OpenLDAP operations (ldapadd).

Introduction

This post will cover another important LDAP data manipulation – adding new entries to the directory tree. We will be using the ldapadd utility.

Prerequisite

I assume that you have a working OpenLDAP server and OpenLDAP client. You might want to read this post, which explains step by step how to install and run an OpenLDAP server on Ubuntu 18.04. It also shows the basic configuration of the OpenLDAP client that makes it possible to send requests to the server.

How to add a new entry to LDAP?

Step 1. Create an LDIF file.

To add a new entry we first have to create a file in LDIF format which describes the new entry, and then import that file using the ldapadd command.

Create a new file add_branch.ldif with the following content:

dn: ou=users,dc=geekstuff,dc=org
objectclass: organizationalunit
ou: users

The first line defines the DN of the new entry in the tree. In my case its DN will be ou=users,dc=geekstuff,dc=org. This means that our branch will be created right under the root of the tree, because ou=users is followed by dc=geekstuff,dc=org, which is the root DN. A DN is similar to a full path in an operating system: each successive element specifies the next step up the path in the tree, from the entry itself to the root.

The second line specifies the objectclass of our new entry; we set it to organizationalunit. The objectclass determines which attributes the entry must and may have. Objectclasses and their corresponding attributes are defined in schema files, which for OpenLDAP on Ubuntu 18.04 are located in /etc/ldap/schema.

The third line sets the value of the ou attribute to users. We can use the ou attribute because we defined the objectclass as organizationalunit. Below is an excerpt from the /etc/ldap/schema/core.schema file; notice how the objectclass definition describes which attributes are required (MUST) and which are optional (MAY):

objectclass ( 2.5.6.5 NAME 'organizationalUnit'
  DESC 'RFC2256: an organizational unit'
  SUP top STRUCTURAL
  MUST ou
  MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $
    x121Address $ registeredAddress $ destinationIndicator $
    preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $
    telephoneNumber $ internationaliSDNNumber $
    facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $
    postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )

Step 2. Add a new branch to LDAP.

Now let’s run the ldapadd command, which will process the LDIF file and add the new entry to the tree.

We provide the bind DN and ask to be prompted for its password (-D cn=admin,dc=geekstuff,dc=org -W). Besides that we need to provide the name of the file with the LDIF data we want to import (-f add_branch.ldif). The output tells us that the new entry has been added.

Now, if I perform ldapsearch I can see my new branch users:

Step 3. Add a new user to LDAP.

Let’s add a new user to our users branch (organizational unit). Create an LDIF file add_user.ldif with the following content:

dn: cn=Orkhan Sadigov,ou=users,dc=geekstuff,dc=org
objectclass: inetOrgPerson
objectclass: simpleSecurityObject
cn: Orkhan Sadigov
sn: Sadigov
uid: orkhans
userPassword: password

The first line defines the DN of our new user and, as we can see, the user will be created under the users branch. Again, notice how the DN resembles the full path from the user to the root of the tree.

We also define inetOrgPerson and simpleSecurityObject as objectclasses, so that their attributes become available to the entry. The following lines specify the attribute values.

Run the ldapadd command to import the data:

Now if you run the sudo slapcat command you will find the newly created entry with its attributes in the output:

As you can see, userPassword is set to cGFzc3dvcmQ=, though we specified the string password in our LDIF file. This is because LDAP stores this password in base64 encoded format (by the way, the double colon after the attribute name indicates that the following string is base64 encoded data). You might want to go to https://www.base64encode.org/, which is an online tool for base64 encoding/decoding, and verify that the string password really encodes to cGFzc3dvcmQ=.
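The double-colon convention above is part of the LDIF format (RFC 2849), not something specific to passwords: any value that is not "safe" printable ASCII (or that slapcat chooses to treat as binary, as it does for userPassword) is written after "attr::" as base64. Note that base64 is only a transport representation; the value slapcat prints for Orkhan's entry decodes straight back to the plaintext password. The following script is an added example (not code from the original post or from OpenLDAP) that implements the encode/decode rule and reads a slapcat-style entry back. The sample entry is constructed to mirror the post's output and trimmed to the attributes shown there.

```python
"""Encode LDIF attribute values as ldapadd expects them and decode slapcat output.

Added example, not part of the original post. Implements the RFC 2849 rule
deciding when a value must be written base64 after "attr::", and parses
slapcat-style LDIF (including line folding and "::" values) back to bytes.
"""
import base64

# RFC 2849 SAFE-STRING: a value may follow "attr: " literally only if it is
# ASCII, contains no NUL/CR/LF, and does not start with space, ':' or '<'.
_UNSAFE_ANYWHERE = {0x00, 0x0A, 0x0D}
_UNSAFE_FIRST = _UNSAFE_ANYWHERE | {0x20, 0x3A, 0x3C}


def needs_base64(value: bytes) -> bool:
    """Return True if RFC 2849 requires (or recommends) base64 for this value."""
    if not value:
        return False
    if value[0] >= 0x80 or value[0] in _UNSAFE_FIRST:
        return True
    if any(b >= 0x80 or b in _UNSAFE_ANYWHERE for b in value[1:]):
        return True
    # RFC 2849 recommends base64 for values ending in a space so it is not lost.
    return value.endswith(b" ")


def format_attr(name: str, value, force_base64: bool = False) -> str:
    """Render one 'name: value' or 'name:: base64' LDIF line."""
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    if force_base64 or needs_base64(raw):
        return f"{name}:: {base64.b64encode(raw).decode('ascii')}"
    return f"{name}: {raw.decode('ascii')}"


def format_entry(dn: str, attrs, binary_attrs=("userPassword",)) -> str:
    """Render a whole entry; userPassword is always base64, as slapcat prints it."""
    lines = [format_attr("dn", dn)]
    for name, value in attrs:
        lines.append(format_attr(name, value, force_base64=name in binary_attrs))
    return "\n".join(lines) + "\n"


def parse_ldif(text: str):
    """Parse LDIF text into a list of {attribute: [bytes, ...]} dicts."""
    # Unfold continuation lines (a line starting with a single space).
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)

    entries, current = [], {}
    for line in unfolded + [""]:          # sentinel blank line flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip())
        elif rest.startswith("<"):        # "attr:< file:///..." (not needed here)
            raise ValueError("URL-valued attributes are not supported in this example")
        else:                             # "attr: <literal>"
            value = rest.lstrip(" ").encode("utf-8")
        current.setdefault(name, []).append(value)
    return entries


# Constructed to mirror the post's slapcat output for the first user (trimmed
# to the attributes the post shows; real slapcat prints operational attributes too).
SAMPLE_SLAPCAT = """\
dn: cn=Orkhan Sadigov,ou=users,dc=geekstuff,dc=org
objectClass: inetOrgPerson
objectClass: simpleSecurityObject
cn: Orkhan Sadigov
sn: Sadigov
uid: orkhans
userPassword:: cGFzc3dvcmQ=
"""


def stored_password(ldif_text: str, dn: str) -> bytes:
    """Return the raw userPassword bytes for the entry with the given DN."""
    for entry in parse_ldif(ldif_text):
        if entry.get("dn") == [dn.encode("utf-8")]:
            return entry["userPassword"][0]
    raise KeyError(dn)


if __name__ == "__main__":
    print(format_entry("ou=users,dc=geekstuff,dc=org",
                       [("objectclass", "organizationalunit"), ("ou", "users")]))
    dn = "cn=Orkhan Sadigov,ou=users,dc=geekstuff,dc=org"
    print("decoded userPassword:", stored_password(SAMPLE_SLAPCAT, dn))
```

Running the script shows the branch entry rendered exactly as in add_branch.ldif, and decodes the sample userPassword:: line back to the plaintext bytes b'password'. Anyone with read access to the slapcat output (or to a backup of it) therefore has the password itself, which is the reason for the hashed form in Step 4.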

Setting passwords this way and storing them as plaintext is not a wise thing to do, therefore we will now create another user and set its password in a hashed format.

Step 4. Add a user with a hashed password.

Let’s add another user with the password password, but this time providing the hash of the password instead of the plaintext. First we need to calculate the hash for our password, and to do this we will use the slappasswd utility:

After I entered and confirmed the password string, the utility returned the salted SHA (SSHA) hash. Let’s use this salted hash to create a new user. Modify the LDIF file add_user.ldif so it has the following content:

dn: cn=John Doe,ou=users,dc=geekstuff,dc=org
objectclass: inetOrgPerson
objectclass: simpleSecurityObject
cn: John Doe
sn: Doe
uid: jdoe
userPassword: {SSHA}34bDhwKFm7ZKwQ7HmEFRIn0EmQo8fRZe

The LDIF file hasn’t changed much, but instead of the plaintext password we provide the salted hash value {SSHA}34bDhwKFm7ZKwQ7HmEFRIn0EmQo8fRZe.

Add the new user as we did before, using ldapadd:

Now if you run sudo slapcat you will see that the password is represented as our salted hash, itself base64 encoded in the LDIF output:

We can verify that the password is indeed password by running the ldapsearch command, this time using our new user’s credentials for binding (authentication):

Please note that I had to enclose the bind DN in quotes, because it contains whitespace. Now we are sure that the password for John Doe is password.
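To see what slappasswd actually produced, here is an added example (not code from the post or from OpenLDAP) that builds and checks {SSHA} values the way slapd does when a client binds: the stored value is base64( SHA-1(password || salt) || salt ), and the verifier recovers the salt from the tail of the decoded blob, recomputes the digest and compares. The 4-byte salt length is an assumption based on the post's hash, which decodes to 24 bytes (20 digest + 4 salt); PAGE_HASH is the value from the post.

```python
"""Generate and verify OpenLDAP {SSHA} userPassword values.

Added example, not part of the original post or of OpenLDAP.
Scheme: "{SSHA}" + base64( SHA1(password || salt) || salt ).
"""
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA}"
SHA1_LEN = 20
SALT_LEN = 4          # assumption: slappasswd's default; matches the post's 24-byte blob

# The hash shown in the post for user jdoe (as given there, not recomputed here).
PAGE_HASH = "{SSHA}34bDhwKFm7ZKwQ7HmEFRIn0EmQo8fRZe"


def ssha_hash(password: str, salt: bytes = None) -> str:
    """Return an {SSHA} value like slappasswd; a random salt is used unless given."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha_split(stored: str):
    """Split an {SSHA} value into (digest, salt); raises on any other scheme."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value: " + stored[:8])
    blob = base64.b64decode(stored[len(PREFIX):])
    if len(blob) <= SHA1_LEN:
        raise ValueError("blob too short to contain a SHA-1 digest and a salt")
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def ssha_verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored {SSHA} value (constant-time compare)."""
    digest, salt = ssha_split(stored)
    expected = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def ldif_line(stored: str) -> str:
    """Render the value as slapcat prints it: userPassword is always base64 in LDIF."""
    return "userPassword:: " + base64.b64encode(stored.encode("ascii")).decode("ascii")


if __name__ == "__main__":
    fresh = ssha_hash("password")
    print("new hash      :", fresh)
    print("verify ok     :", ssha_verify(fresh, "password"))
    print("verify wrong  :", ssha_verify(fresh, "Password"))
    print("slapcat line  :", ldif_line(fresh))
    digest, salt = ssha_split(PAGE_HASH)
    print("post hash salt:", salt.hex(), "digest bytes:", len(digest))
    print("post hash matches 'password':", ssha_verify(PAGE_HASH, "password"))
```

Two things worth noticing when you run it: each call to ssha_hash("password") yields a different string because the salt is random, yet every one of them verifies, which is exactly why two users with the same password do not get identical userPassword values; and the scheme tag in braces is stored in clear, so slapd knows how to check a bind. SSHA is salted but uses a single, fast SHA-1 round; if your slapd build ships the pw-pbkdf2 or pw-argon2 modules, those give an offline attacker far more work per guess than {SSHA}.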

Conclusion

Now you know how to create a new user in OpenLDAP and set its password. Thank you for reading 🙂
