Ldaputils
Last modified: 2001/06/27
Author: Christoph Lukas
This is work in progress. Use at your own risk.
The basic idea for these scripts was taken from
ldaputils at sourceforge.
Changelog:
- 2001/06/27:
Mirko Manea sent in two patches:
- Support for qmailUser and abookPerson objects (see below)
- Enhancement of the nextRid sambaConfig entry handling. get_free_account_id
now handles gaps in the id range and returns any unused rid/uid it finds. set_free_account_id
now has to be called with the uid of the newly created object to be able to check if the nextRid
entry has to be increased.
- Moved schema files to a separate directory. The more features we get, the more the
schema files differ. :-( We now provide different schema file directories for ldap v2 and v3 and
different schema files to be used for qmail and abook support.
- support for MTA aliases. I have added some schema file extensions and two additional scripts
to handle mail aliases in an ldap directory. (You have to use mail_netscape.oc.conf for v2 and misc.schema
for v3 to use this feature)
- Removed the basedn from all the schema files
- Modified get_new_dn so that the unique_id attribute from the schema file is used to create
the dn for new objects. This results in user objects getting a dn of uid=user,ou=...,dc=...,...
- Added some basic 'interactive' mode. (Try running the scripts with the -i option)
- 2001/06/04:
- Modifications to get the scripts working with ldap v3
- fixed some inconsistencies in the schema file
- the defaults for object attributes in the schema file may now contain a
'%O' which is replaced with the object name. E.g. for user objects you can now set the default
for homeDirectory => "/home/%O". The %O is replaced with the username when a new
user is created.
- this makes the name_attr in the schema file obsolete -- removed
- added README file
- added some comments to the user, group and nt scripts
- 2001/05/28:
- fixed some problems with empty attributes and schemacheck = on
- 2001/05/19:
- turned off password echoing in ldaputils.pm
- fixed bug creating default password
- added md5 passwords as config file option (suggested by Mirko)
- added support for cyrus mailboxes (suggested by Tarjei)
- fixed various bugs
Basic Ideas:
Our final aim is the creation of an easy-to-use, full-featured ldap toolkit. Some of our
major goals and ideas are listed below.
- Separated frontend and backend
- Backend written in perl
- Backend usable as commandline tools
- Supply basic backend functions in a separate perl module
- Make this module applicable to arbitrary ldap objects by putting any
schema information into a separate file. This should make it easy to add
new object types.
- Frontend in php
Tarball content:
The tar archive contains the following files:
- README
- basis.pm - contains some basic routines for logging, reading configfile, ..
- ldaputils.pm - contains the basic ldap functions
- ldaputils.pod - documentation for ldaputils.pm
- ldaputils.conf - configuration file for ldaputils.pm
- schema - directory containing schema files for ldaputils.pm
- schema/v[2|3]/ldaputils.schema - basic schema to support useraccounts, groups and ntaccounts
- schema/v[2|3]/ldaputils.schema.abook - schema to additionally support abookPerson
- schema/v[2|3]/ldaputils.schema.abook+qmail - schema to additionally support qmailUser
- ldap_base.ldif - ldif file containing the basic ldap structure we used
- ldap_useradd.pl
- ldap_userdel.pl
- ldap_usermod.pl (unfinished)
- ldap_groupadd.pl
- ldap_groupdel.pl
- ldap_groupmod.pl (unfinished)
- ldap_ntadd.pl
- ldap_ntdel.pl
- ldap_mailaliasadd.pl
- ldap_mailaliasdel.pl
Requirements:
The scripts were tested using the following software:
- openldap 1.2.11 with slapd.at.conf, slapd.oc.conf, sambatng.schema-v2
- openldap 2.0.7 with core.schema, cosine.schema, nis.schema, sambatng.schema-v3
- samba TNG: CVS from 2001/05/28 with the new ldap v2 schema
- Net::LDAP perl module 0.13
Hints:
Documentation (generated from ldaputils.pod)
Download tarball (2001/06/27)
Download tarball (2001/06/04)
Todo:
- Improve the documentation
- Finish the ldap_usermod.pl and ldap_groupmod.pl scripts (They do not even seem to
do anything useful at the moment)
- Add a commandline password changing utility
- Add a password syncing utility
- Add support for abookPerson
Links:
Any comments are welcome!!