OpenLDAP associate existing users to an organization unit (OU) - ldap

I created an OpenLDAP server on Ubuntu 22.04, and created users but forgot to add them to an organizational unit (ou). How can I associate them all to an ou now?
The actual server looks like this:
dn=company
  ou=Users
  uid=user1
  uid=user2
  uid=user3
  ...
What I would like is:
dn=company
  ou=Users
    uid=user1
    uid=user2
    uid=user3
    ...
Concretely, I would like to go from this:
uid=user1,dc=example,dc=fr
to this:
uid=user1,ou=Users,dc=example,dc=fr

Adding an ou attribute to the entry is one thing, moving the entry in the DIT is another thing. For the latter, you need to use the newsuperior directive.
Using ldapmodify -f with changetype: (modrdn|moddn):
dn: uid=user1,dc=example,dc=fr
changetype: modrdn
# RDN unchanged
newrdn: uid=user1
# drop the old RDN value from the entry (a no-op here, since the RDN is unchanged)
deleteoldrdn: 1
# new parent: the entry moves under ou=Users
newsuperior: ou=Users,dc=example,dc=fr
Using ldapmodrdn -r -s <newsuperior> <dn> <newrdn>:
ldapmodrdn -r -s "ou=Users,dc=example,dc=fr" "uid=user1,dc=example,dc=fr" "uid=user1"
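To move the whole set of users at once, here is an added example (my code, not the answer's) that writes one modrdn record per entry and refuses a target parent or entry that lies outside the naming context, since a moddn cannot move an entry out of its database. It assumes the question's base dc=example,dc=fr and the parent ou=Users,dc=example,dc=fr.

```python
# Added example, not code from the thread; it assumes the question's naming
# context dc=example,dc=fr and the target parent ou=Users,dc=example,dc=fr.


def split_dn(dn: str) -> list:
    """Split a DN into its RDNs on unescaped commas (RFC 4514 '\\' escaping)."""
    parts, cur, escaped = [], "", False
    for ch in dn:
        cur += ch
        if escaped or ch == "\\":
            escaped = not escaped
        elif ch == ",":
            parts.append(cur[:-1].strip())
            cur = ""
    parts.append(cur.strip())
    return parts


def is_under(dn: str, base: str) -> bool:
    """True when dn equals base or lies below it (case-insensitive components)."""
    d = [p.lower() for p in split_dn(dn)]
    b = [p.lower() for p in split_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def moddn_record(dn: str, new_superior: str, delete_old_rdn: bool = True) -> str:
    """LDIF change record that re-parents dn under new_superior, keeping its RDN.
    With the RDN unchanged deleteoldrdn has nothing to remove; 1 stays the
    default so that a renamed RDN's old value does not linger in the entry."""
    return (f"dn: {dn}\nchangetype: modrdn\nnewrdn: {split_dn(dn)[0]}\n"
            f"deleteoldrdn: {int(delete_old_rdn)}\nnewsuperior: {new_superior}\n")


def bulk_move_ldif(dns, new_superior: str, base: str) -> str:
    """One record per entry, blank-line separated, ready for ldapmodify -f.
    moddn cannot move an entry out of its database, so every DN and the new
    parent must share the base; a wrong suffix (dc=com for dc=fr) fails here."""
    if not is_under(new_superior, base):
        raise ValueError(f"newsuperior {new_superior!r} is outside {base!r}")
    bad = [dn for dn in dns if not is_under(dn, base)]
    if bad:
        raise ValueError(f"entries outside {base!r}: {bad}")
    return "\n".join(moddn_record(dn, new_superior) for dn in dns)


if __name__ == "__main__":  # then: ldapmodify -x -D cn=admin,dc=example,dc=fr -W -f move.ldif
    users = [f"uid=user{i},dc=example,dc=fr" for i in (1, 2, 3)]
    print(bulk_move_ldif(users, "ou=Users,dc=example,dc=fr", "dc=example,dc=fr"))
```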

Actually I just found an answer on my own.
I simply created an LDIF file, modify.ldif:
dn: uid=user1,dc=example,dc=fr
changetype: modify
add: ou
ou: Users
And then ran ldapmodify -x -D cn=admin,dc=example,dc=fr -W -f ./modify.ldif

Related

Adding user to Wheel Group errors out with No such object (32)

I'm trying to add a user to the "wheel" group and I keep getting this error message (removed dc entries to mask my company):
[root#~]# ldapmodify -x -W -D "cn=Manager,dc=XXX,dc=XXX" -f usergroupadd.ldif
Enter LDAP Password:
modifying entry "cn=wheel,ou=groups,dc=XXX,dc=XXX"
ldap_modify: No such object (32)
matched DN: dc=XXX,dc=XXX
Now I'm sure many will wonder if the 'wheel' group even exists, and that answer is yes. Adjusted user names for security purposes.
[root#~]# getent group| grep wheel
wheel:x:10:USER1,USER2,USER3,USER4,USER5,USER6
[root#~]#
And lastly my ldif file with the usergroup add appears to be correct:
[root#~]# cat usergroupadd.ldif
dn: cn=wheel,ou=groups,dc=XXX,dc=XXX
changetype: modify
add: memberuid
memberuid: USER7
So my question is, what is causing the No such object (32) error?
Thanks,

LDAPMODIFY - LDIF format for modifying DNs of computer objects

I'd like to write an ldapmodify command and pass in an ldif file to move computers to a new OU. This means I need to change the DNs.
Example:
CN=joesworkstation,OU=training,OU=computers,DC=my,DC=domain,DC=com
to
CN=joesworkstation,OU=laptops,DC=my,DC=domain,DC=com
The ldif man page shows how to rename a CN for a user, but not how to change a DN for a computer. Based on their example though, this is my ldif file format guess:
dn: CN=joesworkstation,OU=training,OU=computers,DC=my,DC=domain,DC=com
changetype: modify
replace: dn
dn: CN=joesworkstation,OU=laptops,DC=my,DC=domain,DC=com
deleteoldrdn: 1
Is this the most correct way to do this?
Depending on the LDAP server implementation, an LDIF should be something like:
dn: CN=joesworkstation,OU=training,OU=computers,DC=my,DC=domain,DC=com
changetype: moddn
# keep the RDN; only the parent changes
newrdn: CN=joesworkstation
# remove the old RDN value
deleteoldrdn: 1
newsuperior: OU=laptops,DC=my,DC=domain,DC=com
There could be restraints on such activities.
Perform due diligence.
There may be better methods for Microsoft Active Directory.
-jim
I was able to get a solution to work finally today.
To update the DN of computer objects I used the following LDIF formatted file:
dn: CN=joesworkstation,OU=training,OU=computers,DC=my,DC=domain,DC=com
changetype: moddn
newrdn: CN=joesworkstation
deleteoldrdn: 1
newsuperior: OU=laptops,DC=my,DC=domain,DC=com
This worked quite well and kept all the values of the attributes of the computer object intact as well.

OpenLDAP: Unable to add new LDAP attribute to schema

I am trying to add a new attribute to the OpenLDAP schema
# cat /etc/ldap/pwdResetAttribAdd.ldif
dn: cn={3}inetorgperson,cn=schema,cn=config
add: olcAttributeTypes
##
## The new attribute type
##
olcAttributetypes: ( 1.3.6.1.4.1.42.2.27.8.1.22
  NAME 'pwdReset'
  DESC 'The indication that the password has been reset'
  EQUALITY booleanMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
  SINGLE-VALUE
  USAGE directoryOperation )
The command I am using to add it is as follows:
ldapmodify -D "cn=admin,dc=test" -w somePass -h localhost -p 389 -f /etc/ldap/pwdResetAttribAdd.ldif
However, it fails with the error below:
modifying entry "cn={3}inetorgperson,cn=schema,cn=config" ldap_modify: Other (e.g., implementation specific) error (80)
additional info: olcAttributeTypes: "1.3.6.1.4.1.42.2.27.8.1.22" is operational
Where am I wrong?
You don't need to do this. Just add ppolicy.schema to the schemas being loaded, and the ppolicy overlay to the overlays, and all the appropriate ppolicy attributes will appear.
NB pwdReset and its friends that live in user entries are operational attributes and are commented out in this schema, but the ppolicy overlay causes them to be known anyway.

Cannot add uniqueMember with ldapmodify in OpenLDAP

I cannot add uniqueMembers to a static group (objectClass: groupOfUniqueNames).
According to this documentation:
Modifying group entries: In order to add a member to a static group, add the user's distinguished name as an additional value for the member or uniqueMember attribute. Following is an example:
ldapmodify -h 127.0.0.1 -D "cn=admin" -w xxxx -f modStaticGrp.ldif
Where modStaticGrp.ldif contains:
dn: cn=group1, o=Your Company
changetype: modify
add: member
member: cn=jeff, cn=tim, o=Your Company

dn: cn=group2, o=Your Company
changetype: modify
add: uniqueMember
uniqueMember: cn=joe,o=Your Company
When I try to add a uniqueMember with ldapmodify with the following ldif file:
dn: cn=Private,o=My Company
changetype: modify
add: uniqueMember
uniqueMember: uid=1234567890,ou=My Company
I get the error:
ldapmodify: wrong attributeType at line 4, entry "cn=Private,o=My Company"
What am I missing? Any ideas?
uid=1234567890,ou=My Company
A uniqueMember value is a complete DN. Judging by the rest of your DNs this should be something like
uid=1234567890,o=My Company
although I would have expected to see something more like this:
uid=1234567890,ou=Users,o=My Company
actually, depending on exactly how you've designed your DIT. You shouldn't be adding user entries at its top level.

adding objectclass with mandatory attribute to existing LDAP node

I'm trying to set up an LDIF file which shall add a new attribute value to an existing node. The attribute is a mandatory attribute of a custom objectclass.
Here is the contents of the LDIF file 'add.ldif':
dn: cn=hna,cn=Users,DC=lan,DC=test,DC=de
changetype: modify
add: objectclass
objectclass: MyCustomObjectClass
-
add: myCustomAttribute
myCustomAttribute: someValue
-
Problem: when I try to add that to the LDAP server using
ldapmodify -h ... -D ... -w ... -x -f add.ldif
I get the error message
ldap_modify: Objectclass violation (65)
additional info: 00002014: objectclass_attrs: attribute 'myCustomAttribute'
on entry 'cn=hna,cn=Users,DC=lan,DC=test,DC=de' does not exist in the
specified objectclasses
When I leave out the 'add' of 'myCustomAttribute', then of course I get:
ldap_modify: Objectclass violation (65)
additional info: 00002014: objectclass_attrs: at least one mandatory attribute
('myCustomAttribute') on entry 'cn=hna,cn=Users,DC=lan,DC=test,DC=de'
wasn't specified!
Any idea what is wrong with my approach?
ldapmodify is the one from OpenLDAP; the server is a Samba V4 LDAP.
This should work:
dn: cn=hna,cn=Users,DC=lan,DC=test,DC=de
changetype: modify
add: objectclass
objectclass: MyCustomObjectClass
add: myCustomAttribute
myCustomAttribute: someValue
There MUST be an empty line after the last line.
The "-" is only needed if you want to perform separate modify operations and have them be atomic (i.e. all work or all fail).
As adding the objectclass requires its MUST attributes, both must happen in the same modification.
By the way I have noticed that some ldapmodify programs do not handle these properly.
-jim
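The modify-record layout the two LDIFs above rely on, as an added example that is not code from this thread: a small parser for RFC 2849 "changetype: modify" records that groups all changes of one record into the single ModifyRequest the server applies atomically, splitting them at "-" lines, and reproduces the attribute-name check behind ldapmodify's "wrong attributeType" message seen in an earlier question on this page. ADD_LDIF is the question's add.ldif, copied inline so the parser runs offline.

```python
# Added example, not code from the thread; ADD_LDIF is the question's add.ldif.
MOD_OPS = ("add", "delete", "replace")
ADD_LDIF = """dn: cn=hna,cn=Users,DC=lan,DC=test,DC=de
changetype: modify
add: objectclass
objectclass: MyCustomObjectClass
-
add: myCustomAttribute
myCustomAttribute: someValue
-
"""


def parse_modify_record(text: str) -> dict:
    """Parse one RFC 2849 'changetype: modify' record into {"dn", "changes"}.

    All changes of a record travel in ONE ModifyRequest that the server applies
    atomically, so the entry only has to satisfy its object classes after the
    whole list is applied; a line holding just "-" separates two changes.
    """
    lines = text.strip("\n").split("\n")
    if not lines[0].lower().startswith("dn:"):
        raise ValueError("line 1: record must start with 'dn:'")
    dn = lines[0].split(":", 1)[1].strip()
    if len(lines) < 2 or lines[1].strip().lower() != "changetype: modify":
        raise ValueError("line 2: expected 'changetype: modify'")
    changes, current = [], None  # current = [op, attribute, values]
    for n, line in enumerate(lines[2:], start=3):
        if line.strip() == "-":  # closes the current change
            if current is None:
                raise ValueError(f"line {n}: '-' without a preceding mod-spec")
            changes.append(tuple(current))
            current = None
            continue
        name, sep, value = (s.strip() for s in line.partition(":"))
        if not sep:
            raise ValueError(f"line {n}: expected 'name: value'")
        if current is None:  # a mod-spec (add:/delete:/replace: attr) opens a change
            if name.lower() not in MOD_OPS:
                raise ValueError(f"line {n}: expected add:, delete: or replace:")
            current = [name.lower(), value, []]
        elif name.lower() != current[1].lower():
            # ldapmodify's check: a value line must name the mod-spec's attribute
            raise ValueError(f"wrong attributeType at line {n}")
        else:
            current[2].append(value)
    if current is not None:  # RFC 2849 wants a closing "-"; ldapmodify tolerates its absence
        changes.append(tuple(current))
    return {"dn": dn, "changes": changes}
```

Dropping the first "-" line from ADD_LDIF makes the parser reject the record at line 5 with that same "wrong attributeType" message, because "add: myCustomAttribute" is then read as a value line of the objectclass change.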