NSS LDAP Templates
Below are example commands and LDIFs for various common NSS LDAP operations. To run the examples below, you can either run the command and paste the LDIF contents into the terminal, or place the contents in a file and run the command with the -f <filename> argument.

To check the group membership that NSS currently resolves, run:
getent group <groupname>
To retrieve an LDAP entry, use the following command:
ldapsearch -h openldap1 -Y GSSAPI -b <dn>
The following templates are used for creating new instances of various types of objects. These examples should be run with the following command:
ldapadd -h openldap1 -Y GSSAPI
This template is for creating a general-purpose user account, for example a new staff member or a guest account. By convention, we use the ID of the account's AFS user (if applicable) as the uidNumber. This can be retrieved using:
pts examine ahamilto
dn: uid=ahamilto,ou=2009,ou=students,ou=people,dc=csl,dc=tjhsst,dc=edu
cn: Andrew Hamilton
description: 2009
displayName: Hamilton, Andrew
givenName: Andrew
uid: ahamilto
sn: Hamilton
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
objectClass: posixAccount
uidNumber: 1748
gecos: Andrew Hamilton
gidNumber: 2009
homeDirectory: /afs/csl.tjhsst.edu/students/2009/ahamilto
loginShell: /bin/bash
If the account is for a staff member/non-student, put 1984 (faculty group) as the gidNumber.
This template is similar to the previous one, except that this user account is valid for servers and other restricted-access systems. By convention, we use the same uidNumber for this account as for the user's general-access account.
dn: uid=ahamilto,ou=sysadmins,dc=csl,dc=tjhsst,dc=edu
objectClass: posixAccount
objectClass: shadowAccount
objectClass: account
objectClass: top
uid: ahamilto
cn: ahamilto
uidNumber: 1748
gidNumber: 100
homeDirectory: /home/ahamilto
loginShell: /bin/bash
gecos: Andrew Hamilton
This template is for creating a new group. These groups exist on both general and restricted access systems.
# allaccess, group, csl.tjhsst.edu
dn: cn=allaccess,ou=group,dc=csl,dc=tjhsst,dc=edu
memberUid: root
memberUid: ahamilto
gidNumber: 1337
cn: allaccess
objectClass: posixGroup
objectClass: top
This template is for creating a new organizational unit.
dn: ou=2006,ou=students,ou=people,dc=csl,dc=tjhsst,dc=edu
objectClass: top
objectClass: organizationalUnit
ou: 2006
The following templates are for modifying existing objects. These examples should be run with the following command:
ldapmodify -h openldap1
This template is for adding a user to an existing group.
dn: cn=allaccess,ou=group,dc=csl,dc=tjhsst,dc=edu
changetype: modify
add: memberUid
memberUid: ahamilto
This template removes a single user from a group. NOTE: be very careful when using this template via copy-paste. If you accidentally omit the last line (memberUid: ahamilto), the change becomes a bare "delete: memberUid" with no value, which removes all memberUid attributes from the group instead of the single targeted one.
dn: cn=allaccess,ou=group,dc=csl,dc=tjhsst,dc=edu
changetype: modify
delete: memberUid
memberUid: ahamilto
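As an added example that is not part of the original page, the following Python script checks a modify LDIF for exactly that mistake before it is handed to ldapmodify: a delete change that carries no value line. The sample records are constructed from the template above.

```python
# Added example (not from the original page): pre-flight check for LDIF
# modify records, flagging a "delete: <attr>" with no value line, which
# ldapmodify treats as "remove every value of <attr>".

def parse_modify_records(ldif_text):
    """Return [(dn, [(op, attr, [values]), ...])] for changetype: modify
    records; other record types are skipped."""
    records = []
    for block in ldif_text.strip().split("\n\n"):  # records are blank-line separated
        lines = [ln.rstrip() for ln in block.splitlines()
                 if ln.strip() and not ln.startswith("#")]
        if (len(lines) < 2 or not lines[0].startswith("dn: ")
                or lines[1] != "changetype: modify"):
            continue
        dn, changes, current = lines[0][4:], [], None
        for line in lines[2:]:
            if line == "-":  # '-' ends one change group within the record
                current = None
                continue
            key, _, value = line.partition(": ")
            if key in ("add", "delete", "replace"):
                current = (key, value, [])
                changes.append(current)
            elif current is not None and key == current[1]:
                current[2].append(value)
        records.append((dn, changes))
    return records

def find_wholesale_deletes(ldif_text):
    """Return (dn, attr) for every delete change that names no value."""
    return [(dn, attr)
            for dn, changes in parse_modify_records(ldif_text)
            for op, attr, values in changes
            if op == "delete" and not values]

# Constructed samples based on the page's remove-user template.
SAFE_LDIF = """dn: cn=allaccess,ou=group,dc=csl,dc=tjhsst,dc=edu
changetype: modify
delete: memberUid
memberUid: ahamilto
"""
# The same template with its last line lost in copy-paste.
RISKY_LDIF = """dn: cn=allaccess,ou=group,dc=csl,dc=tjhsst,dc=edu
changetype: modify
delete: memberUid
"""

if __name__ == "__main__":
    for name, text in (("safe", SAFE_LDIF), ("risky", RISKY_LDIF)):
        print(name, "->", find_wholesale_deletes(text) or "ok")
```

Run it over the LDIF file you are about to pass with -f; an empty result means every delete names a specific value.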
If you accidentally set a wrong attribute value when creating an LDAP entry, you can use the following to replace it:
dn: uid=2017ewang,ou=2020,ou=students,ou=people,dc=csl,dc=tjhsst,dc=edu
changetype: modify
replace: sn
sn: Wang
To delete an object from LDAP, use the following command, giving the DN of the object to delete:
ldapdelete -h openldap1
cn=allaccess,ou=group,dc=csl,dc=tjhsst,dc=edu