This blog is my effort to put together a list of ldap commands that can be used for most common of tasks like create a user, backup ldap, change the password etc. from command line.
I hope this would especially help folks who are not exactly LDAP admins but are still required to work with active directory/ldap on and off.
Please make sure to replace the {passwd} in below commands with your actual password
Create a new ldap user :
1) Search for existing users
/opt/ibm/ldap/V6.3.1/bin/idsldapsearch -D cn=root -w {passwd} -s sub -b "ou=users,ou=abc,c=xyz" objectclass=*
2) Create an addusers.ldif file in the /tmp directory. Here we are adding two users. Contents of /tmp/addusers.ldif:
dn: cn=ldapuser1,ou=users,ou=internal,o=abc,c=xyz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ePerson
cn: ldapuser1
sn: ldapuser1
userPassword: password1
uid: ldapuser1

dn: cn=ldapuser2,ou=users,ou=internal,o=abc,c=xyz
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: ePerson
cn: ldapuser2
sn: ldapuser2
userPassword: password2
uid: ldapuser2
3) Now execute following command :
/opt/ibm/ldap/V6.3.1/bin/idsldapadd -D cn=root -w {passwd} -i /tmp/addusers.ldif -k
4) At this point the users should be successfully added to LDAP. However, if the password policy has pwdreset set to true, the newly created users will be forced to reset their password on first login, because LDAP enforces "pwdreset=true" on all users. This behavior can be suppressed by setting "pwdreset=false" just on the newly added users. Given below is
Execute this :
/opt/IBM/ldap/V6.3.1/bin/idsldapmodify -k -D cn=root -w {passwd}
Paste this
dn: cn=ldapuser1,ou=users,ou=internal,o=upr,c=us
changetype: modify
replace: PWDRESET
PWDRESET: false

dn: cn=ldapuser2,ou=users,ou=internal,o=upr,c=us
changetype: modify
replace: PWDRESET
PWDRESET: false

Press CTRL+D to end the input.
5) Now search all users and list their PWDRESET attribute. Our two users should no longer show PWDRESET set to true:
/opt/ibm/ldap/V6.3.1/bin/idsldapsearch -D cn=root -w {passwd} -b "ou=users,ou=internal,o=abc,c=xyz" objectclass=* PWDRESET
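Hand-writing the two LDIF files above is where the suffix mismatches and missing blank lines between records creep in. The script below is an added example (not part of the original post) that generates both files from one base DN and a list of uid:password pairs; the base DN and object classes are the ones used in the post's LDIF, and the IBM command lines in the trailing comment are not executed here.

```shell
#!/bin/sh
# Generate the add-users LDIF and the pwdReset-suppressing modify LDIF
# from a single base DN, so every record uses the same suffix.

# gen_user_ldif BASE_DN uid:password [uid:password ...]
# Emits one inetOrgPerson/ePerson entry per pair; records are separated by
# a blank line, which idsldapadd requires between entries.
# Values are written as plain LDIF: they must be ASCII and must not start
# with a space, ':' or '<' (such values need base64 'attr:: ...' syntax).
gen_user_ldif() {
  base="$1"; shift
  for pair in "$@"; do
    uid="${pair%%:*}"      # text before the first ':'
    pw="${pair#*:}"        # text after the first ':' (may itself contain ':')
    printf 'dn: cn=%s,%s\n' "$uid" "$base"
    printf 'objectClass: top\nobjectClass: person\n'
    printf 'objectClass: organizationalPerson\nobjectClass: inetOrgPerson\n'
    printf 'objectClass: ePerson\n'
    printf 'cn: %s\nsn: %s\nuid: %s\nuserPassword: %s\n\n' "$uid" "$uid" "$uid" "$pw"
  done
}

# gen_pwdreset_ldif BASE_DN uid [uid ...]
# Emits one 'changetype: modify' record per uid clearing pwdReset.
# LDAP attribute names are case-insensitive, so pwdReset == PWDRESET.
gen_pwdreset_ldif() {
  base="$1"; shift
  for uid in "$@"; do
    printf 'dn: cn=%s,%s\n' "$uid" "$base"
    printf 'changetype: modify\nreplace: pwdReset\npwdReset: false\n\n'
  done
}

# Usage against the server (not run here; needs the IBM tools from the post):
#   umask 077   # the LDIF holds clear-text passwords; keep it unreadable to others
#   BASE='ou=users,ou=internal,o=abc,c=xyz'
#   gen_user_ldif "$BASE" ldapuser1:password1 ldapuser2:password2 > /tmp/addusers.ldif
#   /opt/ibm/ldap/V6.3.1/bin/idsldapadd -D cn=root -w {passwd} -k -i /tmp/addusers.ldif
#   gen_pwdreset_ldif "$BASE" ldapuser1 ldapuser2 | \
#     /opt/IBM/ldap/V6.3.1/bin/idsldapmodify -k -D cn=root -w {passwd}
```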
Changing a ldap user's password
1) Search for existing users
/opt/ibm/ldap/V6.3.1/bin/idsldapsearch -D cn=root -w {passwd} -s sub -b "ou=users,ou=abc,c=xyz" objectclass=*
2) Create an updatePasswd.ldif file in the /tmp directory. Contents of /tmp/updatePasswd.ldif:
dn: cn=ldapuser1,ou=users,ou=internal,o=abc,c=xyz
changetype: modify
replace: userPassword
userPassword: {newPassword}
Notice the {newPassword} field in the above file. Replace it with the new password.
3) Now execute the following command to update the password:
/opt/ibm/ldap/V6.3.1/bin/ldapmodify -D cn=root -w {passwd} -i /tmp/updatePasswd.ldif -k
Stop/Start LDAP
1) Stop LDAP
/opt/IBM/ldap/V6.3.1/sbin/ibmslapd -I {ldapInstanceName} -k
For eg, in my case,
/opt/IBM/ldap/V6.3.1/sbin/ibmslapd -I isamldap -k
2) Start LDAP
/opt/IBM/ldap/V6.3.1/sbin/ibmslapd -I {ldapInstanceName}
For eg, in my case,
/opt/IBM/ldap/V6.3.1/sbin/ibmslapd -I isamldap
Backup LDAP
/opt/IBM/ldap/V6.3.1/sbin/idsdbback -I {ldapInstanceName} -k {backupDirectory}
For eg, in my case,
/opt/IBM/ldap/V6.3.1/sbin/idsdbback -I isamldap -k /tmp/ldapBackup
The above command takes a full backup; if you only want an LDIF export of the directory data instead, use this:
/opt/IBM/ldap/V6.3.1/sbin/idsdb2ldif -I isamldap -o without-j.ldif