OpenDS is Sun’s open source LDAP directory server. It’s lightweight, fast and (thankfully, after Directory Server 5.2 in particular) very easy to install and use.
Have a look through the initial announcement, download OpenDS 2.0 then grab the release notes and have a quick look through the documentation.
As always with OpenDS the install is very straightforward and painless. Once up and running, the GUI makes a nice change from the slow, cluttered mess of the old Directory Server. I’d now rate OpenDS as a solid, mature offering, and I’ll be looking at replacing some of my aging DS 5.2 installs with it.
OpenDS qualifies for support from Sun, in its Sun OpenDS Standard Edition guise, so there’s no reason not to look at production deployments. For the more esoteric installs, you’ll still want Sun Directory Server (v.7 is being worked on at the moment), but for a smaller or more straightforward install, OpenDS will fit the bill nicely.
In this post I’m going to quickly show how to use the tools ldapaddent and ldapmodify to change an existing LDAP entry. Specifically this relates to Sun’s stupidly named Java Enterprise Directory Server 5.2, which I’ve been doing a lot of work with recently. However the ldapmodify command that comes with Solaris basically does the same job regardless of which LDAP server you’re talking to.
If an entry already exists in the LDAP directory, then ldapaddent will fail when trying to add the data. So we need to use another method.
The basic steps are:
- use ldapaddent to dump out the existing entry (BACKUPS!)
- construct a temporary data file with our changes
- use ldapmodify to load this data into LDAP and modify the entry
- use ldaplist to see the changes
Let’s look at changing the RBAC profiles that a user has access to.
First we can use ldaplist to check out their details:
bash-3.00$ ldaplist -l passwd tomk
dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
SolarisAttrKeyValue: type=normal;profiles=JET
SolarisUserQualifier:
cn: tomk
uidNumber: 1001
gidNumber: 14
gecos: Tom Kranz
homeDirectory: /home/tomk
loginShell: /bin/ksh
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
objectClass: SolarisUserAttr
uid: tomk
shadowLastChange: 13122
shadowFlag: 0
We can see they have the JET profile – let’s add the System Administrator profile too.
We can redirect the output from ldaplist straight to a text file and use it as a backup, as it is already in LDIF format:
bash-3.00$ ldaplist -l passwd tomk > /var/tmp/tomk.ldif
If we really got things wrong we could just delete the entry from the directory, then use ldapaddent to add our backed-up entry and get back to where we started.
Now we need to create a change file, which will contain the data we want to modify. Again, this file will be a text file with the LDIF syntax, and it will have some specific keywords that define the type of change and the data that should be modified.
In this instance, we want to add another profile, so we create a file called tomk.ldif with the following contents:
dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
changetype: modify
replace: SolarisAttrKeyValue
SolarisAttrKeyValue: type=normal;profiles=JET,System Administrator
The format of the file is straightforward. The first line contains the DN of the entry to be modified. The second line gives the type of change to apply to that entry. The third line names the operation to perform and the attribute it applies to, and the fourth line has the new data.
Note that, within this file, we could modify several entries at once – we would just need multiple ‘replace’ and attribute lines to detail the data.
Once we have this file we can call ldapmodify to load this data into the LDAP directory, modifying the user’s details:
bash-3.00$ ldapmodify -D "cn=Directory Manager" -r -f /tmp/tomk.ldif
ldapmodify will prompt us for the Directory Manager’s password, and then carry out the changes.
We can check this by calling ldaplist again and examining the output:
bash-3.00$ ldaplist -l passwd tomk
dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
SolarisAttrKeyValue: type=normal;profiles=JET,System Administrator
SolarisUserQualifier:
cn: tomk
uidNumber: 1001
gidNumber: 14
gecos: Tom Kranz
homeDirectory: /home/tomk
loginShell: /bin/ksh
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
objectClass: SolarisUserAttr
uid: tomk
shadowLastChange: 13122
shadowFlag: 0
ldapmodify will also allow us to edit multiple entries at once. For example, let’s look at not only adding the System Administrator RBAC role, but also adding a title for use with an internal phone book app.
We’d build our file like this:
dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
changetype: modify
replace: SolarisAttrKeyValue
SolarisAttrKeyValue: type=normal;profiles=JET,System Administrator
-
add: title
title: UNIX dude
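The change files above are written by hand, which is fine for one user but easy to get wrong (a curly quote or an en-dash where the separator must be a plain ASCII hyphen, a duplicated profile, a value LDIF will not accept in plain form). The following Python script is an added example, not from the original post or from Sun: it reads the output of ldaplist -l (the constructed SAMPLE_ENTRY below is the dump from earlier in the post), adds an RBAC profile to SolarisAttrKeyValue without duplicating one that is already there, and emits the same modify record as the two-operation file above, ready for ldapmodify -f. The function names and the sample data are this example's own assumptions.

```python
import base64

# Constructed sample: the output of `ldaplist -l passwd tomk` shown in the post.
SAMPLE_ENTRY = """\
dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
SolarisAttrKeyValue: type=normal;profiles=JET
SolarisUserQualifier:
cn: tomk
uidNumber: 1001
gidNumber: 14
gecos: Tom Kranz
homeDirectory: /home/tomk
loginShell: /bin/ksh
objectClass: posixAccount
objectClass: SolarisUserAttr
uid: tomk
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute: [values]}.

    Handles folded continuation lines (leading space) and base64 values
    ('attr:: ...'), both of which LDAP tools emit for long or non-ASCII data.
    """
    raw_lines = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        if line.startswith(" ") and raw_lines:      # folded continuation line
            raw_lines[-1] += line[1:]
        else:
            raw_lines.append(line)
    attrs = {}
    for line in raw_lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                   # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        attrs.setdefault(name.strip(), []).append(value)
    return attrs


def add_profile(attr_value, profile):
    """Append an RBAC profile to a 'key=value;key=value' SolarisAttrKeyValue
    string, keeping key order and never duplicating a profile already present."""
    pairs = []
    for item in attr_value.split(";"):
        if item:
            key, _, val = item.partition("=")
            pairs.append([key, val])
    for pair in pairs:
        if pair[0] == "profiles":
            profiles = [p for p in pair[1].split(",") if p]
            if profile not in profiles:
                profiles.append(profile)
            pair[1] = ",".join(profiles)
            break
    else:                                            # no profiles= key yet
        pairs.append(["profiles", profile])
    return ";".join(f"{k}={v}" for k, v in pairs)


def ldif_attr_line(attr, value):
    """Write one attribute line, base64-encoding values that RFC 2849 does not
    allow in plain form (leading space, ':' or '<'; non-ASCII; CR, LF or NUL)."""
    unsafe = (not value.isascii() or value.startswith((" ", ":", "<"))
              or any(c in value for c in "\r\n\0"))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def build_modify_ldif(dn, operations):
    """Build a 'changetype: modify' record from (op, attribute, [values]) tuples.
    RFC 2849 terminates every operation with a line holding a single ASCII '-';
    the post omits the final one, which the server tolerates, but it is safest
    to emit it (an en-dash from a word processor will not work)."""
    out = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in operations:
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unknown modify operation: {op}")
        out.append(f"{op}: {attr}")
        out.extend(ldif_attr_line(attr, v) for v in values)
        out.append("-")
    return "\n".join(out) + "\n"


def change_file_for(entry_text, profile, title=None):
    """From an ldaplist -l dump, produce the change file the post builds by hand:
    replace SolarisAttrKeyValue with the profile added and, optionally, add a title."""
    entry = parse_ldif_entry(entry_text)
    dn = entry["dn"][0]
    current = entry["SolarisAttrKeyValue"][0]
    ops = [("replace", "SolarisAttrKeyValue", [add_profile(current, profile)])]
    if title is not None:
        ops.append(("add", "title", [title]))
    return build_modify_ldif(dn, ops)


if __name__ == "__main__":
    # Write the result to the file you then hand to: ldapmodify -D "cn=Directory Manager" -f <file>
    print(change_file_for(SAMPLE_ENTRY, "System Administrator", title="UNIX dude"), end="")
```

Because the script reads the backup dump rather than a hand-typed value, the replace line always carries the user's current profiles plus the new one, so a re-run cannot strip profiles or duplicate them. When you feed the resulting file to ldapmodify, keep letting it prompt for the Directory Manager password as the post does rather than passing it on the command line, where it would be visible to every user in the process list.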
By using the fairly simple LDIF syntax in plain text files, it becomes very quick and easy to use ldapmodify from the command line to change LDAP entries in the Directory Server.