UNIX Consulting and Expertise
Golden Apple Enterprises Ltd.

Modifying LDAP entries in Sun's Directory Server

In this post I’m going to quickly show how to use the tools ldapaddent and ldapmodify to change an existing LDAP entry. Specifically this relates to Sun’s stupidly named Java Enterprise Directory Server 5.2, which I’ve been doing a lot of work with recently. However the ldapmodify command that comes with Solaris basically does the same job regardless of which LDAP server you’re talking to.

If an entry already exists in the LDAP directory, then ldapaddent will fail when trying to add the data. So we need to use another method.

The basic steps are:

  1. use ldapaddent to dump out the existing entry (BACKUPS!)
  2. construct a temporary data file with our changes
  3. use ldapmodify to load this data into LDAP and modify the entry
  4. use ldaplist to see the changes

Let’s look at changing the RBAC profiles that a user has access to.

First we can use ldaplist to check out their details:

bash-3.00$ ldaplist -l passwd tomk
dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
SolarisAttrKeyValue: type=normal;profiles=JET
SolarisUserQualifier:
cn: tomk
uidNumber: 1001
gidNumber: 14
gecos: Tom Kranz
homeDirectory: /home/tomk
loginShell: /bin/ksh
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
objectClass: SolarisUserAttr
uid: tomk
shadowLastChange: 13122
shadowFlag: 0

We can see they have the JET profile – let’s add the System Administrator profile too.

We can redirect the output from ldaplist direct to a text file for direct use as a backup, as this is already in LDIF format:

bash-3.00$ ldaplist -l passwd tomk > /var/tmp/tomk.ldif

If we really got things wrong we could just delete the entry from the directory, and then use ldapaddent to add our backed-up entry and get back to where we started.

Now we need to create a change file, which will contain the data we want to modify. Again, this file will be a text file with the LDIF syntax, and it will have some specific keywords that define the type of change and the data that should be modified.

In this instance, we want to add another profile, so we create a file called tomk.ldif with the following contents:

dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
changetype: modify
replace: SolarisAttrKeyValue
SolarisAttrKeyValue: type=normal;profiles=JET,System Administrator

The format of the file is straightforward. The first line contains the dn (distinguished name) of the object to be modified. The second line shows the action to be taken on the object. The third line shows the specific action to be taken on an attribute of that object, and the fourth line has the new data.

Note that, within this file, we could modify several attributes of the entry at once – we would just need multiple ‘replace’ and attribute lines to detail the data.

Once we have this file we can call ldapmodify to load this data into the LDAP directory, modifying the user’s details:

bash-3.00$ ldapmodify -D "cn=Directory Manager" -r -f /tmp/tomk.ldif

ldapmodify will prompt us for the Directory Manager’s password, and then carry out the changes.

We can check this by calling ldaplist again and examining the output:

bash-3.00$ ldaplist -l passwd tomk
dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
SolarisAttrKeyValue: type=normal;profiles=JET,System Administrator
SolarisUserQualifier:
cn: tomk
uidNumber: 1001
gidNumber: 14
gecos: Tom Kranz
homeDirectory: /home/tomk
loginShell: /bin/ksh
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
objectClass: SolarisUserAttr
uid: tomk
shadowLastChange: 13122
shadowFlag: 0

ldapmodify will also allow us to edit multiple attributes at once. For example, let’s look at not only adding the System Administrator RBAC profile, but also adding a title for use with an internal phone book app.

We’d build our file like this:

dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
changetype: modify
replace: SolarisAttrKeyValue
SolarisAttrKeyValue: type=normal;profiles=JET,System Administrator
-
add: title
title: UNIX dude
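As an added example (not code from the original post or from Sun), the following POSIX shell script ties the single-attribute and multi-attribute change files above together: it reads the dn and current SolarisAttrKeyValue from an ldaplist dump, appends a profile to the profiles= list only if it is not already there (so re-running the script does not produce "JET,System Administrator,System Administrator"), and emits the ldapmodify change record with the "-" line that LDIF requires between two changes to the same entry. The dump is a constructed copy of the ldaplist output shown in the post, so the script runs offline; the function names (dump_dn, append_profile, build_change_ldif, make_change_file) are this example's own, and the ldapmodify invocation in the closing comment is the one from the post.

```shell
#!/bin/sh
# Added example: build an ldapmodify change file from an ldaplist dump.
# On a live host the dump comes from:  ldaplist -l passwd tomk > /var/tmp/tomk.ldif
# The SAMPLE_DUMP below is constructed to match that output for offline use.
SAMPLE_DUMP='dn: uid=tomk,ou=people,dc=siliconbunny,dc=org
SolarisAttrKeyValue: type=normal;profiles=JET
SolarisUserQualifier:
cn: tomk
uidNumber: 1001
objectClass: SolarisUserAttr
uid: tomk'

# Print the dn of the dumped entry (first "dn:" line).
dump_dn() {
    printf '%s\n' "$1" | sed -n 's/^dn: //p' | head -n 1
}

# Print the current SolarisAttrKeyValue value from the dump.
dump_attrkeyvalue() {
    printf '%s\n' "$1" | sed -n 's/^SolarisAttrKeyValue: //p' | head -n 1
}

# append_profile VALUE NEWPROFILE
# Return VALUE (e.g. "type=normal;profiles=JET") with NEWPROFILE appended to
# the profiles= list. Idempotent: a profile already present is not repeated,
# and a missing or empty profiles= token is created.
append_profile() {
    value=$1 new=$2 out='' sep='' seen=0
    old_ifs=$IFS; IFS=';'            # split only on ';' so names with spaces survive
    for field in $value; do
        case $field in
            profiles=*)
                seen=1
                list=${field#profiles=}
                if [ -z "$list" ]; then
                    field="profiles=$new"
                else
                    case ",$list," in
                        *",$new,"*) ;;                         # already listed
                        *) field="profiles=$list,$new" ;;
                    esac
                fi
                ;;
        esac
        out="$out$sep$field"; sep=';'
    done
    IFS=$old_ifs
    [ "$seen" -eq 1 ] || out="$out;profiles=$new"
    printf '%s' "$out"
}

# build_change_ldif DN ATTRVALUE [TITLE]
# Emit a "changetype: modify" record. The "-" line separates the replace
# from the add: a blank line would end the record and ldapmodify would
# read "add: title" as a second entry with no dn.
build_change_ldif() {
    dn=$1 attrvalue=$2 title=$3
    printf 'dn: %s\n' "$dn"
    printf 'changetype: modify\n'
    printf 'replace: SolarisAttrKeyValue\n'
    printf 'SolarisAttrKeyValue: %s\n' "$attrvalue"
    if [ -n "$title" ]; then
        printf '%s\n' '-'
        printf 'add: title\n'
        printf 'title: %s\n' "$title"
    fi
}

# make_change_file DUMP PROFILE [TITLE]: glue the pieces together.
make_change_file() {
    dump=$1 profile=$2 title=$3
    build_change_ldif "$(dump_dn "$dump")" \
        "$(append_profile "$(dump_attrkeyvalue "$dump")" "$profile")" "$title"
}

# Stand-alone run: print the change file. On the Directory Server host you
# would redirect this to a file and load it as in the post:
#   ldapmodify -D "cn=Directory Manager" -r -f /tmp/tomk.ldif
make_change_file "$SAMPLE_DUMP" "System Administrator" "UNIX dude"
```

Because the change file is generated from the backup dump rather than typed by hand, the dn and the existing profile list cannot drift from what is actually in the directory, and the idempotency check in append_profile means the same script can be re-run after a partial failure without duplicating the profile.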

By using the fairly simple LDIF syntax in plain text files, it becomes very quick and easy to use ldapmodify from the command line to change LDAP entries in the Directory Server.
