How to set up LDAP users and groups
Once you have a working LDAP server, you will need to install libraries on the client that know how and when to contact it. On Ubuntu, this was traditionally done by installing the libnss-ldap package, but nowadays you should use the System Security Services Daemon (SSSD). To find out how to use LDAP with SSSD, refer to our SSSD and LDAP guide.
User and group management - ldapscripts
A common use case for an LDAP server is to store Unix user and group information in the directory. There are many tools out there, and big deployments will usually develop their own. However, as a quick and easy way to get started storing user and group information in OpenLDAP, you can use the ldapscripts package.
Install ldapscripts
You can install ldapscripts by running the following command:
sudo apt install ldapscripts
Then edit the file /etc/ldapscripts/ldapscripts.conf to arrive at something similar to the following:
SERVER=ldap://ldap01.example.com
LDAPBINOPTS="-ZZ"
BINDDN='cn=admin,dc=example,dc=com'
BINDPWDFILE="/etc/ldapscripts/ldapscripts.passwd"
SUFFIX='dc=example,dc=com'
GSUFFIX='ou=Groups'
USUFFIX='ou=People'
MSUFFIX='ou=Computers'
Notes:
- Adjust SERVER and related SUFFIX options to suit your directory structure.
- Here, we are forcing use of START_TLS (
-ZZparameter). Refer to LDAP with TLS to learn how to set up the server with TLS support.
Store the cn=admin password in the /etc/ldapscripts/ldapscripts.passwd file and make sure it’s only readable by the root local user:
sudo chmod 400 /etc/ldapscripts/ldapscripts.passwd
The scripts are now ready to help manage your directory.
Manage users and groups with ldapscripts
Here are some brief examples you can use to manage users and groups using ldapscripts.
Create a new user
sudo ldapaddgroup george
sudo ldapadduser george george
This will create a group and user with name “george” and set the user’s primary group (gid) to “george” as well.
Change a user’s password
$ sudo ldapsetpasswd george
Changing password for user uid=george,ou=People,dc=example,dc=com
New Password:
Retype New Password:
Successfully set password for user uid=george,ou=People,dc=example,dc=com
Delete a user
sudo ldapdeleteuser george
Note that this won’t delete the user’s primary group, but will remove the user from supplementary ones.
Add a group
sudo ldapaddgroup qa
Delete a group
sudo ldapdeletegroup qa
Add a user to a group
sudo ldapaddusertogroup george qa
You should now see a memberUid attribute for the “qa” group with a value of “george”.
Remove a user from a group
sudo ldapdeleteuserfromgroup george qa
The memberUid attribute should now be removed from the “qa” group.
Manage user attributes with ldapmodifyuser
The ldapmodifyuser script allows you to add, remove, or replace a user's attributes. The script uses the same syntax as the ldapmodify` utility. For example:
sudo ldapmodifyuser george
# About to modify the following entry :
dn: uid=george,ou=People,dc=example,dc=com
objectClass: account
objectClass: posixAccount
cn: george
uid: george
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/george
loginShell: /bin/bash
gecos: george
description: User account
userPassword:: e1NTSEF9eXFsTFcyWlhwWkF1eGUybVdFWHZKRzJVMjFTSG9vcHk=
# Enter your modifications here, end with CTRL-D.
dn: uid=george,ou=People,dc=example,dc=com
replace: gecos
gecos: George Carlin
The user’s gecos should now be “George Carlin”.
ldapscripts templates
A nice feature of ldapscripts is the template system. Templates allow you to customise the attributes of user, group, and machine objects. For example, to enable the user template, edit /etc/ldapscripts/ldapscripts.conf by changing:
UTEMPLATE="/etc/ldapscripts/ldapadduser.template"
There are sample templates in the /usr/share/doc/ldapscripts/examples directory. Copy or rename the ldapadduser.template.sample file to /etc/ldapscripts/ldapadduser.template:
sudo cp /usr/share/doc/ldapscripts/examples/ldapadduser.template.sample \
/etc/ldapscripts/ldapadduser.template
Edit the new template to add the desired attributes. The following will create new users with an objectClass of “inetOrgPerson”:
dn: uid=<user>,<usuffix>,<suffix>
objectClass: inetOrgPerson
objectClass: posixAccount
cn: <user>
sn: <ask>
uid: <user>
uidNumber: <uid>
gidNumber: <gid>
homeDirectory: <home>
loginShell: <shell>
gecos: <user>
description: User account
title: Employee
Notice the <ask> option used for the sn attribute. This will make ldapadduser prompt you for its value.
There are utilities in the package that were not covered here. This command will output a list of them:
dpkg -L ldapscripts | grep /usr/sbin
Next steps
Now that you know how to set up and modify users and groups, you may wish to learn more about how access control works. If you’re already familiar with this topic, it’s a good idea to secure your LDAP communication by setting up Transport Layer Security (TLS).