Managing Users with Lightweight Directory Access Protocol (LDAP)

SIMP natively uses OpenLDAP for user and group management. Actionable copies of the LDAP Data Interchange Format (.ldif) files can be found on the system in the /usr/share/doc/simp-doc-<Version>/ldifs directory.

Users cannot have any extraneous spaces in .ldif files.

# Use `:set list` in vim to see hidden spaces at the end of lines.

# Use the following to strip out inappropriate characters

sed -i \
  's/\\(^[[:graph:]]\*:\\)[[:space:]]\*\\ ([[:graph:]]\*\\) \\[[:space:]]\*$/\\1\\2/' \
  file.ldif

Note

Use the [ and ] characters to scroll right when using ELinks.

Add Users

Users can be added with or without a password. Follow the instructions in the following sections.

Warning

This process should not be used to create users or groups for daemon processes unless the user has experience.

Adding Users With a Password

To add a user to the system, Secure Shell (SSH) to the LDAP server and use the slappasswd command to generate a password hash for a user.

Create a /root/ldifs directory and add the following information to the /root/ldifs/adduser.ldif file. Replace the information within < > with the installed system’s information.

Example ldif to add a user

dn: uid=<User UID>,ou=People,dc=your,dc=domain
uid: <User UID>
cn: <User UID>
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: ldapPublicKey
shadowMax: 90
shadowMin: 1
shadowWarning: 7
shadowLastChange: 10167
pwdReset: TRUE
sshPublicKey: <User SSH Public Key>
loginShell: /bin/bash
uidNumber: <User UID Number>
gidNumber: <User Primary GID>
homeDirectory: /home/<User UID>
userPassword: <Password Hash from slappasswd>

Type:

`ldapadd -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
-f /root/ldifs/adduser.ldif` .

Ensure that an administrative account is created as soon as the SIMP system has been properly configured. Administrative accounts should belong to the administratorsLDAP group (gidNumber 700). Members of this LDAP group can utilize sudo sudosh for privilege escalation.

Note

The pwdReset: TRUE command causes the user to change the assigned password at the next login. This command is useful to pre-generate the password first and change it at a later time.

This command appears to be broken in some versions of nss_ldap. Therefore, to avoid future issues set shadowLastChange to a value around 10000.

Adding Users Without a Password

Create a /root/ldifs directory and add the following information to the /root/ldifs/adduser.ldif file. Replace the information within < > with the installed system’s information.

Example ldif example to add a user

dn: uid=<User UID>,ou=People,dc=your,dc=domain
uid: <User UID>
cn: <User UID>
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: ldapPublicKey
sshPublicKey: <User SSH Public Key>
loginShell: /bin/bash
uidNumber: <User UID Number>
gidNumber: <User Primary GID>
homeDirectory: /home/<User UID>

Type:

ldapadd -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
 -f /root/ldifs/adduser.ldif

Remove Users

To remove a user, create a /root/ldifs/removeuser.ldif file. Add the information below to the file and replace the text within < > with the installed system’s information.

Example ldif to remove a user

dn: cn=<User UID>,ou=Group,dc=example,dc=domain
changeType: delete

dn: uid=<User UID>,ou=People,dc=example,dc=domain
changeType: delete

Type:

ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
-f /root/ldifs/removeuser.ldif

Additional .ldif File Commands

Other useful commands for .ldif files can be found below. Before using these commands, ensure that the /root/ldifs directory has been created.

Changing a Password

To change a password, add the following information to the /root/ldifs/<.ldif File> file. Replace the information below within < > with the installed system’s information.

Example ldif to change password

dn: uid=<User UID>,ou=People,dc=your,dc=domain
changetype: modify
replace: userPassword
userPassword: <Hash from slappasswd>

Type:

ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
-f <.ldif_file>

Adding a Group

To add a group, add the following information to the /root/ldifs/<.ldif File> file. Replace the information below within < > with the installed system’s information.

Example ldif to add a group

dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
objectClass: posixGroup
objectClass: top
cn: <Group Name>
gidNumber: <GID>
description: "Some Descriptive Text"

Type:

ldapadd -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
-f <.ldif_file>

Removing a Group

To remove a group, add the following information to the /root/ldifs/<.ldif File> file. Replace the information below within < > with the installed system’s information.

Example ldif to remove a group

dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
changetype: delete

Type:

ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
-f <.ldif_file>

Adding Users to a Group

To add users to a group, add the following information to the /root/ldifs/<.ldif File> file. Replace the information below within < > with the installed system’s information.

Example ldif to add to a group

dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
changetype: modify
add: memberUid
memberUid: <UID1>
memberUid: <UID2>
...
memberUid: <UIDX>

Type:

ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
-f <.ldif_file>

Removing Users from a Group

To remove users from a group, add the following information to the /root/ldifs/<.ldif File> file. Replace the information below within < > with the installed system’s information.

Example ldif to remove a user from a group

dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
changetype: modify
delete: memberUid
memberUid: <UID1>
memberUid: <UID2>
...
memberUid: <UIDX>

Type:

ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
-f <.ldif_file>

Updating an SSH Public Key

To update an SSH public key, add the following information to the /root/ldifs/<.ldif File> file. Replace the information below within < > with the installed system’s information.

Example ldif to update SSH public key

dn: uid=<User UID>,ou=People,dc=your,dc=domain
changetype: modify
replace: sshPublicKey
sshPublicKey: <User OpenSSH Public Key>

Type:

ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
-f <.ldif_file>

Forcing a Password Reset

To force a password reset, add the following information to the /root/ldifs/<.ldif File> file. Replace the information below within < > with the installed system’s information.

Example ldif to reset user’s shadowLastChange

dn: uid=<User UID>,ou=People,dc=your,dc=domain
changetype: modify
replace: pwdReset
pwdReset: TRUE
-
replace: shadowLastChange
shadowLastChange: 10000

Type:

ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
-f <.ldif_file>

Note

The ldapmodify command is only effective when using the ppolicy overlay. In addition, the user’s shadowLastChange must be changed to a value prior to the expiration date to force a PAM reset.

Unlocking an LDAP Account

To unlock an LDAP account, add the following information to the /root/ldifs/<.ldif File> file. Replace the information below within < > with the installed system’s information.

Example ldif to Unlock LDAP Account

dn: uid=<User UID>,ou=People,dc=your,dc=domain
changetype: modify
delete: pwdAccountLockedTime

Type:

ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
 -f <.ldif_file>

Note

The ldapmodify command is only effective when using the ppolicy overlay.

Troubleshooting Issues

If a user’s password is changed in LDAP or the user changes it shortly after its initial setup, the “Password too young to change” error may appear. In this situation, apply the pwdReset:TRUE command to the user’s account as described Add Users with a Password section.