LDAP
Introduction
The Lightweight Directory Access Protocol (LDAP) is a protocol for accessing a directory service over a network. We currently use OpenLDAP to store information about accounts (everything except password hashes, which live in Kerberos).
Definition of an OCF account
Attributes that define an OCF account (group or individual). Some of these attributes cannot be seen without the proper permissions, such as mail:

dn: distinguished name; primary key for the entry. Should be in the form uid=[uid],ou=People,dc=OCF,dc=Berkeley,dc=EDU, where uid is the user's username.
objectClass: account, ocfAccount, and posixAccount for accounts.
cn: common name; full name for users, group name for group accounts
uid: username
uidNumber: POSIX user ID number (sequentially assigned starting at 1000)
gidNumber: primary POSIX group ID number (for example, 1000 if in group ocf, or 2390 for group sorry)
homeDirectory: location of home directory
loginShell: shell (usually /bin/bash)
mail: email address. Usually a @berkeley.edu address, but any email address works. Some OCF staff have @g.ocf.berkeley.edu addresses (Google Apps)
calnetUid: CalNet ID number (for individuals)
callinkOid: CalLink organization ID number (for student groups)
userPassword: not actually a password or password hash. It is only used for pass-through authentication to Kerberos, so that clients which do not support Kerberos can bind to the LDAP server directly with their password and have the LDAP server check it against Kerberos.
creationTime: account creation time as an LDAP generalized-time value (for example 20160101000000Z, the form used in the search example below)
Definition of a POSIX group
Attributes that define a POSIX group:

dn: distinguished name; primary key for the entry. Should be in the form cn=[gid],ou=Group,dc=OCF,dc=Berkeley,dc=EDU, where gid is the group's name.
objectClass: posixGroup for groups
cn: common name; full name
description: description of the group
gidNumber: POSIX group ID number (greater than 1000; values below 1000 are reserved for system groups)
memberUid: a member of the group (a group will often have multiple memberUid attributes, one per member)
Utilities
ldapsearch
For most staff, their primary interface to LDAP will be ldapsearch, a powerful program for querying the LDAP directory.

For most usage you want to pass -x, which selects a simple bind instead of SASL; with no bind DN this is an anonymous bind, which is enough to read the attributes that are visible to everyone. Without -x, ldapsearch attempts a SASL bind (typically GSSAPI using your Kerberos ticket), which is what you need to read attributes such as mail that are hidden from anonymous clients. After the options you provide a search filter (in this case, on uid).
Searching for an account:
$ ldapsearch -x uid=sanjayk
dn: uid=sanjayk,ou=People,dc=OCF,dc=Berkeley,dc=EDU
objectClass: ocfAccount
objectClass: account
objectClass: posixAccount
cn: Sanjay Krishnan
uid: sanjayk
uidNumber: 18298
gidNumber: 20
homeDirectory: /home/s/sa/sanjayk
gecos: Sanjay Krishnan
loginShell: /bin/tcsh
calnetUid: 646431
Searching for the groups an account belongs to (the memberUid filter matches every group entry that lists that user):
$ ldapsearch -x memberUid=sanjayk | grep cn:
cn: ocfstaff
cn: admin
Searching for all accounts created after a certain time:
$ ldapsearch -x '(creationTime>=20160101000000Z)'
<many lines of output>
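The three filters above are safe only because their values are fixed strings typed by staff. When a username comes from somewhere else (a web form, a script argument), it must be escaped as RFC 4515 requires, or a value such as sanjayk)(uid=* turns a lookup of one account into a match on every account. The following is an added example, not code from the OCF wiki or from OCF's own tooling: it builds each filter shown above with that escaping, validates the timestamp form for the creationTime query instead of escaping it, and assumes only a POSIX sh with sed. It prints the filters and contacts no server; pass one to ldapsearch -x as above when you want to run it.

```shell
#!/bin/sh
# Added example (not from the OCF wiki): build RFC 4515 search filters for
# the ldapsearch queries above, escaping caller-supplied values so that a
# username such as 'sanjayk)(uid=*' cannot widen the search.
# Assumes only a POSIX sh with sed; no LDAP server is contacted.

# Escape the characters RFC 4515 forbids in a raw assertion value:
# backslash, '*', '(' and ')' become \5c, \2a, \28 and \29. (NUL would
# become \00, but a shell argument cannot carry one.) Backslash goes
# first so the escapes introduced afterwards are not escaped again.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# Filter for one account by username, e.g. '(uid=sanjayk)'.
account_filter() {
    printf '(uid=%s)' "$(ldap_filter_escape "$1")"
}

# Filter for the groups a username is a member of, e.g. '(memberUid=sanjayk)'.
groups_of_filter() {
    printf '(memberUid=%s)' "$(ldap_filter_escape "$1")"
}

# Filter for accounts created at or after a generalized-time value.
# The timestamp is validated, not escaped: only YYYYMMDDHHMMSSZ is accepted;
# anything else is rejected with status 1 and nothing is printed.
created_since_filter() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]Z) ;;
        *) echo "created_since_filter: bad timestamp '$1'" >&2; return 1 ;;
    esac
    printf '(creationTime>=%s)' "$1"
}

# Demonstration with a normal and a hostile username (constructed input).
for name in sanjayk 'sanjayk)(uid=*'; do
    printf '%-16s -> %s\n' "$name" "$(account_filter "$name")"
done
printf '%s\n' "$(groups_of_filter sanjayk)" "$(created_since_filter 20160101000000Z)"
```

The hostile name comes out as (uid=sanjayk\29\28uid=\2a), which the server compares literally and which matches nothing; the same functions can feed ldapvi, since its record argument is a filter too.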
ldapvi
ldapvi is a "text editor" for LDAP which can generate LDIF change records to pass to ldapadd (or apply them directly if you have the proper permissions). The easiest way to edit a single record with ldapvi is to run kinit [username]/admin ldapvi [record], which obtains a ticket for your admin principal and runs ldapvi with it, all in one step.
$ ldapvi uid=daradib
0 uid=daradib,ou=People,dc=OCF,dc=Berkeley,dc=EDU
objectClass: ocfAccount
objectClass: account
objectClass: posixAccount
cn: Dara Adib
uid: daradib
uidNumber: 19892
gidNumber: 20
homeDirectory: /home/d/da/daradib
loginShell: /bin/bash
calnetUid: 872544
Now if you change some attributes (say, the shell to tcsh) and try to save the temporary file that was opened in your text editor, ldapvi summarizes the pending changes and asks what to do:
1 entry read
add: 0, rename: 0, modify: 1, delete: 0
Action? [yYqQvVebB*rsf+?]
You can enter v
to view the LDIF change record (or ?
for help).
dn: uid=daradib,ou=People,dc=OCF,dc=Berkeley,dc=EDU
changetype: modify
replace: loginShell
loginShell: /bin/tcsh
You can enter y to apply the changes, q to write the LDIF change record to a file in your current directory without applying it, or Q to discard it.
ldapadd
ldapadd
is a utility to add entries to the LDAP directory if you have the
proper permissions.
To add an account, first create a file (we call it user_file
):
dn: uid=asdf,ou=People,dc=OCF,dc=Berkeley,dc=EDU
objectClass: ocfAccount
objectClass: account
objectClass: posixAccount
cn: asdf
uid: asdf
uidNumber: 25444
gidNumber: 20
homeDirectory: /home/a/as/asdf
loginShell: /bin/bash
calnetUid: 758472
Then authenticate with Kerberos using your admin principal:
$ kinit myusername/admin
Finally run ldapadd; without -x it binds with SASL (GSSAPI) using that ticket:
$ ldapadd < user_file
This also works for a file containing several entries, separated by blank lines.
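As an added example (not the OCF wiki's or OCF's own tooling), the script below generates that LDIF from validated parameters instead of a hand-edited file, so a typo or a stray character cannot produce a malformed or surprising entry. It assumes what the examples on this page suggest but do not state: usernames are lowercase letters and digits starting with a letter, home directories follow /home/<c>/<cc>/<uid>, and gidNumber defaults to 20. It also applies the LDIF rule that a value beginning or ending with a space, or beginning with ':' or '<', or containing non-ASCII bytes, must be written base64-encoded after '::'. It needs only POSIX sh, grep, cut and base64, and does not contact the server; its output is what you would pipe into ldapadd after kinit.

```shell
#!/bin/sh
# Added example, not the OCF wiki's own tooling: build the LDIF record that
# ldapadd expects for a new OCF account from validated parameters.
# Assumptions (not stated on the page): usernames are lowercase letters and
# digits starting with a letter; the home directory layout /home/<c>/<cc>/<uid>
# is inferred from the examples above; gidNumber defaults to 20 as in those
# examples. Needs POSIX sh, grep, cut and base64; no server is contacted.

OCF_PEOPLE='ou=People,dc=OCF,dc=Berkeley,dc=EDU'

# Emit one "attr: value" line. LDIF (RFC 2849) requires "attr:: <base64>"
# when a value starts or ends with a space, starts with ':' or '<', or
# contains non-ASCII bytes, so a name like " Jo" or "José" is encoded.
ldif_attr() {
    attr=$1; val=$2
    needs_b64=0
    case "$val" in ' '*|*' '|:*|'<'*) needs_b64=1 ;; esac
    if printf '%s' "$val" | LC_ALL=C grep -q '[^ -~]'; then needs_b64=1; fi
    if [ "$needs_b64" -eq 1 ]; then
        printf '%s:: %s\n' "$attr" "$(printf '%s' "$val" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$attr" "$val"
    fi
}

# Usage: account_ldif UID "Full Name" UIDNUMBER CALNETUID [GIDNUMBER]
# Prints the LDIF entry on success; prints nothing and returns 1 on bad input.
account_ldif() {
    uid=$1; name=$2; uidnum=$3; calnet=$4; gidnum=${5:-20}

    printf '%s\n' "$uid" | grep -Eq '^[a-z][a-z0-9]*$' \
        || { echo "account_ldif: invalid username '$uid'" >&2; return 1; }
    for n in "$uidnum" "$calnet" "$gidnum"; do
        printf '%s\n' "$n" | grep -Eq '^[0-9]+$' \
            || { echo "account_ldif: '$n' is not a number" >&2; return 1; }
    done
    [ -n "$name" ] || { echo "account_ldif: empty full name" >&2; return 1; }

    # Home directory layout seen on this page: /home/s/sa/sanjayk
    c1=$(printf '%s' "$uid" | cut -c1)
    c2=$(printf '%s' "$uid" | cut -c1-2)

    ldif_attr dn "uid=$uid,$OCF_PEOPLE"
    printf 'objectClass: ocfAccount\nobjectClass: account\nobjectClass: posixAccount\n'
    ldif_attr cn "$name"
    ldif_attr uid "$uid"
    ldif_attr uidNumber "$uidnum"
    ldif_attr gidNumber "$gidnum"
    ldif_attr homeDirectory "/home/$c1/$c2/$uid"
    ldif_attr loginShell /bin/bash
    ldif_attr calnetUid "$calnet"
}

# Demonstration with the account from the user_file example above; the
# output is byte-for-byte that file and can be piped into ldapadd.
account_ldif asdf asdf 25444 758472
```

Generating the record this way also makes the review step explicit: the script refuses a username with a space or capital letter, and a non-numeric uidNumber, before anything reaches the directory.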