Common OpenLDAP commands

Source: Internet
Author: User
Tags ldapsearch starttls openldap

The following content is reproduced from http://joyssue.blog.51cto.com/95711/285282

1. Delete an entry: ldapdelete
# ldapdelete -x -D 'cn=root,dc=it,dc=com' -W 'uid=qq1,dc=it,dc=com'

2. Re-index the LDAP database: slapindex
# slapindex -f slapd.conf
Run it with slapd stopped, and as the user slapd runs as, otherwise the rebuilt index files end up owned by root and slapd cannot open them.

3. Set a user's password: ldappasswd
# ldappasswd -x -D "cn=root,dc=it,dc=com" -W "uid=qq1,dc=it,dc=com" -S
New password:
Re-enter new password:
Enter bind password:
Result: Success (0)
# "Enter bind password" asks for the administrator password of cn=root,dc=it,dc=com.
ldappasswd uses the Password Modify extended operation, so the server hashes the new value according to its password-hash setting ({SSHA} by default) before storing it.

4. Change the administrator password: slappasswd
# slappasswd
New password:
Re-enter new password:
{SSHA}83dj4kvwqlk1uh9k2udb8+nt1u4rgkes
Copy the hash into the rootpw line of slapd.conf (rootpw {SSHA}...) and restart slapd for the change to take effect. Never put the cleartext password in rootpw.
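The {SSHA} value slappasswd prints in item 4 is base64(SHA-1(password || salt) || salt) with a random 4-byte salt, which is why the hash on this page is exactly 32 base64 characters. The following Python is an added example, not code from the original post or from OpenLDAP: it produces and verifies values in that format, and scans slapd.conf text for rootpw lines that still hold a cleartext password (as the note above warns against). The slapd.conf snippet in the `__main__` block is constructed for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# slappasswd's default scheme: {SSHA} + base64( SHA-1(password || salt) || salt ),
# salt is 4 random bytes. 20 digest bytes + 4 salt bytes = 24 bytes = 32 base64 chars.
SALT_LEN = 4
DIGEST_LEN = hashlib.sha1().digest_size  # 20


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a {SSHA} value usable as rootpw in slapd.conf or as a userPassword value."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value; the scheme tag is case-insensitive."""
    if stored[:6].upper() != "{SSHA}":
        return False
    try:
        raw = base64.b64decode(stored[6:], validate=True)
    except ValueError:           # binascii.Error is a ValueError: bad alphabet or padding
        return False
    if len(raw) <= DIGEST_LEN:   # no room for a salt: malformed value
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def audit_rootpw(conf_text: str) -> List[Tuple[int, str]]:
    """Find rootpw directives in slapd.conf text and report the scheme of each.
    A value that does not start with a {SCHEME} tag is a cleartext password."""
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "rootpw":
            value = parts[1].strip().strip('"')
            if value.startswith("{") and "}" in value:
                findings.append((lineno, value[: value.index("}") + 1].upper()))
            else:
                findings.append((lineno, "cleartext"))
    return findings


if __name__ == "__main__":
    h = ssha_hash("secret")
    print("rootpw", h, "verifies:", ssha_verify("secret", h))
    # Constructed slapd.conf fragment with a cleartext rootpw, the case the audit flags.
    sample_conf = 'suffix "dc=it,dc=com"\nrootdn "cn=root,dc=it,dc=com"\nrootpw secret\n'
    print(audit_rootpw(sample_conf))  # [(3, 'cleartext')]
```

Paste the `{SSHA}...` string produced by `ssha_hash` into `rootpw` exactly as slappasswd's output would be pasted; slapd recognises the scheme tag and verifies binds against it.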
5. Modify directory content: ldapmodify
# ldapmodify -x -D "cn=root,dc=it,dc=com" -W -f modify.ldif
The changes are described in an LDIF file. modify.ldif looks like this:
dn: cn=QQ,dc=it,dc=com
changetype: modify
replace: mail
mail: modme@example.com
-
add: title
title: Grand Poobah
-
add: jpegPhoto
jpegPhoto:< file:///tmp/modme.jpeg
-
delete: description
-
6. Enable SASL authentication
The prerequisite is that the Cyrus SASL library is installed and OpenLDAP was built with SASL support (the default). Cyrus SASL can be downloaded from http://asg.web.cmu.edu/cyrus.
Create the SASL password entry for the user:
# saslpasswd2 -c qq
Then add the following to slapd.conf (the two indented lines are continuations of the single sasl-regexp directive):
sasl-regexp
    uid=(.*),cn=.*,cn=auth
    uid=$1,dc=it,dc=com
Restart the server for the configuration to take effect. This rule maps every SASL identity, whatever its realm or mechanism, to uid=<name>,dc=it,dc=com, so it is the most permissive mapping possible; see the OpenLDAP Administrator's Guide for tighter patterns. Test it with:
# ldapsearch -U qq -b 'uid=qq,dc=it,dc=com' -Y DIGEST-MD5
This binds with DIGEST-MD5 and prompts for the password set with saslpasswd2. Note that DIGEST-MD5 requires the server to keep the password in a recoverable form in sasldb and has since been declared obsolete (RFC 6331); on current systems prefer GSSAPI or SASL EXTERNAL over TLS.
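To see what the sasl-regexp rule above actually does, here is an added Python model of slapd's identity mapping (example code, not slapd's own implementation). It builds the uid=...,cn=auth authentication DN that slapd derives from a SASL bind and applies regexp rules to it in order, the way slapd.conf rules are applied. Two simplifying assumptions are labelled in the code: the authcid is inserted into the DN literally, and the match is anchored to the whole string (write ^...$ in slapd.conf to make that explicit). Besides the page's rule it includes STRICT_RULE, a hypothetical tighter pattern in the style the OpenLDAP Administrator's Guide uses, to show how the two differ on a realm and on an identity containing a comma.

```python
import re
from typing import List, Optional, Tuple

# slapd turns a successful SASL authentication into the DN
#     uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth
# (the cn=<realm> component is omitted when no realm is used), then runs the
# sasl-regexp / authz-regexp rules over it in configuration order; the first
# matching rule's replacement, with $1..$9 filled in, becomes the bound DN.
Rule = Tuple[str, str]

# The rule from this page: any identity, any realm, any mechanism -> dc=it,dc=com.
PAGE_RULE: Rule = (r"uid=(.*),cn=.*,cn=auth", r"uid=$1,dc=it,dc=com")
# Hypothetical tighter rule: one mechanism, no realm, capture limited to one RDN value.
STRICT_RULE: Rule = (r"uid=([^,]*),cn=digest-md5,cn=auth", r"uid=$1,dc=it,dc=com")


def sasl_auth_dn(authcid: str, mech: str, realm: Optional[str] = None) -> str:
    """Authentication DN slapd derives from a SASL bind.
    Assumption of this model: the authcid is inserted literally, without escaping."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech.lower()}", "cn=auth"]
    return ",".join(parts)


def map_auth_dn(auth_dn: str, rules: List[Rule]) -> Optional[str]:
    """Apply rules in order; first match wins. Matching is case-insensitive (slapd
    compiles with REG_ICASE) and, as an assumption here, anchored to the whole string."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, auth_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    # No rule matched: slapd keeps the unmapped uid=...,cn=auth identity,
    # which corresponds to no entry in the directory.
    return None


if __name__ == "__main__":
    for authcid, realm in (("qq", None), ("qq", "it.com"), ("qq,ou=admins", None)):
        dn = sasl_auth_dn(authcid, "DIGEST-MD5", realm)
        print(f"{dn:45} page rule -> {map_auth_dn(dn, [PAGE_RULE])}")
        print(f"{'':45} strict    -> {map_auth_dn(dn, [STRICT_RULE])}")
```

The greedy `(.*)` in the page's rule captures everything up to the last `,cn=` that still lets the rest match, so with a realm in play the realm component is carried into the resulting DN, and a comma in the identity adds RDNs to it. `[^,]*` keeps the capture to a single RDN value and leaves anything else unmapped.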

7. Configure server replication
In important deployments we run several LDAP servers with synchronized data, so that when one server fails or is compromised the application keeps working; combined with DNS round-robin this also spreads the load and improves response time. The slurpd process in OpenLDAP pushes changes from a master server to its slaves (slurpd exists in OpenLDAP 2.3 and earlier; 2.4 removed it in favour of syncrepl). The master/slave configuration is as follows.
slurpd runs on the master. It reads the replication log and forwards each change to the slave over LDAP. Changes made on the slave are not sent back to the master: replication is one-way. Use the same OpenLDAP version on both servers to reduce compatibility problems. Master and slave are installed identically; only the configuration files differ. The operating system here was Debian sarge. To bring up a working master/slave pair:
First stop slapd on both servers, then synchronize the data in three steps:
Copy all database files under /var/lib/ldap on the master to the same directory on the slave, overwriting the existing files.
Copy all schema files under /etc/ldap/schema on the master to the same directory on the slave, overwriting the existing files.
Copy /etc/ldap/slapd.conf on the master to the same directory on the slave, overwriting the existing file.
In the master's slapd.conf, remove the comment marker in front of the replogfile directive so that it reads:
# Where to store the replica logs for database #1
replogfile /var/lib/ldap/replog
and add a replica directive. Continuation lines must start with whitespace, and slapd.conf only treats # at the start of a line as a comment, so the explanations are kept on their own lines:
# replica config: the slave's host (name or address) and port, the DN slurpd
# binds as on the slave, and that DN's bind method and password
replica uri=ldap://192.168.6.195:389
        binddn="cn=admin,dc=com"
        bindmethod=simple credentials=1
The password in credentials is "1" in the source; use a real secret, and since a simple bind over plain ldap:// sends it across the network in the clear, use an ldaps:// URI or the replica directive's starttls=critical option.
In the slave's slapd.conf add an updatedn directive matching the master's binddn:
updatedn "cn=admin,dc=com"
The slave's configuration must not contain the replica or replogfile directives.
Start slapd and then slurpd on the master first, then slapd on the slave.

8. A complete global.ldif example (entries are separated by blank lines):
dn: dc=info,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
dc: info
o: info.net

dn: ou=people,dc=info,dc=net
objectClass: top
objectClass: organizationalUnit
ou: people
description: User Info

dn: cn=admin,dc=info,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
cn: admin
sn: admin
userPassword: admin
description: Administrator for info.net

dn: id=1,ou=people,dc=info,dc=net
objectClass: top
objectClass: infoPerson
id: 1
username: James
tel: 021-63138990
card_id: abc001
Three things to note. The source omitted objectClass: dcObject and dc: info from the first entry; a dc=info RDN requires both, otherwise slapd rejects the entry. infoPerson and the attributes id, username, tel and card_id are not part of the standard schema and must be defined in a local schema file included from slapd.conf. Finally, userPassword: admin is stored exactly as written, i.e. as a cleartext password in the directory (slapd's password-hash setting only applies to the Password Modify operation); put a {SSHA} value from slappasswd there instead.
Data can also be imported with slapadd. Unlike ldapadd it accepts LDIF that carries operational attributes, such as the output of slapcat:
dn: dc=it,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
dc: it
structuralObjectClass: organization
entryUUID: d97b06da-d77e-1028-9866-d4ec7ac00d12
creatorsName: cn=anonymous
createTimestamp: 20041201005115Z
o:: 5bm/5bee5bic6jmo5as055s15rgg6zug5zui5pyj6zmq5yws5y+4
userPassword:: e01enx14txbdt0tdnuk0su56rknhyjnxrw13pt0=
entryCSN: 2004120603:50:08Z#0x0001#0#0000
modifiersName: cn=admin,dc=it,dc=com
modifyTimestamp: 20041206035008Z
structuralObjectClass, entryUUID, creatorsName, createTimestamp, entryCSN, modifiersName and modifyTimestamp are operational attributes maintained by the server: ldapadd refuses them, slapadd (run with slapd stopped) loads them as given. Values written with :: are base64-encoded, here a non-ASCII o value and a hashed userPassword; base64 is case-sensitive and these two values were lower-cased when the source was copied, so they no longer decode to the original bytes.
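The LDIF in item 5 and in item 8 uses most of the format's constructs: continuation lines, `::` base64 values, `:<` file references, operational attributes, and `-`-separated modify groups. The reader below is an added example in Python, not code from the original post or from OpenLDAP; it parses both content records and changetype: modify records, returns file references without opening them, and reports the trailing-space trap the author warns about later on this page (a space at the end of a line becomes part of the value, or of the DN). MODIFY_LDIF is the modify.ldif from item 5; any other input in the usage below is constructed for the example.

```python
import base64
from typing import Any, Dict, List, Tuple


class LdifError(ValueError):
    """Malformed LDIF; a stray space after a '-' separator ends up here."""


def _unfold(text: str) -> List[str]:
    """Drop comment lines and join continuations (a leading space continues the previous line)."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def _split(line: str, warnings: List[str]) -> Tuple[str, Any]:
    """'attr: v' -> str, 'attr:: b64' -> bytes, 'attr:< url' -> ('url', url).
    File references are returned, not opened: ldapmodify reads the file on the client."""
    name, sep, rest = line.partition(":")
    if not sep or not name or name != name.strip():
        raise LdifError(f"not an attribute line: {line!r}")
    name = name.lower()
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip(), validate=True)
    if rest.startswith("<"):
        return name, ("url", rest[1:].strip())
    value = rest.lstrip(" ")      # RFC 2849 FILL: only spaces after the colon are skipped
    if value != value.rstrip():   # a trailing space is part of the value (or of the DN)
        warnings.append(f"{name}: value ends in whitespace: {value!r}")
    return name, value


def _parse_mods(lines: List[str], warnings: List[str]) -> List[Tuple[str, str, list]]:
    """Parse the '-'-separated groups of a 'changetype: modify' record."""
    changes, group = [], []
    for line in lines + ["-"]:
        if line != "-":
            group.append(line)
            continue
        if group:
            op, attr = _split(group[0], warnings)
            if op not in ("add", "delete", "replace"):
                raise LdifError(f"unknown modify operation {op!r}")
            attr, values = attr.lower(), []
            for value_line in group[1:]:
                name, value = _split(value_line, warnings)
                if name != attr:
                    raise LdifError(f"{name!r} value inside the '{op}: {attr}' group")
                values.append(value)
            changes.append((op, attr, values))
        group = []
    return changes


def _parse_record(block: List[str], warnings: List[str]) -> Dict[str, Any]:
    name, dn = _split(block[0], warnings)
    if name != "dn":
        raise LdifError(f"record must start with dn:, got {block[0]!r}")
    body = block[1:]
    rec: Dict[str, Any] = {"dn": dn, "changetype": "add"}
    if body and body[0].lower().startswith("changetype:"):
        rec["changetype"] = _split(body.pop(0), warnings)[1].strip().lower()
    if rec["changetype"] == "modify":
        rec["changes"] = _parse_mods(body, warnings)
    else:
        rec["attrs"] = [_split(line, warnings) for line in body]
    return rec


def parse_ldif(text: str) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Return (records, warnings). Content records carry 'attrs' as [(name, value)],
    modify records carry 'changes' as [(op, attr, [values])]."""
    records, warnings, block = [], [], []
    for line in _unfold(text) + [""]:   # a blank line ends a record
        if line.strip():
            block.append(line)
            continue
        if block and block[0].lower().startswith("version:"):
            block.pop(0)
        if block:
            records.append(_parse_record(block, warnings))
        block = []
    return records, warnings


# The modify.ldif from item 5 of this page.
MODIFY_LDIF = """dn: cn=QQ,dc=it,dc=com
changetype: modify
replace: mail
mail: modme@example.com
-
add: title
title: Grand Poobah
-
add: jpegPhoto
jpegPhoto:< file:///tmp/modme.jpeg
-
delete: description
-
"""
```

Running `parse_ldif(MODIFY_LDIF)` yields one record with four changes, the jpegPhoto value being the reference `('url', 'file:///tmp/modme.jpeg')`. Feeding it a file where a `-` separator line carries a trailing space raises LdifError, which is exactly the failure ldapmodify reports on pasted LDIF.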

 
Common OpenLDAP commands (quick reference)
slapd
-4      listen on IPv4 only
-6      listen on IPv6 only
-d      debug level; 256 is the usual choice
-f      path of the configuration file
-h      listener URL; ldap://:2004 starts the service on port 2004
slurpd
-d      debug level; 4 is the usual choice
-f      configuration file
-r      replication log file
ldapadd
-x      simple authentication
-D      DN to bind as
-H      URI of the directory server
-w      password of the bind DN, given on the command line
-f      LDIF file holding the entries to add
Example: ldapadd -x -D "cn=root,dc=starxing,dc=com" -w secret -f /root/test.ldif
ldapadd -x -D "cn=root,dc=starxing,dc=com" -w secret (without -f, the entries are read from standard input)
A password given with -w is visible in the process list and the shell history; prefer -W (prompt) or -y passwordfile.
ldapsearch
-x      simple authentication
-D      DN to bind as
-w      password of the bind DN
-b      search base, the root of the subtree to query
-H      URI of the server to query
ldapsearch -x -D "cn=root,dc=starxing,dc=com" -w secret -b "dc=starxing,dc=com"
Simple authentication, bound as cn=root,dc=starxing,dc=com, searching from dc=starxing,dc=com. Everything the bound user's ACLs allow is returned, which for the rootdn is all data.
ldapdelete
The options are the same as for ldapadd.
ldapdelete -x -D 'cn=root,dc=it,dc=com' -w secret 'uid=ZYX,dc=it,dc=com'
This deletes the entry uid=ZYX,dc=it,dc=com. An entry that still has children (an o or ou with entries under it) cannot be deleted until the children are removed; newer ldapdelete versions offer -r for a recursive delete.
ldappasswd
-x      simple authentication
-D      DN to bind as
-w      password of the bind DN
-S      prompt for the new password
-s pass set the new password to pass
-a pass give the old password as pass
-A      prompt for the old password
-H      URI of the server to bind to
-I      SASL interactive mode
# ldappasswd -x -D 'cn=root,dc=it,dc=com' -w secret 'uid=ZYX,dc=it,dc=com' -S
New password:
Re-enter new password:
This changes the password; if the entry had no userPassword, one is created.
ldapmodify
-a      add new entries (the default is to modify existing ones)
-C      chase referrals automatically
-c      continuous mode: keep going after an error instead of stopping. By default the tool exits at the first error, for example when an entry named in the LDIF file does not exist in the database; with -c the error is reported and the remaining changes are still applied.
-n      dry run: connect and show what would be done without changing anything. With the server down it returns an error, so together with -v it is a quick check that the server is reachable.
-v      verbose: print details such as the address and port used to standard output.
-M[M]   send the ManageDsaIT control; -MM marks the control critical.
-f file read the changes from file instead of standard input.
-x      simple authentication.
-D binddn       DN to bind as (normally a full DN).
-W      prompt for the bind password (alternative to -w).
-w bindpasswd   give the bind password on the command line (alternative to -W).
-H ldapuri      URI of the server, normally ldap://hostname:port; cannot be combined with -h/-p.
-h ldaphost     host name or address of the server, used with -p.
-p ldapport     port of the directory server, used with -h. -h/-p and -H are mutually exclusive.
-Z[Z]   issue the StartTLS extended operation; with -ZZ the command fails unless the TLS handshake succeeds.
The -V, -e and -E options described in the source (enable certificate authentication, client certificate file, client key file) belong to a different vendor's ldapmodify. In OpenLDAP's tools -V prints the version and -e passes general extensions; the client certificate and key are configured with TLS_CERT and TLS_KEY in ldap.conf or ~/.ldaprc, and certificate-based authentication is done with -Y EXTERNAL over TLS (-ZZ or an ldaps:// URI).
# ldapmodify -x -D "cn=root,dc=it,dc=com" -W -f modify.ldif
Applies the changes in modify.ldif to the existing entries.
 
OpenLDAP command operation

Manual input method
Step 1: create the base entry (the suffix DN):
# ldapadd -x -D 'cn=root,dc=it,dc=com' -W
dn: dc=it,dc=com
objectClass: dcObject
objectClass: organization
dc: it
o: Corporation
description: D Corporation
Note: if you copy and paste the above, make sure that no line ends in a space. It is safer to type it by hand and finish with Ctrl+D (end of input), which submits the entry.
Step 2: create an entry under it:
# ldapadd -x -D 'cn=root,dc=it,dc=com' -W
# -x selects simple authentication, -D gives the DN to bind as, -W prompts for its password.
The password asked for is the rootpw set in the configuration file, not the operating system root password. After the bind succeeds, enter the following:
dn: uid=QQ,dc=it,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: QQ
cn: QQ
sn: QQ
telephoneNumber: 138888888
description: OpenLDAP Test
telexNumber: tex-8888888
street: My Street
postOfficeBox: postofficebox
displayName: qqdisplay
homePhone: home1111111
mobile: mobile99999
mail: qq@qq.com
After entering everything, press Ctrl+D to submit. If an error occurs, check the mapping between object classes and attributes and check the input for typos. What beginners most often get wrong is the relationship between object classes and attributes. Both are defined in the schema files: each object class lists attributes that are mandatory and attributes that are optional, and an attribute can only be used in an entry if one of the entry's object classes allows it.
Query what you just entered with:
# ldapsearch -x -b 'dc=it,dc=com'
The -b option sets the search base; if BASE is set in the client's ldap.conf, it can be omitted.
If ACLs are set as in the configuration file above, an anonymous query like this cannot see the protected attributes, userPassword and mail among them. To read them you must authenticate:
# ldapsearch -x -LLL -H ldap://it.com -b 'dc=it,dc=com' -D 'uid=QQ,dc=it,dc=com' -W 'uid=QQ'
You are prompted for the password; enter the entry's userPassword and press Enter, and all attributes are displayed.
2.2.2. File method
Write the content entered by hand above into a .ldif file and import it with ldapadd's -f option:
# ldapadd -x -D "cn=root,dc=it,dc=com" -W -f test.ldif
A complete global.ldif example, and the slapadd variant carrying operational attributes, are given in item 8 above.
Again, note that no line may end in a space.
 
2.2.3. Script mode
You either write scripts yourself or download them. A good LDAP management tool written in PHP is phpLDAPadmin, available from http://phpldapadmin.sourceforge.net. Installation is simple: extract the package into the Apache web directory and edit its configuration file as described in its documentation.
2.3. Introduction to common commands
Several frequently used LDAP commands follow. phpLDAPadmin offers a graphical interface for the same operations, but it is still worth understanding the commands, because they are the fundamental interface.
The ldapdelete, slapindex, ldappasswd, slappasswd and ldapmodify examples are items 1 to 5 at the top of this page.
