23.4.8 Adding a User to LDAP

Note

This procedure assumes that:

To create an account for a user on the LDAP server:

  1. If the LDAP server does not already export the base directory of the users' home directories, perform the following steps on the LDAP server:

    1. Create the base directory for user directories, for example /nethome:

      # mkdir /nethome
    2. Add an entry such as the following to /etc/exports:

      /nethome    *(rw,sync)

Restrict which clients can mount the file system wherever you can: the * above allows any host that can reach the server to mount /nethome. For example, the following entry allows only clients in the 192.168.1.0/24 subnet to mount /nethome:

      /nethome    192.168.1.0/24(rw,sync)
    3. Export the file system with the same options and client specification as the entry in /etc/exports. The -i option makes exportfs ignore /etc/exports and export exactly what you give on the command line, so exporting read-only here would contradict the rw entry above and leave users unable to write to their home directories:

      # exportfs -i -o rw,sync *:/nethome

      If you restricted clients in /etc/exports, use that client specification (for example 192.168.1.0/24:/nethome) in place of *:/nethome.
  2. Create the user account, but do not allow local logins:

    # useradd -b base_dir -s /sbin/nologin -u UID -U username

    For example:

    # useradd -b /nethome -s /sbin/nologin -u 5159 -U arc815

    The command adds the user and the matching group to /etc/passwd and /etc/group on the LDAP server and, because CREATE_HOME is set to yes in /etc/login.defs by default, creates the home directory under /nethome. If CREATE_HOME is not set, add the -m option.

    The /sbin/nologin shell only blocks local logins on the LDAP server. On LDAP clients, the login shell comes from the loginShell attribute of the user's LDAP entry.

  3. Use the id command to list the user and group IDs that have been assigned to the user, for example:

    # id arc815
    uid=5159(arc815) gid=5159(arc815) groups=5159(arc815)
  4. Create an LDIF file that defines the user, for example arc815-user.ldif:

    # UPG arc815
    dn: cn=arc815,ou=Groups,dc=mydom,dc=com
    cn: arc815
    gidNumber: 5159
    objectclass: top
    objectclass: posixGroup
    
    # User arc815
    dn: uid=arc815,ou=People,dc=mydom,dc=com
    cn: John Beck
    givenName: John
    sn: Beck
    uid: arc815
    uidNumber: 5159
    gidNumber: 5159
    homeDirectory: /nethome/arc815
    loginShell: /bin/bash
    mail: johnb@mydom.com
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    userPassword: {SSHA}x

    In this example, the user belongs to a user private group (UPG), which is defined in the same file. The user's login shell attribute loginShell is set to /bin/bash. The user's password attribute userPassword is set to a placeholder value that is not a valid hash, so the user cannot bind to the directory until you set a real password in step 7. If you use Kerberos authentication with LDAP, this attribute is not used.

  5. If you have configured LDAP authentication, use the following command to add the user to LDAP:

    # ldapadd -cxWD cn=admin,dc=mydom,dc=com -f arc815-user.ldif
    Enter LDAP Password: admin_password
    adding new entry "cn=arc815,ou=Groups,dc=mydom,dc=com"
    
    adding new entry "uid=arc815,ou=People,dc=mydom,dc=com"

    If you have configured Kerberos authentication, use kinit to obtain a ticket granting ticket (TGT) for the admin principal, and use this form of the ldapadd command. Without -x, ldapadd authenticates by SASL (GSSAPI) using the ticket instead of a simple bind, so no bind DN or password is supplied:

    # ldapadd -f arc815-user.ldif
  6. Verify that you can locate the user and the UPG in LDAP. This is an anonymous simple search, and the server's access control should hide userPassword from anonymous searches, so that attribute is not returned:

    # ldapsearch -LLL -x -b "dc=mydom,dc=com" '(|(uid=arc815)(cn=arc815))'
    dn: cn=arc815,ou=Groups,dc=mydom,dc=com
    cn: arc815
    gidNumber: 5159
    objectClass: top
    objectClass: posixGroup
    
    dn: uid=arc815,ou=People,dc=mydom,dc=com
    cn: John Beck
    givenName: John
    sn: Beck
    uid: arc815
    uidNumber: 5159
    gidNumber: 5159
    homeDirectory: /nethome/arc815
    loginShell: /bin/bash
    mail: johnb@mydom.com
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
  7. If you have configured LDAP authentication, set the user password in LDAP:

    # ldappasswd -xWD "cn=admin,dc=mydom,dc=com" \
      -S "uid=arc815,ou=People,dc=mydom,dc=com"
    New password: user_password
    Re-enter new password: user_password
    Enter LDAP Password: admin_password

    If you have configured Kerberos authentication, use kinit to obtain a ticket granting ticket (TGT) for the admin principal, and use the kadmin command to add the user (principal) and password to the database for the Kerberos realm. kadmin prompts for the new principal's password. For the user created in this example:

    # kadmin -q "addprinc arc815@MYDOM.COM"

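The procedure above hand-writes the LDIF in step 4 and then compares it by eye with the ldapsearch output in step 6, which is how a user entry ends up with a gidNumber or homeDirectory that does not match its UPG or the exported file system. The following shell script is an added example, not part of this guide or of Oracle Linux: it generates the UPG and user entries from the values that useradd and id already allocated, and cross-checks any LDIF (generated or hand-written) before it is passed to ldapadd. It assumes the guide's base DN dc=mydom,dc=com and home base /nethome (both overridable through BASE_DN and HOME_BASE), the UID_MIN/UID_MAX defaults of 1000 and 60000 from /etc/login.defs, and the same {SSHA}x placeholder password, which ldappasswd replaces in step 7.

```shell
#!/bin/sh
# Added example, not from the Oracle Linux guide: generate the UPG + user LDIF
# from the values useradd/id allocated, and cross-check an LDIF before ldapadd
# so the group and user entries cannot drift apart.
# Assumptions (hypothetical, change to suit your directory):
#   BASE_DN dc=mydom,dc=com and HOME_BASE /nethome, as in the guide's example
#   ordinary-user UID range 1000..60000 (UID_MIN/UID_MAX defaults in login.defs)
#   userPassword placeholder {SSHA}x, replaced later with ldappasswd

BASE_DN="${BASE_DN:-dc=mydom,dc=com}"
HOME_BASE="${HOME_BASE:-/nethome}"

# valid_username NAME: portable user-name syntax (lowercase start, <= 32 chars)
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# valid_uid N: an integer inside the ordinary-user range, never a system UID
valid_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1000 ] && [ "$1" -le 60000 ]
}

# user_ldif USERNAME UID GIVENNAME SURNAME MAIL
# Prints the LDIF for a user private group plus the posixAccount that uses it.
# The UID doubles as the GID, exactly as useradd -U allocates it.
user_ldif() {
    name=$1 uid=$2 given=$3 sn=$4 mail=$5
    valid_username "$name" || { echo "bad username: $name" >&2; return 1; }
    valid_uid "$uid"       || { echo "bad uid: $uid" >&2; return 1; }
    cat <<EOF
# UPG $name
dn: cn=$name,ou=Groups,$BASE_DN
cn: $name
gidNumber: $uid
objectClass: top
objectClass: posixGroup

# User $name
dn: uid=$name,ou=People,$BASE_DN
cn: $given $sn
givenName: $given
sn: $sn
uid: $name
uidNumber: $uid
gidNumber: $uid
homeDirectory: $HOME_BASE/$name
loginShell: /bin/bash
mail: $mail
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword: {SSHA}x
EOF
}

# check_ldif FILE: cross-check an LDIF (generated or hand-written) before ldapadd.
# The user's gidNumber must equal the UPG's gidNumber, and homeDirectory must
# lie under HOME_BASE, the directory exported over NFS in step 1.
check_ldif() {
    awk -v base="$HOME_BASE" '
        /^dn: cn=/        { in_group = 1; in_user = 0 }
        /^dn: uid=/       { in_user = 1; in_group = 0 }
        /^gidNumber:/     { if (in_group) ggid = $2; else if (in_user) ugid = $2 }
        /^homeDirectory:/ { home = $2 }
        END {
            if (ggid == "" || ugid == "" || ggid != ugid) {
                print "gidNumber of user (" ugid ") and UPG (" ggid ") differ" > "/dev/stderr"
                exit 1
            }
            if (index(home, base "/") != 1) {
                print "homeDirectory " home " is not under " base > "/dev/stderr"
                exit 1
            }
        }' "$1"
}

# Usage (after useradd/id from steps 2 and 3):
#   user_ldif arc815 5159 John Beck johnb@mydom.com > arc815-user.ldif
#   check_ldif arc815-user.ldif && ldapadd -cxWD cn=admin,dc=mydom,dc=com -f arc815-user.ldif
```

Run check_ldif on every LDIF before ldapadd, including files you did not generate with user_ldif: it catches the /home versus /nethome slip and a group entry whose gidNumber was edited without the matching change in the user entry, both of which ldapadd accepts silently.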
For more information, see the kadmin(1), ldapadd(1), ldappasswd(1), and ldapsearch(1) manual pages.