Filling an OpenLDAP database

From SaruWiki
Revision as of 16:51, 25 September 2008 by Saruman! (talk | contribs) (Recreated user addition sections)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search

Migrating User, Password and Group entries to an LDAP server

It's nice to have an LDAP, but it's much nicer if it is filled with information. We'll try to enter all existing users and groups from the host server into LDAP, using the available migration tools.

Creating new users

If we need new users (e.g. when the server you're setting up is spankin' new) then we can create them in several ways. Let's discuss two of them:

Adding a user with an LDIF file

To add a user with the LDAP command line utilities, we first need to create an LDIF file. This file is a simple text file, that could look something like this: 

# Create the user group
dn: cn=networkusers,ou=groups,dc=saruman,dc=biz
objectClass: posixGroup
description: Internal network users
gidNumber: 10001
cn: TestGroup

# Create a new user:
dn: uid=sixpacjo,ou=people,dc=saruman,dc=biz
objectclass: top
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
cn: Joe Sixpack
description: Your Average Network User
givenName: Joe
sn: Sixpack
mail: joe.sixpack@saruman.biz
# The Unix login-name for the user:
uid: sixpacjo
# The group and user IDs:
gidNumber: 10001
uidNumber: 10001
# The Unix account data:
homeDirectory: /home/sixpacjo
loginShell: /bin/bash
# The encrypted password for the user:
userPassword: {crypt}$1$qs70ynbk$UBuewN7ZdIvqavIxkxdmX0

For a line-by-line explanation of this LDIF file, go here.

AHA! you'll say. But how do I get to this encrypted password? It's simple. Try this: 

openssl passwd -crypt "secret"

The argument -crypt makes openssl generate a password using the standard Unix password algorithm; this is also the default setting. An alternative would be to use -1 instead of -crypt, which'll give you an MD5 encrypted password. Ofcourse, using an MD5 encrypted password means you have to change the last line of the LDIF file to 

userPassword: {MD5}$1$yCuyTf63$NoAjuX/dYBmE29hXrsDb41

Note that prefixing the used encryption method is totally fine with OpenLDAP, but it actually is not according to the LDAP standard; this LDIF file can be understood by OpenLDAP, but not by every other piece of LDAP software out there...

Adding a user with LAM

Retrieved from "https://www.saruman.biz/saruwiki/index.php?title=Filling_an_OpenLDAP_database&oldid=1685"