I want to update passwords [user's already existing in ldap] of the user by importing data from /etc/passwd & /etc/shadow
How to achieve this ?
I will give the overview of my setup.
nodes user id & password managed by management node [xcat], ldap not used for this purpose.
We have imported the user's from management node to ldap server by following the below given steps:-
Copied /etc/passwd, /etc/group & /etc/shadow from management node.
getent passwd > /tmp/passwd.out getent shadow > /tmp/shadow.out
cd /usr/share/migrationtools/ ./migrate_passwd.pl /tmp/passwd.out > /tmp/passwd.ldif
ldapadd -x -W -D "cn=Manager,dc=aadityaldap,dc=com" -f /tmp/passwd.ldif
Now we want to update the passwords frequently and keep the ldap server sync with out management node. please give me idea how to achive this.
I tried the same way i imported users into ldap but it gives me an error.
[root#iitmserver2 migrationtools]# ldapmodify -x -W -D "cn=Manager,dc=aadityaldap,dc=com" -f /tmp/passwd.ldif
Enter LDAP Password:
ldapmodify: modify operation type is missing at line 2, entry "uid=pharthiphan,ou=People,dc=aadityaldap,dc=com"
Related
My Cpanel licence has expired and I need to enable shell access for account X , Can I do it over ssh as root? I'm able to create account , however I don't know hot to modify it. I was not able to find answer for this question.
Thank You.
You can change user shell through command line using " usermod " command
usermod -s /bin/bash USERNAME
You can check /etc/passwd file to verify user shell.
I have new goal. Be able to create users of openam with ssoadm.
I have read the documentation of Openam
https://wikis.forgerock.org/confluence/display/openam/ssoadm-identity#ssoadm-identity-create-identity
However, I don't know how to create a user and then assign it a password. For now I just can create users by openam web, but is not desirable, I want to automatize.
Somebody know how can I create a normal user with ssoadm?
./ssoadm create-identity ?
./ssoadm create-agent ?
UPDATE: I have continued with my investigation :) I think I'm closer than before
$ ./ssoadm create-identity -u amadmin -f /tmp/pwd.txt -e / -i Test -t User
Minimum password length is 8.
But where is the parameter for password?
Thanks!
To create a new user in the configured data stores you could execute the following ssoadm command:
$ openam/bin/ssoadm create-identity -e / -i helloworld -t User -u amadmin -f .pass -a givenName=Hello sn=World userPassword=changeit
Here you can see that I've defined the password as the userPassword attribute, which is data store dependent really. For my local OpenDJ this is perfectly legal, but if you are using a database or something else, then you'll have to adjust the command accordingly.
If you don't want to provide the attributes on the command line, then you could put all the values into a properties file, for example:
$ echo "givenName=Hello
sn=World
userPassword=changeit" > hello.txt
$ openam/bin/ssoadm create-identity -e / -i helloworld -t User -u amadmin -f .pass -D hello.txt
But I must say that using OpenAM for identity management is not recommended, you should use your data store's own tools to manage identities (i.e. use an LDAP client within your app, or just simply use the ldap* CLI tools). You may find that OpenAM doesn't handle all the different identity management related tasks as normally people would expect, so to prevent surprises use something else for identity management.
I'm writing a shell script that will perform a pg_dump from one server, and later it will restore the dump into a database on another server.
To access the Postgres database on the first server, I use export PGPASSWORD in order to avoid a password prompt.
When I perform the restore on the Postgres database for the second server, I am prompted for a user password. I tried to re-declare export PGPASSWORD (since the password for this database is different), but this does not work. I'm suspecting it has something to do with the fact that I have to double SSH hop in order to access the second database:
export PGPASSWORD=******
perform pg_dump
...
export PGPASSWORD=********
cat out.sql | ssh -i .ssh/server1.pem root#dev.hostname.com "ssh -i .ssh/server2 \
0.0.0.0 psql -U postgres -h localhost -p 5432 DBNAME"
The above results in:
Password for user postgres:
psql: FATAL: password authentication failed for user "postgres"
Does anyone have any suggestions? Thanks!
You can create a file in your home directory with name .pgpass & give the password details there :
like :
cat .pgpass
hostname:port:database:username:password
localhost:2323:test_db:test_user:test123**
Try this one. Hope your problem will be solved.
The .ssh/environment file is what you want. I think that file needs to be on server1, though, and server2 needs to be configured to allow users to modify their environment (via the PermitUserEnvironment option. See man ssh under "ENVIRONMENT" for more details.
How to add user on linux bash script with out using useradd or similar command.
Also copy the startup script which located in /etc/skel/, and change password for the user which you have been added.
user1=$1
read -p "Enter your home name" home_name
read -p "Enter your login shell" loginshell
echo "$user1:x:500:500:$user1:/home/$home_name:$loginshell" >> /etc/passwd
echo "$user1:x:500:" >> /etc/group
mkdir /home/$home_name
chmod 744 /home/$home_name
cp -pr /etc/skel/.bashrc /home/$home_name
echo "$user1: " >> /etc/shadow
echo "`passwd` $user1"
The error i have got it after execute this script
passwd: Authentication token manipulation error
Please could you advice me if there any mistakes?
You should explain why you want to do that. In my opnion, it is a bad idea. In particular, because it does not handle well all the various kind of systems (for instance, some Linux system use LDAP for user authentification, etc).
And I believe that your line echo "$user1: " >> /etc/shadow is wrong. Look (with sudo) at the content of the /etc/shadow file, and you'll understand that entries inside are more than just a username followed by a colon.
But really, you should use useradd or adduser to do that. You are risking to break your system entirely.
You should replace
echo "`passwd` $user1"
with
passwd $user1
for entering the first password.
But besides this problem you add all new users with the same user-id and group-id. So there are technically no new users but one user with several "aliases". You have to replace the 500 when writing /etc/passwd and /etc/group to fix that.
Another big problem is, that the user's new home directory and the startup script do not belong to him but to root. You may add a chown -R $user1:$user1 /home/$homename somewhere.
you should also have something like echo "$user1: " >> /etc/gshadow for the group that you are creating. Same as what you have done for the user and the shadow file.
I know this is more like a serverfault question than a stackoverflow question, but since serverfault isn't up yet, here I go:
I'm supposed to move an application from one redhat server to another, and without very good knowledge of the internal workings of the application, how would I move the OpenLDAP database from the one machine to the other, with schemas and all.
What files would I need to copy over? I believe the setup is pretty standard.
The problem with SourceRebels' answer is that slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1).
From man slapcat (from OpenLDAP 2.3) :
The LDIF generated by this tool is suitable for use with slapadd(8).
As the entries are in database order, not superior first order, they
cannot be loaded with ldapadd(1) without first being reordered.
(FYI: In OpenLDAP 2.4 that section was rephrased and expanded.)
Plus using a tool that uses the backend files to dump the database and then using a tool that loads the ldif through the ldap protocol is not very consistent.
I'd suggest to use a combination of slapcat(8)/slapadd(8) OR ldapsearch(1)/ldapmodify(1). My preference would go to the latter as it does not need shell access to the ldap server or moving files around.
For example, dump database from a master server under dc=master,dc=com and load it in a backup server
$ ldapsearch -Wx -D "cn=admin_master,dc=master,dc=com" -b "dc=master,dc=com" -H ldap://my.master.host -LLL > ldap_dump-20100525-1.ldif
$ ldapadd -Wx -D "cn=admin_backup,dc=backup,dc=com" -H ldap://my.backup.host -f ldap_dump-20100525-1.ldif
The -W flag above prompts for ldap admin_master password however since we are redirecting output to a file you wont see the prompt - just an empty line. Go ahead and type your ldap admin_master password and enter and it will work. First line of your output file will need to be removed (Enter LDAP Password:) before running ldapadd.
Last hint, ldapadd(1) is a hard link to ldapmodify(1) with the -a (add) flag turned on.
ldapsearch and ldapadd are not necessarily the best tools to clone your LDAP DB. slapcat and slapadd are much better options.
Export your DB with slapcat:
slapcat > ldif
Import the DB with slapadd (make sure the LDAP server is stopped):
slapadd -l ldif
Some appointments:
Save your personalized schemas and objectclasses definitions on your new server. You can look for your included files at slapd.conf to obtain it, for example (this is a part of my slapd.conf):
include /etc/ldap/schema/core.schema
Include your personalized schemas and objectclasses in your new openLDAP installation.
Use slapcat command to export your full LDAP tree to a single/various ldif files.
Use ldapadd to import the ldif files on to your new LDAP installation.
I prefer copy the database through the protocol:
first of all be sure you have the same schemas on both servers.
dump the database with ldapsearch:
ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" > domain.ldif
and import it in the new server:
ldapmodify -Wx -D "cn=admin,dc=domain" -a -f domain.ldif
in one line:
ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" | ldapmodify -w pass -x -D "cn=admin,dc=domain" -a
By using the bin/ldap* commands you are talking directly with the server while using bin/slap* commands you are dealing with the backend files
(Not enough reputation to write a comment...)
Ldapsearch opens a connection to the LDAP server.
Slapcat instead accesses the database directly, and this means that ACLs, time and size limits, and other byproducts of the LDAP connection are not evaluated, and hence will not alter the data. (Matt Butcher, "Mastering OpenLDAP")
Thanks, Vish. Worked like a charm! I edited the command:
ldapsearch -z max -LLL -Wx -D "cn=Manager,dc=domain,dc=fr" -b "dc=domain,dc=fr" >/tmp/save.ldif
ldapmodify -c -Wx -D "cn=Manager,dc=domain,dc=fr" -a -f /tmp/save.ldif
Just added the -z max to avoid the size limitation and the -c to go on even if the target domain already exists (my case).