OpenLDAP offers a series of tools for the administration of data in the LDAP directory. The four most important tools for adding to, deleting from, searching through and modifying the data stock are explained below.
Once your LDAP server
is correctly configured (it features appropriate entries for
suffix
, directory
,
rootdn
, rootpw
and
index
), proceed to entering records. OpenLDAP offers
the ldapadd command for this task. If possible, add
the objects to the database in bundles (for practical reasons). LDAP is
able to process the LDIF format (LDAP data interchange format) for this.
An LDIF file is a simple text file that can contain an arbitrary number
of attribute and value pairs.
The LDIF file for creating a rough framework for the example in
Figure 4.1, “Structure of an LDAP Directory” would look like the one in
Example 4.2, “Example for an LDIF File”.
![]() | Encoding of LDIF Files |
---|---|
LDAP works with UTF-8 (Unicode). Umlauts must be encoded correctly. Otherwise, avoid umlauts and other special characters or use recode to recode the input to UTF-8. |
Example 4.2. Example for an LDIF File
# The Organization dn: dc=example,dc=com objectClass: dcObject objectClass: organization o: Example dc: example # The organizational unit development (devel) dn: ou=devel,dc=example,dc=com objectClass: organizationalUnit ou: devel # The organizational unit documentation (doc) dn: ou=doc,dc=example,dc=com objectClass: organizationalUnit ou: doc # The organizational unit internal IT (it) dn: ou=it,dc=example,dc=com objectClass: organizationalUnit ou: it
Save the file with the .ldif
suffix then pass it to
the server with the following command:
ldapadd -x -D <dn of the administrator> -W -f <file>.ldif
-x
switches off the authentication with SASL in this
case. -D
declares the user that calls the operation.
The valid DN of the administrator is entered here just like it has been
configured in slapd.conf
. In the current example,
this is cn=Administrator,dc=example,dc=com
.
-W
circumvents entering the password on the command
line (in clear text) and activates a separate password prompt.
The -f
option passes the filename. See the details of
running ldapadd in
Example 4.3, “ldapadd with example.ldif”.
Example 4.3. ldapadd with example.ldif
ldapadd -x -D cn=Administrator,dc=example,dc=com -W -f example.ldif Enter LDAP password: adding new entry "dc=example,dc=com" adding new entry "ou=devel,dc=example,dc=com" adding new entry "ou=doc,dc=example,dc=com" adding new entry "ou=it,dc=example,dc=com"
The user data of individuals can be prepared in separate LDIF files.
Example 4.4, “LDIF Data for Tux” adds
Tux
to the new LDAP directory.
Example 4.4. LDIF Data for Tux
# coworker Tux dn: cn=Tux Linux,ou=devel,dc=example,dc=com objectClass: inetOrgPerson cn: Tux Linux givenName: Tux sn: Linux mail: tux@example.com uid: tux telephoneNumber: +49 1234 567-8
An LDIF file can contain an arbitrary number of objects. It is possible at once to pass directory branches (entirely or in part) to the server as shown in the example of individual objects. If it is necessary to modify some data relatively often, a fine subdivision of single objects is recommended.
The tool ldapmodify is provided for modifying the
data stock. The easiest way to do this is to modify the corresponding
LDIF file then pass this modified file to the LDAP server. To change the
telephone number of colleague Tux from +49 1234 567-8
to +49 1234 567-10
, edit the LDIF file like in
Example 4.5, “Modified LDIF File tux.ldif”.
Example 4.5. Modified LDIF File tux.ldif
# coworker Tux dn: cn=Tux Linux,ou=devel,dc=example,dc=com changetype: modify replace: telephoneNumber telephoneNumber: +49 1234 567-10
Import the modified file into the LDAP directory with the following command:
ldapmodify -x -D cn=Administrator,dc=example,dc=com -W -f tux.ldif
Conversely, pass the attributes to change directly to ldapmodify. The procedure for this is described below:
Start ldapmodify and enter your password:
ldapmodify -x -D cn=Administrator,dc=example,dc=com -W Enter LDAP password:
Enter the changes while carefully complying with the syntax in the order presented below:
dn: cn=Tux Linux,ou=devel,dc=example,dc=com changetype: modify replace: telephoneNumber telephoneNumber: +49 1234 567-10
Find detailed information about ldapmodify and its syntax in the ldapmodify man page.
OpenLDAP provides, with ldapsearch, a command line tool for searching data within an LDAP directory and reading data from it. A simple query would have the following syntax:
ldapsearch -x -b dc=example,dc=com "(objectClass=*)"
The -b
option determines the search base (the section
of the tree within which the search should be performed). In the current
case, this is dc=example,dc=com
. To perform a more
finely-grained search in specific subsections of the LDAP directory (for
example, only within the devel
department), pass this
section to ldapsearch with -b
.
-x
requests activation of simple authentication.
(objectClass=*)
declares that all objects contained
in the directory should be read. This command option can be used after
the creation of a new directory tree to verify that all entries have
been recorded correctly and the server responds as desired. Find more
information about the use of ldapsearch in the
corresponding man page (ldapsearch(1)
).