
OpenLDAP OUs

Published January 11, 2018, updated September 12th, 2022

In the last post we looked at installing OpenLDAP on Ubuntu 16.04. We now move on to creating some structure in the tree by creating OpenLDAP OUs, or Organisational Units.

Now that we have the example.com directory up and running we can start to build on what we have. We need to create entries in the directory, and those entries will have attributes. If we will be dealing only with a small number of users and groups and, perhaps, no other entries, then we may find that a flat directory without any structure is sufficient. Normally, though, we will want to at least organize the directory by entry type. We can create OUs, or organizationalUnits, to provide this structure. They act much as folders do in a file system, giving shape and structure to the tree. For our tree, we will create a groups OU and a users OU.

Create an LDIF File For The Upper Layers

Modifications to the tree are mostly made via LDIF files. An LDIF file is a text file that defines the entry we want to work with and the changes we need. Consider the following file:

 dn: ou=users,dc=example,dc=com
 objectClass: organizationalUnit
 ou: users

 dn: ou=groups,dc=example,dc=com
 objectClass: organizationalUnit
 ou: groups

Each entry that we work with is defined by its dn: value. This is the distinguished name, the full name of the LDAP entry. We then define the attributes of the entry. The attribute objectClass defines what type of entry we are creating, and the ou attribute specifies the name we want to assign. A blank line separates each entry from the next.

The directory tree formed by LDAP is said to be inverted: an upside-down tree with the root entry at the top, branching out from the top to the bottom.

With the LDIF file created we can use the command ldapadd to create the entries from the file. This can be executed as a standard Linux user, but we will need to authenticate to LDAP as the admin user. The option -D specifies the user to authenticate as and -w supplies the password. We could also use -W if we prefer to be prompted for the password.

 ubuntu@ldap1:~$ ldapadd -x -D cn=admin,dc=example,dc=com -wPassword1 -f ou.ldif
 adding new entry "ou=users,dc=example,dc=com"
 adding new entry "ou=groups,dc=example,dc=com"

We have omitted the -H option that specifies the URI to connect to, as the default is LDAP on the local host, equivalent to -H ldap:///.

Listing The Structure

Having created the new containers we can list them as before with the command slapcat.

ubuntu@ldap1:~$ sudo slapcat

Whilst slapcat is fine, it is more of a legacy command, and ldapsearch offers more flexibility. We will see more on searching the directory as we progress into different modules; a lot of this is just getting good hands-on experience. To search the tree with ldapsearch we can issue commands similar to those we used before:

ubuntu@ldap1:~$ ldapsearch -x -LLL -b dc=example,dc=com dn

We should now see 4 entries in the tree, displaying only the entry name (the dn). If we want to list ONLY the organizationalUnits we can issue the following command:

 ubuntu@ldap1:~$ ldapsearch -x -LLL -b dc=example,dc=com "(ou=*)"
 dn: ou=users,dc=example,dc=com
 objectClass: organizationalUnit
 ou: users
 
 dn: ou=groups,dc=example,dc=com
 objectClass: organizationalUnit
 ou: groups

Troubleshooting LDIF Files

Even though LDIF files are text files, they can be a little troublesome. Make sure that you have a clear empty line between entries in the file. Also make sure that you do not have trailing whitespace at the end of a line. Trailing whitespace causes LDAP to base64-encode the value, which shows as two colons after the attribute name. In the following output, the ou attribute of the groups entry is encoded. Double check the LDIF file for extra characters after the line that sets the ou attribute for the groups organizationalUnit.

 ubuntu@ldap1:~$ ldapsearch -x -LLL -b dc=example,dc=com "(ou=*)"
 dn: ou=users,dc=example,dc=com
 objectClass: organizationalUnit
 ou: users
 
 dn: ou=groups,dc=example,dc=com
 objectClass: organizationalUnit
 ou:: Z3JvdXBzIA==

You can use the command od (Octal Dump) to help diagnose file issues. Using the option -a we can see the output as ASCII characters, with spaces shown as the sequence sp.

 ubuntu@ldap1:~$ od -a ou.ldif
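As an added example (not part of the original post), the following POSIX shell functions check an LDIF file for the two problems just described, trailing whitespace and a missing blank line between entries, and decode a "::" line from ldapsearch output so a trailing space becomes visible. The sample LDIF content is constructed here, and the functions assume awk and a coreutils-style base64 -d are available.

```shell
#!/bin/sh
# ldif_lint FILE: report the two LDIF problems described above before the file
# is fed to ldapadd: trailing whitespace on a line (the value will come back
# base64-encoded with "::" from ldapsearch) and a dn: line that is not
# preceded by a blank separator line. Returns 1 if anything was found, else 0.
ldif_lint() {
    awk '
        /[ \t]+$/ { printf "%s:%d: trailing whitespace\n", FILENAME, NR; bad = 1 }
        /^dn:/ && NR > 1 && prev != "" {
            printf "%s:%d: dn: not preceded by a blank line\n", FILENAME, NR; bad = 1
        }
        { prev = $0 }
        END { exit bad }
    ' "$1"
}

# decode_attr "attr:: base64": decode one base64 attribute line as printed by
# ldapsearch and show the value between angle brackets so a trailing space
# becomes visible (e.g. "ou:: Z3JvdXBzIA==" -> "ou: <groups >").
decode_attr() {
    attr=${1%%::*}
    b64=${1#*:: }
    printf '%s: <%s>\n' "$attr" "$(printf '%s' "$b64" | base64 -d)"
}

# write_sample FILE: constructed sample LDIF (not the post's ou.ldif) with a
# trailing space after "groups" and no blank line before the second entry.
write_sample() {
    printf 'dn: ou=users,dc=example,dc=com\nobjectClass: organizationalUnit\nou: users\n' > "$1"
    printf 'dn: ou=groups,dc=example,dc=com\nobjectClass: organizationalUnit\nou: groups \n' >> "$1"
}
```

Run ldif_lint ou.ldif before ldapadd; a nonzero exit status means the file needs fixing before it is loaded.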

Once the issue has been isolated, save the LDIF as a new file, groupsou.ldif, containing only the entry that you want to edit. In this case it would be ou=groups,dc=example,dc=com. Edit the file so it looks like the following:

 dn: ou=groups,dc=example,dc=com
 changetype: modify
 replace: ou
 ou: groups

The LDIF file now states that we want to replace the ou attribute of the groups entry with the value groups. We make the change by executing the following command:

ubuntu@ldap1:~$ ldapmodify -x -D cn=admin,dc=example,dc=com -wPassword1 -f groupsou.ldif

We could delete the entry and recreate it; however, as we only need to change one attribute, modify is the better option.

By executing the search again, we should now see the data displayed correctly rather than encoded. We can also drill down to just the OU we want by changing the base DN:

 ubuntu@ldap1:~$ ldapsearch -x -LLL -b ou=groups,dc=example,dc=com
 dn: ou=groups,dc=example,dc=com
 objectClass: organizationalUnit
 ou: groups