ldapscripts icon indicating copy to clipboard operation
ldapscripts copied to clipboard

Simple shell scripts to handle POSIX entries in an LDAP directory

Ldapscripts - README file


Description :


The ldapscripts are originally designed to be used within Samba 3.x's smb.conf file. They allow to manipulate POSIX entries for users, groups and machines in an LDAP directory. They are written in shell and need ldap client commands to work correctly (ldapadd, ldapdelete, ldapmodify, ldapsearch). Other scripts also are provided as simple tools to (manually) query your LDAP directory : ldapfinger, ldapid, lsldap (...).

They are designed to be used under GNU/Linux or FreeBSD (any other recent UNIX-like should also work) and require several binaries that should come with your OS (uuencode, getent/pw, date, grep, sed, cut...).

Latest version available on http://contribs.martymac.org

Installing and configuring the ldapscripts :


To install the scripts, just type in :

make install

or, to define a special installation directory :

make PREFIX=/target/directory install

Use 'make help' for more options.

All the scripts will be copied (by default) to /usr/local/sbin and ldapscripts.conf will be copied to /usr/local/etc/ldapscripts.

Keep in mind that the scripts are installed with quite restrictive rights. You may have to play with group rights or ACLs (if they are enabled on your system) to make the things work...

Once installed, edit /usr/local/etc/ldapscripts/ldapscripts.conf to configure the ldapscripts.

Then, just type in - e.g. :

ldapadduser foo foogroup

See ldapscripts(5) for more details.

Configuring your OpenLDAP server :


Be sure to include these schemas in your slapd.conf :

  • core.schema
  • cosine.schema (for the account objectClass)
  • nis.schema (for the posixAccount objectClass) or a modified RFC 2307bis compliant version of this file if you plan to use AUXILIARY posixGroup objectClasses together with groupOfNames or groupOfUniqueNames objectClasses (see GCLASS parameter in the ldapscripts.conf file).

Using the ldapscripts with Samba 3.x :


To use the ldapscripts with Samba 3.x (e.g. for a Windows -> Samba migration), just add the following to your smb.conf file :

[...]

add machine script = /usr/local/sbin/ldapaddmachine '%u' sambamachines add user script = /usr/local/sbin/ldapadduser '%u' sambausers add group script = /usr/local/sbin/ldapaddgroup '%g' add user to group script = /usr/local/sbin/ldapaddusertogroup '%u' '%g' delete user script = /usr/local/sbin/ldapdeleteuser '%u' delete group script = /usr/local/sbin/ldapdeletegroup '%g' delete user from group script = /usr/local/sbin/ldapdeleteuserfromgroup '%u' '%g' set primary group script = /usr/local/sbin/ldapsetprimarygroup '%u' '%g' rename user script = /usr/local/sbin/ldaprenameuser '%uold' '%unew'

[...]

and make sure sambamachines and sambausers exist before attempting to do a "net rpc vampire"...

Files :


  • Various files :

README : this file ! COPYING : the GPLv2 (or later) license CHANGELOG : the changelog file, of course VERSION : the current version of the ldapscripts TODO : ideas, remaining work Makefile : installation Makefile

  • Man pages :

man/* : man pages

  • Configuration files :

etc/ldapscripts.conf : configuration file etc/ldapadduser.template.sample : user LDIF template file etc/ldapaddgroup.template.sample : group LDIF template file etc/ldapaddmachine.template.sample : machine LDIF template file

  • 'Library' files

lib/runtime : runtime file used by the scripts (contains functions, etc...)

  • Scripts that can be used in Samba configuration file (smb.conf) :

sbin/ldapaddgroup : adds a POSIX group to LDAP sbin/ldapadduser : adds a POSIX user to LDAP sbin/ldapdeletegroup : deletes a POSIX group from LDAP sbin/ldapdeleteuserfromgroup : deletes a member from a group sbin/ldapsetprimarygroup : sets gidNumber of a POSIX user or machine account sbin/ldapaddmachine : adds a POSIX machine (user$) to LDAP sbin/ldapaddusertogroup : adds a member to a group sbin/ldapdeleteuser : deletes a POSIX user from LDAP sbin/ldaprenameuser : renames a POSIX user account in LDAP

  • Additional (useful) scripts not useable by Samba :

sbin/ldapdeletemachine : deletes a POSIX machine account in LDAP sbin/ldapinit : initializes the LDAP tree with a minimal tree sbin/lsldap : performs a big recursive query on the LDAP server from the root dn sbin/ldapmodifyuser : modifies a POSIX user account in LDAP interactively sbin/ldapmodifymachine : modifies a POSIX machine account in LDAP interactively sbin/ldapmodifygroup : modifies a POSIX group account in LDAP interactively sbin/ldaprenamemachine : renames a POSIX machine account in LDAP sbin/ldaprenamegroup : renames a POSIX group in LDAP sbin/ldapsetpasswd : modifies a POSIX user or machine account's password in LDAP sbin/ldapfinger : displays a user/machine/group POSIX account's details sbin/ldapid : displays a user's list of IDs sbin/ldapgid : displays a group's list of IDs

Environment :


You can set the LDAPSCRIPTS_CONF environment variable to override default configuration file's location.

Author / Licence :


These scripts have been written by Ganaël LAPLANCHE ([email protected]) and are available within the GPL license (see COPYING for details).

Thanks for using the ldapscripts... Any feedback welcome :)