Scribd Logo
Upload

Welcome to Scribd!

  • 320 views

    LDAP Commands

    Uploaded by

    ptrscribd
    The document provides information on LDAP commands and administration. It discusses LDAP servers, directory information trees, entry administration including adding, modifying and deleting entries, searching for entries, starting and stopping the LDAP server, logs, and troubleshooting client configuration.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as TXT, PDF, TXT or read online from Scribd

    LDAP Commands

    Uploaded by

    ptrscribd
    320 views4 pages
    The document provides information on LDAP commands and administration. It discusses LDAP servers, directory information trees, entry administration including adding, modifying and deleting entries, searching for entries, starting and stopping the LDAP server, logs, and troubleshooting client configuration.

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    TXT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The document provides information on LDAP commands and administration. It discusses LDAP servers, directory information trees, entry administration including adding, modifying and deleting entries, searching for entries, starting and stopping the LDAP server, logs, and troubleshooting client configuration.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as TXT, PDF, TXT or read online from Scribd
    Download as txt, pdf, or txt
    320 views4 pages

    LDAP Commands

    Uploaded by

    ptrscribd
    The document provides information on LDAP commands and administration. It discusses LDAP servers, directory information trees, entry administration including adding, modifying and deleting entries, searching for entries, starting and stopping the LDAP server, logs, and troubleshooting client configuration.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as TXT, PDF, TXT or read online from Scribd
    Download as txt, pdf, or txt
    of 4

    LDAP CommandsFMO LDAP

    Servers
    Directory Information Trees (DITs)
    Entry Administration
    Password Resets
    Entry addition, deletion and modification
    Looking for entries
    Starting and Stopping the Server
    Logs
    Troubleshooting
    Is my Server Cliented?
    Clienting your server
    Servers
    The servers are tssp0027 (MPC) and tssp0028 (JGC)
    Access to the GUI using web interface: http://10.4.131.211/dscc. Sign on as
    admin.
    The following dsconf commands are useful for gathering info on the server:
    /opt/product/ldap/dsee/ds6/bin/dsconf info
    /opt/product/ldap/dsee/ds6/bin/dsconf get-server-prop
    /opt/product/ldap/dsee/ds6/bin/dsconf get-suffix-prop dc=uk,dc=tslp
    /opt/product/ldap/dsee/ds6/bin/dsconf list-suffixes
    /opt/product/ldap/dsee/ds6/bin/dsconf list-suffixes -v
    You can also get this from the GUI
    Directory Information Trees
    There are two DIT's:
    dc=uk,dc=tsl for T-Systems servers (tssp*)
    and
    dc=uk,dc=centricaplc,dc=com for Centrica servers (cnsv*)
    The servers will be ldapclient'd to one or other of these.
    The contents of these DIT's are backed up every night to
    /opt/product/ldap/ds/ldif by /opt/product/ldap/ds/backup.sh
    Entry Administration
    Password resets
    This can be done via the GUI if it's working (which it probably isn't).
    There are other methods that can be done on the command line:
    Option 1 : As root on your LDAP client, run passwd -r ldap userid
    Option 2 : As root on tssp0027, run /var/opt/ldap/reset_password userid
    Option 3 : use ldapmodify and an LDIF file. Do this on tssp0027. This is a bit
    more complicated, and is a manual version of option 2.
    Run /var/opt/ldap/generatepw userid
    This will produce an encrypted version of userid
    Create a file containing the following LDIF:
    dn:uid=userid,ou=people,dc=uk,dc=centricaplc,dc=com
    changetype:modify
    replace:userpassword
    userpassword:{crypt}Encrypted userid
    Run ldapmodify -h 10.4.131.21 -D 'cn=directory manager' -w passw
    ord123 <
    Your LDIF file
    Entry addition, deletion and modification
    Scripts are held in /var/opt/ldap, with centrica and tsl subdirectories.
    To update groups, passwd or netgroups you should update the relevant flat file
    in one of those directories and run /var/opt/ldap/ldap_sync.pl
    e.g. to add a passwd entry to Centrica DIT
    cd /var/opt/ldap/centrica
    edit passwd to add your entry
    Note: It's probably worth adding the user to NIS+ first to geta unique UID.
    Edit the netgroup file if necessary
    Note: Your userid must be defined in the netgroup for the server it needs to
    get on to.
    Don't change directories !
    Run /var/opt/ldap/sync-ldap.pl centrica. This will produce up to 3 files
    (add*, delete* modify*) containing LDIF that can be used to update LDAP.
    Run ldapmodify -h 10.4.131.21 -D 'cn=directory manager' -w password123< file
    containing LDIF for all 3 files.
    Looking for Entries
    There are a couple of methods to search for entries defined in LDAP. The easiest
    method is to use ldaplist from the LDAP client. Alternatively, you can used the
    more powerful ldapsearch command, which is a bit harder to use.
    ldaplist
    Note: ldaplist only lists entries for the DIT that the client resides in.
    ldaplist passwd - All password entries
    ldaplist -l passwd watersd - detailed info for watersd
    ldaplist group - All groups
    ldaplist netgroup - All Netgroups
    ldapsearch
    e.g. ldapsearch -D 'cn=directory manager' -w password123 -b 'dc=uk,dc=tsl' uid=*

    where: -b "dc=uk,dc=tsl" Specifies the place to start the search. uid=*


    Specifies all users.
    Netgroups
    The /var/opt/ldap/getusers.pl script shows the relationship between users and
    their netgroup for all users and netgroups.
    Use /var/opt/ldap/getusers.pl userid to find the netgroups for a single user.
    Other examples: ldapsearch -D 'cn=directory manager' -w password123 -b
    'dc=uk,dc=tsl' cn=* List everything
    ldapsearch -D 'cn=directory manager' -w password123 -b
    'ou=people,dc=uk,dc=tsl' cn=* List all users, Which is the same as -b
    'dc=uk,dc=tsl' uid=*
    ldapsearch -D 'cn=directory manager' -w password123 -b
    'dc=uk,dc=centricaplc,dc=com' uid=* uid uidnumber gidnumber
    or
    dapsearch -D 'cn=directory manager' -w password123 -b
    'ou=people,dc=uk,dc=tsl' uid=* uid uidnumber gidnumber List uid uidnumber
    gidnumber for all users in which-ever domain you are interested in.
    ldapsearch -D 'cn=directory manager' -w password123 -b 'dc=uk,dc=tsl'
    cn=tssp0021 Display members of netgroup tssp0021
    Starting and Stopping the server
    The server can be stopped and started using svcadm:
    svcadm disable /application/sun/ds:ds--local-ds
    svcadm enable /application/sun/ds:ds--local-ds
    Note: You must stop the server before you use dsadm commands!
    Logs
    Access and error logs are kept in /var/log/ldap/ds.
    Logs are rotated as per the setting defined using dsconf (or the GUI). Display
    the setting using /opt/product/ldap/dsee/ds6/bin/dsconf get-log-prop access
    Troubleshooting

    Sun may ask you to dump the whole directory:


    ldapsearch -D "cn=Directory Manager" -w ldaptest -b "cn=config" objectclass="*"
    Is my Server Cliented?
    The following command should help determine if your server is configured
    correctly:
    svcs \*ldap\* Check that the ldap_cachemgr service is running (should say
    online)
    STATE STIME FMRI
    online Aug_27 svc:/network/ldap/client:default
    /usr/lib/ldap/ldap_cachemgr -g Get info out of ldap_cachemgr
    cachemgr configuration:
    server debug level 0
    server log file "/var/ldap/cachemgr.log"
    number of calls to ldapcachemgr 1135
    cachemgr cache data statistics:
    Configuration refresh information:
    Previous refresh time: 2009/09/07 12:54:53
    Next refresh time: 2009/09/07 13:54:53
    Server information:
    Previous refresh time: 2009/09/07 13:34:53
    Next refresh time: 2009/09/07 13:54:53
    server: 10.4.131.21, status: UP
    server: 10.4.131.14, status: UP
    Cache data information:
    Maximum cache entries: 256
    Number of cache entries: 0
    ldapclient list Check the Current Profile Information - shows how the
    server was cliented
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=uk,dc=centricaplc,dc=com
    NS_LDAP_BINDPASSWD= {NS1}ecfa88f3a945c411404d5a
    NS_LDAP_SEARCH_BASEDN= dc=uk,dc=centricaplc,dc=com
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= TRUE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= 10.4.131.21, 10.4.131.14
    NS_LDAP_CACHETTL= 3600
    NS_LDAP_PROFILE= uk-centrica-ssl-1
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_BIND_TIME= 10
    ldaplist passwd Should list out all the passwd entries

    Clienting your server

    This should be done during installation by the script


    /var/tmp/install-ldap-client.ksh
    The most likely reason for it failing is that the server couldn't reach the LDAP
    server. Do this:
    Check you can ping 10.4.131.21. If not, sort out your network.
    Look at /etc/nsswitch.conf
    If it has refernces to ldap in it:
    Take a backup of /etc/nsswitch.conf
    Run /usr/sbin/ldapclient init -a profileName=uk-centrica-ssl-2 -a
    domainName=uk.centricaplc.com -a
    proxyDN=cn=proxyagent,ou=profile,dc=uk,dc=centricaplc,dc=com -a
    proxyPassword=password123 10.4.131.21
    Restore your copy of /etc/nsswitch.conf
    If it does not have refernces to ldap in it:
    run /var/tmp/install-ldap-client.ksh
    Check your installation: ldaplist passwd

    You might also like