- We need to create a template for a new user account jsmith (file add-user.ldif):
# User primary group
dn: cn=jsmith,ou=groups,dc=dev,dc=local
cn: jsmith
objectClass: top
objectClass: posixGroup
gidNumber: 10000

# User account
dn: uid=jsmith,ou=people,dc=dev,dc=local
cn: John Smith
givenName: John
sn: Smith
uid: jsmith
uidNumber: 10000
gidNumber: 10000
homeDirectory: /home/jsmith
mail: jsmith@dev.local
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: {CRYPT}*
- Load the user into LDAP:
ldapadd -cxWD cn=admin,dc=dev,dc=local -f add-user.ldif
or, if you are authenticated by Kerberos:
ldapadd -f add-user.ldif
- Try to find it:
ldapsearch -x uid=jsmith
- Set the user password (consider storing the user password in Kerberos instead):
ldappasswd -xWD cn=admin,dc=dev,dc=local -S uid=jsmith,ou=people,dc=dev,dc=local
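A generalization of the add-user.ldif template above, as an added example that is not part of the original post: a shell function that renders the same two entries for any account and rejects values that would change the DN or inject extra LDIF lines. The helper name make_user_ldif and its validation rules are assumptions; the base DN, attributes and locked {CRYPT}* password follow the template.

```shell
# Added example, not from the original post. make_user_ldif is a hypothetical
# helper; BASE_DN and the attribute layout follow the page's add-user.ldif.
LC_ALL=C
BASE_DN="dc=dev,dc=local"

# Usage: make_user_ldif <uid> <givenName> <sn> <uidNumber>
make_user_ldif() {
    [ "$#" -eq 4 ] || return 1
    uid=$1 given=$2 sn=$3 num=$4
    # uid lands in a DN, a path and a mail address: lowercase login names only.
    case $uid in ''|[!a-z_]*|*[!a-z0-9_-]*) echo "bad uid" >&2; return 1 ;; esac
    # Names are written as plain LDIF values: no newlines, colons or spaces.
    case $given in ''|*[!A-Za-z-]*) echo "bad givenName" >&2; return 1 ;; esac
    case $sn in ''|*[!A-Za-z-]*) echo "bad sn" >&2; return 1 ;; esac
    case $num in ''|*[!0-9]*) echo "bad uidNumber" >&2; return 1 ;; esac
    cat <<EOF
# User primary group
dn: cn=$uid,ou=groups,$BASE_DN
cn: $uid
objectClass: top
objectClass: posixGroup
gidNumber: $num

# User account
dn: uid=$uid,ou=people,$BASE_DN
cn: $given $sn
givenName: $given
sn: $sn
uid: $uid
uidNumber: $num
gidNumber: $num
homeDirectory: /home/$uid
mail: $uid@dev.local
objectClass: top
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
loginShell: /bin/bash
userPassword: {CRYPT}*
EOF
}
```

Redirect the output to add-user.ldif and load it with the ldapadd command shown above; the account stays locked until a password is set or Kerberos authentication is in place.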
Thursday, December 23, 2010
How to create a new user in OpenLDAP
We are going to create a new account for John Smith. Here are a few simple steps:
Is OpenLDAP meant for only Linux machines?
Can we set up OpenLDAP on a Linux machine and access it on a Windows machine? I have installed OpenLDAP on Windows and don't know how to add users or see values. Request you to throw some light on this.
You should probably take a look at http://www.samba.org instead.
You can use pGina (pgina.org) for allowing users to log on to Windows machines using LDAP authentication.
I'm having a hell of a time. I've got OpenLDAP installed, and I have a client pointed to my LDAP server. However, I can't log into an LDAP user. I'm kind of lost. On the client machine, if I issue a 'su' command, it will find the user I just created, but always says incorrect password. Is there any documentation out there to help resolve this?
John, thank you for the question. Generally speaking, it is not recommended to store the user password in LDAP, and it is more natural to use Kerberos authentication for this purpose. You should be able to get this done using posts with the labels kerberos and ldap: (1) you need a Kerberos server; (2) add the user to Kerberos; (3) replace OpenLDAP authentication with the one from Kerberos (that impacts both the client and the LDAP server).
Is it possible to have user auto-creation on the client machine on the very first login, similar to Active Directory? In this way I don't have to create users on each machine.
With OpenLDAP you do not need to create local users; they are taken from a central location, the LDAP server.