
Using Openldap: Doc. V. Rc0.1 - 2/06/09

This document provides an overview of using OpenLDAP to manage a directory service. It describes the basic components of OpenLDAP including daemons, clients, and utilities. It then discusses common directory operations like searching, adding/modifying/deleting records, and authentication from both the server and client sides. Specific OpenLDAP daemons and tools are explained in detail.

Using OpenLDAP
Doc. v. rc0.1 - 2/06/09

Wildan Maulana | wildan [at] tobethink.com

About Me
- Freelance Consultant - Software Developer System Integrator
- Founder of OpenThink Labs
- OSS Evangelist
- Main Developer of OpenThink SAS

More Info:
- Blog: http://wildanm.wordpress.com
- Y!: hawking(123
- Gtalk: wildan.m
- Mobile Phone: ,-*./..0122*02

Overview
- The basic functional division of the OpenLDAP tools: daemons, clients, and utilities
- The basic directory server operations
- Building an initial directory tree in an LDIF file
- Loading the data into the directory
- Working with the directory records
- Searching the directory
- Setting passwords and authenticating against the directory

A Brief Survey of the LDAP Suite

- Daemon
- Libraries
- Clients
- Utilities

LDAP from the Server Side

- SLAPD
- The Binding Operation
- The Search Operation
- More Operations: Additions, Modifications, and Deletions
- Infrequent Operations
- SLAPD Summary
- SLURPD: special daemon for replicating directories (deprecated)

SLAPD
The SLAPD server handles all client interactions, including authentication (called binding in LDAP parlance), processing ACLs, performing searches, and handling changes, additions, and deletions of the data. It also manages the databases that store LDAP content.

The Binding Operation
Typically, there are two different ways by which a client can authenticate to a server: through a Simple Bind, and through an SASL Bind. Typically, to authenticate a user, SLAPD looks up the DN (and the DN's userPassword attribute) in the directory and verifies the following:
1. The supplied DN exists in the directory.
2. The DN is allowed to connect under the present conditions (such as from the originating IP address, or with the currently-implemented security features).
3. The password supplied matches the value of the DN's userPassword attribute.

The Search Operation
In order to search the directory we need to know the following things:
- Base DN: Where in the directory to start from
- Scope: How deep in the tree to look
- Attributes: What information we want retrieved
- Filter: What to look for

Example: Bob wants to get a list of all of the people in his organization, Example.Com, who have email addresses that begin with the letter m.

The Search Operation #2
We have:
- Base DN: dc=example,dc=com
- Scope: Entire subtree
- Attributes: mail, cn, telephoneNumber
- The Search filter: (mail=m*)

This simple filter is composed of four parts:
- First, the filter is enclosed in parentheses. Parentheses are used for grouping elements within the filter. For any filter, the entire filter should always be enclosed in parentheses.
- Second, the filter begins with an attribute description: mail.
- Third is the matching rule. There are four matching rules: equality (=), approximate match (~=), greater than or equal to (>=), and less than or equal to (<=). How these are used (and whether they can be used) is determined to a large degree by the directory schema. In this case the filter performs string matching.
- Finally, we have the assertion value: the string or pattern that we want results to match. In this case it is composed of the character m and the wildcard character (*). This indicates that the string must start with m, and can then have zero or more characters following it.

The Search Operation #3: More Filter Example

Bob wants to restrict the list to only people whose offices have room numbers of 300 or above:

    (&(|(mail=m*)(mail=n*))(roomNumber>=300))
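
The filter structure described above, as an added example that is not part of the original slides: a small Python parser and evaluator that reads a filter in the form shown (it also accepts \XX escapes for literal characters) and applies it to constructed entries modelled on this deck's user records. The user nina, the function names and the integer handling of >= are assumptions of this example.

```python
import re

# Constructed sample entries modelled on this deck's user records.
# "nina" is a hypothetical user added so the (mail=n*) branch has a hit.
ENTRIES = {
    "uid=matt,ou=Users,dc=example,dc=com": {
        "mail": ["mbutcher@example.com", "matt@example.com"], "roomNumber": ["301"]},
    "uid=barbara,ou=Users,dc=example,dc=com": {
        "mail": ["barbara@example.com"]},
    "uid=nina,ou=Users,dc=example,dc=com": {
        "mail": ["nina@example.com"], "roomNumber": ["214"]},
}

# attribute description, matching rule, assertion value
ITEM = re.compile(r"([A-Za-z][A-Za-z0-9;-]*)(~=|>=|<=|=)(.*)", re.DOTALL)

def parse(text, i=0, top=True):
    """Parse the filter that starts at text[i]; return (tree, next index)."""
    if text[i:i + 1] != "(":
        raise ValueError("filter must be enclosed in parentheses (offset %d)" % i)
    i += 1
    if text[i:i + 1] in ("&", "|", "!"):          # grouping: AND, OR, NOT
        op, children = text[i], []
        i += 1
        while text[i:i + 1] == "(":
            child, i = parse(text, i, top=False)
            children.append(child)
        if text[i:i + 1] != ")" or not children:
            raise ValueError("malformed %s group (offset %d)" % (op, i))
        node, i = (op, children), i + 1
    else:                                          # a single filter item
        end = text.find(")", i)
        match = ITEM.fullmatch(text[i:end]) if end != -1 else None
        if not match:
            raise ValueError("malformed filter item (offset %d)" % i)
        node, i = ("item",) + match.groups(), end + 1
    if top and i != len(text):
        raise ValueError("trailing data after filter")
    return node, i

def unescape(piece):
    r"""Decode \XX escapes, e.g. \2a for a literal asterisk."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), piece)

def item_matches(op, assertion, values):
    if op in (">=", "<="):
        # Assumption: compare as integers. A real server applies the ordering
        # rule the schema defines for the attribute, if it defines one.
        try:
            want, have = int(assertion), [int(v) for v in values]
        except ValueError:
            return False
        return any(n >= want if op == ">=" else n <= want for n in have)
    # "=" with "*" is a substring match; "~=" is treated like "=" here.
    pieces = [re.escape(unescape(p)) for p in assertion.split("*")]
    pattern = re.compile(".*".join(pieces), re.IGNORECASE | re.DOTALL)
    return any(pattern.fullmatch(v) for v in values)

def evaluate(node, attrs):
    if node[0] == "&":
        return all(evaluate(c, attrs) for c in node[1])
    if node[0] == "|":
        return any(evaluate(c, attrs) for c in node[1])
    if node[0] == "!":
        return not evaluate(node[1][0], attrs)
    _, name, op, assertion = node
    # Attribute names are matched case-insensitively.
    values = [v for k, vs in attrs.items() if k.lower() == name.lower() for v in vs]
    return item_matches(op, assertion, values)

def search(filter_text, entries=ENTRIES):
    tree, _ = parse(filter_text)
    return [dn for dn, attrs in entries.items() if evaluate(tree, attrs)]
```

A filter that is not wrapped in parentheses is rejected with ValueError rather than guessed at, which matches the rule that the entire filter must always be enclosed.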

More Operation: Additions, Modifications, and Deletions

In our illustration of Bob's search for email addresses we covered only binding and searching. Of course, LDAP supports adding, modifying, and deleting, as well. All three of these also require that the user first bind. And all three of these are also subject to ACL restrictions.

The Addition Operation
An entire record for a user to be added might look something like this:

    dn: uid=bjensen,dc=example,dc=com
    cn: Barbara Jensen
    mail: bjensen@example.com
    uid: bjensen
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson

The Modification Operation
Modification acts on a particular record, specified by DN. Any number of changes can be done on a single record in one modification request.
- An add request
- A replace request
- A delete request

The Delete Operation
Finally, an entire LDAP record can be deleted. Like modifications, deletion operates on a particular record, identified by the record's DN. During a delete operation, the entire record is removed from the directory: the DN and all attributes. Only records that do not have children can be deleted from the directory. If an entry has children, the children must be removed from the directory (or relocated to another part of the tree) before the parent entry can be removed.

Infrequent Operations
- ModifyDN
- Compare
- Extended Operation

ModifyDN

The ModifyDN operation provides a way to change just the RDN or the entire DN. Changing the latter equates to moving the record to another part of the directory tree.

The Compare Operation
A Compare operation takes a DN and an attribute value assertion (attribute = value), and checks to see if that attribute assertion is true or false. For example, if the client supplies the DN cn=Matt,dc=example,dc=com and the attribute value assertion cn=Matthew, then the server will return true if the record has an attribute cn with the value Matthew, or false otherwise. This operation can be faster (and also more secure) than fetching a record and doing the comparison on the client side.

The Extended Operation
Finally, OpenLDAP implements the LDAP v.3 Extended Operation, which makes it possible for a server to implement custom operations. The exact syntax of an Extended Operation will depend on the implementation of the extension. The supported Extended Operations are listed in the root DSE under the supportedExtension attribute. Take a look at the root DSE at the end of Slide #2. In that record there are two extended operations:
- 1.3.6.1.4.1.4203.1.11.1: This Modify Password extension is defined in RFC 3062 (http://www.rfc-editor.org/rfc/rfc3062.txt). This extension provides an operation for updating a password in the directory.
- 1.3.6.1.4.1.4203.1.11.3: This Who Am I? extension is defined in RFC 4532 (http://www.rfc-editor.org/rfc/rfc4532.txt). This extension makes it possible for the currently active DN to find out about itself from the server.

SLAPD Summary

SLURPD

Creating Directory Data

- The LDIF File Format
- Anatomy of an LDIF File
- Representing Attribute Values in LDIF
- Example.Com in LDIF
- Defining the Base DN Record
- Structuring the Directory with Organizational Units
- Adding User Records
- Adding System Records
- Adding Group Records
- The Complete LDIF File

The LDIF File Format

    dn: uid=bjensen,dc=example,dc=com
    cn: Barbara Jensen
    mail: bjensen@example.com
    uid: bjensen
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson

This format is the standard way of representing LDAP directory entries in a text file. It is an example of a record written in the LDAP Data Interchange Format (LDIF), version 1. The LDIF standard defines a file format not only for representing the contents of a directory, but for representing certain LDAP operations, such as additions, changes, and deletions. In the section on the ldapmodify client, we will use LDIF to specify changes to records in the directory server, but right now we are interested in creating a file that represents the contents of our directory.

Anatomy of an LDIF File

Records are separated by empty lines, and each record must begin with a DN:

    # First Document: "On Liberty" by J.S. Mill
    dn: documentIdentifier=001,dc=example,dc=com
    documentIdentifier: 001
    documentTitle: On Liberty
    documentAuthor: cn=John Stuart Mill,dc=example,dc=com
    objectClass: document
    objectClass: top

    # Second Document: "Treatise on Human Nature" by David Hume
    dn: documentIdentifier=002,dc=example,dc=com
    documentIdentifier: 002
    documentTitle: Treatise on Human Nature
    documentAuthor: cn=David Hume,dc=example,dc=com
    objectClass: document
    objectClass: top

The Document Object Class

LDAP directories can model a variety of different types of objects. The document object class, used in the previous example, represents documents (such as books, papers, and manuals) in the directory. The schema for the document object class and the related documentSeries object class is contained in cosine.schema and defined in section 3.2 of RFC 4524 (ftp://ftp.rfc-editor.org/innotes/rfc4524.txt). Let's look at the list of attributes for the document and documentSeries object classes:

Representing Attribute Values in LDIF

    dn: documentIdentifier=003,dc=example,dc=com
    documentIdentifier: 003
    documentTitle: An essay on the nature and conduct of the passions and affections with illustrations on the moral sense.
    documentAuthor: cn=Francis Hutchison,dc=example,dc=com
    objectClass: document
    objectClass: top

    dn: documentIdentifier=004,dc=example,dc=com
    documentIdentifier: 004
    documentTitle:: bW9uYWRvbG9neQ==
    documentAuthor: cn=G. W. Leibniz,dc=example,dc=com
    objectClass: document
    objectClass: top

    dn: documentIdentifier=005,dc=example,dc=com
    documentIdentifier: 005
    documentTitle: Essays in Pragmatism
    documentAuthor: cn=William James,dc=example,dc=com
    description:< file:///home/mbutcher/long-description.txt
    objectClass: document
    objectClass: top

Representing Attribute Values in LDIF

    dn: documentIdentifier=006,dc=example,dc=com
    documentIdentifier: 006
    documentTitle;lang-en: On Generation and Corruption
    documentTitle;lang-la: De Generatione et Corruptione
    documentAuthor: cn=Aristotle,dc=example,dc=com
    objectClass: document
    objectClass: top
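
The value forms shown in these records, as an added example that is not part of the original slides: a Python reader for LDIF content records that handles comments, blank-line record separation, Base64 (::) values, URL (:<) values and attribute options such as ;lang-en. The sample text is constructed from the records above; the function names, the UrlRef type and the folded continuation line in the sample (an RFC 2849 rule the slides do not cover) are additions of this example.

```python
import base64
from collections import namedtuple

# A ":<" value names a URL. This reader records the URL and never fetches it:
# a loader that follows file: URLs reads local files with its own privileges.
UrlRef = namedtuple("UrlRef", "url")

# Constructed sample, built from the document records shown above.
SAMPLE = """\
# Title stored as Base64
dn: documentIdentifier=004,dc=example,dc=com
documentIdentifier: 004
documentTitle:: bW9uYWRvbG9neQ==
objectClass: document
objectClass: top

dn: documentIdentifier=005,dc=example,dc=com
documentTitle: Essays in Pragmatism
description:< file:///home/mbutcher/long-description.txt
objectClass: document

dn: documentIdentifier=006,dc=example,dc=com
documentTitle;lang-en: On Generation and Corruption
documentTitle;lang-la: De Generatione et
  Corruptione
objectClass: document
"""

def unfold(text):
    """Join continuation lines: a line starting with one space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def decode_value(rest):
    """Turn the text after the first colon into a str or a UrlRef."""
    if rest.startswith(":"):                      # "::" marks Base64
        return base64.b64decode(rest[1:].strip(), validate=True).decode("utf-8")
    if rest.startswith("<"):                      # ":<" marks a URL
        return UrlRef(rest[1:].strip())
    return rest.lstrip(" ")

def parse_ldif(text):
    """Return a list of {"dn": ..., "attrs": {description: [values]}} records."""
    records, current = [], None
    for line in unfold(text) + [""]:              # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():                      # an empty line ends a record
            if current is not None:
                records.append(current)
            current = None
            continue
        name, colon, rest = line.partition(":")
        if not colon:
            raise ValueError("not an attribute line: %r" % line)
        if current is None:
            if name.lower() != "dn":
                raise ValueError("record must begin with a DN: %r" % line)
            current = {"dn": decode_value(rest), "attrs": {}}
        else:
            current["attrs"].setdefault(name, []).append(decode_value(rest))
    return records

def values(record, attribute):
    """All values of an attribute, whatever options (such as ;lang-en) they carry."""
    return [v for desc, vals in record["attrs"].items()
            if desc.split(";")[0].lower() == attribute.lower() for v in vals]
```

Keeping the :< value as an unfetched reference lets a reviewer see which local paths an LDIF file would pull in before it is handed to a tool that does read them.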

Example.com LDIF
There are two popular ways of defining the roots of an organizational directory tree. The first is to create a root entry that indicates the official name of the organization and the geographic location (usually just the country) of the organization. Here are a few examples:

    o=Airius Ltd.,c=UK
    o=Acme GmbH,c=DE
    o=Example.Com,c=US

In each of these three examples, o represents the organization name, and c is the two-character country code. The second popular model is to use the organization's domain name. For example, if the company Airius has registered the airius.co.uk domain name, then the root DN would be composed of three domain component (dc) attributes:

    dc=airius,dc=co,dc=uk
    dc=acme,dc=de
    dc=example,dc=com

Defining the Base DN Record

Our base DN looks like this:

    dn: dc=example,dc=com
    description: Example.Com, your trusted non-existent corporation.
    dc: example
    o: Example.Com
    objectClass: top
    objectClass: dcObject
    objectClass: organization

Handling Requests for Records Outside the Directory Tree

What if a search request comes into our Example.Com directory for dc=com? Or what if we get a request for dc=otherExample,dc=com? These are records not expected to be in our directory. Using the referral directive in the slapd.conf file, you can direct requests of this sort to another server that might prove more authoritative on the matter. The syntax for the directive is referral <ldap URL>, for example:

    referral ldap://root.openldap.org

Structuring the Directory with Organizational Units

OpenLDAP does not provide a default OU subtree structure, so you will need to create your own. This can be done in many ways, but here we will see the two prominent theories of how OUs should be structured.

Theory 1: Directory as Organizational Chart

Theory 2: Directory as IT Service

Expressing the OUs in LDIF

Now we are ready to write out our chosen OUs in LDIF. We will create three OUs (Users, Groups, and System) as follows:

    # Subtree for users
    dn: ou=Users,dc=example,dc=com
    ou: Users
    description: Example.Com Users
    objectClass: organizationalUnit

    # Subtree for groups
    dn: ou=Groups,dc=example,dc=com
    ou: Groups
    description: Example.Com Groups
    objectClass: organizationalUnit

    # Subtree for system accounts
    dn: ou=System,dc=example,dc=com
    ou: System
    description: Special accounts used by software applications.
    objectClass: organizationalUnit

With our OUs in place we are ready to add a third tier to our directory tree. Before we start creating individual records let's get an overview of what this next tier will look like. Here is the directory tree structure with a group, a system account, and a pair of users:

Adding User Records

    # Barbara Jensen:
    dn: uid=barbara,ou=Users,dc=example,dc=com
    ou: Users
    uid: Barbara
    sn: Jensen
    cn: Barbara Jensen
    givenName: Barbara
    displayName: Barbara Jensen
    mail: barbara@example.com
    userPassword: secret
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson

Adding User Records

An inetOrgPerson record that utilizes more of the available attributes might look like this:

    # Matt Butcher
    dn: uid=matt,ou=Users,dc=example,dc=com
    ou: Users
    # Name info:
    uid: Matt
    cn: Matt Butcher
    sn: Butcher
    givenName: Matt
    givenName: Matthew
    displayName: Matt Butcher
    # Work Info:
    title: Systems Integrator
    description: Systems Integration and IT for Example.Com
    employeeType: Employee
    departmentNumber: 001
    employeeNumber: 001-08-98
    mail: mbutcher@example.com
    mail: matt@example.com
    roomNumber: 301
    telephoneNumber: +1 555 555 4321
    mobile: +1 555 555 6789
    st: Illinois
    l: Chicago
    street: 1234 Cicero Ave.
    # Home Info:
    homePhone: +1 555 555 9876
    homePostalAddress: 1234 home street $ Chicago, IL $ 60699-1234
    # Misc:
    userPassword: secret
    preferredLanguage: en-us,en-gb
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson

Adding System Records

    # Special Account for Authentication:
    dn: uid=authenticate,ou=System,dc=example,dc=com
    uid: authenticate
    ou: System
    description: Special account for authenticating users
    userPassword: secret
    objectClass: account
    objectClass: simpleSecurityObject

Adding Group Records

    # LDAP Admin Group:
    dn: cn=LDAP Admins,ou=Groups,dc=example,dc=com
    cn: LDAP Admins
    ou: Groups
    description: Users who are LDAP administrators
    uniqueMember: uid=barbara,dc=example,dc=com
    uniqueMember: uid=matt,dc=example,dc=com
    objectClass: groupOfUniqueNames

What Kind of Group Should I Use?

How do you decide whether to use a groupOfNames, groupOfUniqueNames, or organizationalRole? By default, it is best to use groupOfNames, as it is treated as the default grouping object class by OpenLDAP. The organizationalRole object class is intended to be used as a way of defining what a person does within an organization. The groupOfUniqueNames object class was intended for a different use from groupOfNames, but implementation-wise, they function identically on OpenLDAP.

The Complete LDIF File: basics.ldif

    # This is the root of the directory tree
    dn: dc=example,dc=com
    description: Example.Com, your trusted non-existent corporation.
    dc: example
    o: Example.Com
    objectClass: top
    objectClass: dcObject
    objectClass: organization

    # Subtree for users
    dn: ou=Users,dc=example,dc=com
    ou: Users
    description: Example.Com Users
    objectClass: organizationalUnit

    # Subtree for groups
    dn: ou=Groups,dc=example,dc=com
    ou: Groups
    description: Example.Com Groups
    objectClass: organizationalUnit

    # Subtree for system accounts
    dn: ou=System,dc=example,dc=com
    ou: System
    description: Special accounts used by software applications.
    objectClass: organizationalUnit

    ##
    ## USERS
    ##

    # Matt Butcher
    dn: uid=matt,ou=Users,dc=example,dc=com
    ou: Users
    # Name info:
    uid: matt
    cn: Matt Butcher
    sn: Butcher
    givenName: Matt
    givenName: Matthew
    displayName: Matt Butcher
    # Work Info:
    title: Systems Integrator
    description: Systems Integration and IT for Example.Com
    employeeType: Employee
    departmentNumber: 001
    employeeNumber: 001-08-98
    mail: mbutcher@example.com
    mail: matt@example.com
    roomNumber: 301
    telephoneNumber: +1 555 555 4321
    mobile: +1 555 555 6789
    st: Illinois
    l: Chicago
    street: 1234 Cicero Ave.
    # Home Info:
    homePhone: +1 555 555 9876
    homePostalAddress: 1234 home street $ Chicago, IL $ 60699-1234
    # Misc:
    userPassword: secret
    preferredLanguage: en-us,en-gb
    # Object Classes:
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson

    # Barbara Jensen:
    dn: uid=barbara,ou=Users,dc=example,dc=com
    ou: Users
    uid: barbara
    sn: Jensen
    cn: Barbara Jensen
    givenName: Barbara
    displayName: Barbara Jensen
    mail: barbara@example.com
    userPassword: secret
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson

    # LDAP Admin Group:
    dn: cn=LDAP Admins,ou=Groups,dc=example,dc=com
    cn: LDAP Admins
    ou: Groups
    description: Users who are LDAP administrators
    uniqueMember: uid=barbara,dc=example,dc=com
    uniqueMember: uid=matt,dc=example,dc=com
    objectClass: groupOfUniqueNames

    # Special Account for Authentication:
    dn: uid=authenticate,ou=System,dc=example,dc=com
    uid: authenticate
    ou: System
    description: Special account for authenticating users
    userPassword: secret
    objectClass: account
    objectClass: simpleSecurityObject

Using the Utilities to Prepare the Directory

- slapadd
- When Should slapadd be Used?
- What Does slapadd Do?
- Loading the LDIF File
- slapindex
- slapcat
- Operational Attributes
- slapacl
- slapauth
- slapdn
- slappasswd
- Storing and Using Passwords in OpenLDAP
- Generating a Password with slappasswd
- slaptest

slapadd
The slapadd program is used to load directory data, formatted as LDIF files, directly into OpenLDAP. It is executed from within an operating system shell (for example a command prompt or shell script). The slapadd program does not use the LDAP protocol to connect to a running server. Instead, it works directly with the OpenLDAP backend. For that reason, when you run slapadd you must first shut down the directory server. Otherwise, you may end up with conflicts between the slapd server process and the slapadd process as they both try to exclusively manage the same databases.

When Should slapadd be Used?

slapadd is intended to be used to load large amounts of directory data, generally for the purpose of creating a new directory, or restoring a directory from a backup. Because it requires that the directory be taken offline, this utility is not generally a good candidate for performing routine updates. The ldapadd program is a much better candidate for that sort of operation.

What Does slapadd Do?
The slapadd utility reads the slapd.conf file (and any included files), loads the appropriate backend databases, and then reads LDIF data (usually from a file). As it reads the data, it verifies that all of the records are correctly constructed (that the DNs are in a tree that the server manages, that the records use the right attributes for their object classes, that all required fields are there, that the record is formatted correctly, and so on), and then it loads the records into the appropriate backend. Since slapadd does not connect over the LDAP protocol, it does not require any authentication to the directory. It does, however, require write access to the directory database files. So slapadd is usually run from the shell of either the user that runs the directory (often ldap or slapd) or from the root account.

Loading the LDIF File

1. Stop the slapd server
2. Test the LDIF file with slapadd
3. Load the directory with slapadd
4. Restart the slapd server

Stopping The Server

    wildan@OpenThinkLabs:~$ sudo /etc/init.d/slapd stop

Running slapadd in Test Mode

    $ sudo slapadd -v -u -c -f /etc/ldap/slapd.conf -l /tmp/basics.ldif

This command uses five flags:
- -v flag: This puts the program into "verbose" mode, where it will print out extra information about what is happening (and, if the process fails, what led to the failure). Usually it is a good idea to run slapadd in verbose mode, especially when loading an untested LDIF file.
- -u flag: This tells slapadd to run in test (or dry-run) mode. When this is enabled, slapadd will evaluate the file as if it were going to load the file into the directory, but it won't actually put any records in the directory.
- -c flag: This tells slapadd to keep processing the file even if it hits a bad record. Using this flag, we can run through the file once and get a list of all of the records that are not correctly formatted.
- -f flag: This flag, which takes as an argument the path to the server's configuration file, specifies which configuration file should be used. In most cases you can omit this, and slapadd will just look in the default place (usually /etc/ldap/slapd.conf).
- -l flag: This points to the LDIF file we want to load. In this case we are loading the basics.ldif file, which is located in the system's /tmp directory.

Running slapadd in Test Mode #2

    $ sudo slapadd -v -u -c -f /etc/ldap/slapd.conf -l basics.ldif
    added: "dc=example,dc=com"
    added: "ou=Users,dc=example,dc=com"
    added: "ou=Groups,dc=example,dc=com"
    added: "ou=System,dc=example,dc=com"
    added: "uid=matt,ou=Users,dc=example,dc=com"
    added: "uid=barbara,ou=Users,dc=example,dc=com"
    added: "cn=LDAP Admins,ou=Groups,dc=example,dc=com"
    added: "uid=authenticate,ou=System,dc=example,dc=com"
    _#################### 100.00% eta none elapsed none fast!

No errors. We are ready to proceed to the third step: importing the records into the directory.

Importing the Records Using slapadd

slapindex

slapcat

Operational Attributes

slapacl

slapauth

slapdn

slappasswd

Storing and Using Passwords in OpenLDAP

Generating a Password with slappasswd

slaptest

Performing Directory Operations Using the Clients

- Common Command-Line Flags
- Common Flags
- Setting Defaults in ldap.conf
- ldapsearch
- A Simple Search
- Restricting Returned Field
- Requesting Operational Attributes
- Searching Using a File
- ldapadd
- Adding Records from a File
- ldapmodify
- Adding a Record with ldapmodify
- Modifying Existing Records
- Modifying the Relative DN
- Deleting Entire Records
- ldapdelete
- ldapcompare
- ldapmodrdn
- Modifying the Superior DN with ldapmodrdn
- ldappasswd
- ldapwhoami

Common Command-Line Flags

Common Flags

Setting Defaults in ldap.conf

ldapsearch

A Simple Search

Restricting Returned Fields

Requesting Operational Attributes

Searching Using a File

ldapadd

Adding Records from a File

ldapmodify

Adding a Record with ldapmodify

Modifying Existing Records

Modifying the Relative DN

Deleting Entire Records

ldapdelete

ldapcompare

ldapmodrdn

Modifying the Superior DN with ldapmodrdn

ldappasswd

ldapwhoami

Summary

Q&A

Reference
Matt Butcher, Mastering OpenLDAP, PACKT Publishing
