To add something to the LDAP directory, you need to first create a LDIF file.
The ldif file should contain definitions for all attributes that are required for the entries that you want to create.
With this ldif file, you can use ldapadd command to import the entries into the directory as explained in this tutorial.
If you are new to OpenLDAP, you should first install OpenLDAP on your system.
Create a LDIF file for New User
The following is a sample LDIF file that will be used to create a new user.
# cat adam.ldif dn: uid=adam,ou=users,dc=tgs,dc=com objectClass: top objectClass: account objectClass: posixAccount objectClass: shadowAccount cn: adam uid: adam uidNumber: 16859 gidNumber: 100 homeDirectory: /home/adam loginShell: /bin/bash gecos: adam userPassword: {crypt}x shadowLastChange: 0 shadowMax: 0 shadowWarning: 0
Add a LDAP User using ldapadd
Now, use ldapadd command and the above ldif file to create a new user called adam in our OpenLDAP directory as shown below:
# ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f adam.ldif Enter LDAP Password: adding new entry "uid=adam,ou=users,dc=tgs,dc=com"
Assign Password to LDAP User
To set the password for the LDAP user we just created above, use ldappasswd command as shown in the below example:
# ldappasswd -s welcome123 -W -D "cn=ramesh,dc=tgs,dc=com" -x "uid=adam,ou=users,dc=tgs,dc=com" Enter LDAP Password:
In the above command:
- -s specify the password for the username entry
- -x The username entry for which the password is changed
- -D specify your DN here. i.e Distinguished name to authenticate in the server
Create LDIF file for New Group
Similar to adding user, you’ll also need a ldif file to add a group.
To add a new group to the LDAP groups OU, you need to create a LDIF with the group information as shown in the example ldif file below.
# cat group1.ldif dn: cn=dbagrp,ou=groups,dc=tgs,dc=com objectClass: top objectClass: posixGroup gidNumber: 678
Add a LDAP Group using ldapadd
Just like adding user, use ldapadd command to add the group from the group1.ldif file that we created above.
# ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f group1.ldif Enter LDAP Password: adding new entry "cn=dbagrp,ou=groups,dc=tgs,dc=com"
Create LDIF file for an existing Group
To add an existing user to a group, we should still create an ldif file.
First, create an ldif file. In this example, I am adding the user adam to the dbagrp (group id: 678)
# cat file1.ldif dn: cn=dbagrp,ou=groups,dc=tgs,dc=com changetype: modify add: memberuid memberuid: adam
Add an User to an existing Group using ldapmodify
To add an user to an existing group, we’ll be using ldapmodify. This example will use the above LDIF file to add user adam to dbagrp.
# ldapmodify -x -W -D "cn=ramesh,dc=tgs,dc=com" -f file1.ldif Enter LDAP Password: modifying entry "cn=dbagrp,ou=groups,dc=tgs,dc=com"
Verify LDAP Entries
Once you’ve added an user or group, you can use ldapsearch to verify it.
Here is a simple example to verify if the users exists in the LDAP database:
# ldapsearch -x -W -D "cn=ramesh,dc=tgs,dc=com" -b "uid=adam,ou=users,dc=tgs,dc=com" "(objectclass=*)" Enter LDAP Password: # extended LDIF # # LDAPv3 # base <uid=adam,ou=users,dc=tgs,dc=com> with scope subtree # filter: (objectclass=*) # requesting: ALL # # adam, users, tgs.com dn: uid=adam,ou=users,dc=tgs,dc=com objectClass: top objectClass: account objectClass: posixAccount objectClass: shadowAccount cn: adam uid: adam uidNumber: 16859 gidNumber: 100 homeDirectory: /home/adam loginShell: /bin/bash gecos: adam shadowLastChange: 0 shadowMax: 0 shadowWarning: 0 userPassword:: e1NTSEF9b0lPd3AzYTBmT2xQcHBPNDcrK0VHRndEUjdMV2hSZ2U= # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1
Delete an Entry from LDAP using ldapdelete
If you’ve made a mistake while adding an user or group, you can remove the entry using ldapdelete.
To delete an entry, you don’t need to create an ldif file. The following will delete user “adam” that we created earlier.
# ldapdelete -W -D "cn=ramesh,dc=tgs,dc=com" "uid=adam,ou=users,dc=tgs,dc=com" Enter LDAP Password:
Comments on this entry are closed.
Thnx a lot. I have waited for this since the first part.
Dear Sir,
This is kiran sir, I already contact with gmail.My request could you please post a ldap migration from on server to another it is also important
do you have tutorial on how to understand structure of ldap? it is hard to understand the cn and ou and other tags
Dear Sir,
Please continue your next openldap article. It is very simple and interesting. Show us how to authenticate users via nfs and how use phpldapadmin utility. Above you have showed how to add user adam to directory-I am confusing here. should we use useradd command to create a user before adding user to directory? Kindly continue…
With best wishes
Venkatesh
Bangalore
Hi Ramesh!
Many many thanks for your OpenLDAP article. I am very new to Openldap. I was searching this type of basic article. I found many and old-requires previous versions of centos or redhat systems and requires previous knowledge about ldap. Yours is very basic and following step by step. As I told I am very new to openldap, I am facing lot of problems and no-one around me to solve the basic doubts. I have a small doubt, please guide me.
in your above “How to Add LDAP Users and Groups in OpenLDAP on Linux” article, ‘Add a LDAP User using ldapadd ‘ section, should we create a ‘adam user’ by using useradd command before running the command->
ldapadd -x -W -D “cn=ramesh,dc=tgs,dc=com” -f adam.ldif ?
because after running above command, I am not finding a adam directory in /home directory.
Please clarify. I am eagerly waiting for your reply..
Sorry for the grammatical errors.
Thanks
Venkatesh
India
First of all thumbs on both this and the previous article!
I’m getting very confused with setting this up. I’ve got the following user
[root@localhost ldap]# ldapadd -x -W -D “cn=gmullin,dc=lava,dc=com” -f newusers.ldif
Enter LDAP Password:
adding new entry “uid=hduser,ou=users,dc=lava,dc=com”
ldap_add: Invalid syntax (21)
additional info: objectClass: value #1 invalid per syntax
[root@localhost ldap]# cat newusers.ldif
dn: uid=hduser,ou=users,dc=lava,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: hduser
uid: hduser
uidNumber: 16860
gidNumber: 100
homeDirectory: /home/hduser
loginShell: /bin/bash
gecos: hduser
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
After a quick Google, I’m told I need to load my schema (how come yours is already loaded?), with something like the following:
ldapadd -Y EXTERNAL -H ldapi:// -f /usr/local/etc/openldap/schema/nis.ldif
How do I get the appropriate schema for this article?
Help is greatly appreciated!
Hello Ramesh,
Very very good tutorial. Thanks !
I am sure that it will be suitable for a lot of people. but i think there is a little mistake with the option of ldapadd.
indeed, you should use -l and not -f when you use ldapadd, as the manual says it :
SLAPADD(8)
/usr/sbin/slapadd [-b suffix] [-c] [-d debug-level] [-f slapd.conf] [-F confdir] [-g] [-j lineno] [-l ldif-file] [-n dbnum] [-o option[=value]] [-q] [-s] [-S SID] [-u] [-v] [-w]
Hope it will be useful ! 😉
MaxiReglisse.
Question. In our dev environment I need to add many test dummy accounts in order to test the impact on our system. How can I go about adding in 20k, 50, 100k users into OpenLdap? Do I really have to have to build a custom JAVA project that calls the add command that many times or is there another way to get this job done?
Do we need to add group and users in *nix systems before creating and executing add-user.ldif file LDAP
how to create sub-ou in ldap