Linux – How to modify the value of an attribute with OpenLDAP

ldaplinuxopenldap

We have installed a mail server which comes with an OpenLDAP schema and some additional attributes. One of the attributes controls which users have administration rights on the calendar and public folders feature of the server. How do I set these attributes on our existing users in the LDAP database?

Best Answer

ldapmodify is your friend.

Create a "modify" ldif file.

Ex:

dn: cn=Elmer Fudd,o=company.com
changetype: modify
add: isAdmin
isAdmin: 1

Save file and use it with ldapmodify:

ldapmodify -v -D "cn=manager,o=company.com" -h <host> -W -f changes.ldif

Related Solutions

Ldap – Securing userPassword access with OpenLDAP in RHEL

pam_ldap shouldn't be attempting to read the userPassword value to log you in -- It logs you in by doing an LDAP bind with the DN that it retrieves.

It's possible the search parameters pam_ldap uses are over-broad & it tries to pull userPassword as a result, but if your ACL is set up correctly (looks fine to me) it won't get that value in its results.

Just in case your ACLs aren't fine (I've been known to miss stupidly obvious stuff before), here's the working ACL list from my production LDAP environment :)

# Access and Security Restrictions
# (Most restrictive entries first)
access to attrs=userPassword
    by self write
    by dn.sub="ou=sync,dc=mydomain,dc=com" read
    by anonymous auth
by users none

access to * by * read

The trailing access to * by * read is important, I didn't see it in your examples so I'm not sure if it's missing or just omitted from your snippet.

The sync line is for my LDAP synchronization service and isn't necessary if you're not doing replication...

Ldap – How to update the memberOf attributes of existing objects after adding the OpenLDAP Reverse Group Membership Maintenance overlay

The only time when the memberOf overlay will be activated is if you modify a member in a group. So, the only way to "trick" it into updating the memberOf attributes would indeed be to remove all users from their groups and re-add them, as you suggested.

An alternative would be to use an external tool to synchronize groups and their members's entries.

You could write your own script for this - something along the lines of "for each group, read the members, for each member, run a LDAP "modify" operation to "add" a value to the memberOf attribute of that member's entry.

Or, probably more reliable, you could use a tool like LSC (LDAP Synchronization Connector) which has pretty much everything already done: you just need to configure the mapping you want. The trick with LSC is to use the same LDAP server as both source and destination, and running through all users to make sure that the memberOf attribute contains the list of groups that results from searching all groups for member=. The LSC website has a tutorial to do this, sort of, but it's a bit outdated.

Best Answer

Related Solutions

Ldap – Securing userPassword access with OpenLDAP in RHEL

Ldap – How to update the memberOf attributes of existing objects after adding the OpenLDAP Reverse Group Membership Maintenance overlay

Related Topic