LDAP notes
Basic reference
Basic command for searching LDAP:
ldapsearch -h <host> -b baseDN -D bindDN -W
LDIF operations
Changing a user password with LDIF
First of all, avoid using plain text passwords. To create a hash of a password, use the slappasswd tool.
Stack Overflow post about changing password using ldif file
Then, create the LDIF file:
# userPassword takes the hash printed by slappasswd in place of newPassword
dn: CN=John Smith, OU=Users,DC=Fabrikam,DC=com
changetype: modify
replace: userPassword
userPassword: newPassword
Modifying a user password using LDIF
Finally, call ldapmodify and pass the credentials of a user that has permission to make the change:
ldapmodify -f $path_to_ldif -h $host -D $dn -W
LDAP Troubleshooting
I needed to add an attribute to an entry. It is atributo5, and the LDIF looks like this:
dn: uid=test,ou=foo,dc=example,dc=com
changetype: modify
add: atributo5
atributo5: bla
When trying to add it with ldapmodify, I got this error:
ldap_modify: Object class violation (65)
additional info: attribute 'atributo5' not allowed
I'm not an LDAP expert. After some research and talking to the local LDAP
administrator, I discovered that LDAP entries had classes attached to them. I
discovered that the class that implemented it is otherAttributesClass, so I
had to add it to the entry first. So I did that with the following LDIF:
dn: uid=test,ou=foo,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: otherAttributesClass
And, after that, adding the attribute to the entry worked.