|
37.4 Data Handling in the LDAP Directory
OpenLDAP offers a series of tools for the
administration of data in the LDAP directory. The four most important tools
for adding to, deleting from, searching through, and modifying the data
stock are briefly explained below.
37.4.1 Inserting Data into an LDAP Directory
Once the configuration of your LDAP server in
/etc/openldap/slapd.conf is correct and ready to go
(it features appropriate entries for suffix,
directory, rootdn,
rootpw, and index), proceed to
entering records. OpenLDAP offers the ldapadd command
for this task. If possible, add the objects to the database in bundles for
practical reasons. LDAP is able to process the LDIF format (LDAP data
interchange format) for this. An LDIF file is a simple text file that can
contain an arbitrary number of attribute and value pairs. Refer to the
schema files declared in slapd.conf for the available
object classes and attributes. The LDIF file for creating a rough framework
for the example in Figure 37-1
would look like that in Example 37-7.
Example 37-7
Example for an LDIF File
# The SUSE Organization
dn: dc=suse,dc=de
objectClass: dcObject
objectClass: organization
o: SUSE AG dc: suse
# The organizational unit development (devel)
dn: ou=devel,dc=suse,dc=de
objectClass: organizationalUnit
ou: devel
# The organizational unit documentation (doc)
dn: ou=doc,dc=suse,dc=de
objectClass: organizationalUnit
ou: doc
# The organizational unit internal IT (it)
dn: ou=it,dc=suse,dc=de
objectClass: organizationalUnit
ou: it
IMPORTANT: Encoding of LDIF Files
LDAP works with UTF-8 (Unicode). Umlauts must be encoded correctly.
Use an editor that supports UTF-8, such as Kate or recent versions of
Emacs. Otherwise, avoid umlauts and other special characters or use
recode to recode the input to UTF-8.
Save the file with the .ldif suffix then
pass it to the server with the following command: ldapadd -x -D <dn of the administrator> -W -f <file>.ldif
-x switches off the authentication
with SASL in this case. -D declares the user
that calls the operation. The valid DN of the administrator is entered here
just like it has been configured in slapd.conf. In the
current example, this is cn=admin,dc=suse,dc=de.
-W circumvents entering the password on the
command line (in clear text) and activates a separate password
prompt. This password was previously determined in
slapd.conf with rootpw.
-f passes the filename. See the details of
running ldapadd in Example 37-8.
Example 37-8
ldapadd with example.ldif
ldapadd -x -D cn=admin,dc=suse,dc=de -W -f example.ldif
Enter LDAP password:
adding new entry "dc=suse,dc=de"
adding new entry "ou=devel,dc=suse,dc=de"
adding new entry "ou=doc,dc=suse,dc=de"
adding new entry "ou=it,dc=suse,dc=de"
The user data of individuals can be prepared in separate
LDIF files. Example 37-9 adds
Tux to the new LDAP directory.
Example 37-9
LDIF Data for Tux
# coworker Tux
dn: cn=Tux Linux,ou=devel,dc=suse,dc=de
objectClass: inetOrgPerson
cn: Tux Linux
givenName: Tux
sn: Linux
mail: [email protected]
uid: tux
telephoneNumber: +49 1234 567-8
An LDIF file can contain an arbitrary number of objects. It is
possible to pass entire directory branches to the server at once or only
parts of it as shown in the example of individual objects. If it is
necessary to modify some data relatively often, a fine subdivision of
single objects is recommended.
37.4.2 Modifying Data in the LDAP Directory
The tool ldapmodify is provided for modifying the
data stock. The easiest way to do this is to modify the corresponding LDIF
file then pass this modified file to the LDAP server. To change the
telephone number of colleague Tux from +49 1234 567-8 to
+49 1234 567-10, edit the LDIF file like in
Example 37-10.
Example 37-10
Modified LDIF File tux.ldif
# coworker Tux
dn: cn=Tux Linux,ou=devel,dc=suse,dc=de
changetype: modify
replace: telephoneNumber
telephoneNumber: +49 1234 567-10
Import the modified file into the LDAP directory with the following
command: ldapmodify -x -D cn=admin,dc=suse,dc=de -W -f tux.ldif
Alternatively, pass the attributes to change directly to
ldapmodify. The procedure for this is described
below:
-
Start ldapmodify and enter your password: ldapmodify -x -D cn=admin,dc=suse,dc=de -W
Enter LDAP password:
-
Enter the changes while carefully complying with the syntax in the
order presented below: dn: cn=Tux Linux,ou=devel,dc=suse,dc=de
changetype: modify
replace: telephoneNumber
telephoneNumber: +49 1234 567-10
Find detailed information about ldapmodify and its
syntax in the ldapmodify man page.
37.4.3 Searching or Reading Data from an LDAP Directory
OpenLDAP provides, with
ldapsearch, a command line tool for searching data
within an LDAP directory and reading data from it. A simple query would
have the following syntax: ldapsearch -x -b dc=suse,dc=de "(objectClass=*)"
The -b option determines the search
base—the section of the tree within which the search should
be performed. In the
current case, this is dc=suse,dc=de. To perform a more
finely-grained search in specific subsections of the LDAP directory (for
example, only within the devel department), pass this
section to ldapsearch with
-b. -x requests
activation of simple authentication. (objectClass=*)
declares that all objects contained in the directory should be read. This
command option can be used after the creation of a new directory tree to
verify that all entries have been recorded correctly and the server
responds as desired. Find more information about the use of
ldapsearch in the corresponding man page
(ldapsearch(1)).
37.4.4 Deleting Data from an LDAP Directory
Delete unwanted entries with ldapdelete. The syntax
is similar to that of the other commands. To delete, for example,
the complete entry for Tux Linux, issue the
following command: ldapdelete -x -D cn=admin,dc=suse,dc=de -W cn=Tux \
Linux,ou=devel,dc=suse,dc=de
|
|