/etc/ldap/slapd.d/cn=config/cn=schema # schema location

slapcat # show content of DB object

/usr/sbin/slapcat -v -l dump.ldif # backup SLAPD database

# Install

sudo apt-get install slapd ldap-utils

dpkg-reconfigure slapd

Omit OpenLDAP server configuration? No DNS domain name? Organization name? any name Administrator password? password Database backend? HDB | BDB Remove the database when slapd is purged? No Move old database? Yes Allow LDAPv2 protocol? No

RESTART SLAPD (or container)

ldapsearch -D “cn=admin,dc=mycorp,dc=com” -w password -b “dc=mycorp,dc=com”

ldapsearch -H ldap://localhost:389 -D “cn=admin,dc=mycorp,dc=com” -w password -b “dc=mycorp,dc=com”

ldapdelete -D cn=admin,dc=mycorp,dc=com -w password -r “dc=mycorp,dc=com”

ldapmodify -D “cn=admin,dc=mydomain,dc=com” -w password
dn: ou=users,dc=mydomain,dc=com changetype: add objectClass: top objectClass: organizationalUnit ou: users description: Domain Users

Всё, начиная с «dn: » вводим руками. После ввода строки описания («description: Domain Users») нажимаем Enter два раза. Если всё введено без ошибок, вы должны увидеть такое сообщение: adding new entry “ou=Users,dc=mydomain,dc=com”

# Нажимаем Ctrl+C для выхода

ldapadd -D cn=admin,dc=mycorp,dc=com -w password -f addgroup.ldif

# Create user

slappasswd # generate hash pass

ldapmodify -D “cn=admin,dc=mydomain,dc=com” -w password

nano adduser.ldif

dn: uid=jdoe,cn=John Doe,ou=users,dc=mydomain,dc=com changetype: add objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: John Doe ou: users uid: jdoe givenName: John sn: Doe userPassword: {SSHA}hsxkIVICZSSQsUOQf4xWZutr0t44HSFP

ldapmodify -D “cn=admin,dc=mycorp,dc=com” -w password -f adduser.ldif

# Modify ldif-file:
dn: cn=John Doe,ou=users,dc=mycorp,dc=com changetype: modify add: userPassword userPassword: {SSHA}hsxkIlskflksfOQf4xWZutr0t44HSFP

# Commands #

ldapsearch -D "cn=admin,dc=mydomain,dc=com"
                      -w <pass>     # bind password (for simple authentication)
                      -W            # prompt for bind password

                      -a deref   one of never (default), always, search, or find
                      -A         retrieve attribute names only (no values)
                      -b basedn  base dn for search
                      -c         continuous operation mode (do not stop on errors)
                      -E [!]<ext>[=<extparam>] search extensions (! indicates criticality)
                                             [!]domainScope              (domain scope)
                                             !dontUseCopy                (Don't Use Copy)
                                             [!]mv=<filter>              (RFC 3876 matched values filter)
                                             [!]pr=<size>[/prompt|noprompt] (RFC 2696 paged results/prompt)
                                                                         (RFC 2891 server side sorting)
                                             [!]subentries[=true|false]  (RFC 3672 subentries)
                                             [!]sync=ro[/<cookie>]       (RFC 4533 LDAP Sync refreshOnly)
                                                     rp[/<cookie>][/<slimit>] (refreshAndPersist)
                                                                         (ldapv3-vlv-09 virtual list views)
                                             [!]<oid>[=:<b64value>] (generic control; no response handling)
                      -f file    read operations from `file'
                      -F prefix  URL prefix for files (default: file:///tmp/)
                      -l limit   time limit (in seconds, or "none" or "max") for search
                      -L         print responses in LDIFv1 format
                      -LL        print responses in LDIF format without comments
                      -LLL       print responses in LDIF format without comments
                                             and version
                      -M         enable Manage DSA IT control (-MM to make critical)
                      -P version protocol version (default: 3)
                      -s scope   one of base, one, sub or children (search scope)
                      -S attr    sort the results by attribute `attr'
                      -t         write binary values to files in temporary directory
                      -tt        write all values to files in temporary directory
                      -T path    write files to directory specified by path (default: /tmp)
                      -u         include User Friendly entry names in the output
                      -z limit   size limit (in entries, or "none" or "max") for search
                    Common options:
                      -d level   set LDAP debugging level to `level'
                      -D binddn  bind DN
                      -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
                                             [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)
                                             [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")
                                                     one of "chainingPreferred", "chainingRequired",
                                                     "referralsPreferred", "referralsRequired"
                                             [!]manageDSAit         (RFC 3296)
                                             [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)
                                             [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)
                                             abandon, cancel, ignore (SIGINT sends abandon/cancel,
                                             or ignores response; if critical, doesn't wait for SIGINT.
                                             not really controls)
                      -h host    LDAP server
                      -H URI     LDAP Uniform Resource Identifier(s)
                      -I         use SASL Interactive mode
                      -n         show what would be done but don't actually do it
                      -N         do not use reverse DNS to canonicalize SASL host name
                      -O props   SASL security properties
                      -o <opt>[=<optparam>] general options
                                             nettimeout=<timeout> (in seconds, or "none" or "max")
                                             ldif-wrap=<width> (in columns, or "no" for no wrapping)
                      -p port    port on LDAP server
                      -Q         use SASL Quiet mode
                      -R realm   SASL realm
                      -U authcid SASL authentication identity
                      -v         run in verbose mode (diagnostics to standard output)
                      -V         print version info (-VV only)

                      -x         Simple authentication
                      -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
                      -y file    Read password from file
                      -Y mech    SASL mechanism
                      -Z         Start TLS request (-ZZ to require successful response)

Backup data


LDAPBK=ldap_$( date +%H-%M_%d-%m-%Y ).ldif

/usr/sbin/slapcat -v -l $BACKUPDIR/$LDAPBK


Restore data

  1. stop slapd daemon:

    /etc/init.d/slapd stop
  2. delete old database (make sure you are in right directory to use rm):

    cd /var/lib/ldap
    rm -rf *
  3. Restore database from LDIF file:

    /usr/sbin/slapadd -l backup.ldif
  4. run slapd daemon:

    /etc/init.d/slapd start