We started using 389 LDAP (aka Fedora Directory Server) for user and group management in our research computing environment. Instead of managing users, groups and passwords on each and every machine, we just put them in LDAP and have all the machines authenticate users centrally; it’s not rocket science (people have been doing centralized LDAP authentication for decades), but it’s certainly non-trivial.
As 389 is a Red Hat technology, it integrates very well with other Red Hat technologies like RHEL (errm, CentOS!). Installation and configuration is well documented, but the out-of-the-box administration tools (389-console) are complete rubbish; the fonts are nearly unreadable, the windows don’t show up in the GNOME 3.x window overview (good luck if you accidentally move something over one), the GUI makes it easy to mess up your directory (right click -> delete without selecting a user first? Big mistake!), and also it’s just not very fast/convenient compared to traditional CLI-based *nix utilities like
So I decided to write my own wrapper script for adding users from the command line, 389_useradd.sh. It was originally based on the example script in the Red Hat Netgroup whitepaper, but has been significantly updated.
Using it is simple; the only mandatory options are first and last name:
```shell
./389_useradd.sh -f Alan -l Orth > /tmp/aorth.ldif
```
Otherwise, if you mess up somehow, it will print out usage instructions (aka
```shell
./389_useradd.sh
Usage: ./389_useradd.sh -f FirstName -l LastName -u username [ -i userid -g groupid -p password]
```
Basically, it outputs an LDIF for a new user and a corresponding primary group for that user. You can save the LDIF to disk or pipe it directly to ldapmodify. If user/group id are unspecified it will generate unique values based on the latest in the directory (basically, latest + 1). You can still specify these on the command line if you want to, but it seems more useful to be able to add users without checking your LDAP for the last uid first. This is what the *nix useradd does, so it makes sense to be able to use the same thing here.
The contents of /tmp/aorth.ldif, from above:
```ldif
dn: uid=aorth, ou=People, dc=example,dc=org
changetype: add
givenName: Alan Orth
sn: Orth
loginShell: /bin/bash
gidNumber: 901
uidNumber: 901
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
uid: aorth
gecos: Alan Orth
cn: Alan Orth
userPassword: redhat
homeDirectory: /home/aorth

dn: cn=aorth, ou=Groups, dc=example,dc=org
changetype: add
gidNumber: 901
memberUid: aorth
objectClass: top
objectClass: groupofuniquenames
objectClass: posixgroup
cn: aorth
```
Import the LDIF using ldapmodify. For example:
```shell
ldapmodify -h ldap.example.org -D "cn=Directory Manager" -W -f /tmp/aorth.ldif
```
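The same generation logic as an added example in Python (not the 389_useradd.sh script itself): it allocates uidNumber/gidNumber as latest + 1 from a constructed list of ids standing in for the directory, refuses a number that is already taken, and writes userPassword as a salted {SSHA} hash instead of the cleartext value visible in the LDIF above. The suffix, the username rule (first initial + last name) and the default password are assumptions.

```python
import base64
import hashlib
import os
import re

BASE_DN = "dc=example,dc=org"  # assumed suffix, matching the LDIF above
# Constructed stand-in for the id numbers already in the directory; the real
# script would fetch these with ldapsearch over ou=People and ou=Groups.
EXISTING_UIDS = {500, 900}
EXISTING_GIDS = {500, 900}

def next_id(existing, start=1000):
    """The script's allocation rule: highest existing id + 1 (start if none)."""
    return max(existing) + 1 if existing else start

def make_username(first, last):
    """Assumed default: first initial + last name, lowercased ('Alan Orth' -> 'aorth')."""
    return re.sub(r"[^a-z0-9]", "", (first[0] + last).lower())

def ssha_password(password, salt=None):
    """{SSHA} = base64(sha1(password || salt) || salt), stored instead of cleartext."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def user_ldif(first, last, username=None, uid=None, gid=None, password="changeme"):
    """Emit the add-user LDIF (account plus private primary group) as one string."""
    username = username or make_username(first, last)
    uid = next_id(EXISTING_UIDS) if uid is None else uid
    gid = next_id(EXISTING_GIDS) if gid is None else gid
    # Refuse to reuse a number already in the directory: a duplicate uidNumber
    # would silently give two accounts the same Unix identity on every host.
    if uid in EXISTING_UIDS or gid in EXISTING_GIDS:
        raise ValueError(f"uid {uid} / gid {gid} already allocated")
    full = f"{first} {last}"
    return "\n".join([
        f"dn: uid={username},ou=People,{BASE_DN}", "changetype: add",
        f"givenName: {first}", f"sn: {last}", f"cn: {full}", f"gecos: {full}",
        f"uid: {username}", f"uidNumber: {uid}", f"gidNumber: {gid}",
        f"homeDirectory: /home/{username}", "loginShell: /bin/bash",
        "objectClass: top", "objectClass: person", "objectClass: organizationalPerson",
        "objectClass: inetorgperson", "objectClass: posixAccount",
        f"userPassword: {ssha_password(password)}", "",
        f"dn: cn={username},ou=Groups,{BASE_DN}", "changetype: add",
        f"cn: {username}", f"gidNumber: {gid}", f"memberUid: {username}",
        "objectClass: top", "objectClass: groupofuniquenames", "objectClass: posixgroup", "",
    ])
```

Imported as Directory Manager, as in the ldapmodify command above, 389 DS stores the {SSHA} value as given; other bind identities can only add pre-hashed passwords when nsslapd-allow-hashed-passwords is enabled.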
While the simple use case of adding a user works, there are still some things I’d like to be able to do from the command line:
- Ability to add groups, à la
- Ability to add/remove users from arbitrary groups, à la