Thursday, December 23, 2010

How to create a new user in OpenLDAP

We are going to create a new account for John Smith. Here are a few simple steps:
  1. We need to create a template for the new user account jsmith (file add-user.ldif):
    # User primary group
    dn: cn=jsmith,ou=groups,dc=dev,dc=local
    cn: jsmith
    objectClass: top
    objectClass: posixGroup
    gidNumber: 10000
    
    # User account
    dn: uid=jsmith,ou=people,dc=dev,dc=local
    cn: John Smith
    givenName: John
    sn: Smith
    uid: jsmith
    uidNumber: 10000
    gidNumber: 10000
    homeDirectory: /home/jsmith
    mail: jsmith@dev.local
    objectClass: top
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: inetOrgPerson
    objectClass: organizationalPerson
    objectClass: person
    loginShell: /bin/bash
    # no valid hash here, so nobody can bind as this account until step 4 sets a password
    userPassword: {CRYPT}*
    
  2. Load the user into LDAP (-c continues past errors, -x is a simple bind, -W prompts for the bind password, -D is the bind DN):
    ldapadd -cxWD cn=admin,dc=dev,dc=local -f add-user.ldif
    
    or if you are authenticated by Kerberos:
    ldapadd -f add-user.ldif
    
  3. Try to find it (ldapsearch takes the search base from BASE in ldap.conf; otherwise pass it with -b):
    ldapsearch -x uid=jsmith
    
  4. Set the user's password (consider storing user passwords in Kerberos instead):
    ldappasswd -xWD cn=admin,dc=dev,dc=local -S uid=jsmith,ou=people,dc=dev,dc=local
    
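The four steps above, as one script. This is an added example, not part of the original post: it generates the add-user.ldif template from a few parameters, allocates the next free uidNumber from ldapsearch output, and, only when LDAP_LOAD=1 is set, runs the ldapadd, ldapsearch and ldappasswd commands against a live server. It assumes the dc=dev,dc=local tree with ou=people and ou=groups already exists, that cn=admin,dc=dev,dc=local is the rootdn, and that mail addresses are <uid>@dev.local; the uid and name checks are there because a "," "=" or newline in a value pasted into the template would otherwise end up unescaped in the DN or as an extra LDIF attribute.

```shell
#!/bin/sh
# Added example (not from the post): generate add-user.ldif from parameters,
# allocate the next free uidNumber, and, only when LDAP_LOAD=1, load it.
# Assumptions: the dc=dev,dc=local tree with ou=people and ou=groups already
# exists, cn=admin,dc=dev,dc=local is the rootdn, mail is <uid>@dev.local.

BASE_DN="${BASE_DN:-dc=dev,dc=local}"
ADMIN_DN="${ADMIN_DN:-cn=admin,$BASE_DN}"
MAIL_DOMAIN="${MAIL_DOMAIN:-dev.local}"

# Accept only a plain POSIX login name (lowercase, digits, "_" and "-", not
# starting with a digit or "-", at most 32 chars). A "," "=" "+" or newline in
# the uid would otherwise land unescaped in the DN and in the LDIF, letting the
# caller smuggle extra attributes (or a whole extra entry) into what we load.
valid_uid() {
    case "$1" in
        ''|*[!a-z0-9_-]*|-*|[0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Read "uidNumber: N" lines (ldapsearch -LLL output) on stdin and print the
# next free number, or UID_MIN if the tree is empty. This is read-then-write:
# two admins running it at the same time can get the same number; the slapd
# "unique" overlay on uidNumber is what actually enforces uniqueness.
next_uid_number() {
    awk -v min="${UID_MIN:-10000}" '
        /^uidNumber: [0-9]+$/ { if ($2 + 0 >= max) max = $2 + 1 }
        END { if (max < min) max = min; print max }'
}

# Emit the LDIF for the user-private group and the account: uidNumber doubles
# as gidNumber, as in the post. userPassword is {CRYPT}* (no valid hash), so
# the entry exists but nobody can bind as it until ldappasswd sets a password.
make_user_ldif() {
    uid=$1; given=$2; sn=$3; number=$4; shell=${5:-/bin/bash}
    valid_uid "$uid" || { echo "invalid uid: $uid" >&2; return 1; }
    case "$number" in ''|*[!0-9]*) echo "invalid uidNumber: $number" >&2; return 1 ;; esac
    [ "$number" -ge 1000 ] || { echo "uidNumber $number is in the system range" >&2; return 1; }
    # Names must start with a letter and stay on one line, so no LDIF value
    # needs base64 encoding (values beginning with space, ":" or "<" would).
    if printf '%s\n' "$given" "$sn" | grep -Evq '^[A-Za-z][A-Za-z0-9 .-]*$'; then
        echo "invalid name: $given $sn" >&2; return 1
    fi
    cat <<EOF
# User primary group
dn: cn=$uid,ou=groups,$BASE_DN
cn: $uid
objectClass: top
objectClass: posixGroup
gidNumber: $number

# User account
dn: uid=$uid,ou=people,$BASE_DN
cn: $given $sn
givenName: $given
sn: $sn
uid: $uid
uidNumber: $number
gidNumber: $number
homeDirectory: /home/$uid
mail: $uid@$MAIL_DOMAIN
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: $shell
userPassword: {CRYPT}*
EOF
}

if [ "${LDAP_LOAD:-0}" = 1 ]; then
    # Steps 1-4 of the post against a live server (prompts for the admin password).
    number=$(ldapsearch -x -LLL -b "ou=people,$BASE_DN" '(objectClass=posixAccount)' uidNumber | next_uid_number)
    make_user_ldif jsmith John Smith "$number" > add-user.ldif
    ldapadd -c -x -W -D "$ADMIN_DN" -f add-user.ldif
    ldapsearch -x -LLL -b "ou=people,$BASE_DN" '(uid=jsmith)'
    ldappasswd -x -W -D "$ADMIN_DN" -S "uid=jsmith,ou=people,$BASE_DN"
else
    # Offline: just print the template that step 1 of the post writes by hand.
    make_user_ldif jsmith John Smith 10000
fi
```

Run it without LDAP_LOAD to see the generated template, or with LDAP_LOAD=1 to load it; the Kerberos variant of step 2 is the same ldapadd call without -x, -W and -D, so GSSAPI is used. The uidNumber allocation is only as safe as the server makes it: configure the unique overlay on uidNumber (and uid) if more than one person adds accounts.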
Read more about OpenLDAP here.

7 comments:

  1. Is OpenLDAP meant for only Linux machines?
    Can we set up OpenLDAP on a Linux machine and access it on a Windows machine? I have installed OpenLDAP on Windows and don't know how to add users or see values. I request you to throw some light on this.

    Replies
    1. You should probably take a look at http://www.samba.org instead.

    2. You can use pGina (pgina.org) for allowing users to log on to Windows machines using LDAP authentication.

  2. I'm having a hell of a time. I've got OpenLDAP installed, and I have a client pointed to my LDAP server. However, I can't log into an LDAP user. I'm kind of lost. On the client machine, if I issue a 'su' command, it will find the user I just created, but it always says incorrect password. Is there any documentation out there to help resolve this?

    Replies
    1. John, thank you for the question. Generally speaking, it is not recommended to store user passwords in LDAP, and it is more natural to use Kerberos authentication for this purpose. You should be able to get this done using the posts with the labels kerberos and ldap: (1) you need a Kerberos server; (2) add the user to Kerberos; (3) replace OpenLDAP authentication with the one from Kerberos (that impacts both the client and the LDAP server).

  3. Is it possible to have users auto-created on the client machine on the very first login, similar to Active Directory? In this way I don't have to create users on each machine.

    Replies
    1. With OpenLDAP you do not need to create local users; they are taken from a central location, the LDAP server.
