Red Hat Summit Red Hat SummitSuporteConsoleDesenvolvedoresComeçar um testeContato

Este conteúdo não está disponível no idioma selecionado.

Chapter 10. Using ldapmodify to manage IdM users externally

As an IdM administrators you can use the ipa commands to manage your directory content. Alternatively, you can use the ldapmodify command to achieve similar goals. You can use this command interactively and provide all the data directly in the command line. You also can provide data in the file in the LDAP Data Interchange Format (LDIF) to ldapmodify command.

10.1. Templates for managing IdM user accounts externally
Copiar o link

The following templates can be used for various user management operations in IdM. The templates show which attributes you must modify using ldapmodify to achieve the following goals:

  • Adding a new stage user
  • Modifying a user’s attribute
  • Enabling a user
  • Disabling a user
  • Preserving a user

The templates are formatted in the LDAP Data Interchange Format (LDIF). LDIF is a standard plain text data interchange format for representing LDAP directory content and update requests.

Using the templates, you can configure the LDAP provider of your provisioning system to manage IdM user accounts.

For detailed example procedures, see the following sections:

Templates for adding a new stage user

  • A template for adding a user with UID and GID assigned automatically. The distinguished name (DN) of the created entry must start with uid=user_login: 

    dn: uid=user_login,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
changetype: add
objectClass: top
objectClass: inetorgperson
uid: user_login
sn: surname
givenName: first_name
cn: full_name
    Copy to Clipboard Toggle word wrap

  • A template for adding a user with UID and GID assigned statically: 

    dn: uid=user_login,cn=staged users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetorgperson
objectClass: organizationalperson
objectClass: posixaccount
uid: user_login
uidNumber: UID_number
gidNumber: GID_number
sn: surname
givenName: first_name
cn: full_name
homeDirectory: /home/user_login
    Copy to Clipboard Toggle word wrap

    You are not required to specify any IdM object classes when adding stage users. IdM adds these classes automatically after the users are activated.

Templates for modifying existing users

  • Modifying a user’s attribute: 

    dn: distinguished_name
changetype: modify
replace: attribute_to_modify
attribute_to_modify: new_value
    Copy to Clipboard Toggle word wrap

  • Disabling a user: 

    dn: distinguished_name
changetype: modify
replace: nsAccountLock
nsAccountLock: TRUE
    Copy to Clipboard Toggle word wrap

  • Enabling a user: 

    dn: distinguished_name
changetype: modify
replace: nsAccountLock
nsAccountLock: FALSE
    Copy to Clipboard Toggle word wrap

    Updating the nssAccountLock attribute has no effect on stage and preserved users. Even though the update operation completes successfully, the attribute value remains nssAccountLock: TRUE.

  • Preserving a user: 

    dn: distinguished_name
changetype: modrdn
newrdn: uid=user_login
deleteoldrdn: 0
newsuperior: cn=deleted users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
    Copy to Clipboard Toggle word wrap
Note

Before modifying a user, obtain the user’s distinguished name (DN) by searching using the user’s login. In the following example, the user_allowed_to_modify_user_entries user is a user allowed to modify user and group information, for example activator or IdM administrator. The password in the example is this user’s password: 

[...]
# ldapsearch -LLL -x -D "uid=user_allowed_to_modify_user_entries,cn=users,cn=accounts,dc=idm,dc=example,dc=com" -w "Secret123" -H ldap://r8server.idm.example.com -b "cn=users,cn=accounts,dc=idm,dc=example,dc=com" uid=test_user
dn: uid=test_user,cn=users,cn=accounts,dc=idm,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=idm,dc=example,dc=com
Copy to Clipboard Toggle word wrap

10.2. Templates for managing IdM group accounts externally
Copiar o link

The following templates can be used for various user group management operations in IdM. The templates show which attributes you must modify using ldapmodify to achieve the following aims:

  • Creating a new group
  • Deleting an existing group
  • Adding a member to a group
  • Removing a member from a group

The templates are formatted in the LDAP Data Interchange Format (LDIF). LDIF is a standard plain text data interchange format for representing LDAP directory content and update requests.

Using the templates, you can configure the LDAP provider of your provisioning system to manage IdM group accounts.

Creating a new group

dn: cn=group_name,cn=groups,cn=accounts,dc=idm,dc=example,dc=com
changetype: add
objectClass: top
objectClass: ipaobject
objectClass: ipausergroup
objectClass: groupofnames
objectClass: nestedgroup
objectClass: posixgroup
uid: group_name
cn: group_name
gidNumber: GID_number
Copy to Clipboard Toggle word wrap

Modifying groups

  • Deleting an existing group: 

    dn: group_distinguished_name
changetype: delete
    Copy to Clipboard Toggle word wrap

  • Adding a member to a group: 

    dn: group_distinguished_name
changetype: modify
add: member
member: uid=user_login,cn=users,cn=accounts,dc=idm,dc=example,dc=com
    Copy to Clipboard Toggle word wrap

    Do not add stage or preserved users to groups. Even though the update operation completes successfully, the users will not be updated as members of the group. Only active users can belong to groups.

  • Removing a member from a group: 

    dn: distinguished_name
changetype: modify
delete: member
member: uid=user_login,cn=users,cn=accounts,dc=idm,dc=example,dc=com
    Copy to Clipboard Toggle word wrap
Note

Before modifying a group, obtain the group’s distinguished name (DN) by searching using the group’s name. 

# ldapsearch -YGSSAPI -H ldap://server.idm.example.com -b "cn=groups,cn=accounts,dc=idm,dc=example,dc=com" "cn=group_name"
dn: cn=group_name,cn=groups,cn=accounts,dc=idm,dc=example,dc=com
ipaNTSecurityIdentifier: S-1-5-21-1650388524-2605035987-2578146103-11017
cn: testgroup
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
objectClass: ipantgroupattrs
ipaUniqueID: 569bf864-9d45-11ea-bea3-525400f6f085
gidNumber: 1997010017
Copy to Clipboard Toggle word wrap

10.3. Using ldapmodify command interactively
Copiar o link

You can modify Lightweight Directory Access Protocol (LDAP) entries in the interactive mode.

Procedure

  1. In a command line, enter the LDAP Data Interchange Format (LDIF) statement after the ldapmodify command.

    Example 10.1. Changing the telephone number for a testuser

    # ldapmodify -Y GSSAPI -H ldap://server.example.com
dn: uid=testuser,cn=users,cn=accounts,dc=example,dc=com
changetype: modify
replace: telephoneNumber
telephonenumber: 88888888
    Copy to Clipboard Toggle word wrap

    Note that you need to obtain a Kerberos ticket for using -Y option.

  2. Press Ctlr+D to exit the interactive mode.

  3. Alternatively, provide an LDIF file after ldapmodify command:

    Example 10.2. The ldapmodify command reads modification data from an LDIF file

    # ldapmodify -Y GSSAPI -H ldap://server.example.com -f ~/example.ldif
    Copy to Clipboard Toggle word wrap

10.4. Preserving an IdM user with ldapmodify
Copiar o link

You can use ldapmodify to preserve an IdM user; that is, how to deactivate a user account after the employee has left the company.

Prerequisites

  • You can authenticate as an IdM user with a role to preserve users.

Procedure

  1. Log in as an IdM user with a role to preserve users: 

    $ kinit admin
    Copy to Clipboard Toggle word wrap

  2. Enter the ldapmodify command and specify the Generic Security Services API (GSSAPI) as the Simple Authentication and Security Layer (SASL) mechanism to be used for authentication: 

    # ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: admin@IDM.EXAMPLE.COM
SASL SSF: 256
SASL data security layer installed.
    Copy to Clipboard Toggle word wrap

  3. Enter the dn of the user you want to preserve: 

    dn: uid=user1,cn=users,cn=accounts,dc=idm,dc=example,dc=com
    Copy to Clipboard Toggle word wrap

  4. Enter modrdn as the type of change you want to perform: 

    changetype: modrdn
    Copy to Clipboard Toggle word wrap

  5. Specify the newrdn for the user: 

    newrdn: uid=user1
    Copy to Clipboard Toggle word wrap

  6. Indicate that you want to preserve the user: 

    deleteoldrdn: 0
    Copy to Clipboard Toggle word wrap

  7. Specify the new superior DN: 

    newsuperior: cn=deleted users,cn=accounts,cn=provisioning,dc=idm,dc=example,dc=com
    Copy to Clipboard Toggle word wrap

    Preserving a user moves the entry to a new location in the directory information tree (DIT). For this reason, you must specify the DN of the new parent entry as the new superior DN.

  8. Press Enter again to confirm that this is the end of the entry: 

    [Enter]

modifying rdn of entry "uid=user1,cn=users,cn=accounts,dc=idm,dc=example,dc=com"
    Copy to Clipboard Toggle word wrap
  9. Exit the connection using Ctrl + C.

Verification

  • Verify that the user has been preserved by listing all preserved users: 

    $ ipa user-find --preserved=true
--------------
1 user matched
--------------
  User login: user1
  First name: First 1
  Last name: Last 1
  Home directory: /home/user1
  Login shell: /bin/sh
  Principal name: user1@IDM.EXAMPLE.COM
  Principal alias: user1@IDM.EXAMPLE.COM
  Email address: user1@idm.example.com
  UID: 1997010003
  GID: 1997010003
  Account disabled: True
  Preserved user: True
----------------------------
Number of entries returned 1
----------------------------
    Copy to Clipboard Toggle word wrap
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat