We started using 389 LDAP (aka Fedora Directory Server) for user and group management in our research computing environment. Instead of managing users, groups and passwords on each and every machine, we just put them in LDAP and have all the machines authenticate users centrally; it’s not rocket science (people have been doing centralized LDAP authentication for decades), but it’s certainly non-trivial.
As 389 is a Red Hat technology, it integrates very well with other Red Hat technologies like RHEL (errm, CentOS!). Installation and configuration is well documented, but the out-of-the-box administration tools (389-console) are complete rubbish: the fonts are nearly unreadable, the windows don’t show up in the GNOME 3.x window overview (good luck if you accidentally move something over one), the GUI makes it easy to mess up your directory (right click -> delete without selecting a user first? Big mistake!), and it’s just not very fast or convenient compared to traditional CLI-based *nix utilities like useradd.
So I decided to write my own wrapper script for adding users from the command line, 389_useradd.sh. It was originally based on the example script in the Red Hat Netgroup whitepaper, but has been significantly updated.
Usage
Using it is simple; the only mandatory options are first and last name:
./389_useradd.sh -f Alan -l Orth > /tmp/aorth.ldif
Otherwise, if you mess up somehow, it will print out usage instructions (also available with -h).
./389_useradd.sh
Usage: ./389_useradd.sh -f FirstName -l LastName -u username [ -i userid -g groupid -p password]
Basically, it outputs an LDIF for a new user and a corresponding primary group for that user. You can save the LDIF to disk or pipe it directly to ldapmodify. If the user/group id are unspecified it will generate unique values based on the latest ones in the directory (basically, latest + 1). You can still specify these on the command line if you want to, but it seems more useful to be able to add users without first checking your LDAP for the last uid. This is what the *nix useradd does, so it makes sense to be able to use the same thing here.
Example output
/tmp/aorth.ldif, from above:
dn: uid=aorth, ou=People, dc=example,dc=org
changetype: add
givenName: Alan Orth
sn: Orth
loginShell: /bin/bash
gidNumber: 901
uidNumber: 901
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: aorth
gecos: Alan Orth
cn: Alan Orth
userPassword: redhat
homeDirectory: /home/aorth

dn: cn=aorth, ou=Groups, dc=example,dc=org
changetype: add
gidNumber: 901
memberUid: aorth
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: aorth
Import the LDIF using ldapmodify. For example:
ldapmodify -h ldap.example.org -D "cn=Directory Manager" -W -f /tmp/aorth.ldif
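As an added example (not the post’s 389_useradd.sh), the two pieces the script automates, written out in POSIX sh: picking the next uid/gid from the attribute values ldapsearch prints (the “latest + 1” rule above) and emitting the user entry plus its primary group as one LDIF. The base DN and the sample directory contents are constructed.

```shell
#!/bin/sh
# Added example, not the post's script. Base DN and sample data are made up.
BASE_DN="dc=example,dc=org"

# Constructed stand-in for: ldapsearch -LLL -b "ou=People,$BASE_DN" uidNumber
SAMPLE_UIDS='dn: uid=jdoe,ou=People,dc=example,dc=org
uidNumber: 900

dn: uid=asmith,ou=People,dc=example,dc=org
uidNumber: 901
'

# next_id ATTR: read LDIF on stdin, print the highest ATTR value plus one.
# Starts at 1000 when the directory holds no such attribute yet.
next_id() {
    max=$(sed -n "s/^$1: *\([0-9][0-9]*\)$/\1/p" | sort -n | tail -n 1)
    echo $(( ${max:-999} + 1 ))
}

# make_ldif FIRST LAST USERNAME UID GID PASSWORD: print the posixAccount and
# its primary posixGroup. The blank line between entries is what ldapmodify
# uses to tell the two records apart.
make_ldif() {
    cat <<EOF
dn: uid=$3,ou=People,$BASE_DN
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: $3
cn: $1 $2
givenName: $1
sn: $2
gecos: $1 $2
uidNumber: $4
gidNumber: $5
homeDirectory: /home/$3
loginShell: /bin/bash
userPassword: $6

dn: cn=$3,ou=Groups,$BASE_DN
changetype: add
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: $3
gidNumber: $5
memberUid: $3
EOF
}

# Usage: compute the id once and reuse it for the primary group (prints 902).
NEW_ID=$(printf '%s' "$SAMPLE_UIDS" | next_id uidNumber)
make_ldif Alan Orth aorth "$NEW_ID" "$NEW_ID" 'changeme'
```

Two things to keep in mind when running this against a live directory: the id is only unique if nobody else adds a user between the search and the ldapmodify, so check for a duplicate uidNumber afterwards; and the LDIF on disk holds the password in clear (389 hashes it on the add, the file does not), so write it with umask 077 and remove it once imported.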
Todo
While the simple use case of adding a user works, there are still some things I’d like to be able to do from the command line:
- Ability to add groups, à la groupadd
- Ability to add/remove users from arbitrary groups, à la gpasswd
Thanks, I might be setting up this soon, I have a bunch of new machines and will be creating a new lab, can’t think of anything else at the moment.
Yah, it might be an idea to look into LDAP if you’re going to be doing users on many machines; network-based home directories are a cool thing too! 389 is only one of the many open-source LDAP servers out there, and I have no idea if it’s easier, better, etc than OpenLDAP, ApacheDS, etc… but I’m happy with it in our CentOS-based environment.