Using LDAP Without Getting Your Hands Dirty

by Ali Tayarani


Several months ago, we discussed the why and how of setting up an LDAP server cluster. But what do you do when you want to manage the resources in your directory? The traditional tools for managing LDAP are powerful, but can be hard to understand. In order to save us the hassle of ramp-up time and yet another DSL that we’d need to remember, we wrote the ldap_tools gem.

The traditional tools use long configuration files, while the ldap_tools gem allows for simple command lines like ldap group create -n <name>. To demonstrate how they compare, let’s first look at how those built-ins work.

Traditional Tools

The traditional tools center around a file format called LDIF (Light-weight Directory Interchange Format). To get a sense of what the format looks like, here is an example entry for an existing user:

So, how do we get to this point?

Save it to a file, and run this command: ldapadd -H ldap://ldaphost.example.net -x -D "cn=admin,dc=example,dc=net" -f /tmp/createuser.ldif -w $(cat /etc/ldap.secret)

It could be worse, but what happens when we want example.user to be in a secondary group? gidNumber is only for primary groups.

Save it to a file, then run the same command as above with the new file name.

Save the file. Since we’re now modifying LDAP, rather than adding to it, we have a new command to use: ldapmodify -H ldap://ldaphost.example.net -x -D "cn=admin,dc=example,dc=net" -f /tmp/adduser_to_group2.ldif -w $(cat /etc/ldap.secret)

Note: ldapadd is a hard link to ldapmodify -a, so you could use ldapmodify for both, but include a -a on the first command.
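
The secondary-group change from this section, scripted as an added example (not the article's own code and not part of ldap_tools). It assumes posixGroup entries under ou=groups,dc=example,dc=net with memberUid membership and a made-up group named group2; it validates names before writing LDIF and reads the bind password with -y instead of placing it on the command line.

```shell
#!/bin/sh
# Added example, not the article's code: build and apply the LDIF that adds a
# user to a secondary group.
# Assumptions: groups are posixGroup entries under ou=groups, membership is
# stored in memberUid, and "group2" is a made-up group name.
LC_ALL=C                                   # make a-z mean ASCII letters only
LDAP_URI="ldap://ldaphost.example.net"     # from the article
BIND_DN="cn=admin,dc=example,dc=net"       # from the article
GROUP_BASE="ou=groups,dc=example,dc=net"   # assumed directory layout

# Accept only short POSIX-style names. LDIF is line oriented and DNs are comma
# separated, so a newline, colon or comma inside a name would change what the
# generated file means.
valid_name() {
  case $1 in
    '' | [!a-z_]* | *[!a-z0-9._-]*) return 1 ;;
  esac
  [ "${#1}" -le 32 ]
}

# Print the change record for adding uid $2 to group $1; return 1 on a bad name.
group_add_ldif() {
  valid_name "$1" && valid_name "$2" || return 1
  printf 'dn: cn=%s,%s\n' "$1" "$GROUP_BASE"
  printf 'changetype: modify\nadd: memberUid\nmemberUid: %s\n' "$2"
}

# Write the LDIF to a private temp file (mktemp creates it mode 0600), apply it.
apply_group_add() {
  ldif=$(mktemp) || return 1
  if group_add_ldif "$1" "$2" > "$ldif"; then
    # -y reads the bind password from the file, keeping it off the command
    # line. It uses the file contents verbatim, so unlike -w $(cat ...) a
    # trailing newline in /etc/ldap.secret becomes part of the password.
    ldapmodify -H "$LDAP_URI" -x -D "$BIND_DN" -y /etc/ldap.secret -f "$ldif"
    rc=$?
  else
    echo "refusing unsafe group or uid name" >&2
    rc=1
  fi
  rm -f "$ldif"
  return "$rc"
}
```

Calling apply_group_add group2 example.user applies the change; group_add_ldif alone prints the LDIF for review without contacting the server.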

A New Way Forward

Now that you’ve seen the long way, let’s see if we can do it a bit cleaner. First, the organizational groups are created as above. Adding them via the gem isn’t currently possible because, hopefully, you’ll only need to do this once.

There are many more features of the ldap_tools gem, as this is only one example. For more information, visit the GitHub project at: https://github.com/Tapjoy/ldap_tools.

 
