slapd ldap-utils php5-ldap.
3. Type your sudo password and hit Enter.
4. Accept any dependencies necessary.

And that’s it. You are now ready for the configuration of slapd. But what to do? This article isn’t about a fancy GUI tool. Instead I have found a script floating around the web (who’s author I can not name because I have seen this script on a number of sites) which actually makes this process amazingly easy. I have posted the script here on pastebin for you to either download or copy and paste.

No matter if you download or copy and paste the script, name it something like ldap_script.sh and save it in your home directory. Once you have it saved give it executable permissions with the command:

chmod u+x ldap_script

Now the script is almost ready. You do have to make a few simple changes. Near the top of the script you will see:

passwd=pleaseeditme
dc1=pleaseeditme
dc2=pleaseeditme

Obviously you need to change each pleaseeditme entry to suit your needs. For my LDAP server that section lookes like:

passwd=mypassword
dc1=wallen
cd2=local

You will also notice, near the end of the script, it adds a user. The section #Adding user can be edited to suit your needs, or it can be left alone so that at least one correct user is added at first.

When you have the script ready, it’s time to execute. Issue the command sudo ./ldap_script and watch the magic fly by. When all is said and done you should then be able to check out your LDAP server with one of the means mentioned in previous articles, or you can issue the command:

ldapsearch -x -h localhost -b "dc=EXAMPLE,dc=COM" "(objectClass=*)"

Where EXAMPLE and COM match your dc entires.

Final thoughts

You should now have your LDAP server up and running. You can start adding entries and managing it with whatever tool (or command line) you want. NOTE: We’ll take a look at the management of LDAP via the command line in later articles. Enjoy your LDAP server!

Naturally, what is nice about phpldapadmin is that it allows you to manage your LDAP server from anywhere you have access to a browser (so long as your LDAP server can be reached form anywhere. In this article I am going to show you how to install, configure, and begin to use the phpldapadmin tool.

Installation

Before you install phpLDAPAdmin (also known as PLA), you will need to have your LDAP server up and running. Once that is achieved you can then proceed with your installation of this management tool. You will also need to have a web server installed and running (it is a web-based tool after all).  If you do not already have php5-ldap installed, install that package now.

The first step for installation is to download the source from Sourceforge. You can install from a pre-compiled binary, but I recommend you do the installation from source.

Once you have the .tgz file downloaded move that file to your web servers’ document root. In Fedora this will be /var/www/html and in Ubuntu this will be /var/www. The next step is to unpack the tar file and then rename the newly created directory. You will need administrative privileges for these tasks. Follow these steps:

1. Open up a terminal window.
2. Change to your document root.
3. Su to root (if using Fedora or a Fedora-like distribution).
4. Issue the command tar xvfz phpldapadmin-XXX.tgz (If using a Ubuntu-like distribution you will have to add sudo to the beginning of that command) Where XXX is the release number.
5. Rename the directory with the command mv phpldapadmin-XXX phpldapadmin (If using Ubuntu-like distribution you will have to add sudo to the beginning of that command) Where XXX is the release number.
6. Change into the phpldapadmin/config and rename the config file with the command mv config.php.sample config.php (If using Ubuntu-like distribution you will have to add sudo to the beginning of that command).

Now it’s time to fire up your web browser and head to your installation. Point your browser to http://ADDRESS_TO_SERVER/phpldapadmin/ and you will see a page similar to that in Figure 1.

The first thing you need to do is click on the Login link (in the left navigation tree). The credentials you need will be those that were created to administer your LDAP server. But don’t think you can just log in with a username of “admin” and a password. You have to use the standard format of LDAP. So a typical administrator login username will look like cn=admin,dc=wallen,dc=local.

Once you have logged in, the main page will look like that shown in Figure 2. Expand the navigation tree on the left nav and you can see where you can start creating new entries.

Final thoughts

You are now ready to rock your LDAP server from anywhere you can access a web browser. The phpLDAPAdmin tool makes LDAP as easy as phpMyAdmin makes MySQL. This is one of the best LDAP admin tools you will find.

That is, until I discovered a very handy little tool, just for this purpose, called Luma. Luma is an LDAP manager that is pure graphical ease. If you already have your LDAP server up and running, you won’t have any problem managing your data with this tool. In this article I am going to show you how to install Luma and how to connect to your LDAP server.

Installation

I’m going to show you how to install Luma on both Ubuntu and Fedora. It’s actually quite simple. Just follow these steps:

Fedora

1. Open up a terminal window.
2. Su to the root user.
3. Issue the command yum install luma.
4. Okay any dependencies (if necessary).
5. Once installation is complete, you can close the terminal.

Ubuntu

1. Open up a terminal window.
2. Issue the command sudo apt-get install luma.
3. Enter your sudo (user) password.
4. Okay any dependencies (if necessary).
5. Once the installation is complete, you can close the terminal.

Now that you have Luma installed, let’s open it up and connect to a server.

Usage

Figure 1

To start up Luma you will not find a menu entry, so you will have to run Luma from command line (or create a menu entry). To do this click Alt-F and then enter luma in the run dialog. Or you can leave that terminal window open and then just issue the command from within there.

Once started you will see a simple window (see Figure 1) where you can choose from any one of the available plugins. In order to add a server you need to click Settings > Edit Server List. From this window click the Add button to create a new server.

The first step is to give this new server a name. This is a human readable name so it does not need to be a hostname or IP address.  After you create a name click OK to move on to the real work.

Figure 2

Once you have created the server you have three configurations to take care of (see Figure 2):

• Network options: Hostname, Port, Encryption type.
• Authentication: Mechanism for authentication (simple, or SASL type), Bind as (login authentication), and Password.
• LDAP options: Follow aliases and/or Use Base DNs provided by the server.

The trickiest option for most is going to be the Authentication “Bind as” setting. You do not just log in with a plain username. Instead (as you can see in Figure 2), you log in with username and domain in the form of cn=USERNAME,dc=DOMAIN, dc=NAME. In the case of my example it’s cn=admin,dc=wallen,dc=local.

Figure 3

Once you have logged in you can then use the plugins like Browse (see Figure 3). This examples illustrates how you can manage the various aspects of your LDAP entries.

Final thoughts

In upcoming articles we will deal with more LDAP administration with Luma as it is, by far, one of the easiest front ends for the LDAP server I have come across.

But because LDAP is fairly complex, it is not often used except by those who have the lengthy period of time it takes to understand the task of getting an LDAP server up and running. That doesn’t need to be the case, if you happen to have a Fedora server lying around. There is a tool, 389 Directory Server, that helps you to get this up and running quickly and easily.  In this article I am going to show you how to install and set up the 389 Directory Server.

Installation

The installation of 389 DS is simple. Just follow these steps:

1. Open up a terminal window.
2. Su to the root user.
3. Issue the command yum install fedora-ds.
4. Accept all of the dependencies.
5. Wait for the installation to finish.

Now you are ready to begin. The configuration of 389 is done via command line. Once that is complete you can then manage your LDAP server with a nice GUI tool.

Configuration

Figure 1

The configuration takes place in the terminal window. To begin the process issue the command (as root) setup-ds-admin.pl. This will begin a process that will take about 14 steps. Each step looks similar to that in Figure 1.

The steps for the setup are:

1. Agree to license.

2. Set up warning alert.

3. Choose type of installation.

4. Configure fully qualified domain name for name.

5. Server user name.

6. Do you want to register this software with an existing configuration directory server?

7. Administrator ID.

8. Administration domain.

9. Server network port.

10. Directory server identifier (name).

11. Valid DN for your directory suffix.

12. Directory Manager DN.

13. Administration network port.

14. Save configuration and set up server.

The final step is basically writing your configurations to the config script and then starting the server. Once you have completed these steps, the hard part is over! Don’t worry about not understanding any of the above explanations, as each step is clearly explained on its own screen (as shown in Figure 1).

Now that your setup is complete, you are ready to fire up the GUI admin tool.

The admin tool

Figure 2

The administration tool is started (as the root user) with the command 389-console. When you login to the admin tool you will need to use your admin username and password you created during the setup and the URL (including port number) you created (see Figure 2).

Figure 3

Once you have successfully logged in you will now be in the 389 Directory Server Management Console (see Figure 3). It is from within this console that you actually take care of all of the LDAP management (we’ll save that for another article).

Final thoughts

If you’ve ever tried to set up LDAP manually then you know it can be a real pain. With tools like 389 Directory Server, this process has become exponentially easier. Give this a try and see if you have better luck setting up your LDAP server.

Of course it is not just a matter of working on the Linux end of things. There is one issue to settle on the MS end. You have to activate Secure LDAP on your AD Server. This process goes beyond the scope of this article, but the steps are pretty clear.

Enable SLDAP

Here are the steps to enable Secure LDAP on your Windows 2003 AD server (I will leave out the details):

1. Create an Active Directory domain controller certificate request.
2. Create a Certification Authority.
3. Sign the certificate request by the Certification Authority.
4. Export the root certificate Certification Authority.
5. Import the root certificate Certification Authority onto the Domain Controller.
6. Import the LDAP Server certificate onto the Domain Controller.
7. Set up the UMRA (LDAP Client) computer.
8. Verify Secure LDAPS using SSL.

Installing adtool

Fortunately adtool will be found in your distributions’ repositories. So all you have to do is follow these steps:

1. Fire up Synaptic (or whichever Add/Remove Software utility you use).
2. Do a search for “adtool” (no quotes).
3. Mark the results for installation.
4. Click Apply to install.
5. Close Synaptic.

Configuring adtool

This is a bit of configuration you need to handle before you can use adtool on your AD server. First create the file (if it doesn’t exist) /etc/adtool.cfg and add the following contents:

uri ldaps://YOUR.DOMAIN.HERE
binddn cn=Administrator,cn=Users,dc=domain,dc=tld
bindpw $PASSWORD
searchbase dc=domain,dc=tld

Where YOUR.DOMAIN.HERE is the actual address to your Active Directory server.

Where PASSWORD is the password for the AD user that has proper permissions to manage the AD server.

You will also need to make sure the following is in your /etc/ldap/ldap.conf file:

BASE    dc=YOUR,dc=DOMAIN,dc=HERE
URI     ldaps://YOUR.DOMAIN.HERE
TLS_REQCERT allow

Without the above configuration you will not be able to accept the SSL certificates from the server.

Basic usage

The basic usage of the adtool command is simple. Of course you will have to understand Active Directory in order to really understand the usage of this tool. Below I will give you samples of commands to handle the basic tasks for AD. Any information in ALL CAPS would be altered to fit your needs.

Create a new organizational unit:

adtool oucreate ORGANIZATION NAME ou=user,dc=DOMAIN,dc=COM

Add a user:

adtool useradd USER ou=ORGANIZATION ou=user,cd=DOMAIN,dc=COM

Set a user password:

adtool setpass USER PASSWORD

Unlock a user:

adtool unlock USER

Create a group

adtool groupcreate GROUP ou=user,cd=DOMAIN,dc=COM

Add a user to a group:

adtool groupadd allusers USER

Add an email address for the user:

adtool attributereplace USER mail EMAIL@ADDRESS

Final thoughts

We’ve only really scratched the surface of this powerful tool. But from this you should be able to see how easy adtool can be as well as how helpful it is.