using ldapsearch to return only a value - linux

using an OPENLDAP server i want to retrieve informations from it with ldapsearch. I created a custom class called iduriclass, this class is used to store an id and an uri. in my ldapsearch command i want it to return only the uri for a specified id.
EXAMPLE : the directory contain now two entries id=test uri=server.com/test and id=test2 uri=server.com/test2
Trying it i get an ldif file that contains all uris in the server
I want to have an ldapsearch command that takes test as argument and returns only a value that is : server.com/test

Here's how you query your ldap server.
HOSTNAME=<your ladap hostname>
USERNAME=<your ldap username>
PASSWORD=<your ldap username's password>
SEARCHBASE=<your ldap's search base DN>
QUERYSTRING=test1
PORT=<your ldap port>
ldapsearch -LLL -h ${HOSTNAME} -p $PORT -D cn=${USERNAME} -w ${PASSWORD} -b "${SEARCHBASE}" "(id=${QUERYSTRING})" uri | sed -n 's/^[ \t]*uri:[ \t]*\(.*\)/\1/p'
The option -LLL will not print ldap comments on output. Your ldap may require -x (simple authentication) if it doesn't support SASL.

Adding the parameter -tt writes a file with ONLY the requested attribute(s) value as the OP requested. No preceding field name or anything else. Path is configurable with -T, otherwise is /tmp

Related

How do I use a wildcard in an attribute with ldapsearch and Active Directory?

I have users in AD with memberOf attributes having either cn=ad-users103,ou=hr,ou=groups,dc=mycorp,dc=com or cn=ad-users203,ou=hr,ou=groups,dc=mycorp,dc=com. I'd like to use a filter like cn=ad-users* but it's not returning results. I'm using ldapsearch in Linux to test my filter.
I've tried using a filter like this which returns user info:
ldapsearch -D "cn=admin..." -b "dc=mycorp,dc=com" -x -H ldaps://ldap.mycorp.com -w $PASS -E pr=100/noprompt "memberOf=cn=ad-users203,ou=hr,ou=groups,dc=mycorp,dc=com"
When I add a wildcard (taking example here), I don't get any results:
ldapsearch -D "cn=admin..." -b "dc=mycorp,dc=com" -x -H ldaps://ldap.mycorp.com -w $PASS -E pr=100/noprompt "memberOf=cn=ad-users*"
I've tried moving the splat to different positions in the filter to no avail. Should a search work this way or do I need to use something like (&(memberOf=cn=ad-users103...)(memberOf=cn=ad-users203...)) instead?
The memberOF is a distinguishedName attribute value and wildcards are not supported on distinguishedNames as shown here: https://stackoverflow.com/a/28984362/88122
And I think your AND search of
(&(memberOf=cn=ad-users103...)(memberOf=cn=ad-users203...))
Should be and OR search:
(|(memberOf=cn=ad-users103...)(memberOf=cn=ad-users203...))

how to import passwords only and update on ldap server?

I want to update passwords [user's already existing in ldap] of the user by importing data from /etc/passwd & /etc/shadow
How to achieve this ?
I will give the overview of my setup.
nodes user id & password managed by management node [xcat], ldap not used for this purpose.
We have imported the user's from management node to ldap server by following the below given steps:-
Copied /etc/passwd, /etc/group & /etc/shadow from management node.
getent passwd > /tmp/passwd.out getent shadow > /tmp/shadow.out
cd /usr/share/migrationtools/ ./migrate_passwd.pl /tmp/passwd.out > /tmp/passwd.ldif
ldapadd -x -W -D "cn=Manager,dc=aadityaldap,dc=com" -f /tmp/passwd.ldif
Now we want to update the passwords frequently and keep the ldap server sync with out management node. please give me idea how to achive this.
I tried the same way i imported users into ldap but it gives me an error.
[root#iitmserver2 migrationtools]# ldapmodify -x -W -D "cn=Manager,dc=aadityaldap,dc=com" -f /tmp/passwd.ldif
Enter LDAP Password:
ldapmodify: modify operation type is missing at line 2, entry "uid=pharthiphan,ou=People,dc=aadityaldap,dc=com"

openam - create a user with ssoadm

I have new goal. Be able to create users of openam with ssoadm.
I have read the documentation of Openam
https://wikis.forgerock.org/confluence/display/openam/ssoadm-identity#ssoadm-identity-create-identity
However, I don't know how to create a user and then assign it a password. For now I just can create users by openam web, but is not desirable, I want to automatize.
Somebody know how can I create a normal user with ssoadm?
./ssoadm create-identity ?
./ssoadm create-agent ?
UPDATE: I have continued with my investigation :) I think I'm closer than before
$ ./ssoadm create-identity -u amadmin -f /tmp/pwd.txt -e / -i Test -t User
Minimum password length is 8.
But where is the parameter for password?
Thanks!
To create a new user in the configured data stores you could execute the following ssoadm command:
$ openam/bin/ssoadm create-identity -e / -i helloworld -t User -u amadmin -f .pass -a givenName=Hello sn=World userPassword=changeit
Here you can see that I've defined the password as the userPassword attribute, which is data store dependent really. For my local OpenDJ this is perfectly legal, but if you are using a database or something else, then you'll have to adjust the command accordingly.
If you don't want to provide the attributes on the command line, then you could put all the values into a properties file, for example:
$ echo "givenName=Hello
sn=World
userPassword=changeit" > hello.txt
$ openam/bin/ssoadm create-identity -e / -i helloworld -t User -u amadmin -f .pass -D hello.txt
But I must say that using OpenAM for identity management is not recommended, you should use your data store's own tools to manage identities (i.e. use an LDAP client within your app, or just simply use the ldap* CLI tools). You may find that OpenAM doesn't handle all the different identity management related tasks as normally people would expect, so to prevent surprises use something else for identity management.

Write to stdin which asks for password

I am working on a bash script to configure openldap and add ldif script with users and groups.
How can I write the password from the bash script ?
This is the script I run when it asks for password:
ldapadd -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" -W -x -f /etc/ldap/base.ldif
EDIT:
I tried this and created a passwd.txt file with the password:
ldapadd -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" -W -x -y'passwd.txt' -f /etc/ldap/base.ldif
But gets this error:
Warning: Password file passwd.txt is publicly readable/writeable
ldap_bind: Invalid credentials (49)
man ldapadd.
-W
Prompt for simple authentication. This is used instead of specifying the password on the command line.
-w passwd
Use passwd as the password for simple authentication.
-y passwdfile
Use complete contents of passwdfile as the password for simple authentication.
So seems you are looking for option of -w or -y, not -W
There're two possibilities:
ldapadd reads the password from the standard input.
ldapadd reads the password directly from the current TTY.
In the first case it's enough to use something like this echo 'MySecretPassword' | ldapadd -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" -W -x -f /etc/ldap/base.ldif. The second one is more complicated because you need a tool like expect. Check if the simple redirection works first.

How do I clone an OpenLDAP database

I know this is more like a serverfault question than a stackoverflow question, but since serverfault isn't up yet, here I go:
I'm supposed to move an application from one redhat server to another, and without very good knowledge of the internal workings of the application, how would I move the OpenLDAP database from the one machine to the other, with schemas and all.
What files would I need to copy over? I believe the setup is pretty standard.
The problem with SourceRebels' answer is that slapcat(8) does not guarantee that the data is ordered for ldapadd(1)/ldapmodify(1).
From man slapcat (from OpenLDAP 2.3) :
The LDIF generated by this tool is suitable for use with slapadd(8).
As the entries are in database order, not superior first order, they
cannot be loaded with ldapadd(1) without first being reordered.
(FYI: In OpenLDAP 2.4 that section was rephrased and expanded.)
Plus using a tool that uses the backend files to dump the database and then using a tool that loads the ldif through the ldap protocol is not very consistent.
I'd suggest to use a combination of slapcat(8)/slapadd(8) OR ldapsearch(1)/ldapmodify(1). My preference would go to the latter as it does not need shell access to the ldap server or moving files around.
For example, dump database from a master server under dc=master,dc=com and load it in a backup server
$ ldapsearch -Wx -D "cn=admin_master,dc=master,dc=com" -b "dc=master,dc=com" -H ldap://my.master.host -LLL > ldap_dump-20100525-1.ldif
$ ldapadd -Wx -D "cn=admin_backup,dc=backup,dc=com" -H ldap://my.backup.host -f ldap_dump-20100525-1.ldif
The -W flag above prompts for ldap admin_master password however since we are redirecting output to a file you wont see the prompt - just an empty line. Go ahead and type your ldap admin_master password and enter and it will work. First line of your output file will need to be removed (Enter LDAP Password:) before running ldapadd.
Last hint, ldapadd(1) is a hard link to ldapmodify(1) with the -a (add) flag turned on.
ldapsearch and ldapadd are not necessarily the best tools to clone your LDAP DB. slapcat and slapadd are much better options.
Export your DB with slapcat:
slapcat > ldif
Import the DB with slapadd (make sure the LDAP server is stopped):
slapadd -l ldif
Some appointments:
Save your personalized schemas and objectclasses definitions on your new server. You can look for your included files at slapd.conf to obtain it, for example (this is a part of my slapd.conf):
include /etc/ldap/schema/core.schema
Include your personalized schemas and objectclasses in your new openLDAP installation.
Use slapcat command to export your full LDAP tree to a single/various ldif files.
Use ldapadd to import the ldif files on to your new LDAP installation.
I prefer copy the database through the protocol:
first of all be sure you have the same schemas on both servers.
dump the database with ldapsearch:
ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" > domain.ldif
and import it in the new server:
ldapmodify -Wx -D "cn=admin,dc=domain" -a -f domain.ldif
in one line:
ldapsearch -LLL -Wx -D "cn=admin,dc=domain" -b "dc=domain" | ldapmodify -w pass -x -D "cn=admin,dc=domain" -a
By using the bin/ldap* commands you are talking directly with the server while using bin/slap* commands you are dealing with the backend files
(Not enough reputation to write a comment...)
Ldapsearch opens a connection to the LDAP server.
Slapcat instead accesses the database directly, and this means that ACLs, time and size limits, and other byproducts of the LDAP connection are not evaluated, and hence will not alter the data. (Matt Butcher, "Mastering OpenLDAP")
Thanks, Vish. Worked like a charm! I edited the command:
ldapsearch -z max -LLL -Wx -D "cn=Manager,dc=domain,dc=fr" -b "dc=domain,dc=fr" >/tmp/save.ldif
ldapmodify -c -Wx -D "cn=Manager,dc=domain,dc=fr" -a -f /tmp/save.ldif
Just added the -z max to avoid the size limitation and the -c to go on even if the target domain already exists (my case).

Resources