LDAP Workstation Authentication

Once you have a working LDAP server, you will need to install libraries on the client that will know how and when to contact it. On Ubuntu, this has been traditionally accomplished by installing the libnss-ldap package, but nowadays you should use SSSD. Please refer to Service - SSSD.

User and Group Management - ldapscripts

Another very common use case for an LDAP server is to store Unix user and group information in the directory. There are many tools out there, but large deployments will usually have developed their own. Here we will briefly show how to use the ldapscripts package as an easy and quick way to start storing user and group information in OpenLDAP.

Install the package:

sudo apt install ldapscripts

Then edit the file /etc/ldapscripts/ldapscripts.conf to arrive at something similar to the following:

SERVER=ldap://ldap01.example.com
LDAPBINOPTS="-ZZ"
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'

Note

  • Adjust SERVER and related SUFFIX options to suit your directory structure.
  • Note that we are forcing START_TLS here (the -ZZ parameter); please refer to LDAP with TLS for details on how to set up the server with TLS support.

Store the cn=admin password in the /etc/ldapscripts/ldapscripts.passwd file and make sure it is only readable by the local root user:

$ sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd

The scripts are now ready to help manage your directory. Here are some examples of how to use them:

  • Create a new user:

    sudo ldapaddgroup george
    sudo ldapadduser george george
    

    This will create a group and a user named george and set the user’s primary group (gid) to george.

  • Change a user’s password:

    $ sudo ldapsetpasswd george
    Changing password for user uid=george,ou=People,dc=example,dc=com
    New Password: 
    Retype New Password: 
    Successfully set password for user uid=george,ou=People,dc=example,dc=com
    
  • Delete a user:

    sudo ldapdeleteuser george
    
    Note

    This won't delete the user's primary group, but will remove the user from supplementary ones.
    
  • Add a group:

    sudo ldapaddgroup qa
    
  • Delete a group:

    sudo ldapdeletegroup qa
    
  • Add a user to a group:

    sudo ldapaddusertogroup george qa
    

    You should now see a memberUid attribute for the qa group with a value of george.

  • Remove a user from a group:

    sudo ldapdeleteuserfromgroup george qa
    

    The memberUid attribute should now be removed from the qa group.

  • The ldapmodifyuser script allows you to add, remove, or replace a user’s attributes. The script uses the same syntax as the ldapmodify utility. For example:

    sudo ldapmodifyuser george
    # About to modify the following entry :
    dn: uid=george,ou=People,dc=example,dc=com
    objectClass: account
    objectClass: posixAccount
    cn: george
    uid: george
    uidNumber: 10001
    gidNumber: 10001
    homeDirectory: /home/george
    loginShell: /bin/bash
    gecos: george
    description: User account
    userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=
    
    # Enter your modifications here, end with CTRL-D.
    dn: uid=george,ou=People,dc=example,dc=com
    replace: gecos
    gecos: George Carlin
    

    The user’s gecos should now be “George Carlin”.

  • A nice feature of ldapscripts is the template system. Templates allow you to customize the attributes of user, group, and machine objects. For example, to enable the user template edit /etc/ldapscripts/ldapscripts.conf changing:

    UTEMPLATE="/etc/ldapscripts/ldapadduser.template"
    

    There are sample templates in the /usr/share/doc/ldapscripts/examples directory. Copy or rename the ldapadduser.template.sample file to /etc/ldapscripts/ldapadduser.template:

    sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \
    /etc/ldapscripts/ldapadduser.template
    

    Edit the new template to add the desired attributes. The following will create new users with an objectClass of inetOrgPerson:

    dn: uid=<user>,<usuffix>,<suffix>
    objectClass: inetOrgPerson
    objectClass: posixAccount
    cn: <user>
    sn: <ask>
    uid: <user>
    uidNumber: <uid>
    gidNumber: <gid>
    homeDirectory: <home>
    loginShell: <shell>
    gecos: <user>
    description: User account
    title: Employee
    

    Notice the <ask> option used for the sn attribute. This will make ldapadduser prompt you for its value.
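To make the template mechanism concrete, here is an added illustration (not ldapscripts' own code) that fills the placeholders of the template above the way a script would before handing the result to ldapadd, and refuses to call a result complete while any placeholder such as an unanswered <ask> is still present. The template text, the render_template and ldif_is_complete function names, and the positional arguments are assumptions for this example; SUFFIX and USUFFIX default to the values from ldapscripts.conf on this page.

```shell
#!/usr/bin/env bash
# Added example: fill the <user>/<uid>/<gid>/<home>/<shell>/<ask> placeholders of an
# ldapadduser template. Not ldapscripts' own implementation.
set -u

# Constructed sample template, using the same placeholders as the page's example.
TEMPLATE='dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
cn: <user>
sn: <ask>
uid: <user>
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: <home>
loginShell: <shell>
gecos: <user>
description: User account
title: Employee'

# Escape a value for the right-hand side of a sed "s|...|...|g" expression.
sed_escape() { printf '%s' "$1" | sed 's/[&|\\]/\\&/g'; }

# render_template USER UID GID HOME SHELL [SN]
# SN answers the <ask> placeholder; if omitted and stdin is a terminal, prompt for it.
render_template() {
  local user=$1 uid=$2 gid=$3 home=$4 shell=$5 sn=${6:-}
  local suffix=${SUFFIX:-dc=example,dc=com} usuffix=${USUFFIX:-ou=People}
  if [ -z "$sn" ] && [ -t 0 ]; then printf 'sn: ' >&2; read -r sn; fi
  # Leave <ask> untouched when still unanswered so ldif_is_complete rejects the output.
  : "${sn:=<ask>}"
  printf '%s\n' "$TEMPLATE" | sed \
    -e "s|<user>|$(sed_escape "$user")|g" \
    -e "s|<uid>|$(sed_escape "$uid")|g" \
    -e "s|<gid>|$(sed_escape "$gid")|g" \
    -e "s|<home>|$(sed_escape "$home")|g" \
    -e "s|<shell>|$(sed_escape "$shell")|g" \
    -e "s|<suffix>|$(sed_escape "$suffix")|g" \
    -e "s|<usuffix>|$(sed_escape "$usuffix")|g" \
    -e "s|<ask>|$(sed_escape "$sn")|g"
}

# ldif_is_complete LDIF: succeed only if no <placeholder> survived substitution.
ldif_is_complete() {
  ! printf '%s\n' "$1" | grep -q '<[a-z]*>'
}
```

Running render_template george 10001 10001 /home/george /bin/bash Carlin yields the LDIF for uid=george,ou=People,dc=example,dc=com with sn: Carlin, which is what ldapadduser would submit.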

There are utilities in the package that were not covered here. This command will output a list:

dpkg -L ldapscripts | grep /usr/sbin
