Chapter 9. Using ldapmodify to manage IdM users externally
You can use the ldapmodify command to manage Identity Management (IdM) user and group entries as an alternative to the ipa command-line utilities. The ldapmodify command supports both interactive input and LDIF files for bulk operations.
9.1. Templates for managing IdM user accounts externally
Use LDIF templates with ldapmodify to manage Identity Management (IdM) user accounts from an external provisioning system, enabling automated user creation, modification, enabling, disabling, and preservation.
Update specific LDAP attributes with the ldapmodify utility to manage user accounts and states. Use the provided syntax to perform the following administrative tasks:
- Adding a new stage user
- Modifying a user’s attribute
- Enabling a user
- Disabling a user
- Preserving a user
The templates are formatted in the LDAP Data Interchange Format (LDIF). LDIF is a standard plain text data interchange format for representing LDAP directory content and update requests.
Using the templates, you can configure the LDAP provider of your provisioning system to manage IdM user accounts.
- Templates for adding a new stage user
A template for adding a user with UID and GID assigned automatically. The distinguished name (DN) of the created entry must start with uid=user_login:
dn: uid=user_login,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
changetype: add
objectClass: top
objectClass: inetorgperson
uid: user_login
sn: surname
givenName: first_name
cn: full_name
A template for adding a user with UID and GID assigned statically:
dn: uid=user_login,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: posixaccount
uid: user_login
uidNumber: UID_number
gidNumber: GID_number
sn: surname
givenName: first_name
cn: full_name
homeDirectory: /home/user_login
You are not required to specify any IdM object classes when adding stage users. IdM adds these classes automatically after the users are activated.
- Templates for modifying existing users
- Modifying a user’s attribute:
dn: distinguished_name
changetype: modify
replace: attribute_to_modify
attribute_to_modify: new_value
- Disabling a user:
dn: distinguished_name
changetype: modify
replace: nsAccountLock
nsAccountLock: TRUE
- Enabling a user:
dn: distinguished_name
changetype: modify
replace: nsAccountLock
nsAccountLock: FALSE
Updating the nsAccountLock attribute has no effect on stage and preserved users. Even though the update operation completes successfully, the attribute value remains nsAccountLock: TRUE.
- Preserving a user:
dn: distinguished_name
changetype: modrdn
newrdn: uid=user_login
deleteoldrdn: 0
newsuperior: cn=deleted users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
Before modifying a user, obtain the user’s distinguished name (DN) by searching using the user’s login. In the following example, user_allowed_to_modify_user_entries is a user allowed to modify user and group information, for example an activator or an IdM administrator. The password in the example is this user’s password:
# ldapsearch -LLL -x -D "uid=user_allowed_to_modify_user_entries,cn=users,cn=accounts,dc=idm,dc=example,dc=com" -w "Secret123" -H ldap://server.idm.example.com -b "cn=users,cn=accounts,dc=idm,dc=example,dc=com" uid=test_user
dn: uid=test_user,cn=users,cn=accounts,dc=idm,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=example,dc=com
9.2. Templates for managing IdM group accounts externally
Use LDAP Data Interchange Format (LDIF) templates with ldapmodify to manage Identity Management (IdM) user group accounts from an external provisioning system, enabling automated group creation, member management, and deletion.
Modify specific LDAP attributes using the ldapmodify utility to manage group configurations. Use the provided syntax to perform the following administrative tasks:
- Creating a new group
- Deleting an existing group
- Adding a member to a group
- Removing a member from a group
The templates are formatted in LDIF, a standard plain text data interchange format for representing LDAP directory content and update requests.
Using the templates, you can configure the LDAP provider of your provisioning system to manage IdM group accounts.
- Creating a new group
dn: cn=group_name,cn=groups,cn=accounts,dc=idm,dc=example,dc=com
changetype: add
objectClass: top
objectClass: ipaobject
objectClass: ipausergroup
objectClass: groupofnames
objectClass: nestedgroup
objectClass: posixgroup
uid: group_name
cn: group_name
gidNumber: GID_number
- Modifying groups
- Deleting an existing group:
dn: group_distinguished_name
changetype: delete
- Adding a member to a group:
dn: group_distinguished_name
changetype: modify
add: member
member: uid=user_login,cn=users,cn=accounts,dc=idm,dc=example,dc=com
Do not add stage or preserved users to groups. Even though the update operation completes successfully, the users will not be updated as members of the group. Only active users can belong to groups.
- Removing a member from a group:
dn: distinguished_name
changetype: modify
delete: member
member: uid=user_login,cn=users,cn=accounts,dc=idm,dc=example,dc=com
Before modifying a group, obtain the group’s distinguished name (DN) by searching using the group’s name.
# ldapsearch -YGSSAPI -H ldap://<server.idm.example.com> -b "<cn=groups,cn=accounts,dc=idm,dc=example,dc=com>" "cn=<group_name>"
dn: cn=group_name,cn=groups,cn=accounts,dc=idm,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-1650388524-2605035987-2578146103-11017
cn: testgroup
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
ipaUniqueID: 569bf864-9d45-11ea-bea3-525400f6f085
gidNumber: 1997010017
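The group templates have the same shape as the user ones, plus one caveat the section states: a member DN that points at a stage or preserved user is accepted by the server but never becomes a member. The shell functions below, an added example rather than Red Hat’s code, emit the create, delete, add-member and remove-member records and enforce that caveat by refusing any member DN that is not directly under cn=users,cn=accounts. The base DN is the page’s dc=idm,dc=example,dc=com; the name pattern in validate_name is an assumption.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): emit the group LDIF
# records of Section 9.2. Assumes base DN dc=idm,dc=example,dc=com
# (override with IDM_BASE) and a conservative name pattern.

IDM_BASE="${IDM_BASE:-dc=idm,dc=example,dc=com}"

# Group names and logins are spliced into DNs; only a conservative
# character set (assumed pattern) is accepted.
validate_name() {
  case "$1" in
    ''|*[!a-z0-9._-]*) return 1 ;;
  esac
}

# Create a group with a static GID (the attribute list mirrors the page's
# template, including its uid line). Usage: group_add_ldif name gid
group_add_ldif() {
  validate_name "$1" || { echo "invalid group name: $1" >&2; return 1; }
  case "$2" in
    ''|*[!0-9]*) echo "GID must be numeric: $2" >&2; return 1 ;;
  esac
  printf 'dn: cn=%s,cn=groups,cn=accounts,%s\n' "$1" "$IDM_BASE"
  printf 'changetype: add\n'
  printf 'objectClass: top\n'
  printf 'objectClass: ipaobject\n'
  printf 'objectClass: ipausergroup\n'
  printf 'objectClass: groupofnames\n'
  printf 'objectClass: nestedgroup\n'
  printf 'objectClass: posixgroup\n'
  printf 'uid: %s\n' "$1"
  printf 'cn: %s\n' "$1"
  printf 'gidNumber: %s\n' "$2"
}

# Delete a group. Usage: group_delete_ldif name
group_delete_ldif() {
  validate_name "$1" || { echo "invalid group name: $1" >&2; return 1; }
  printf 'dn: cn=%s,cn=groups,cn=accounts,%s\n' "$1" "$IDM_BASE"
  printf 'changetype: delete\n'
}

# Add or remove a member. Only active users can belong to groups: stage and
# preserved users live under cn=provisioning and the server accepts but
# ignores them, so any DN that is not uid=<login>,cn=users,cn=accounts,<base>
# is refused here instead of failing silently later.
# Usage: group_member_ldif add|delete group_name member_dn
group_member_ldif() {
  case "$1" in
    add|delete) ;;
    *) echo "operation must be add or delete" >&2; return 1 ;;
  esac
  validate_name "$2" || { echo "invalid group name: $2" >&2; return 1; }
  suffix=",cn=users,cn=accounts,$IDM_BASE"
  rdn="${3%"$suffix"}"
  login=''
  case "$rdn" in uid=*) login="${rdn#uid=}" ;; esac
  if [ "$rdn" = "$3" ] || ! validate_name "$login"; then
    echo "refusing member DN that is not an active user: $3" >&2
    return 1
  fi
  printf 'dn: cn=%s,cn=groups,cn=accounts,%s\n' "$2" "$IDM_BASE"
  printf 'changetype: modify\n'
  printf '%s: member\n' "$1"
  printf 'member: %s\n' "$3"
  printf -- '-\n'
}

# Demo with constructed values (GID taken from the page's sample output).
if [ "${1:-}" = "--demo" ]; then
  group_add_ldif testgroup 1997010017
  echo
  group_member_ldif add testgroup "uid=user1,cn=users,cn=accounts,$IDM_BASE"
fi
```

The member check is deliberately structural (suffix plus a single uid= RDN) rather than a lookup: it cannot tell whether the user exists, only that the DN is in the container where active users live, which is exactly the condition the section gives.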
9.3. Using ldapmodify command interactively
Modify LDAP entries in Identity Management (IdM) interactively using ldapmodify by entering LDIF statements directly in the terminal or by loading them from a file.
Procedure
- In a command line, enter the LDAP Data Interchange Format (LDIF) statement after the ldapmodify command. For example, to change the telephone number for <testuser>:
# ldapmodify -Y GSSAPI -H ldap://<server.example.com>
dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: telephoneNumber
telephoneNumber: 88888888
Note that you need to obtain a Kerberos ticket for using the -Y option.
- Press Ctrl+D to exit the interactive mode.
Alternatively, provide an LDIF file after the ldapmodify command. The ldapmodify command reads the modification data from the LDIF file:
# ldapmodify -Y GSSAPI -H ldap://<server.example.com> -f ~/example.ldif
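When the same invocation is scripted, two things are worth checking before the connection is opened: that a Kerberos ticket exists (the -Y GSSAPI option fails without one) and that the LDIF file actually contains well-formed records, since a record without a changetype is rejected only once it reaches the server. The wrapper below is an added example, not part of the Red Hat documentation; it assumes the server URL in IDM_URL and uses `klist -s`, which exits non-zero when no valid ticket is present.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): apply LDIF with
# ldapmodify from a file or from stdin, after checking the ticket and the
# LDIF structure. Assumes IDM_URL names the IdM server.

IDM_URL="${IDM_URL:-ldap://server.idm.example.com}"

# Every blank-line-separated record must carry a dn: line and a changetype:
# line, which is what all templates on this page rely on. Comment lines and
# an optional "version: 1" header are ignored. Returns 1 on any bad record.
validate_ldif() {
  awk '
    BEGIN { bad = 0; inrec = 0; hasdn = 0; hasct = 0 }
    function endrec() {
      if (inrec && !(hasdn && hasct)) bad = 1
      inrec = 0; hasdn = 0; hasct = 0
    }
    /^[ \t]*$/ { endrec(); next }
    /^#/ { next }
    /^version:/ { next }
    /^dn:/ { hasdn = 1 }
    /^changetype:/ { hasct = 1 }
    { inrec = 1 }
    END { endrec(); exit bad }
  ' "$1"
}

# Usage: apply_ldif [file]   (reads stdin when no file is given)
# With DRY_RUN=1 the validated LDIF is printed instead of being sent.
apply_ldif() {
  tmp=''
  if [ -n "${1:-}" ]; then
    file="$1"
  else
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    file="$tmp"
  fi
  rc=0
  if ! validate_ldif "$file"; then
    echo "malformed LDIF: every record needs dn: and changetype:" >&2
    rc=1
  elif [ "${DRY_RUN:-0}" = 1 ]; then
    cat "$file"
  elif ! klist -s; then
    # -Y GSSAPI needs a Kerberos ticket; fail early with a clear message.
    echo "no valid Kerberos ticket: run kinit first" >&2
    rc=1
  else
    ldapmodify -Y GSSAPI -H "$IDM_URL" -f "$file"
    rc=$?
  fi
  if [ -n "$tmp" ]; then rm -f "$tmp"; fi
  return "$rc"
}

# Demo: the page's telephone-number change, sent via stdin in dry-run mode.
if [ "${1:-}" = "--demo" ]; then
  DRY_RUN=1
  printf '%s\n' \
    'dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com' \
    'changetype: modify' \
    'replace: telephoneNumber' \
    'telephoneNumber: 88888888' \
    '-' | apply_ldif
fi
```

Reading stdin into a temporary file is what makes validation possible before the connection exists; with `-f` the file is passed through unchanged once it has been checked.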
9.4. Preserving an IdM user with ldapmodify
Deactivate Identity Management (IdM) user accounts using ldapmodify to preserve user data when employees leave your organization. Preserved users retain their information for auditing while preventing authentication.
Prerequisites
- You can authenticate as an IdM user with a role to preserve users.
Procedure
- Log in as an IdM user with a role to preserve users:
$ kinit admin
- Enter the ldapmodify command and specify the Generic Security Services API (GSSAPI) as the Simple Authentication and Security Layer (SASL) mechanism to be used for authentication:
# ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin@IDM.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
- Enter the dn of the user you want to preserve:
dn: uid=user1,cn=users,cn=accounts,dc=idm,dc=example,dc=com
- Enter modrdn as the type of change you want to perform:
changetype: modrdn
- Specify the newrdn for the user:
newrdn: uid=user1
- Indicate that you want to preserve the user:
deleteoldrdn: 0
- Specify the new superior DN:
newsuperior: cn=deleted users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
Preserving a user moves the entry to a new location in the directory information tree (DIT). For this reason, you must specify the DN of the new parent entry as the new superior DN.
- Press Enter again to confirm that this is the end of the entry:
[Enter]
modifying rdn of entry "uid=user1,cn=users,cn=accounts,dc=idm,dc=example,dc=com"
- Exit the connection using Ctrl + C.
Verification
Verify that the user has been preserved by listing all preserved users:
$ ipa user-find --preserved=true
--------------
1 user matched
--------------
  User login: user1
  First name: First 1
  Last name: Last 1
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: user1@IDM.EXAMPLE.COM
  Principal alias: user1@IDM.EXAMPLE.COM
  Email address: user1@idm.example.com
  UID: 1997010003
  GID: 1997010003
  Account disabled: True
  Preserved user: True
----------------------------
Number of entries returned 1
----------------------------
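The interactive steps above map onto a single modrdn record, and the verification step onto a check of the `ipa user-find --preserved=true` listing. The shell functions below are an added example, not Red Hat’s code: preserve_user_ldif emits the record for a given login, and is_preserved reads user-find output from stdin and succeeds only when the named login appears with both "Account disabled: True" and "Preserved user: True". The sample output embedded in the block is constructed from the listing shown in this section; the base DN is the page’s dc=idm,dc=example,dc=com and the login pattern is an assumption.

```shell
#!/bin/sh
# Added example (not from the Red Hat documentation): build the preserve
# (modrdn) record of Section 9.4 and verify the result from
# "ipa user-find --preserved=true" output. Assumes base DN
# dc=idm,dc=example,dc=com (override with IDM_BASE).

IDM_BASE="${IDM_BASE:-dc=idm,dc=example,dc=com}"

# Conservative login pattern (assumption); the login is spliced into a DN.
validate_login() {
  case "$1" in
    ''|*[!a-z0-9._-]*) return 1 ;;
  esac
}

# Preserving moves the entry under cn=deleted users: same RDN, the old RDN
# kept (deleteoldrdn: 0) and the new parent given as newsuperior.
# Usage: preserve_user_ldif login
preserve_user_ldif() {
  validate_login "$1" || { echo "invalid login: $1" >&2; return 1; }
  printf 'dn: uid=%s,cn=users,cn=accounts,%s\n' "$1" "$IDM_BASE"
  printf 'changetype: modrdn\n'
  printf 'newrdn: uid=%s\n' "$1"
  printf 'deleteoldrdn: 0\n'
  printf 'newsuperior: cn=deleted users,cn=accounts,cn=provisioning,%s\n' "$IDM_BASE"
}

# Read "ipa user-find" output from stdin; exit 0 when the wanted login's
# record shows Account disabled: True and Preserved user: True.
# Usage: ipa user-find --preserved=true | is_preserved login
is_preserved() {
  awk -v want="$1" '
    BEGIN { dis = 0; pres = 0 }
    /^ *User login:/ { cur = $3 }
    /^ *Account disabled: True/ { if (cur == want) dis = 1 }
    /^ *Preserved user: True/   { if (cur == want) pres = 1 }
    END { exit (dis && pres) ? 0 : 1 }
  '
}

# Constructed sample, shaped like the verification output in Section 9.4.
SAMPLE_USER_FIND='--------------
1 user matched
--------------
  User login: user1
  First name: First 1
  Last name: Last 1
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: user1@IDM.EXAMPLE.COM
  Principal alias: user1@IDM.EXAMPLE.COM
  Email address: user1@idm.example.com
  UID: 1997010003
  GID: 1997010003
  Account disabled: True
  Preserved user: True
----------------------------
Number of entries returned 1
----------------------------'

# Demo: print the record for user1, then check the sample listing.
if [ "${1:-}" = "--demo" ]; then
  preserve_user_ldif user1
  if printf '%s\n' "$SAMPLE_USER_FIND" | is_preserved user1; then
    echo "user1 is preserved"
  else
    echo "user1 is NOT preserved"
  fi
fi
```

In a real run the record would be piped into `ldapmodify -Y GSSAPI` exactly as in the interactive session, and the listing would come from `ipa user-find --preserved=true` instead of the embedded sample.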