Change Usernames in the OpenLDAP Directory Using Command Line

This document is deprecated by this newer, more inclusive document.

This guide will help you make manual changes to a ClearOS OpenLDAP directory. For this exercise we will assume that you are changing the name of a user.

Making improper or invalid changes directly to your LDAP database can leave your directory in a bad or inoperable state. Use at your own risk.

Requirements

You will need the bind DN of the manager account and its password to make these changes by hand. You can get both from the directory module within Webconfig:

  • ClearOS 5.x
    • Directory » Domain and LDAP
  • ClearOS 6.x
    • Server » Directory Server
    • cat /var/clearos/openldap/config.php

Make note of the 'Bind DN' and the 'Bind DN password' values.

Getting Started

First, back up your database. Run the following to dump your LDAP database to a flat file:

slapcat -n3 > /root/ldapdump.todaysdate

Next, we will use this file to identify the user we are changing. Although the same process can add the user to groups, it is simpler to handle group membership by hand, so this guide only covers removing the old entry from its groups. Alternatively, you can remove the user from the groups in Webconfig beforehand, or modify the group entries directly.

Let's take a look at an LDAP entry as recorded in the dump above. From that entry, we identify the following attributes as involved with the username:

dn: cn=test a,ou=Users,ou=Accounts,dc=example,dc=org
sn: a
uid: testa
cn: test a
homeDirectory: /home/testa
sambaHomePath: \\EXAMPLE\testa
givenName: test

This is what we want to change the username to:

dn: cn=Terry Bee,ou=Users,ou=Accounts,dc=example,dc=org
sn: Bee
uid: terryb
cn: Terry Bee
homeDirectory: /home/terryb
sambaHomePath: \\EXAMPLE\terryb
givenName: Terry

Using LDAPvi

The command 'ldapvi' is amazingly useful for making casual edits to the backend LDAP database.

Using LDIF

The beauty of this method is that it can be scripted. If you just need a casual edit, the previous method is much, much quicker.

We will make two LDIF files to accomplish this. First we will rename the DN of the user, and once we confirm that change is in effect, we will change the attributes.

Create an LDIF file called atest2TerryBee-dn.ldif with the following data (use your favorite editor: vi, emacs, pico, et al.):

dn: cn=test a,ou=Users,ou=Accounts,dc=example,dc=org
changetype: modrdn
newrdn: cn=Terry Bee
deleteoldrdn: 0

Now run ldapmodify against this file, inserting your own bind DN and password (e.g. bind DN "cn=manager,cn=internal,dc=example,dc=org" and password "abcdEFGHijklMNOP"):

# -w passes the password on the command line; -W prompts for it instead
ldapmodify -h localhost -D "cn=manager,cn=internal,dc=example,dc=org" -x -w abcdEFGHijklMNOP -f ./atest2TerryBee-dn.ldif

Now, grab another snapshot of the ldap database and validate the DN change for the user:

slapcat -n3 > /root/ldapdump.todaysdate.1

Once you confirm that the DN change is good (open /root/ldapdump.todaysdate.1 and check that the new DN appears), we will change the attributes contained in that entry. Make a file called atest2TerryBee-attr.ldif with the following information:

# deleteoldrdn: 0 in the previous step kept the old cn value, so it is
# removed explicitly here. The "-" lines separate the changes to this one
# entry, which ldapmodify applies as a single modify operation.
dn: cn=Terry Bee,ou=Users,ou=Accounts,dc=example,dc=org
changetype: modify
delete: cn
cn: test a
-
replace: sn
sn: Bee
-
replace: uid
uid: terryb
-
replace: homeDirectory
homeDirectory: /home/terryb
-
replace: sambaHomePath
sambaHomePath: \\EXAMPLE\terryb
-
replace: givenName
givenName: Terry

Now apply these changes by running the following:

ldapmodify -h localhost -D "cn=manager,cn=internal,dc=example,dc=org" -x -w abcdEFGHijklMNOP -f ./atest2TerryBee-attr.ldif

Lastly, rename the home directory and validate that the user is a member of the correct groups.

mv /home/testa /home/terryb

You can validate the permissions work by running:

ls -la /home | grep terryb

Cleaning up

During this method we left some stale records in the LDAP database; we can clean those up as well. Find the groups in which the old DN was listed. Searching the dump file, I find the following DNs that have 'test a' as a member:

dn: cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=org
dn: cn=domain_users,ou=Groups,ou=Accounts,dc=example,dc=org

The user Terry Bee was NOT added to either of these groups when the modifications were made to the group memberships in Webconfig, so they will need to be modified here. Make an LDIF file called atest2TerryBee-groups.ldif with the following information (each record is separated from the next by a blank line):

dn: cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=org
changetype: modify
delete: member
member: cn=test a,ou=Users,ou=Accounts,dc=example,dc=org

dn: cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=org
changetype: modify
add: member
member: cn=Terry Bee,ou=Users,ou=Accounts,dc=example,dc=org

dn: cn=domain_users,ou=Groups,ou=Accounts,dc=example,dc=org
changetype: modify
delete: member
member: cn=test a,ou=Users,ou=Accounts,dc=example,dc=org

dn: cn=domain_users,ou=Groups,ou=Accounts,dc=example,dc=org
changetype: modify
add: member
member: cn=Terry Bee,ou=Users,ou=Accounts,dc=example,dc=org

Apply it with:

ldapmodify -h localhost -D "cn=manager,cn=internal,dc=example,dc=org" -x -w abcdEFGHijklMNOP -f ./atest2TerryBee-groups.ldif

You should get a response like this:

modifying entry "cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=org"
modifying entry "cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=org"
modifying entry "cn=domain_users,ou=Groups,ou=Accounts,dc=example,dc=org"
modifying entry "cn=domain_users,ou=Groups,ou=Accounts,dc=example,dc=org"

Check through your LDAP directory and see if you see any inconsistencies.
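To automate that final check and the group clean-up from the previous section, here is an added Python script (not ClearOS code): it parses a slapcat dump, reports every value still naming the old user, and emits one delete/add member record per group in the spirit of atest2TerryBee-groups.ldif. The sample dump, the function names and the stale sambaHomePath value are constructed for this example.

```python
import base64
import re

OLD_DN = "cn=test a,ou=Users,ou=Accounts,dc=example,dc=org"
NEW_DN = "cn=Terry Bee,ou=Users,ou=Accounts,dc=example,dc=org"
OLD_UID = "testa"

# Constructed sample "slapcat -n3" dump (not a real directory): the renamed
# user keeps a stale sambaHomePath, and two groups still list the old DN,
# once as a folded line and once base64-encoded ("member::").
SAMPLE_DUMP = (
    f"dn: {NEW_DN}\nuid: terryb\ncn: Terry Bee\nhomeDirectory: /home/terryb\n"
    "sambaHomePath: \\\\EXAMPLE\\testa\n\n"
    "dn: cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=org\ncn: allusers\n"
    "member: cn=test a,ou=Users,ou=Accounts,\n dc=example,dc=org\n"
    "member: cn=other user,ou=Users,ou=Accounts,dc=example,dc=org\n\n"
    "dn: cn=domain_users,ou=Groups,ou=Accounts,dc=example,dc=org\n"
    "member:: " + base64.b64encode(OLD_DN.encode()).decode() + "\n"
)

def parse_ldif(text):
    """Entries as lists of (attr, value); unfolds lines and decodes "attr::" base64."""
    entries, current = [], []
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # unfold; "" flushes
        if not line:
            if current:
                entries.append(current)
            current = []
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            current.append((attr.strip(), value.strip()))
    return entries

def find_stale_references(dump, old_dn=OLD_DN, old_uid=OLD_UID):
    """(entry dn, attr, value) for each value still naming the old user: the old DN, or the old uid as a whole token (e.g. in a path)."""
    uid_re = re.compile(r"(?<![\w.-])%s(?![\w.-])" % re.escape(old_uid), re.I)
    stale = []
    for entry in parse_ldif(dump):
        dn = next((v for a, v in entry if a == "dn"), "")
        for attr, value in entry:
            if attr != "dn" and (value.lower() == old_dn.lower() or uid_re.search(value)):
                stale.append((dn, attr, value))
    return stale

def group_fix_ldif(stale, new_dn=NEW_DN):
    """One modify record per group: delete the stale member value, add the new DN."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\ndelete: {a}\n{a}: {v}\n-\n"
                     f"add: {a}\n{a}: {new_dn}\n" for dn, a, v in stale if a.lower() == "member")
```

Run it against a real dump with `find_stale_references(open("/root/ldapdump.todaysdate.1").read())`; anything reported outside the member attributes (such as the sambaHomePath here) needs a further replace in the user entry rather than a group fix.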

content/en_us/kb_o_manually_change_usernames_in_the_openldap_directory_using_command_line.txt · Last modified: 2015/11/13 10:30 by dloper
