LDAP workstation authentication
Once you have a working LDAP server, you will need to install libraries on the client that know how and when to contact it. On Ubuntu, this has traditionally been accomplished by installing the libnss-ldap package, but nowadays you should use the System Security Services Daemon (SSSD). Please refer to SSSD and LDAP for more details.
User and group management - ldapscripts
Another very common use case for an LDAP server is to store Unix user and group information in the directory. There are many tools out there, but usually big deployments will have developed their own. Here we will briefly show how to use the ldapscripts package for a quick and easy way to start storing user and group information in OpenLDAP.
Install the package
You can install ldapscripts by running the following command:
sudo apt install ldapscripts
Then edit the file /etc/ldapscripts/ldapscripts.conf to arrive at something similar to the following:
SERVER=ldap://ldap01.example.com
LDAPBINOPTS="-ZZ"
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
Note:
- Adjust SERVER and the related SUFFIX options to suit your directory structure.
- We are forcing START_TLS usage here (the -ZZ parameter makes the LDAP tools require a successful StartTLS negotiation before binding, so the admin password is never sent in the clear). Please refer to LDAP with TLS for details on how to set up the server with TLS support.
Store the cn=admin password in the /etc/ldapscripts/ldapscripts.passwd file and make sure it is only readable by the local root user:
sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd
The scripts are now ready to help manage your directory.
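As an added check that is not part of the ldapscripts package or the Ubuntu documentation, the following POSIX shell function reads an ldapscripts.conf and reports whether the two settings above actually hold: TLS is enforced (an ldaps:// URI, or -ZZ in LDAPBINOPTS) and the bind-password file is not group- or world-readable. It assumes simple KEY=VALUE or KEY="VALUE" lines as in the example config, and GNU stat as shipped on Ubuntu.

```shell
#!/bin/sh
# Added check (not from the ldapscripts package or the Ubuntu docs).
# Assumes simple KEY=VALUE or KEY="VALUE" lines, as in the config above,
# and GNU stat (as shipped on Ubuntu).

# Print the last value set for KEY ($2) in config file ($1), quotes stripped.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed "s/^['\"]//; s/['\"]\$//"
}

# Return 0 only when the config forces TLS (ldaps:// URI, or -ZZ in
# LDAPBINOPTS so StartTLS must succeed before the bind) and the cn=admin
# password file exists with no group/other permission bits set.
check_ldapscripts_conf() {
    conf="$1"
    server=$(conf_get "$conf" SERVER)
    binopts=$(conf_get "$conf" LDAPBINOPTS)
    pwfile=$(conf_get "$conf" BINDPWDFILE)
    rc=0
    case "$server" in
        ldaps://*) ;;                       # LDAP over TLS from the start
        *) case " $binopts " in
               *" -ZZ "*) ;;                # StartTLS is required
               *) echo "WARN: $server without -ZZ: bind password would cross the wire in the clear" >&2
                  rc=1 ;;
           esac ;;
    esac
    if [ ! -f "$pwfile" ]; then
        echo "WARN: bind password file '$pwfile' is missing" >&2
        rc=1
    else
        mode=$(stat -c %a "$pwfile")
        case "$mode" in
            *00) ;;                         # e.g. 400 or 600: owner only
            *) echo "WARN: $pwfile is mode $mode; run: chmod 400 $pwfile" >&2
               rc=1 ;;
        esac
    fi
    return $rc
}

# Usage: check_ldapscripts_conf /etc/ldapscripts/ldapscripts.conf && echo "config OK"
```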
Examples – how to use the scripts
Create a new user
sudo ldapaddgroup george
sudo ldapadduser george george
This will create a group and user with name george and set the user’s primary group (gid) to george.
Change a user’s password
$ sudo ldapsetpasswd george
Changing password for user uid=george,ou=People,dc=example,dc=com
New Password:
Retype New Password:
Successfully set password for user uid=george,ou=People,dc=example,dc=com
Delete a user
sudo ldapdeleteuser george
Note that this won’t delete the user’s primary group, but will remove the user from supplementary ones.
Add a group
sudo ldapaddgroup qa
Delete a group
sudo ldapdeletegroup qa
Add a user to a group
sudo ldapaddusertogroup george qa
You should now see a memberUid attribute for the qa group with a value of george.
Remove a user from a group
sudo ldapdeleteuserfromgroup george qa
The memberUid attribute should now be removed from the qa group.
The ldapmodifyuser script
This script allows you to add, remove, or replace a user's attributes. The script uses the same syntax as the ldapmodify utility. For example:
sudo ldapmodifyuser george
# About to modify the following entry :
dn: uid=george,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: george
uid: george
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/george
loginShell: /bin/bash
gecos: george
description: User account
userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=
# Enter your modifications here, end with CTRL-D.
dn: uid=george,ou=People,dc=example,dc=com
replace: gecos
gecos: George Carlin
The user’s gecos should now be “George Carlin”.
ldapscripts templates
A nice feature of ldapscripts is the template system. Templates allow you to customise the attributes of user, group, and machine objects. For example, to enable the user template, edit /etc/ldapscripts/ldapscripts.conf by changing:
UTEMPLATE="/etc/ldapscripts/ldapadduser.template"
There are sample templates in the /usr/share/doc/ldapscripts/examples directory. Copy or rename the ldapadduser.template.sample file to /etc/ldapscripts/ldapadduser.template:
sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \
/etc/ldapscripts/ldapadduser.template
Edit the new template to add the desired attributes. The following will create new users with an objectClass of inetOrgPerson:
dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
cn: <user>
sn: <ask>
uid: <user>
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: <home>
loginShell: <shell>
gecos: <user>
description: User account
title: Employee
Notice the <ask> option used for the sn attribute. This will make ldapadduser prompt you for its value.
There are utilities in the package that were not covered here. This command will output a list of them:
dpkg -L ldapscripts | grep /usr/sbin