OpenLDAP tutorial – Adding data to the directory

In this 6th article of the series «OpenLDAP Tutorial», we will feed the directory with useful data. This will make it possible to actually use the OpenLDAP server.

Prerequisite:

1. Creating a node for people.

A directory must be organized. For an organization, we first create a node (container) that will hold the directory entries of its people.

Create an LDIF file for this node:

vi people.ldif

Enter in the editor and save:

dn: ou=People,dc=ldaptuto,dc=net
objectClass: organizationalUnit
ou: People
  • People is a name of your choice.
  • The type of this new entry is organizationalUnit (OU), which is the usual type of container nodes in OpenLDAP.
  • OpenLDAP compares these values case-insensitively, so People and people are equivalent.

We add this entry to the directory:

ldapmodify -a -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -w admin -f people.ldif

The -a (add) option tells ldapmodify that you want to add the entries contained in the file.

2. Adding people to the directory

vi dupond.ldif

Enter in the editor and save:

dn: uid=dupond,ou=People,dc=ldaptuto,dc=net
objectClass: inetOrgPerson
givenName: Jean
sn: Dupond
cn: Jean Dupond
uid: dupond
userPassword: dupond

We add this entry to the directory:

ldapmodify -a -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -w admin -f dupond.ldif

And we check this addition:

ldapsearch -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -w admin -b ou=People,dc=ldaptuto,dc=net

Notice that the password does not appear in plain text: ldapsearch base64-encodes the value, which is what the double colon after the attribute name means. Base64 is an encoding, not encryption.
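As an added example (not part of this tutorial), the Python script below parses the LDIF entries above, checks that each entry's naming attribute matches its DN (slapd rejects an add where it does not), and decodes the double-colon userPassword value to show what the server actually returned. The sample LDIF is constructed from the two entries shown in this article; no live server is needed.

```python
import base64, re

# Constructed sample: the tutorial's two entries, userPassword as ldapsearch printed it.
SAMPLE_LDIF = """\
dn: ou=People,dc=ldaptuto,dc=net
objectClass: organizationalUnit
ou: People

dn: uid=dupond,ou=People,dc=ldaptuto,dc=net
objectClass: inetOrgPerson
givenName: Jean
sn: Dupond
cn: Jean Dupond
uid: dupond
userPassword:: e1NTSEF9Umk1d0QrWEtmNHRrSHBOelBEMkdqU3NNSUhtRmtNU28=
"""

def parse_ldif(text):
    """[(dn, {attr: [values]})] per record; handles '::' base64, folded lines, '#' comments."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.replace("\n ", "").split("\n")      # unfold continuation lines
        dn, attrs = None, {}
        for line in (ln for ln in lines if not ln.startswith("#")):
            name, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):                      # '::' marks a base64 value
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        records.append((dn, attrs))
    return records

def rdn_check(dn, attrs):
    """True if the RDN attribute/value is also in the entry (slapd rejects the add if not)."""
    name, _, value = dn.split(",", 1)[0].partition("=")
    for attr, values in attrs.items():
        if attr.lower() == name.lower():                   # ou and uid compare case-insensitively
            return value.lower() in [v.lower() for v in values]
    return False

def password_scheme(attrs):
    """'{SCHEME}' prefix of userPassword, 'cleartext' if none, None if no password."""
    for attr, values in attrs.items():
        if attr.lower() == "userpassword":
            m = re.match(r"\{[^}]+\}", values[0])          # base64 is encoding, not protection
            return m.group(0) if m else "cleartext"
    return None
```

Running password_scheme on the dupond entry returns the scheme prefix the server stored the value under; a value without any prefix would be reported as cleartext.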

3. Directory use

Now let’s look at what happens if Jean Dupond tries to connect to the directory and see the people referenced (among others himself).

ldapsearch -x -H ldap://localhost -D uid=dupond,ou=people,dc=ldaptuto,dc=net -w dupond -b ou=people,dc=ldaptuto,dc=net -LLL
ldap_bind: Invalid credentials (49)
  • -D: DN of the user who authenticates; the request runs with the read rights of this user.
  • -w: The user password.

The result is an error message meaning that authentication has failed, even though the data sent (DN and password) is correct. The cause is insufficient access rights for authentication. Access rights are a sensitive and complex topic that cannot be covered here; we will only add a configuration that allows directory users to authenticate.

vi acces.ldif

Enter in the editor and save:

dn: olcDatabase={1}mdb,cn=config
changeType: modify
add: olcAccess
olcAccess: to * by users read by anonymous auth by * none

This rule allows anonymous connections to use the entries for authentication (by anonymous auth), gives every authenticated user read access to the whole directory (by users read), and denies everything else (by * none). Of course, such a configuration is not advisable in real use; it is used here only for a simple demonstration.

We add this setting to the directory:

ldapmodify -x -H ldap://localhost -D cn=admin,dc=ldaptuto,dc=net -w admin -f acces.ldif

Now the same query as before, reading the data of the people in the directory as Jean Dupond, displays them.

ldapsearch -x -H ldap://localhost -D uid=dupond,ou=people,dc=ldaptuto,dc=net -w dupond -b ou=people,dc=ldaptuto,dc=net -LLL
dn: ou=People,dc=ldaptuto,dc=net
objectClass: organizationalUnit
ou: People

dn: uid=dupond,ou=People,dc=ldaptuto,dc=net
objectClass: inetOrgPerson
givenName: Jean
sn: Dupond
cn: Jean Dupond
uid: dupond
userPassword:: e1NTSEF9Umk1d0QrWEtmNHRrSHBOelBEMkdqU3NNSUhtRmtNU28=

Finally, the directory served by OpenLDAP allows Jean Dupond, who is referenced in it, to authenticate and read all the data it contains. As an exercise, you can add another person to the directory: Alain Durand. After that, the contents of the directory will have this structure:

dc=ldaptuto,dc=net
├── cn=admin,dc=ldaptuto,dc=net
└── ou=People,dc=ldaptuto,dc=net
    ├── uid=dupond,ou=People,dc=ldaptuto,dc=net
    └── uid=durand,ou=People,dc=ldaptuto,dc=net