Your LDAP administration toolbox


Author: Brian Jones

Do you have what it takes to manage an LDAP infrastructure? Administration of a directory means having a
thorough knowledge of the directory’s structure, data, security, performance,
and general configuration. It also means knowing how to efficiently respond to
requests for information about any aspect of the directory, and indeed, any
aspect of your environment for which your directory is the canonical source of
information. In this article, I’ll go over some of the standard (and not so
standard) tools that can put you firmly in control of your directory.

OpenLDAP command-line tools

The OpenLDAP tools are the no-brainer tools for LDAP administrators, partly due to the fact that they come with the OpenLDAP software distribution, and partly because you could probably administer an OpenLDAP directory
without the aid of much else.

Let’s start by looking at how to search your directory
using the OpenLDAP ldapsearch utility. Consider the simple command

ldapsearch -x -b'dc=linuxlaboratory,dc=org' '(objectclass=*)'

The -x flag indicates that I wish to use simple authentication, as
opposed to SASL-based authentication, which is the default. The -b flag tells the server where to start looking — in other words, the search base. In this
case, by feeding it the top level of the directory, I specify searching the
entire directory (though there are other flags that control the depth of the
search). The last quoted argument, '(objectclass=*)', is
the search parameter, which says I want to see all
attributes of anything that contains an objectclass attribute.
Since every object stored in a directory has to be defined using an
objectclass attribute, I’m saying I want to see
everything in the directory.

The data returned from this query is standard
LDIF, and will look identical to the LDIF we used to enter the data
into the directory in the first place.

The ldapsearch utility can be a flexible, powerful tool,
allowing you to search any LDAP host for any object or group of objects, using
almost any filter both for matching and output. Here’s a slightly more advanced search:

ldapsearch -x -b'dc=linuxlaboratory,dc=org' '(&(sn=Jones)(givenname=Brian))' -S cn

Note the ampersand, which is a logical AND operator. In order to
match a directory entry, both of the search terms must match. The -S
argument at the end says to sort results by the cn attribute in the returned
entries. If I added a
+ operator at the end of the line the command would return only the
operational attributes stored internally by the server, such as the creation
date, creator’s dn, and modification dates and names for the entry. This can be
a valuable troubleshooting technique.

My favorite tool from the OpenLDAP suite is ldapmodify. To me,
this is the consummate Swiss Army knife for OpenLDAP. It takes a little
getting used to the flags and files involved, but once you’ve mastered
ldapmodify, you can perform additions, changes, deletes, and modifications with
pinpoint accuracy in seconds. For example, suppose I demote user “cartman”
to janitor and take away his right to have a homepage in the process. I create
a quick file, which I name modlab, containing my changes:

dn: cn=cartman,ou=People,dc=linuxlaboratory,dc=org
changetype: modify
replace: loginShell
loginShell: /bin/bash
replace: title
title: janitor
delete: labeledURI

I then run ldapmodify:

ldapmodify -x -W -D'cn=Manager,dc=linuxlaboratory,dc=org' -c -S
modlab.err -f modlab

Upon the command’s completion, cartman’s entry will have an altered loginShell, reflect his new title, and completely remove the labeledURI attribute from his entry. If there are any errors with the modifications, they will be written to
the file modlab.err, as indicated by the -S modlab.err
argument. In cases where many modifications will affect many entries, coupling -S with the -c flag, which tells the utility to continue even if
an error occurs, allows ldapmodify to complete the changes that can be made now and log those that can’t to a file, with the error included as a comment.

I strongly suggest you read the man pages for the OpenLDAP command-line tools. They can be a lifesaver when you’re working from some remote location that doesn’t support the bandwidth necessary for a GUI display, or when you’re
forced to work from an SSH client running on a Windows box with no X server.

Don’t imagine you’re limited to command-line tools, though…

Getting GUI with LDAP: Graphical tools

New graphical tools for LDAP administration seem to come along every day. Some
are Web-based, while others are full-fledged desktop applications running without a
browser. I have tried many of the Web-based tools and nearly all of the desktop applications that run under Linux. Of these, the one
I’ve found most useful is one that I don’t often see recommended on the various
LDAP mailing lists. It’s a humble Java application called LDAP Browser.

In spite of its name, LDAP Browser is far more than a simple browser that lets
you view the data in your directory. It is a full-fledged administration tool,
allowing you to add, delete, and modify entries, with full support for encrypted
sessions as well as specialized support for certain attributes — for example,
it enables you to verify or reset an encrypted userPassword attribute for an
entry. With LDAP Browser you can move an entire
section of your LDAP directory to another part of your directory. In my early
testing, I moved the entire contents of a subtree of my directory, containing
about 1,000 entries, and put it underneath an existing subtree — an operation
I’ve had problems doing using other tools. In addition, if you simply
must have a browser-based tool, LDAP Browser is written in Java and can
run either as an applet or a standalone application. While the
application hasn’t been updated since (apparently) 2001, it is 100%
LDAPv3 aware, and the tool works as well as or better than any other tool out
there that I’ve tried.

GQ, another standalone application that is heavily recommended on the LDAP mailing lists, is a GNOME application that is included on a lot of Linux distribution CDs, usually as an add-on application. Though I’ll probably take heat for saying so, I’ve never made friends with GQ. I’ve turned up
multiple ways of crashing the tool, and I did not find it to be particularly
user-friendly. Add to this my growing resentment of open source
projects that lack anything resembling documentation and you have my less-than-glowing review of the tool. However, the fact that it is so heavily hyped on
the mailing lists leads me to believe that GQ is probably useful for
those who overcome its quirks.

Only two worthwhile Web-based LDAP administration tools spring to mind: phpLDAPadmin and
YALA (Yet Another LDAP
Administrator). (DISCLAIMER: I once contributed to the YALA project, to add support
for TLS connections.)
These tools are equally useful, and are
probably the least buggy of the Web-based administration tools I’ve used (the number of which is nearing a dozen). If you have a relatively small
directory, don’t need connections to multiple directories, and don’t do crazy
things with loads of data at any given time, these tools are fine, assuming
you don’t mind maintaining a Web server to support them. For
enterprise-strength administration, I’ve had more luck with the desktop tools.
On the other hand, if you need a specialty tool for LDAP, like a special
interface just to manage LDAP and Qmail, or LDAP and RADIUS, or some other
configuration, there is probably a Web-based tool to ease your pain. It’s worth
searching for these tools.

In closing

I hope this sampling of my favorite tools helps you narrow your search for LDAP administration software and gives
you a baseline to measure other tools by. There are a million other tools available to ease LDAP administration. The fact that I have some kind of gripe with
about 99% of them should not keep you from trying them out. LDAP
environments can vary greatly in their configuration, and one LDAP admin’s
useless crapware is another’s savior. Find
one that fits your brain and stick with it.

Up to now in this column we’ve covered building and installing OpenLDAP, designed a simple directory, and added some entries. After reading this article, you are now armed with the tools necessary to move
forward as an LDAP administrator. These tools can help you tinker with your
directory — poking and prodding at it to discover (or change, or
destroy) all that it holds. Next time, we’ll learn how to make your Linux
system an LDAP client, using LDAP for authentication as well as user and
group lookups.

Brian Jones is the founder of, and has worked as a *nix
systems, network, and database administrator for the past six years. He
currently works for the Computer Science department at Princeton University.