Adding Entries to Your Directory Server



There are two ways to add users to your Directory Server. For large imports, or when you already have the information assembled, you can import entries in bulk from an LDIF file. You can also add users one at a time.

Either way can be done through the Fedora Directory Server Console, which is the easier route if you are not familiar with command-line utilities.
You can also import an LDIF and create single users from the command line. Here the syntax and spelling have to be exactly right: a malformed entry is simply rejected, and an offline import with ldif2db replaces whatever the target database already contains, so a mistake can cost you existing data. You also have to stop the server to import an LDIF with ldif2db. If you are comfortable with these utilities, though, they offer more flexibility and speed, and they can be scripted.


I. Importing an LDIF from the Console



NOTE         
The LDIF must be formatted to fit your directory structure. That is, every new entry must begin with a dn: line, and that DN must lie under one of your existing suffixes. E.g., a new user must be named dn: uid=sguy,ou=people,dc=example,dc=com. If the dn: line is missing, or the DN is not under a configured suffix, that entry is rejected.


To import an LDIF from the Console, do the following:

  1. On the Tasks tab, the first tab in the Directory Server Console, scroll down to "Import Databases" and click it.

  2. A dialog box asks for the path to the LDIF file you want to import. You can browse to select a file, which can be a general list of users or an LDIF you've exported from a mail client such as Mozilla Thunderbird.



  3. Hit OK. A status box appears showing how many entries were imported.

    If you left the "rejects file" checkbox checked, any entries that were not imported are written to that file. Entries that already exist in your database, or whose DN is not under a configured suffix, are rejected. Check the rejects file after every import so that a dropped entry does not go unnoticed.

II. Creating a New User from the Console

To create a new user in the Console, do the following:
  1. Go to the Directory tab of the Directory Server Console.

  2. Open the suffix (such as dc=company,dc=com) where you want to create the new entry, and select the organizational unit, such as ou=People, where you want the new user to go.

    You may have more than one "people" branch, such as ou=Sales, ou=People or ou=Employees and ou=Customers. Be sure that your users are logically organized.

  3. Right-click on the branch you've selected, and pick "Create New>User" from the menu. You can also select the Object menu from the top menu bar, and then click "Create New>User."



  4. A dialog will appear for you to create a new user. The first tab (the only one that is required) lets you fill in a first and last name, email address, password, and more common information.



  5. To add an attribute or object class, or to view more of the allowed attributes for the entry, click on the "Advanced..." button at the bottom of the box. See Adding Attributes and Object Classes to a User from the Console, below.

  6. Once you have supplied all the information you want for your user, hit OK to save it. The user appears at the bottom of the list of users in the right-hand pane.

III. Modifying Users from the Console

To modify a user from the Console, highlight the user you want to change. Right-click on the entry, and select "Properties" or "Advanced Properties" from the menu. The same Properties Editor will appear that came up when the entry was created; simply change or add the values in the fields you want modified.

III.a. Adding Attributes and Object Classes to a User from the Console

To add an attribute or object class or to view more of the allowed attributes for the entry, click on the "Advanced..." button at the bottom of the box.

To add an object class to an entry, click on the objectClass attribute in the list of entry attributes, and then hit the "Add Value" button.



A list of object classes you can add appears. When you select one, it is added as a value of the objectClass attribute.

Any required attributes for that object class automatically appear in the window for you to supply their values. For example, when the posixAccount object class is added to an entry, the uidNumber, gidNumber and homeDirectory attributes appear in the list of attributes, and they must be given values before the entry will pass schema checking.



To add an attribute to an entry, hit the "Add Attribute" button on the right, and select an attribute from the list. The field appears in the entry, and you can enter the attribute value there. Some attributes are only allowed by certain object classes; unless such an object class is added to the entry, the attribute cannot be added. When you add a new object class, the attributes it allows appear in the list the next time you hit "Add Attribute." For example, the mail-handling attributes show up in the list only after the mailRecipient object class has been added to the entry.



IV.  Inactivating and Deleting a User from the Console

Inactivating an entry locks the account without removing it: the user can no longer bind with that uid and password, so he cannot search the directory, access it, or modify his own entry. The entry itself still exists, keeps all of its attributes, and is still returned in searches by other users. That makes inactivation the safer first step when someone leaves: it is reversible, and the entry remains for the record. To inactivate an entry, highlight the user entry and select Properties. There is a screen called Accounts with the "Activate/Inactivate" button. Hit the "Inactivate" button, and then OK.

When you inactivate an entry, the User icon shows a red mark across it whenever you open the Property Editor. To reactivate, hit the "Activate" button, and then OK.

To delete an entry, highlight the entry you want to delete, and select "Delete" from the Object menu (or the right-click menu). A dialog appears to confirm that you want to delete the entry; hit OK to delete and No to cancel.


V.  Importing an LDIF from the Command-Line

You import an LDIF file on the command line by running the ldif2db script that comes with Fedora Directory Server. This is an offline import: the server must be stopped, and the script rebuilds the named database from the LDIF, replacing whatever that database held before. Fedora Directory Server also ships an ldif2ldap script, which adds the entries through the running server over LDAP instead; it imports all of the data to all databases at the same time, whereas ldif2db lets you import into a single database or a specified group of databases.



NOTE         
ldif2db replaces the entire contents of the target database with the LDIF you import; it does not merge. Export the database first with db2ldif so that you can restore it if the import goes wrong, and keep that export protected, because it contains every attribute in the database, including userPassword hashes.



NOTE         
The LDIF must be formatted to fit your directory structure, as described in the note under Importing an LDIF from the Console: every entry must begin with a dn: line whose DN lies under one of your existing suffixes, or that entry is rejected.



To import an LDIF from the command-line, do the following:
  1. Stop your Directory Server. You can do this from the Console by simply hitting the "Stop Server" button in the Tasks tab. To stop the server from the command-line, type the following:

    cd /pathtoyourserver/slapd-serverName
    ./stop-slapd

  2. Run the ldif2db script (it is stored in the /slapd-serverName directory). The script takes two options: -n, which names the database you want to import the LDIF into, and -i, which gives the full path to the LDIF file you are importing. The file must be local, meaning it must be on the machine you are running the import from. This example, using the default installation directory for Fedora Directory Server and a server named Company, imports an address book LDIF into the PeopleDB database.

    ldif2db -n PeopleDB -i /usr/redhat/server/slapd-Company/ldif/addressbook.ldif


    The -i option can be used more than once. So, to import an address book LDIF and an old employee directory into PeopleDB, run the following command.

    ldif2db -n PeopleDB \
        -i /usr/redhat/server/slapd-Company/ldif/addressbook.ldif \
        -i /usr/redhat/server/slapd-Company/ldif/directory.ldif


    If you import more than one LDIF at a time, then the LDIFs are imported in the order you list them in the command.

  3. Restart the Directory Server.

    cd /pathtoyourserver/slapd-serverName
    ./start-slapd

VI. Creating Users from the Command-Line

The easiest way to create users from the command line is to use the ldapmodify utility. There's a special option, -a, which tells the server to create a new entry. This can be done over a remote connection.



NOTE         
The server must be running when you use LDAP client commands such as ldapmodify; unlike ldif2db, they talk to the server over the network rather than writing the database directly.



To add a user with ldapmodify, do the following:
  1. Open the directory where ldapmodify is.

    cd /pathtoserver/shared/bin

  2. Run the ldapmodify command. You have to give it the DN to bind as, that DN's password, and the port and host of the server:

    ldapmodify -a -D bindDN -w bindPassword -p port -h hostname

    The entry itself is then typed on standard input and finished with Ctrl-D (the ">" in the example below is the shell's continuation prompt, not part of what you type). Two cautions apply. A password passed with -w is visible to other users in the process list and is kept in your shell history; prefer reading it from a protected file with -j, or, with OpenLDAP's ldapmodify, let -W prompt for it. And cn=Directory Manager bypasses every access control in the directory, so for routine account creation bind as a less privileged administrative account whose ACIs allow writes only under the branch it manages.

    For example, you can add an entry like the following:

    ldapmodify -a -D "cn=Directory Manager" -w password -p 389 -h localhost

    >dn: uid=tlackey,ou=People,dc=example,dc=com
    >objectclass: top
    >objectclass: person
    >objectclass: inetorgperson
    >cn: Thomas Lackey
    >sn: Lackey
    >givenname: Thomas
    >mail: tlackey@company.com
    >telephonenumber: 505 555 6617
    >userPassword: password
    >description: QA team lead

  3. The server returns the message adding entry uid=tlackey,ou=People,dc=example,dc=com. The userPassword value travels in the clear on a plain port 389 connection, and the server stores it hashed with its configured password storage scheme, so set initial passwords over a TLS-protected connection and have users change them afterwards.
If schema checking is enabled on your directory and the entry lacks an attribute that one of its object classes requires (for example sn, which person requires), you get an error message and the addition fails. You can also add entries in bulk by giving -f filename.ldif instead of typing the entry; treat such a file as a credential store if it contains userPassword values, restrict its permissions, and delete it once the import has succeeded.
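Before running ldif2db or ldapmodify -a on a file, it is worth checking it offline against the rules stated above: the note on dn: lines and suffixes in the Console import section, and the schema check described in step 3 here. The script below is an added example, not code from this page or from Fedora Directory Server. Its suffix list, its two-object-class schema table and the sample LDIF are constructed assumptions, and it leaves base64 (::) values undecoded.

```python
"""Pre-flight check for an LDIF file before ldif2db or ldapmodify -a sees it.
Added example, not code from the page or from Fedora Directory Server. It
applies the rejection rules the page describes: a record must start with a
dn: line, the DN must lie under a configured suffix, a DN may not repeat
within the file, and (schema checking) each object class must have its
required attributes. SUFFIXES, REQUIRED and SAMPLE_LDIF are constructed."""

SUFFIXES = ["dc=example,dc=com"]  # assumed: the suffixes configured on the server
# Constructed subset of the standard schema: object class -> MUST attributes.
REQUIRED = {"person": {"cn", "sn"},
            "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"}}


def normalize_dn(dn):
    """Lowercase and drop spaces around commas so ou=people matches ou=People."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_ldif(text):
    """Return [(dn, attrs)]; dn is None when a record does not begin with dn:.
    Blank lines separate records; a leading space folds a line onto the
    previous one (RFC 2849). Base64 (::) values are left undecoded."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() == "":
            if lines:
                records.append(lines)
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    parsed = []
    for rec in records:
        dn, attrs = None, {}
        for i, line in enumerate(rec):
            if ":" not in line:
                continue
            name, value = line.split(":", 1)
            name, value = name.strip().lower(), value.strip()
            if i == 0 and name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        parsed.append((dn, attrs))
    return parsed


def check_ldif(text, suffixes=SUFFIXES):
    """Return (accepted_dns, rejects); rejects holds (record_no, dn, reason)."""
    suffixes = [normalize_dn(s) for s in suffixes]
    accepted, rejects, seen = [], [], set()
    for n, (dn, attrs) in enumerate(parse_ldif(text), 1):
        ndn = normalize_dn(dn or "")
        missing = set()
        for oc in attrs.get("objectclass", []):
            missing |= REQUIRED.get(oc.lower(), set()) - set(attrs)
        if dn is None:
            reason = "record does not start with a dn: line"
        elif not any(ndn == s or ndn.endswith("," + s) for s in suffixes):
            reason = "DN is not under a configured suffix"
        elif ndn in seen:
            reason = "duplicate DN in this file"
        elif missing:
            reason = "missing required attribute(s): " + ", ".join(sorted(missing))
        else:
            seen.add(ndn)
            accepted.append(dn)
            continue
        rejects.append((n, dn, reason))
    return accepted, rejects


# Constructed sample: one good entry, then one record breaking each rule in turn.
SAMPLE_LDIF = """\
dn: uid=sguy,ou=People,dc=example,dc=com
objectclass: person
objectclass: inetorgperson
cn: Some Guy
sn: Guy

objectclass: person
cn: No Dn Line

dn: uid=other,ou=People,dc=other,dc=org
objectclass: person
cn: Wrong Suffix
sn: Suffix

dn: uid=tlackey,ou=people,dc=example,dc=com
objectclass: person
cn: Thomas Lackey

dn: UID=sguy, OU=People, DC=example, DC=com
objectclass: person
cn: Some Guy
sn: Guy
"""
```

Run check_ldif on the file and review the rejects list before the import; the fourth sample record is rejected for lacking sn, which is exactly the schema-checking failure the page describes for ldapmodify, and the fifth is caught as a duplicate even though its DN differs only in case and spacing.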


VII. Modifying Users from the Command-Line

To modify entries from the command line, run the ldapmodify utility the same way as when you add an entry, only without the -a option. To change a single entry, type the change record on standard input; for bulk changes, give the -f filename.ldif option with an LDIF file of change records (an LDIF update file).

To modify a single entry, do the following:
  1. Open the directory where ldapmodify is.

    cd /pathtoserver/shared/bin

  2. Run the ldapmodify command and give it a change record. Each record starts with the dn: of the entry, followed by a changetype: line. The changetype is modify to change the attributes of an existing entry; the other changetypes are add (a whole new entry), delete (the whole entry), modrdn (change the first component of the DN, usually the uid) and moddn (change the DN). Within a changetype: modify record, each operation is add (add a value to an attribute), delete (remove an attribute or one of its values) or replace (replace all of an attribute's values), written as the operation name, a colon and the attribute name, followed by the value lines.


NOTE         
If you run changetype: delete, the server deletes the entire entry, not an attribute. Likewise, changetype: add tries to add an entire entry, and fails with an error if the entry already exists.


    This example changes Thomas Lackey's email address.

    ldapmodify -D "cn=Directory Manager" -w password -p 389 -h localhost

    >dn: uid=tlackey,ou=People,dc=example,dc=com
    >changetype: modify
    >replace: mail
    >mail: thomasl@company.com

    The following changes Thomas Lackey's mail attribute and adds a telephone number. When you want to make several changes to one entry, separate the operations with a line containing only a dash (-).

    ldapmodify -D "cn=Directory Manager" -w password -p 389 -h localhost

    >dn: uid=tlackey,ou=People,dc=example,dc=com
    >changetype: modify
    >replace: mail
    >mail: thomasl@company.com
    >-
    >add: telephonenumber
    >telephonenumber: 505 555 6617

    You can add more than one value to an attribute when the attribute is multi-valued. The attribute named on the add: line must be the same one the value lines use.

    ldapmodify -D "cn=Directory Manager" -w password -p 389 -h localhost

    >dn: uid=tlackey,ou=People,dc=example,dc=com
    >changetype: modify
    >add: telephonenumber
    >telephonenumber: 505 555 6617
    >telephonenumber: 505 555 4352


    The server will return the message modifying entry uid=tlackey,ou=People,dc=example,dc=com.
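The change-record rules in this section (the dash separator, changetype versus operation, and the operation header having to name the same attribute as the value lines under it) are easy to get wrong in a hand-written -f file, and ldapmodify only tells you once it has already applied the earlier records. The script below is an added example, not code from the page or from Fedora Directory Server; it renders modify records and lints a change file before ldapmodify runs it. The sample change file is constructed and deliberately contains a mismatched header (add: phone above telephonenumber lines) and a changetype: delete where a modify was meant.

```python
"""Build and check LDIF change records for ldapmodify -f.
Added example, not code from the page or from Fedora Directory Server. It
renders 'changetype: modify' records the way the page shows them ('-' between
operations) and checks a change file for two mistakes the page warns about:
an add:/delete:/replace: header naming one attribute while the value lines
name another, and changetype: add or delete used where a modify was meant
(those act on the whole entry). Every record must state its changetype
explicitly. SAMPLE_CHANGES is constructed."""

CHANGETYPES = {"add", "delete", "modify", "modrdn", "moddn"}
MOD_OPS = {"add", "delete", "replace"}


def modify_record(dn, changes):
    """Render one modify record; changes is a list of (op, attribute, values).
    Each operation is closed with the '-' line RFC 2849 requires (ldapmodify
    also accepts the page's style, which omits the final one)."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in changes:
        if op not in MOD_OPS:
            raise ValueError(f"{op!r} is not a modify operation (add/delete/replace)")
        lines.append(f"{op}: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


def _records(text):
    """Split change-file text into records (lists of lines) on blank lines."""
    rec = []
    for raw in text.splitlines() + [""]:
        if raw.strip() == "":
            if rec:
                yield rec
            rec = []
        elif not raw.startswith("#"):
            rec.append(raw)


def _split(line):
    """('name', 'value') for 'name: value'; ('', line) when there is no colon."""
    name, sep, value = line.partition(":")
    return (name.strip().lower(), value.strip()) if sep else ("", line)


def check_changes(text):
    """Return a list of (dn, problem) pairs; an empty list means the file is clean."""
    problems = []
    for rec in _records(text):
        name, dn = _split(rec[0])
        if name != "dn":
            problems.append((None, "record does not start with a dn: line"))
            continue
        body, ctype = rec[1:], None
        if body and _split(body[0])[0] == "changetype":
            ctype, body = _split(body[0])[1].lower(), body[1:]
        if ctype not in CHANGETYPES:
            problems.append((dn, f"unknown or missing changetype {ctype!r}"))
        elif ctype != "modify":
            if any(_split(l)[0] in MOD_OPS for l in body) or (ctype == "delete" and body):
                problems.append((dn, f"changetype: {ctype} acts on the whole entry; "
                                     "use changetype: modify to change attributes"))
        else:
            current = None  # (op, attribute) of the operation block being read
            for line in body:
                name, value = _split(line)
                if line.strip() == "-":
                    current = None
                elif current is None:
                    if name not in MOD_OPS:
                        problems.append((dn, f"expected an add:/delete:/replace: header, got {line!r}"))
                    current = (name, value.lower())
                elif name != current[1]:
                    problems.append((dn, f"{current[0]}: {current[1]} is followed by a value "
                                         f"line for {name!r}"))
    return problems


# Constructed sample: a correct record, then the two mistakes described above.
SAMPLE_CHANGES = """\
dn: uid=tlackey,ou=People,dc=example,dc=com
changetype: modify
replace: mail
mail: thomasl@company.com
-
add: telephonenumber
telephonenumber: 505 555 6617

dn: uid=tlackey,ou=People,dc=example,dc=com
changetype: modify
add: phone
telephonenumber: 505 555 6617
telephonenumber: 505 555 4352

dn: uid=tlackey,ou=People,dc=example,dc=com
changetype: delete
replace: mail
mail: thomasl@company.com
"""
```

Generate records with modify_record when scripting bulk changes, and run check_changes over any file before passing it to ldapmodify -f; a clean result is an empty list, and each problem names the DN so the offending record can be found in the file.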

     

VIII.  Deleting Users from the Command-Line

To delete an attribute or an attribute value from an entry, use ldapmodify with a changetype: modify record containing a delete or replace operation, as above. To delete an entire entry from the command line, run the ldapdelete utility with the DN of the entry you want to delete. Unlike ldapmodify, ldapdelete takes the bare DN (no "dn:" prefix), either as an argument or one per line on standard input:

ldapdelete -D "cn=Directory Manager" -w password -p 389 -h localhost "uid=tlackey,ou=People,dc=example,dc=com"

There is no confirmation prompt on the command line; the entry is gone as soon as the server acknowledges the request. If you only want to stop the user from logging in, inactivate the entry from the Console instead and keep it for the record.

 


2003 Bozeman Pass Incorporated