LinuxQuestions.org

several questions about ldap (adding new groups/users/etc) (https://www.linuxquestions.org/questions/linux-server-73/several-questions-about-ldap-adding-new-groups-users-etc-727070/)

ncsuapex 05-19-2009 10:26 AM

several questions about ldap (adding new groups/users/etc)
 
Sorry for the generic thread title, but I'm not sure how to cram my questions into a short subject.


I have successfully set up an LDAP server on a CentOS 5.2 server. I can log onto a client machine using the user I created. My questions are geared towards maintenance as my user/group lists grow.


What's the best way to add new users and new groups?


I've seen several references to migrating the passwd/shadow files into LDAP files, but I'm not sure I want to go that route. I'd rather keep all the users/groups in the LDAP directory rather than having them locally on my LDAP server and then migrating them into LDAP.


I created an initial groups.ldif file and an initial users.ldif file. But if I try to add new users and groups I get errors:

example:
groups.ldif
(current)
dn: cn=users,ou=Group,dc=domain,dc=com
objectClass: posixGroup
objectClass: top
cn: users
userPassword: {crypt}x
gidNumber: 20


then if I add an entry like this to the file:

dn: cn=test,ou=Group,dc=domain,dc=com
objectClass: posixGroup
objectClass: top
cn: test
userPassword: {crypt}x
gidNumber: 21


run this command:

ldapmodify -W -x -D "cn=Manager,dc=domain,dc=com" -f groups.ldif

get this error:
modifying entry "cn=test,ou=Group,dc=domain,dc=com"
ldap_modify: No such object (32)
    matched DN: ou=Group,dc=domain,dc=com


I can add a new file and run the same command with the new file name and it runs successfully. But I would rather not have a new file every time I create a new user/group.

bathory 05-19-2009 05:30 PM

Quote:

What's the best way to add new users and new groups?
IMHO the best way to add entries in OpenLDAP is to use ldapadd with the appropriate ldif file.
Quote:

I can add a new file and run the same command with the new file name and it runs successfully. But I would rather not have a new file every time I create a new user/group.
If you prefer using the ldapmodify utility with the same ldif (by adding entries at the end of the file), then you have to use the -ac options (add, and continue on errors):
Code:

ldapmodify -W -acx -D "cn=Manager,dc=domain,dc=com" -f groups.ldif
Regards

ncsuapex 05-20-2009 07:32 AM

Quote:

ldapmodify -W -acx -D "cn=Manager,dc=domain,dc=com" -f groups.ldif


Ahhh yes... That worked perfectly for a group I added to my groups.ldif file. Thanks!

ncsuapex 05-21-2009 02:53 PM

Decided to install phpldapadmin to see if it would be easier to manage my users/etc. So far I like it, it does make adding users/groups easier. But one thing I can't figure out how to do is add multiple groups to a user.

When I add a user I can add a gidNumber for its primary group. But I cannot figure out how to add secondary groups. I have several groups added in their own ou.

Any hints on how to add multiple groups to a user?


Thanks!

bathory 05-21-2009 03:12 PM

Hi,

You might take a look at this discussion if you want to assign multiple groups to a user.

Regards

ncsuapex 05-22-2009 07:53 AM

Hmmmm, I followed the link and wasn't smart enough to figure it out based on the discussion, so I googled groupOfNames and found a way to add it using phpldapadmin. Upon further review I don't think this is going to work for me. I need to add users to groups so they can perform work on the servers as a member of a group. Say I want my web guy to edit the website, so I add him to the apache group, but I also need him to be a part of the mysql group because some of the website functions run through mysql. He needs to be a member of both groups. Right now I can only assign him to one group.


I think the groupOfNames is for organization maybe? And not to grant access.

bathory 05-22-2009 08:50 AM

Actually I've searched for the memberOf attribute in OpenLDAP and ended up on that link.
I'm aware of this attribute because we also use the Sun ONE Directory Server, where it is available, along with ACLs defining roles for users depending on this attribute. Sort of what you want to do with OpenLDAP.
You can give it a try as it's free for download and see if it fits your needs.
BTW, what happens if you assign more than one member attribute to a user, like the example in the link I gave you? Assuming of course that you have also added the groupOfNames objectClass.

ncsuapex 05-22-2009 03:28 PM

I've already removed those entries. But from what I can remember it created a listing under my Group with the new cn=newgroupname and it had as members the 2 members I added. But there was no gidNumber or any number suggesting that it had any group level privileges, and when I did an "id username" on one of my ldap clients it just listed its original group.


I think some combination of ldapmodify and something along these lines should work. I've tried several different combos and keep getting errors.

dn: cn=user1,ou=Group,dc=example,dc=com
changetype: add
objectClass: posixGroup
cn: user1
gidNumber: 1000


When I tried that (changing the values for my setup) it actually added a new group under my Group list. There has to be a way to add a group to a user through something similar.

bathory 05-22-2009 05:55 PM

I don't think this is a good way to proceed. I suggest you create the various groups, like:
Quote:

dn: cn=Group1,dc=...
...

dn: cn=Group2,dc=...
...

dn: cn=Group3,dc=...
...
Put the users under ou=people or something like that and add the groups you want them to belong:
Quote:

dn: cn=user1,ou=people,dc=...
...
...
objectClass: groupOfNames
...
...
member: cn=Group1,dc=...
member: cn=Group2,dc=...

dn: cn=user2,ou=people,dc=...
...
...
objectClass: groupOfNames
...
...
member: cn=Group1,dc=...
member: cn=Group3,dc=...
and see if it works.

ncsuapex 05-26-2009 12:23 PM

Turns out I was making this much harder than it was.

When I made my groups under
ou=Group,dc=domain,dc=com

I didn't create them right, even though I had created them as Posix Group. I added a new one in phpldapadmin and it let me give it a gidNumber and memberUid. I can just add members to the memberUid and it adds them to that group.


Thanks for your help.
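The approach the thread settled on, as an added example that is not code from the thread: a small sh script that generates LDIF for posixGroup entries carrying memberUid values (secondary membership, visible in "id"), plus modify records that append one login name to several existing groups; the explicit changetype lines also avoid the "No such object (32)" error from the first post without needing -a. The base DN and ou=Group are the ones used in the thread; the user and group names are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits RFC 2307 LDIF for OpenLDAP:
# posixGroup records with memberUid (secondary group membership) and modify
# records that append a uid to existing groups. BASE_DN and GROUP_OU follow the
# DNs used in the thread; every user and group name below is constructed.
BASE_DN="dc=domain,dc=com"
GROUP_OU="ou=Group,${BASE_DN}"

# group_ldif <cn> <gidNumber> [<memberUid> ...]
# The explicit "changetype: add" line makes ldapmodify add the record without
# -a, so a not-yet-existing group no longer produces "No such object (32)".
group_ldif() {
    cn="$1"; gid="$2"; shift 2
    printf 'dn: cn=%s,%s\nchangetype: add\n' "$cn" "$GROUP_OU"
    printf 'objectClass: posixGroup\nobjectClass: top\ncn: %s\ngidNumber: %s\n' "$cn" "$gid"
    for uid in "$@"; do
        printf 'memberUid: %s\n' "$uid"
    done
    printf '\n'
}

# membership_ldif <uid> <group> [<group> ...]
# One modify record per group; the account's primary group (its gidNumber)
# is untouched, and nss_ldap lists these groups as supplementary in "id <uid>".
membership_ldif() {
    uid="$1"; shift
    for grp in "$@"; do
        printf 'dn: cn=%s,%s\nchangetype: modify\nadd: memberUid\nmemberUid: %s\n\n' \
            "$grp" "$GROUP_OU" "$uid"
    done
}

# Usage against a live server (commented out so the script runs offline):
#   { group_ldif apache 48; group_ldif mysql 27; } \
#       | ldapmodify -W -x -D "cn=Manager,${BASE_DN}"
#   membership_ldif webguy apache mysql \
#       | ldapmodify -W -x -c -D "cn=Manager,${BASE_DN}"
# -c keeps going if webguy is already in a group (that record alone fails with
# "Type or value exists (20)"). Then check on an LDAP client with: id webguy
```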

