OpenLDAP offers a series of tools for the administration of data in the LDAP directory. The four most important tools for adding to, deleting from, searching through and modifying the data stock are explained below.
Once the configuration of your LDAP server in
/etc/openldap/slapd.conf
is correct and ready to go
(it features appropriate entries for suffix
,
directory
, rootdn
,
rootpw
and index
), proceed to
entering records. OpenLDAP offers the ldapadd command
for this task. If possible, add the objects to the database in bundles for
practical reasons. LDAP is able to process the LDIF format (LDAP data
interchange format) for this. An LDIF file is a simple text file that can
contain an arbitrary number of attribute and value pairs. Refer to the
schema files declared in slapd.conf
for the available
object classes and attributes. The LDIF file for creating a rough framework
for the example in Figure 20.1, “Structure of an LDAP Directory” would look like that
in Example 20.7, “Example for an LDIF File”.
![]() | Encoding of LDIF Files |
---|---|
LDAP works with UTF-8 (Unicode). Umlauts must be encoded correctly. Use an editor that supports UTF-8, such as Kate or recent versions of Emacs. Otherwise, avoid umlauts and other special characters or use recode to recode the input to UTF-8. |
Example 20.7. Example for an LDIF File
# The Organization dn: dc=example,dc=com objectClass: dcObject objectClass: organization o: Example dc: example # The organizational unit development (devel) dn: ou=devel,dc=example,dc=com objectClass: organizationalUnit ou: devel # The organizational unit documentation (doc) dn: ou=doc,dc=example,dc=com objectClass: organizationalUnit ou: doc # The organizational unit internal IT (it) dn: ou=it,dc=example,dc=com objectClass: organizationalUnit ou: it
Save the file with the .ldif
suffix then
pass it to the server with the following command:
ldapadd -x -D <dn of the administrator> -W -f <file>.ldif
-x
switches off the authentication
with SASL in this case. -D
declares the user
that calls the operation. The valid DN of the administrator is entered here
just like it has been configured in slapd.conf
. In the
current example, this is cn=Administrator,dc=example,dc=com
.
-W
circumvents entering the password on the
command line (in clear text) and activates a separate password
prompt. This password was previously determined in
slapd.conf
with rootpw
.
The -f
option passes the filename. See the details of
running ldapadd in Example 20.8, “ldapadd with example.ldif”.
Example 20.8. ldapadd with example.ldif
ldapadd -x -D cn=Administrator,dc=example,dc=com -W -f example.ldif Enter LDAP password: adding new entry "dc=example,dc=com" adding new entry "ou=devel,dc=example,dc=com" adding new entry "ou=doc,dc=example,dc=com" adding new entry "ou=it,dc=example,dc=com"
The user data of individuals can be prepared in separate
LDIF files. Example 20.9, “LDIF Data for Tux” adds
Tux
to the new LDAP directory.
Example 20.9. LDIF Data for Tux
# coworker Tux dn: cn=Tux Linux,ou=devel,dc=example,dc=com objectClass: inetOrgPerson cn: Tux Linux givenName: Tux sn: Linux mail: tux@example.com uid: tux telephoneNumber: +49 1234 567-8
An LDIF file can contain an arbitrary number of objects. It is possible to pass entire directory branches to the server at once or only parts of it as shown in the example of individual objects. If it is necessary to modify some data relatively often, a fine subdivision of single objects is recommended.
The tool ldapmodify is provided for modifying the
data stock. The easiest way to do this is to modify the corresponding LDIF
file then pass this modified file to the LDAP server. To change the
telephone number of colleague Tux from +49 1234 567-8
to
+49 1234 567-10
, edit the LDIF file like in
Example 20.10, “Modified LDIF File tux.ldif”.
Example 20.10. Modified LDIF File tux.ldif
# coworker Tux dn: cn=Tux Linux,ou=devel,dc=example,dc=com changetype: modify replace: telephoneNumber telephoneNumber: +49 1234 567-10
Import the modified file into the LDAP directory with the following command:
ldapmodify -x -D cn=Administrator,dc=example,dc=com -W -f tux.ldif
Alternatively, pass the attributes to change directly to ldapmodify. The procedure for this is described below:
Start ldapmodify and enter your password:
ldapmodify -x -D cn=Administrator,dc=example,dc=com -W Enter LDAP password:
Enter the changes while carefully complying with the syntax in the order presented below:
dn: cn=Tux Linux,ou=devel,dc=example,dc=com changetype: modify replace: telephoneNumber telephoneNumber: +49 1234 567-10
Find detailed information about ldapmodify and its syntax in the ldapmodify man page.
OpenLDAP provides, with ldapsearch, a command line tool for searching data within an LDAP directory and reading data from it. A simple query would have the following syntax:
ldapsearch -x -b dc=example,dc=com "(objectClass=*)"
The -b
option determines the search base—the
section of the tree within which the search should be performed. In the
current case, this is dc=example,dc=com
. To perform a
more finely-grained search in specific subsections of the LDAP directory
(for example, only within the devel
department), pass
this section to ldapsearch with -b
.
-x
requests activation of simple authentication.
(objectClass=*)
declares that all objects contained in
the directory should be read. This command option can be used after the
creation of a new directory tree to verify that all entries have been
recorded correctly and the server responds as desired. Find more
information about the use of ldapsearch in the
corresponding man page (ldapsearch(1)).