We have 389-ds directory with many users in a particular group. Does anyone know how I can delete a user from a group called ' clients ' using ldapmodify or ldapdelete command line tools?
Thank You
Using ldapmodify:
ldapmodify -h ldapserver -D "cn=admin" -w password -f modGroup.ldif
where modGroup.ldif is:
dn: cn=clients, o=Your Company
changetype: modify
delete: member
member: cn=user1896576, o=Your Company
-jim
Related
I try to create user, which can read other users password. I try to edit ACL already present in openLDAP, so I wrote:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {1}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=admin,dc=playground,dc=test,dc=local" write
by dn="cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" read
by * none
the only modification in above olcAccess ACL from my side is:
by dn="cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" read
After I do that (via ldapmodify) I loose ability to browse ldap tree as usermanager, but I can login, exmaple:
ldapsearch -x -D "cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" -W -LLL
returns: No such object (32)
ldapwhoami -x -D "cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" -W -LLL
returns: dn:cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local
Question is: how to write this ACL to grant user usermanager rights to read other users password?
SOLVED:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=admin,dc=playground,dc=test,dc=local" write
by dn="cn=usermanager,ou=cloud,o=customer1,dc=playground,dc=test,dc=local" read
by * none
if anyone wants to use that please write it manually instead of copy-paste as ldifs are terribly sensitive on whitespaces and line endings.
I have installed LDAP and I am able to start it.
While I am trying to modify the olcDatabase={2}hdb.ldif file I am getting "ldap_modify: No such object (32)" error.
Steps followed to modify
1) created a db.ldif file with below contains
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc= ec2,dc=internal
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc= ec2,dc=internal
dn: olcDatabase={2}hdb,cn=config
changeType: modify
add: olcRootPW
olcRootPW: {SSHA}6zHtA20qkTmdLrJSfxo+VV3QLGS7m0CZ
2) ldapmodify -Y EXTERNAL -H ldapi:/// -f db.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: No such object (32)
I am using centos7 and LDAP version openldap-clients-2.4.44-21.el7_6.x86_64
openldap-2.4.44-21.el7_6.x86_64
openldap-servers-sql-2.4.44-21.el7_6.x86_64
openldap-servers-2.4.44-21.el7_6.x86_64
openldap-devel-2.4.44-21.el7_6.x86_64
collectd-openldap-5.8.1-1.el7.x86_64
compat-openldap-2.3.43-5.el7.x86_64
Please help me fix this!!
There are two reasons for this result.
the entry actually doesn't exist,
it exists but you don't have permission to know that.
I suggest you try to search the cn=config database to see what it actually contains:
ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config'
If the result is No such object (32), then gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth doesn't have access to the config database on your system.
If the search does return output, check whether the entry olcDatabase={2}hdb,cn=config is actually listed.
I had the same problem and to fix it I restarted slapd.service:
systemctl stop slapd.service
systemctl start slapd.service
I'm new to openLdap , I am setting up a module for monitoring using on-line configuration (OLC) based on this guide : https://blog.kmp.or.at/monitoring-openldap/.
i use ldapmodify as bellow :
ldapmodify -x -H ldap:/// -D "cn=config" -W -f module.ldif
result is :
modifying entry "cn=module{0},cn=config"
ldap_modify: No such object (32)
content of module.ldif is :
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: {1}back_monitor
i understand that i can't modify on non-existing entry so i tried to add a new entry for DN = (cn=module,cn=config).
i tried to create new dn using :
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /etc/openldap/libexec/openldap
but i got this error
ldap_add: Invalid syntax (21)
additional info: objectClass: value #0 invalid per syntax
Do i really need to create this DN , or it must be created during setup.
No, this entry is created during setup.
It seems you missed to setup slapd.d directory for online configuration (OLC) :
slapcat -f /path/to/slapd.conf -F /path/to/slapd.d
Also, choose the appropriate SASL mechanism for authentication :
Either use EXTERNAL mechanism with ldapi:/// transport (relies on the client process uid and gid via Unix sockets) :
`ldapmodify -Y EXTERNAL -H ldapi:/// -f module.ldif`
Or LDAP (default) with options -D and -W for binding :
` ldapmodify -x -H ldap://example.com -D cn=manager,dc=example,dc=com -W -f module.ldif`
I am new to working with LDAP, and my ultimate goal is to offer LDAP single sign-on in a web app. In order to achieve this, I'm trying to run ldapwhoami, but I'm running into issues. I am able to run other commands, like ldapsearch and ldapadd.
I'm running OpenLdap on Mac OS High Sierra.
My relevant slapd.conf looks like this:
access to *
by self write
by * read
by anonymous auth
database ldif
suffix "dc=test,dc=com"
directory openldap-data
rootdn "cn=admin,dc=test,dc=com"
## rootpw = secret
rootpw {SSHA}fFjKcZb4cfOAcwSjJer8nCGOEVRUnwCC
I then added a user with ldapadd -x -w secret -f shanson.ldif, where shanson.ldif looks like:
dn: cn=shanson,dc=test,dc=com
objectClass: inetOrgPerson
sn: Hanson
uid: shanson
cn: shanson
userPassword: secret
I am successfully able to search for and find this new user with ldapsearch -x "(cn=shanson)".
Now, I am trying to verify the user's credentials using ldapwhoami, and I keep getting an error:
> ldapwhoami -x -D cn=shanson,dc=test,dc=com -w secret
ldap_bind: Invalid credentials (49)
The same operation with my root admin user succeeds:
> ldapwhoami -x -D cn=admin,dc=test,dc=com -w secret
dn:cn=admin,dc=test,dc=com
I'm sure I'm just making a simple mistake or not understanding what I'm doing, but I don't really know where else to look right now for answers. Thanks!
It seems to have had something to do with the plain text password I set up. I installed Jxplorer and manually updated my user's password and hashed it with MD5, and now the ldapwhoami command works. If I set the password as plain text in JXplorer, ldapwhoami still does not work. Beyond that, I'm not entirely sure what I was doing wrong.
For me, my dn was wrong.
I did an ldapsearch with admin credentials to get the dn: uid=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx
Then I did an ldapwhoami -x -D "uid=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx" -w secret and it worked fine.
I have an LDIF file that contains a bunch of test users.
I would like to change the password for some of these users and was wondering what would be the best way to do so.
Use ldapmodify with LDIF, for example:
ldapmodify -h hostname -p port -D dn -w password <<!
dn: uid=user,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword: new-password
!
or specify a filename:
ldapmodify -c -a -f file.ldif -h hostname -p port -D dn -w password
Of course, use the correct attribute names, distinguished names, and so forth. The distinguished name used for the bind of the ldapmodify tool must have access rights to modify the password of the distinguished name specified in the LDIF.
see also
LDIF: rfc2849
LDAP: Using ldapmodify