Managing an LDAP server can be intimidating, but it’s not as difficult as it seems at first glance. You can get started managing LDAP from the command line on Linux with three simple commands.
Recently I wrote an article about a GUI tool that can help the new user get LDAP up and running on their server (see my article “Simplify LDAP with Fedora’s 389 Directory Server“). Eventually, however, you may need to manage your LDAP data from the command line. Whether it is a simple search or adding/deleting/modifying an entry — the time is coming, and when it does you better be ready for it.
The LDAP command line can be a bit frightening at first, but once you get to know it, it’s not all that bad. In order to successfully manage your LDAP data from the command line you need to be familiar with three commands: ldapadd, ldapmodify, and ldapsearch. They may be a challenge to understand at first, but once you get the basics they are as simple as any other Linux command.
Assumptions
For the sake of simplicity I am going to use my own, small network as an example. The network is wallen.local so the base dn of this network will look like “dc=wallen,dc=local”. That base dn will be used for nearly every LDAP command on my network. Your network, of course, will be different. I am also going to be running the commands on the server that contains the LDAP directory (again for the sake of simplicity).
I will also assume you have LDAP up and running and you are now ready to begin adding entries. For this, we turn to ldapadd.
Using ldapadd
The ldapadd command can be used in a couple of ways. You can add entries one at a time, or you can create a text file that ldapadd will read from. Since the latter method is far more efficient (and can also be used to add a single entry), I will demonstrate the addition of an entry using an LDIF file.
The basic usage of the ldapadd command is:
ldapadd [OPTIONS] [CREDENTIALS] filename
Before we get into the actual command, let’s build a file first. To illustrate this technique, let’s create a file to add a single, simple entry to your LDAP directory. The file contents will look like:
# USER ENTRY
dn: cn=Jack Wallen,ou=people,dc=wallen,dc=local
cn: Jack Wallen
objectClass: person
sn: Wallen
The above example is a very simple entry which adds the user Jack Wallen (common name), listed as a person (objectClass), to the LDAP directory. Save that file as users.ldif in your home (~/) directory and then issue the command:
sudo ldapadd -x -D cn=admin,dc=wallen,dc=local -W -f users.ldif
You will, of course, have to modify the above command to match your own LDAP setup. You will also want to issue the above command from within the same directory that houses the users.ldif file.
Say you want to add multiple entries at once. This is equally simple. Instead of having a single entry in your users.ldif file, you list every user you want to add, with a blank line separating one entry from the next. That multi-user file will look something like:
# USER ENTRY
dn: cn=Jack Wallen,ou=people,dc=wallen,dc=local
cn: Jack Wallen
objectClass: person
sn: Wallen

# USER ENTRY
dn: cn=Sheldon Cooper,ou=people,dc=wallen,dc=local
cn: Sheldon Cooper
objectClass: person
sn: Cooper

# USER ENTRY
dn: cn=Leonard Hofstadter,ou=people,dc=wallen,dc=local
cn: Leonard Hofstadter
objectClass: person
sn: Hofstadter

# USER ENTRY
dn: cn=Howard Wolowitz,ou=people,dc=wallen,dc=local
cn: Howard Wolowitz
objectClass: person
sn: Wolowitz

# USER ENTRY
dn: cn=Rajesh Koothrappali,ou=people,dc=wallen,dc=local
cn: Rajesh Koothrappali
objectClass: person
sn: Koothrappali
The command to add multiple entries is the same as the command to add a single entry.
Now, let’s examine how to modify an entry.
Using ldapmodify
The ldapmodify command is what you use to change an existing LDAP entry. The basic usage is a bit different from the ldapadd command. The ldapmodify command can be seen as an almost interactive command and requires these steps:
- Issue the ldapmodify command (with appropriate options).
- Inform ldapmodify what you are modifying.
- Modify your data.
- Escape with CTRL-d.
- ldapmodify will make the changes.
Let’s say we want to change the department of Rajesh Koothrappali from Astral Physics to Theoretical Physics. This information might be held in the gecos field (the field that holds general information for an entry). To do this, start out by issuing the command:
ldapmodify -h localhost -x -W -D "cn=admin,dc=wallen,dc=local"
Now you need to indicate to LDAP which entry you are modifying by entering:
dn: uid=rkoothrappali,ou=People,dc=wallen,dc=local
Now hit the Enter key to move to the next step, which is indicating to ldapmodify what you plan to do:
changetype: modify
After you type the above hit the Enter key. Now you inform LDAP what you plan to modify in this entry by entering:
replace: gecos
As you would expect, hit Enter when you’ve typed the above. Finally, you enter the text you want to replace the gecos entry with by typing:
gecos: Theoretical Physics Department, Caltech University
That is the last string of text to type for the modification. Now hit the Enter key and then the CTRL-d combination to escape the LDAP prompt. Your LDAP entry has officially been modified. Let’s search that entry to make sure the changes have taken place.
Using ldapsearch
The ldapsearch command is the easiest of the three to use. If you were to enter the command:
ldapsearch -x -b "dc=wallen,dc=local" -s sub "objectclass=*"
You would see Rajesh’s entry like so:
# rkoothrappali, People, wallen.local
dn: uid=rkoothrappali,ou=People,dc=wallen,dc=local
uid: rkoothrappali
cn: Rajesh Koothrappali
objectClass: account
objectClass: posixAccount
objectClass: top
loginShell: /bin/bash
uidNumber: 500
gidNumber: 120
homeDirectory: /home/rkoothrappali
gecos: Theoretical Physics, Caltech University
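The same three steps, scripted rather than typed by hand, as an added example that is not part of the original article: a helper that writes blank-line-separated records for an ldapadd batch file, a helper that produces the ldapmodify record (dn, changetype, replace, value) so the change can be piped in from stdin, and a base-scoped ldapsearch that returns only the attribute you changed. It assumes the article's values (base dc=wallen,dc=local, bind DN cn=admin, a server on localhost, the entry uid=rkoothrappali under ou=People); by default it only prints the LDIF it would send, and applies it when run with --apply.

```shell
#!/bin/sh
# Added example (not from the article): script the ldapadd, ldapmodify and
# ldapsearch steps above instead of typing them interactively. Assumed from
# the article's setup: base dc=wallen,dc=local, bind DN cn=admin,..., server
# on localhost, entry uid=rkoothrappali under ou=People.
BASE_DN="dc=wallen,dc=local"
BIND_DN="cn=admin,${BASE_DN}"
LDAP_URI="ldap://localhost"

# person_entry CN SN: one "person" record for an ldapadd batch file.
# The trailing blank line is the LDIF record separator; without it the
# next "dn:" line is read as part of this record, not as a new entry.
person_entry() {
    printf 'dn: cn=%s,ou=people,%s\ncn: %s\nobjectClass: person\nsn: %s\n\n' \
        "$1" "$BASE_DN" "$1" "$2"
}

# replace_attr_ldif DN ATTR VALUE: the "changetype: modify" record the
# article types by hand. The closing "-" ends this modification, so more
# replace/add/delete blocks may follow in the same record.
replace_attr_ldif() {
    printf 'dn: %s\nchangetype: modify\nreplace: %s\n%s: %s\n-\n' \
        "$1" "$2" "$2" "$3"
}

# show_attr DN ATTR: base-scoped search returning only ATTR of DN in
# plain LDIF (-LLL); cheaper than dumping the whole tree with -s sub.
show_attr() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$1" -s base '(objectClass=*)' "$2"
}

main() {
    dn="uid=rkoothrappali,ou=People,${BASE_DN}"
    value="Theoretical Physics Department, Caltech University"
    if [ "${1:-}" != "--apply" ]; then
        # Dry run (default): print the LDIF that would be sent, change nothing.
        person_entry "Jack Wallen" "Wallen"
        replace_attr_ldif "$dn" gecos "$value"
        return 0
    fi
    # ldapmodify reads the record from stdin; -W prompts for the bind password.
    replace_attr_ldif "$dn" gecos "$value" |
        ldapmodify -x -H "$LDAP_URI" -D "$BIND_DN" -W
    show_attr "$dn" gecos
}

main "$@"
```

Because the modify record comes from a function rather than a terminal session, the same script can be reviewed before it runs and reused for any attribute, not just gecos.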
Final Thoughts
You now have a grasp on one of the more challenging aspects of working with LDAP. As you can see, it’s not all that difficult to work with the LDAP command line. And, of course, you can get more information on the different switches and options by looking at the man pages for each command (i.e. man ldapadd, man ldapmodify, and man ldapsearch).