4.8.1.2.8. Add a Group to OpenLDAP

Note

Before getting started, take a look at how to prepare SIMP LDIFs to make sure you understand the basics of LDIF files.

SIMP systems are preconfigured with two groups:

  • administrators (700): Group that has ssh and privilege escalation privileges

  • users (100): Group that does not have ssh or privilege escalation privileges

To add another group:

  1. Log in to the LDAP server as root.

  2. Edit the /root/ldifs/add_group.ldif shown below.

    dn: cn=<groupname>,ou=Group,dc=your,dc=domain
    objectClass: posixGroup
    objectClass: top
    cn: <groupname>
    gidNumber: <Unique GID number>
    description: "<Some useful group description>"
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    ldapadd -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
    -f /root/ldifs/add_group.ldif
    

4.8.1.2.8.1. Remove a Group

To remove a group:

  1. Log in to the LDAP server as root.

  2. Edit the /root/ldifs/del_group.ldif shown below.

    dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
    changetype: delete
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
    -f /root/ldifs/del_group.ldif
    

4.8.1.2.8.2. Add Users to a Group

To add users to a group:

  1. Log in to the LDAP server as root.

  2. Edit the /root/ldifs/add_to_group.ldif shown below.

    dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
    changetype: modify
    add: memberUid
    memberUid: <UID1>
    memberUid: <UID2>
    ...
    memberUid: <UIDX>
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
    -f /root/ldifs/add_to_group.ldif
    

4.8.1.2.8.3. Remove Users from a Group

To remove users from a group:

  1. Log in to the LDAP server as root.

  2. Edit the /root/ldifs/del_from_group.ldif shown below.

    dn: cn=<Group Name>,ou=Group,dc=your,dc=domain
    changetype: modify
    delete: memberUid
    memberUid: <UID1>
    memberUid: <UID2>
    ...
    memberUid: <UIDX>
    
  3. Type the following, substituting your DN information for dc=your,dc=domain:

    ldapmodify -Z -x -W -D "cn=LDAPAdmin,ou=People,dc=your,dc=domain" \
    -f /root/ldifs/del_from_group.ldif