change distinguished name format in OpenLDAP - ldap

I have the following problem: I have installed an OpenLDAP server in which, in the people/users tree, the distinguished names have the following format:
Distinguished Name: cn=Luigi Rossi,ou=people,dc=prisma,dc=local
The problem is that I wish to replace it, using the uid (a.k.a. the account username) instead of the CN, in order to have something like this:
Distinguished Name: uid=lrossi,ou=people,dc=prisma,dc=local
I need this because I'm configuring LDAP authentication for Alfresco Community 4.0.d and it needs the username:
ldap.authentication.userNameFormat=uid=%s,ou=people,dc=prisma,dc=local
Any help?

It's an old post but I ran into this myself. The answer was actually pretty simple. If you're using phpldapadmin to create accounts, you need to edit the posixAccount template. Look for the <rdn></rdn> tags. Replace the cn with uid and save. Your accounts will now be created with a DN in the "uid=%s,dc=example,dc=com" form instead of "cn=%s,dc=example,dc=com"
http://phpldapadmin.sourceforge.net/wiki/index.php/Templates#Template_Header_Configuration

Use the modify DN LDAP request (in this case using the legacy OpenLDAP ldapmodify tool):
The uid attribute may need to be added:
ldapmodify -h host -p port -D bind-dn -w password <<!
dn: cn=Luigi Rossi,ou=people,dc=prisma,dc=local
changetype: modify
add: uid
uid: lrossi
!
ldapmodify -h host -p port -D bind-dn -w password <<!
dn: cn=Luigi Rossi,ou=people,dc=prisma,dc=local
changetype: moddn
# newrdn takes only the new RDN, not the whole new DN
newrdn: uid=lrossi
# keep the old cn value: cn is a MUST attribute of person/inetOrgPerson,
# so deleteoldrdn: 1 would make the rename fail with an objectClass violation
deleteoldrdn: 0
!
See also: LDAP: modify DN

How to do this per object (not changing the format globally) in phpLDAPadmin:
click on the object in the hierarchy on the left so that it shows up on the right
the title of the object is shown as: cn=Luigi Rossi
the subtitle just below contains "Distinguished Name: cn=Luigi Rossi,ou=people,dc=prisma,dc=local"
now click on the "Rename" link just 4 lines below
change value "cn=Luigi Rossi" to "uid=lrossi"
that's it.

Worth mentioning is the ldapmodrdn tool, which e.g. in Debian is part of the ldap-utils package. It can read in a simple file where the first line is the old CN-based DN and the second line is the new RDN. If there are many users to change, they can all be included in the same file, separated by empty lines.
With that tool it's quite easy to process all the existing accounts and change their DNs.
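The ldapmodify answer and the ldapmodrdn answer above both need the same two pieces of information for every user: the old DN and the new RDN. The script below is an added example, not code from either answer. It reads a constructed ldapsearch listing (the names and uids are made up), works out both values, and emits either an LDIF for ldapmodify or the two-line-per-entry file that ldapmodrdn reads. It also refuses to proceed if two entries would end up with the same uid-based DN, and it escapes RDN values that contain characters such as commas, which the one-liner in the answer does not have to worry about.

```python
"""Generate the LDIF needed to rename cn=... entries to uid=... ones in bulk.

Added example, not code from the original posts. It assumes an ldapsearch
listing (constructed below, not captured from a real server) showing each
entry's dn, cn and uid. Entries with no uid are skipped, and a uid shared by
two entries is rejected up front: the renames would collide on one DN and the
second one would fail on the server.
"""
import collections

# Constructed sample of what `ldapsearch -LLL -b ou=people,dc=prisma,dc=local
# '(objectClass=inetOrgPerson)' cn uid` might print (hypothetical entries).
SAMPLE_LDIF = """\
dn: cn=Luigi Rossi,ou=people,dc=prisma,dc=local
cn: Luigi Rossi
uid: lrossi

dn: cn=Anna Bianchi,ou=people,dc=prisma,dc=local
cn: Anna Bianchi
uid: abianchi

dn: cn=Mario Verdi,ou=people,dc=prisma,dc=local
cn: Mario Verdi
"""

# Characters that must be backslash-escaped inside an RDN value (RFC 4514 2.4).
_RDN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape a value for use in an RDN: 'Rossi, Luigi' -> 'Rossi\\, Luigi'."""
    out = []
    for i, ch in enumerate(value):
        edge_space = ch == ' ' and i in (0, len(value) - 1)
        if ch in _RDN_SPECIAL or edge_space or (ch == '#' and i == 0):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def split_rdn(dn: str):
    """Split 'rdn,parent' at the first comma that is not backslash-escaped."""
    escaped = False
    for i, ch in enumerate(dn):
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == ',':
            return dn[:i], dn[i + 1:]
    return dn, ''


def parse_ldif(text: str):
    """Minimal LDIF reader: yields one {attr: [values]} dict per record."""
    record = collections.defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield dict(record)
                record = collections.defaultdict(list)
        elif not line.startswith('#'):
            name, _, value = line.partition(':')
            record[name.strip()].append(value.strip())
    if record:
        yield dict(record)


def plan_renames(ldif_text: str):
    """Return [(old_dn, new_rdn)] for every entry that has a uid.

    Raises ValueError if two entries would end up with the same DN.
    """
    plan, targets = [], {}
    for rec in parse_ldif(ldif_text):
        dn = rec['dn'][0]
        if 'uid' not in rec:
            continue                                  # add a uid first, then rerun
        _, parent = split_rdn(dn)
        new_rdn = 'uid=' + escape_rdn_value(rec['uid'][0])
        new_dn = f'{new_rdn},{parent}'.lower()        # DNs match case-insensitively
        if new_dn in targets:
            raise ValueError(f'{dn} and {targets[new_dn]} both rename to {new_dn}')
        targets[new_dn] = dn
        plan.append((dn, new_rdn))
    return plan


def ldapmodify_ldif(plan) -> str:
    """LDIF for `ldapmodify`: one modrdn record per entry. deleteoldrdn: 0 keeps
    the cn value, which person/inetOrgPerson require, so the entry stays valid."""
    return '\n'.join(f'dn: {old_dn}\nchangetype: modrdn\nnewrdn: {new_rdn}\n'
                     f'deleteoldrdn: 0\n' for old_dn, new_rdn in plan)


def ldapmodrdn_input(plan) -> str:
    """Input file for `ldapmodrdn -f`: old DN, new RDN, blank line, repeated."""
    return '\n'.join(f'{old_dn}\n{new_rdn}\n' for old_dn, new_rdn in plan)
```

Feed the first output to `ldapmodify -x -D <bind DN> -W -H ldap://host` or save the second and pass it to `ldapmodrdn -f`. Run it against a copy of the data first, and remember that anything referring to the old DNs (group members, manager attributes, the Alfresco bind template) has to be updated too unless the server's referential-integrity overlay does it.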

Related

LDAP modify using entryUUID

I am trying to modify an item in LDAP using entryUUID.
ldapmodify --hostName localhost --port 1389 --bindDN "cn=Directory Manager" --bindPassword password <<+
dn: entryUUID=bf5e7357-90a6-4481-b464-4ed9e153fc44,dc=pm,dc=test,dc=com
changetype: modify
replace: Salary
Salary:100
+
If I use uid it works fine.
How we can use entryUUID to locate the item?
The LDAP ModifyRequest requires the Fully Distinguished Name of the LDAP Entry as described within RFC 4511.
You need to obtain the DN of the entry to make a modification.

How to add rights to an user with olcAccess, in an OpenLDAP 2.4

I have an OpenLDAP Server 2.4 running in my company and I need to permit people to change their picture in one of our web applications.
The function is already present. People in LDAP just don't have any rights to write their own attributes (especially, here, the "jpegPhoto" attribute that is needed).
I found this in the Documentation
access to attrs=jpegPhoto
by self =xw
by * read
I don't know how to use these lines. Which command to use, or something else?
If someone could help me with how to proceed, that would be great.
Thanks
The modifications you need to apply are simple, if you are using slapd.conf as the server configuration file, and a bit more complicated if you are using the new cn=config layout. Be careful, anyway, that:
The older style slapd.conf(5) file is still supported, but its use is deprecated and support for it will be withdrawn in a future OpenLDAP release.
as stated in the OpenLDAP documentation.
1) cn=config layout
You need to modify the configuration for the database you are using. Your OpenLDAP server may contain multiple databases, but you are interested only in the one that stores people data and their pictures. To list all your available databases, use:
slapcat -b cn=config
This command must be executed from the OpenLDAP server. It will read the file named cn=config.ldif in your slapd configuration directory. In my case, it is located in
/usr/local/etc/openldap/slapd.d/cn=config.ldif
Be careful that slapcat -b cn=config will work only if the shell user can read this file. In my case, the file is
-rw------- 1 ldap ldap 680 10 mar 21:04 /usr/local/etc/openldap/slapd.d/cn=config.ldif
It belongs to user ldap, group ldap (they have been created during the OpenLDAP server installation). I have never set a password for user ldap, so:
tl;dr a way to read this file and to successfully run slapcat -b cn=config is to be root.
The output of slapcat -b cn=config is huge, but you can consider the last lines only, where the database you are interested in is listed. For example, it could be
dn: olcDatabase={1}mdb,cn=config
This is, for example, the Distinguished Name (dn) of the database containing users pictures. You want to allow users to change their pictures.
You can modify the database configuration running (similarly to the previous case, you need write permissions on the file cn=config.ldif, so you could be root as before):
ldapmodify -f /path/to/yourfile -x -D "cn=config" -W
-f /path/to/yourfile is your configuration file (see below);
-x is Simple Authentication, it is needed if you are not using SASL;
-D "cn=config" is the username you are using to enter the OpenLDAP database. There is usually a super-user for each single database (frequently called Manager), and a global super-user. The user named cn=config is the global super-user. You should have configured its password during the OpenLDAP server installation; if you don't have this password, you might not be able to modify the database configuration;
-W asks you to type the password for the user cn=config.
The configuration file, located in /path/to/yourfile, must be a plain text file formatted as follows:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=jpegPhoto
  by self write
  by * read
I would suggest to you to prefer by self write instead of by self =xw (which would not permit users to read their pictures). Be careful to put two spaces before by, as stated in this answer.
You can now run slapcat -b cn=config again to check whether the configuration has been modified, and also whether the olcAccess statements are in the correct order. If not, you can delete them and add them again, knowing that each new olcAccess specification will automatically be put after the preceding ones.
2) slapd.conf layout
If you are using the old slapd.conf configuration file, you simply need the write permissions to it. Usually it is:
-rw------- 1 ldap ldap 2557 Dec 15 2016 slapd.conf
So, you can open it as root, with your preferred text editor. Identify the database section you want to modify, for example the one beginning with:
database mdb
maxsize 1073741824
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
and simply add your lines at the bottom of this section, being careful if other access statements are already present. Again, I would suggest using by self write instead of by self =xw.
Regardless of your configuration, restart the OpenLDAP server (process slapd) after your modifications.
If you need further examples and/or clarifications, please consider:
A cn=config configuration example;
Access Control for OpenLDAP databases;
the OpenLDAP site, with the whole documentation.
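The answer says to check that the olcAccess statements end up in the correct order, because slapd uses the first `to` clause that matches the entry and attribute and never falls through to a later one. The checker below is an added example, not part of the answer: it parses a constructed `slapcat -b cn=config` listing (not real server output), joins the wrapped continuation lines, and reports any rule that sits behind a `to *` rule and therefore can never apply. It also builds the LDIF that inserts a rule at an explicit `{n}` position, which avoids deleting and re-adding the existing rules.

```python
"""Check the order of olcAccess rules in `slapcat -b cn=config` output.

Added example, not part of the original answer. slapd picks the first `to`
clause that matches the entry and attribute being accessed and never falls
through to a later one, so any rule that sits after a `to *` rule can never
match. The slapcat output below is constructed for the example, not taken
from a real server.
"""
import re

# Constructed sample. slapd prefixes each olcAccess value with its position
# {n}; a value longer than one line is wrapped in LDIF with a leading space
# on each continuation line, which is why the `by` lines are indented.
SAMPLE_SLAPCAT = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by * read
olcAccess: {2}to attrs=jpegPhoto
  by self write
  by * read
"""


def unwrap_ldif(text: str):
    """Join LDIF continuation lines (leading space) onto the previous line."""
    lines = []
    for line in text.splitlines():
        if line.startswith(' ') and lines:
            lines[-1] += line[1:]          # only the first space is the marker
        else:
            lines.append(line)
    return lines


def olc_access_rules(text: str):
    """Return [(position, rule)] sorted in the order slapd evaluates them."""
    rules = []
    for line in unwrap_ldif(text):
        m = re.match(r'olcAccess:\s*(?:\{(\d+)\})?(.*)', line)
        if m:
            pos = int(m.group(1)) if m.group(1) is not None else len(rules)
            rules.append((pos, m.group(2).strip()))
    return sorted(rules)


def shadowed_rules(text: str):
    """Rules that can never apply because an earlier rule is `to *`."""
    rules = olc_access_rules(text)
    catch_all = next((pos for pos, rule in rules
                      if re.match(r'to\s+\*\s', rule)), None)
    if catch_all is None:
        return []
    return [(pos, rule) for pos, rule in rules if pos > catch_all]


def insert_rule_ldif(db_dn: str, rule: str, position: int) -> str:
    """LDIF that adds `rule` at `position`; cn=config renumbers the later values.

    Adding with an explicit {n} avoids deleting and re-adding the other rules."""
    return (f'dn: {db_dn}\nchangetype: modify\nadd: olcAccess\n'
            f'olcAccess: {{{position}}}{rule}\n')
```

On the sample, the jpegPhoto rule is reported as shadowed by `{1}to * by * read`; adding it again as `{1}` puts it ahead of the catch-all, and slapd renumbers the old `{1}` to `{2}`.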

Change default admin password in ApacheDS

I am new to ApacheDS; I am using apacheds-2.0.0-M17.
The default password for admin is secret.
Does anyone know where I can change the value to something else?
Inside:
apacheds/instances/default/conf/config.ldif
Found the following entry:
ads-pwdattribute: userPassword
When googling it, there are a lot of examples that mention doing it using Apache Directory Studio but the particular instance I am trying to configure is running in a Linux shell in a headless (no UI) mode.
Tried using the following command with ldapmodify and the cursor hangs (keeps blinking) after pressing enter. I even tried prepending it with sudo and the same thing happens.
ldapmodify -H ldap://localhost:10389 -D "uid=admin,ou=system" -x -w secret
Does anyone know why it hangs?
What am I possibly doing wrong?
Thanks again,
James
Changing the admin account password is documented in the ApacheDS documentation.
ldapmodify, if not given a file to process with the -f parameter, waits for input from standard input, on which it expects an LDIF-formatted file with the modifications to perform.
In your case such a LDIF file would look something like:
dn: uid=admin,ou=system
changetype: modify
replace: userPassword
userPassword: new-password
BTW, you can still use Apache Directory Studio (or any other graphical LDAP client) to make this change, even if your directory is running on a headless server. LDAP is, after all, a network protocol. Just run the LDAP client on a local machine and connect over the network to your server. (Of course, I leave it to you to figure out if you have to open up some firewall rules or whatever.)
dn: uid=admin,ou=system
changetype: modify
replace: userPassword
userPassword: new-password
-
After each modification, you need to add the terminating "-"!!!
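Both answers send `userPassword: new-password` in the clear. The helper below is an added example, not code from the answers or from ApacheDS: it builds the same LDIF with a `{SSHA}` (salted SHA-1) value instead, which ApacheDS and OpenLDAP both accept as a stored hash, and it can verify a password against such a value. It assumes the server stores userPassword exactly as sent, which is the case unless a password policy or hashing interceptor has been configured. The password and the fixed salt used in the test are constructed for the example; in real use the salt comes from os.urandom.

```python
"""Set an LDAP password as a {SSHA} hash rather than in the clear.

Added example, not code from the original answers. It assumes the server
stores the userPassword value exactly as sent, so a cleartext value would
stay cleartext in the directory. {SSHA} is salted SHA-1 in the RFC 2307
style: base64(sha1(password + salt) + salt) behind a '{SSHA}' tag.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

_PREFIX = '{SSHA}'


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return '{SSHA}' + base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)               # random per-password salt
    digest = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return _PREFIX + base64.b64encode(digest + salt).decode('ascii')


def ssha_verify(password: str, stored: str) -> bool:
    """Check a cleartext password against a stored {SSHA} value.

    The salt is recovered from the tail of the decoded value; the comparison
    is constant-time so a wrong guess takes as long as a right one.
    """
    if not stored.startswith(_PREFIX):
        return False
    raw = base64.b64decode(stored[len(_PREFIX):])
    digest, salt = raw[:20], raw[20:]      # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(password.encode('utf-8') + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_change_ldif(dn: str, new_password: str,
                         salt: Optional[bytes] = None) -> str:
    """LDIF for `ldapmodify` that replaces userPassword with the hashed value,
    terminated by the '-' line that ends each modification."""
    return (f'dn: {dn}\n'
            f'changetype: modify\n'
            f'replace: userPassword\n'
            f'userPassword: {ssha_hash(new_password, salt)}\n'
            f'-\n')
```

SHA-1 is used only because `{SSHA}` is the tag every server understands; where the server offers a salted SHA-2 scheme, prefer that. With OpenLDAP, `ldappasswd` (the Password Modify extended operation) lets the server do the hashing itself, which avoids shipping a hash you computed on the client.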

Using Net::LDAP or ldapsearch to return attributes of object attributes

In our corporate LDAP structure a 'user' has two attributes:
uid = the id of the user
manager = the DN of the user's manager
Since I'm writing a script to find out the organization chain for a user, I'd like to be able to find the uid of a manager with a single query. Right now, I have to do it in 2 queries:
$ ldapsearch -h ldap.example.com -p 389 -b dc=example,dc=com uid=myuid manager
dn: cn=mycn,L=AMER,DC=EXAMPLE,DC=COM
manager: cn=mymanagercn,L=AMER,DC=EXAMPLE,DC=COM
Parse out the cn value 'mymanagercn', then run another query:
$ ldapsearch -h ldap.example.com -p 389 -b dc=example,dc=com cn=mymanagercn uid
dn: cn=mymanagercn,L=AMER,DC=EXAMPLE,DC=COM
uid: mymanageruid
Is there a way to do this with 1 query? Bonus points if you can do this using the Net::LDAP Perl modules!
No. However, it should be possible with a properly designed API to accomplish this task in one connection, but not in one search request. If you are using the UnboundID Directory Server you can write a plugin using the Server SDK to alter the contents of the search result before it is returned to the client. The plugin could perform the search for the manager entry and append the results to the search result.
The second search can really be a lookup, as you have the complete DN. You shouldn't just strip out the CN, use the whole thing.
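The answer above is right that the second search is really a lookup by the full DN. The snippet below is an added example, not from the question or the answers, and in Python rather than the Net::LDAP the question asks about; a constructed in-memory dictionary stands in for the directory. It shows the loop a script would run: one base-scope lookup per hop using the whole manager DN, DNs compared case-insensitively as LDAP does (the question's output mixes `DC=EXAMPLE` and `dc=example`), and a stop when a manager DN points at nothing or the chain loops back on itself.

```python
"""Walk a user's management chain with one base-scope lookup per hop.

Added example, not from the original question or answers. No single search
returns the manager's uid together with the user's, so each hop looks the
manager entry up by the full DN stored in `manager`. The directory below is
a constructed in-memory stand-in; with a real server `lookup` would be
`ldapsearch -s base -b <manager DN> uid manager`.
"""

# Constructed entries. The casing of DNs differs between attribute values
# and entry DNs on purpose, as it did in the question's ldapsearch output,
# and the last entry points back at the first to show loop handling.
DIRECTORY = {
    'cn=mycn,L=AMER,DC=EXAMPLE,DC=COM': {
        'uid': 'myuid', 'manager': 'cn=mymanagercn,L=AMER,DC=EXAMPLE,DC=COM'},
    'cn=mymanagercn,L=AMER,DC=EXAMPLE,DC=COM': {
        'uid': 'mymanageruid', 'manager': 'cn=ceocn,l=amer,dc=example,dc=com'},
    'cn=ceocn,L=AMER,DC=EXAMPLE,DC=COM': {
        'uid': 'ceouid', 'manager': 'cn=mycn,L=AMER,DC=EXAMPLE,DC=COM'},
}


def normalize_dn(dn: str) -> str:
    """DNs compare case-insensitively and ignore space around separators.

    Good enough for these entries; RDN values with escaped commas would need
    a real DN parser."""
    return ','.join(part.strip() for part in dn.split(',')).lower()


INDEX = {normalize_dn(dn): attrs for dn, attrs in DIRECTORY.items()}


def lookup(dn: str):
    """Stand-in for a base-scope search on `dn`; returns the entry or None."""
    return INDEX.get(normalize_dn(dn))


def manager_chain(start_dn: str, max_depth: int = 20):
    """Return the uids from `start_dn` upward through the manager attribute.

    Stops on a dangling manager DN, on a DN already visited (a loop in the
    data) or after max_depth hops, so bad data cannot make it spin forever."""
    chain, seen, dn = [], set(), start_dn
    while dn and normalize_dn(dn) not in seen and len(chain) < max_depth:
        seen.add(normalize_dn(dn))
        entry = lookup(dn)
        if entry is None:
            break                      # manager points at a missing entry
        chain.append(entry['uid'])
        dn = entry.get('manager')
    return chain
```

Using the whole DN for each hop also means the script does not break when two people share a cn in different parts of the tree, which parsing out the cn and searching for it again would.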

Open ldap modify - /usr/bin/modify problem

Can anyone help me out with this? I'm trying to add another attribute to my LDAP, but I don't know much about this. It returns an error after I tried the sample I found on the net. This command will be used in my Perl program to add a new attribute "status" with value "yes".
Help please?
/usr/bin/ldapmodify -x -D "cn=Test,ou=mygroup.com,o=group2.com" -a "status=yes"??
The -W doesn't work either.
Error: ldap_bind: Can't contact LDAP server (-1)
Try -v for a detailed log, and -w should be in lower case. As for leaving out the password, one way is to use '-w -', with which you will be prompted to enter the password. Hope this helps.
Ensure that you have the status attribute defined in the schema (the attribute cannot be added to an entry unless the entry has an objectClass attribute value that allows the status attribute). Further, the authentication identity cn=Test,ou=mygroup.com,o=group2.com must have permission to add the attribute.
Use ldapmodify to add the status attribute:
# -W prompts for the bind password; without -w/-W the bind has no credentials
ldapmodify -x -D "cn=Test,ou=mygroup.com,o=group2.com" -W -h hostname -p port <<!
version: 1
dn: uid=user.0,ou=people,dc=example,dc=com
changetype: modify
add: status
status: first value
status: second value
!
The above example adds two values to the status attribute (assuming it is a multi-valued attribute). For more information about the ldapmodify tool see "Using ldapmodify".