Change Usernames in the OpenLDAP Directory Using Command Line
This guide will help you make manual changes to a ClearOS OpenLDAP directory. For this exercise we will assume that you are changing the name of a user.
Requirements
You will need the bind DN of the manager account and its password to make these changes by hand. You can get both from the directory module within Webconfig, or straight from the configuration file on the server:
- ClearOS 5.x: Directory » Domain and LDAP
- ClearOS 6.x: Server » Directory Server
- From a root shell: cat /var/clearos/openldap/config.php
Make note of the 'Bind DN' and the 'Bind DN password' values.
Getting Started
First, back up your directory. Run the following to dump the LDAP database to a flat file (-n3 selects the database that holds the accounts tree on ClearOS):
slapcat -n3 > /root/ldapdump.todaysdate
The dump contains every attribute of every entry, password hashes included, so keep it readable by root only and delete it when you are done.
Next, we use this file to identify the user we are changing and, later, the groups that list that user. Renaming the entry does not rewrite the DN that groups hold for it, so those references are fixed by hand in the Cleaning up section below. Alternatively, remove the user from all groups in Webconfig before you start and add the renamed user back afterwards.
Let's take a look at an LDAP entry as recorded in the dump above. From that entry, we identify the attributes that carry the username:
dn: cn=test a,ou=Users,ou=Accounts,dc=example,dc=org
sn: a
uid: testa
cn: test a
homeDirectory: /home/testa
sambaHomePath: \\EXAMPLE\testa
givenName: test
This is what we want the entry to look like after the change:
dn: cn=Terry Bee,ou=Users,ou=Accounts,dc=example,dc=org
sn: Bee
uid: terryb
cn: Terry Bee
homeDirectory: /home/terryb
sambaHomePath: \\EXAMPLE\terryb
givenName: Terry
Your entries may carry further attributes that embed the old uid (a mail address or a Samba profile path, for example); search the dump for the old uid before you start so that none are missed.
Using LDAPvi
The command 'ldapvi' is extremely useful for casual edits to the backend LDAP database: it opens the matching entries in your editor and, when you save, writes the differences back to the directory as LDAP operations.
Using LDIF
The beauty of this method is that it can be scripted. If you just need a one-off edit, the previous method is much quicker.
We will make two LDIF files to accomplish this. First we rename the DN of the user and, once we confirm that change is in effect, we change the attributes inside the entry.
Create an LDIF file called atest2TerryBee-dn.ldif with the following data (you can use your favorite editor, such as vi, emacs or pico):
dn: cn=test a,ou=Users,ou=Accounts,dc=example,dc=org
changetype: modrdn
newrdn: cn=Terry Bee
deleteoldrdn: 0
deleteoldrdn: 0 keeps 'cn: test a' on the entry as a second cn value; the attribute file in the next step deletes it explicitly.
Now apply this file, inserting your own bind DN and password (for example bind DN "cn=manager,cn=internal,dc=example,dc=org" and password "abcdEFGHijklMNOP"):
ldapmodify -h localhost -D "cn=manager,cn=internal,dc=example,dc=org" -x -w abcdEFGHijklMNOP -f ./atest2TerryBee-dn.ldif
Passing the password with -w leaves it in your shell history and in the process list while ldapmodify runs; on a shared host use -W to be prompted for it instead.
Now, grab another snapshot of the ldap database and validate the DN change for the user:
slapcat -n3 > /root/ldapdump.todaysdate.1
Once you have confirmed the DN change (compare /root/ldapdump.todaysdate.1 with the first dump, or search it for cn=Terry Bee), we change the attributes contained in that entry. Make a file called atest2TerryBee-attr.ldif with the following information. All the changes go in one modify record, which slapd applies as a single operation:
dn: cn=Terry Bee,ou=Users,ou=Accounts,dc=example,dc=org
changetype: modify
delete: cn
cn: test a
-
replace: sn
sn: Bee
-
replace: uid
uid: terryb
-
replace: homeDirectory
homeDirectory: /home/terryb
-
replace: sambaHomePath
sambaHomePath: \\EXAMPLE\terryb
-
replace: givenName
givenName: Terry
-
Add a further replace for any other attribute on the entry that embeds the old uid.
Now apply these changes by running the following:
ldapmodify -h localhost -D "cn=manager,cn=internal,dc=example,dc=org" -x -w abcdEFGHijklMNOP -f ./atest2TerryBee-attr.ldif
Lastly, rename the home directory. File ownership is stored by numeric uidNumber, which this procedure does not change, so the files stay owned by the user after the move:
mv /home/testa /home/terryb
You can validate that the directory exists and is owned by the renamed user by running:
ls -la /home | grep terryb
Cleaning up
During this method we left some stale references in the LDAP database: unless the refint overlay is configured, slapd does not rewrite DNs held in other entries when an entry is renamed. We can clean those up as well. Find the groups in which the old DN is listed. Searching the dump, we find the following DNs which have 'test a' as a member:
dn: cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=org
dn: cn=domain_users,ou=Groups,ou=Accounts,dc=example,dc=org
The user Terry Bee was NOT added to either of these groups when the entry was renamed, so they need to be modified here. Make an LDIF file called atest2TerryBee-groups.ldif. The delete and the add for each group are kept as separate records below, so ldapmodify reports four modifications; they could equally be combined into one modify record per group so that the group is never seen without the user.
dn: cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=org
changetype: modify
delete: member
member: cn=test a,ou=Users,ou=Accounts,dc=example,dc=org
-

dn: cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=org
changetype: modify
add: member
member: cn=Terry Bee,ou=Users,ou=Accounts,dc=example,dc=org
-

dn: cn=domain_users,ou=Groups,ou=Accounts,dc=example,dc=org
changetype: modify
delete: member
member: cn=test a,ou=Users,ou=Accounts,dc=example,dc=org
-

dn: cn=domain_users,ou=Groups,ou=Accounts,dc=example,dc=org
changetype: modify
add: member
member: cn=Terry Bee,ou=Users,ou=Accounts,dc=example,dc=org
-
Apply it with:
ldapmodify -h localhost -D "cn=manager,cn=internal,dc=example,dc=org" -x -w abcdEFGHijklMNOP -f ./atest2TerryBee-groups.ldif
You should get a response like this:
modifying entry "cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=org"
modifying entry "cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=org"
modifying entry "cn=domain_users,ou=Groups,ou=Accounts,dc=example,dc=org"
modifying entry "cn=domain_users,ou=Groups,ou=Accounts,dc=example,dc=org"
Finally, take one more dump with slapcat and search it for the old DN and the old uid. Anything that still matches is a reference the LDIF files did not cover, and the directory is not consistent until it is fixed.
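The whole procedure above, as an added example that is not part of the ClearOS guide: a shell script that reads a slapcat dump and generates the three LDIF files (DN rename, attribute changes, group membership fixes) rather than typing them by hand, and that lists every reference to the old name still present in a dump so the final check is mechanical. The dump embedded in the script is a constructed sample standing in for /root/ldapdump.todaysdate; the script assumes group membership is carried in the member attribute and that slapcat did not base64-encode the values it looks for (a 'member::' line is not matched).

```shell
#!/bin/sh
# Added example, not code from the ClearOS guide: build the three LDIF files for
# a username change from a slapcat dump, and list references to the old name.
# Assumptions (mine, not the guide's): membership is held in the "member"
# attribute and the values searched for are not base64-encoded ("member::").
# The dump below is a constructed sample standing in for /root/ldapdump.todaysdate.

OLD_CN='test a';  NEW_CN='Terry Bee'
OLD_UID='testa';  NEW_UID='terryb'
NEW_SN='Bee';     NEW_GIVEN='Terry'
SAMBA_SERVER='EXAMPLE'
USERS_BASE='ou=Users,ou=Accounts,dc=example,dc=org'
OLD_DN="cn=$OLD_CN,$USERS_BASE"
NEW_DN="cn=$NEW_CN,$USERS_BASE"

DUMP=$(mktemp)
cat >"$DUMP" <<'EOF'
dn: cn=test a,ou=Users,ou=Accounts,dc=example,dc=org
sn: a
uid: testa
cn: test a
homeDirectory: /home/testa
sambaHomePath: \\EXAMPLE\testa
givenName: test

dn: cn=allusers,ou=Groups,ou=Accounts,dc=example,dc=org
cn: allusers
member: cn=test a,ou=Users,ou=Accounts,dc=example,dc=org
member: cn=Another Person With A Rather Long Name,ou=Users,ou=Accounts,dc=exam
 ple,dc=org

dn: cn=domain_users,ou=Groups,ou=Accounts,dc=example,dc=org
cn: domain_users
member: cn=test a,ou=Users,ou=Accounts,dc=example,dc=org

dn: cn=managers,ou=Groups,ou=Accounts,dc=example,dc=org
cn: managers
member: cn=Another Person With A Rather Long Name,ou=Users,ou=Accounts,dc=example,dc=org
EOF

# slapcat folds long lines; a continuation line starts with a space. Join them.
unfold() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (have) print buf; buf = $0; have = 1 }
       END { if (have) print buf }' "$1"
}

# Print the DN of every entry whose member attribute lists $2.
# Entries in a dump are separated by blank lines.
groups_with_member() {
  unfold "$1" | awk -v want="member: $2" '
    /^dn: / { dn = substr($0, 5) }
    $0 == want { print dn }
    /^$/ { dn = "" }'
}

# LDIF 1: rename the RDN. deleteoldrdn: 0 leaves "cn: test a" on the entry as a
# second cn value, so the attribute LDIF below deletes it explicitly.
rename_ldif() {
  printf 'dn: %s\nchangetype: modrdn\nnewrdn: cn=%s\ndeleteoldrdn: 0\n' "$OLD_DN" "$NEW_CN"
}

# LDIF 2: every attribute change in one modify record, applied atomically by slapd.
attr_ldif() {
  printf 'dn: %s\nchangetype: modify\n' "$NEW_DN"
  printf 'delete: cn\ncn: %s\n-\n' "$OLD_CN"
  printf 'replace: sn\nsn: %s\n-\n' "$NEW_SN"
  printf 'replace: givenName\ngivenName: %s\n-\n' "$NEW_GIVEN"
  printf 'replace: uid\nuid: %s\n-\n' "$NEW_UID"
  printf 'replace: homeDirectory\nhomeDirectory: /home/%s\n-\n' "$NEW_UID"
  printf 'replace: sambaHomePath\nsambaHomePath: \\\\%s\\%s\n-\n' "$SAMBA_SERVER" "$NEW_UID"
}

# LDIF 3: one record per group that holds the old DN, deleting it and adding the
# new DN in the same operation so the group is never observed without the user.
group_ldif() {
  groups_with_member "$1" "$OLD_DN" | while IFS= read -r group; do
    printf 'dn: %s\nchangetype: modify\ndelete: member\nmember: %s\n-\nadd: member\nmember: %s\n-\n\n' \
      "$group" "$OLD_DN" "$NEW_DN"
  done
}

# Run against a fresh dump after ldapmodify: every line printed is a reference
# the LDIF files did not cover (for example an attribute embedding the old uid).
stale_refs() {
  unfold "$1" | grep -F -e "$OLD_DN" -e "$OLD_UID" || true
}

OUT=$(mktemp -d)
rename_ldif        > "$OUT/atest2TerryBee-dn.ldif"
attr_ldif          > "$OUT/atest2TerryBee-attr.ldif"
group_ldif "$DUMP" > "$OUT/atest2TerryBee-groups.ldif"
echo "LDIF files written to $OUT; references to the old name in the sample dump:"
stale_refs "$DUMP"
```

Point the script at a real dump by replacing the heredoc with the path of your slapcat output, then feed the generated files to ldapmodify in the order dn, attr, groups. On the sample dump stale_refs prints six lines before the change (the user's own dn, uid, homeDirectory and sambaHomePath lines plus the two group member lines); on a dump taken after all three LDIF files have been applied it should print nothing.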