Your LDAP Administration Toolbox

Do you have what it takes to manage an LDAP infrastructure? Administration of a directory means having a thorough knowledge of the directory's structure, data, security, performance, and general configuration. It also means knowing how to efficiently respond to requests for information about any aspect of the directory, and indeed, any aspect of your environment for which your directory is the canonical source of information. In this article, I'll go over some of the standard (and not so standard) tools that can put you firmly in control of your directory.

OpenLDAP command-line tools

The OpenLDAP tools are the no-brainer tools for LDAP administrators, partly due to the fact that they come with the OpenLDAP software distribution, and partly because you could probably administer an OpenLDAP directory without the aid of much else.

Let's start by looking at how to search your directory using the OpenLDAP ldapsearch utility. Consider the simple command

ldapsearch -x -b'dc=linuxlaboratory,dc=org' '(objectclass=*)'

The -x flag indicates that I wish to use simple authentication, as opposed to SASL-based authentication, which is the default. The -b flag tells the server where to start looking -- in other words, the search base. In this case, by feeding it the top level of the directory, I specify searching the entire directory (though there are other flags that control the depth of the search). The last quoted argument, '(objectclass=*)', is the search parameter, which says I want to see all attributes of anything that contains an objectclass attribute. Since every object stored in a directory has to be defined using an objectclass attribute, I'm saying I want to see everything in the directory.

The data returned from this query is standard LDIF, and will look identical to the LDIF we used to enter the data into the directory in the first place.

The ldapsearch utility can be a flexible, powerful tool, allowing you to search any LDAP host for any object or group of objects, using almost any filter both for matching and output. Here's a slightly more advanced search:

ldapsearch -x -b'dc=linuxlaboratory,dc=org' '(&(sn=Jones)(givenname=Brian))' -S cn

Note the ampersand, which is a logical AND operator. In order to match a directory entry, both of the search terms must match. The -S cn argument at the end says to sort results by the cn attribute in the returned entries. If I added a + operator at the end of the line the command would return only the operational attributes stored internally by the server, such as the creation date, creator's dn, and modification dates and names for the entry. This can be a valuable troubleshooting technique.

My favorite tool from the OpenLDAP suite is ldapmodify. To me, this is the consummate Swiss Army knife for OpenLDAP. It takes a little getting used to the flags and files involved, but once you've mastered ldapmodify, you can perform additions, changes, deletes, and modifications with pinpoint accuracy in seconds. For example, suppose I demote user "cartman" to janitor and take away his right to have a homepage in the process. I create a quick file, which I name modlab, containing my changes:

dn: cn=cartman,ou=People,dc=linuxlaboratory,dc=org
changetype: modify
replace: loginShell
loginShell: /bin/bash
-
replace: title
title: janitor
-
delete: labeledURI
-

I then run ldapmodify:

ldapmodify -x -W -D'cn=Manager,dc=linuxlaboratory,dc=org' -c -S modlab.err -f modlab

Upon the command's completion, cartman's entry will have an altered loginShell, reflect his new title, and completely remove the labeledURI attribute from his entry. If there are any errors with the modifications, they will be written to the file modlab.err, as indicated by the -S modlab.err argument. In cases where many modifications will affect many entries, coupling -S with the -c flag, which tells the utility to continue even if an error occurs, allows ldapmodify to complete the changes that can be made now and log those that can't to a file, with the error included as a comment.

I strongly suggest you read the man pages for the OpenLDAP command-line tools. They can be a lifesaver when you're working from some remote location that doesn't support the bandwidth necessary for a GUI display, or when you're forced to work from an SSH client running on a Windows box with no X server.

Don't imagine you're limited to command-line tools, though...

Getting GUI with LDAP: Graphical tools

New graphical tools for LDAP administration seem to come along every day. Some are Web-based, while others are full-fledged desktop applications running without a browser. I have tried many of the Web-based tools and nearly all of the desktop applications that run under Linux. Of these, the one I've found most useful is one that I don't often see recommended on the various LDAP mailing lists. It's a humble Java application called LDAP Browser.

In spite of its name, LDAP Browser is far more than a simple browser that lets you view the data in your directory. It is a full-fledged administration tool, allowing you to add, delete, and modify entries, with full support for encrypted sessions as well as specialized support for certain attributes -- for example, it enables you to verify or reset an encrypted userPassword attribute for an entry. With LDAP Browser you can move an entire section of your LDAP directory to another part of your directory. In my early testing, I moved the entire contents of a subtree of my directory, containing about 1,000 entries, and put it underneath an existing subtree -- an operation I've had problems doing using other tools. In addition, if you simply must have a browser-based tool, LDAP Browser is written in Java and can run either as an applet or a standalone application. While the application hasn't been updated since (apparently) 2001, it is 100% LDAPv3 aware, and the tool works as well as or better than any other tool out there that I've tried.

GQ, another standalone application that is heavily recommended on the LDAP mailing lists, is a GNOME application that is included on a lot of Linux distribution CDs, usually as an add-on application. Though I'll probably take heat for saying so, I've never made friends with GQ. I've turned up multiple ways of crashing the tool, and I did not find it to be particularly user-friendly. Add to this my growing resentment of open source projects that lack anything resembling documentation and you have my less-than-glowing review of the tool. However, the fact that it is so heavily hyped on the mailing lists leads me to believe that GQ is probably useful for those who overcome its quirks.

Only two worthwhile Web-based LDAP administration tools spring to mind: phpLDAPadmin and YALA (Yet Another LDAP Administrator). (DISCLAIMER: I once contributed to the YALA project, to add support for TLS connections.) These tools are equally useful, and are probably the least buggy of the Web-based administration tools I've used (the number of which is nearing a dozen). If you have a relatively small directory, don't need connections to multiple directories, and don't do crazy things with loads of data at any given time, these tools are fine, assuming you don't mind maintaining a Web server to support them. For enterprise-strength administration, I've had more luck with the desktop tools. On the other hand, if you need a specialty tool for LDAP, like a special interface just to manage LDAP and Qmail, or LDAP and RADIUS, or some other configuration, there is probably a Web-based tool to ease your pain. It's worth searching freshmeat.net for these tools.

In closing

I hope this sampling of my favorite tools helps you narrow your search for LDAP administration software and gives you a baseline to measure other tools by. There are a million other tools available to ease LDAP administration. The fact that I have some kind of gripe with about 99% of them should not keep you from trying them out. LDAP environments can vary greatly in their configuration, and one LDAP admin's useless crapware is another's savior. Find one that fits your brain and stick with it.

Up to now in this column we've covered building and installing OpenLDAP, designed a simple directory, and added some entries. After reading this article, you are now armed with the tools necessary to move forward as an LDAP administrator. These tools can help you tinker with your directory -- poking and prodding at it to discover (or change, or destroy) all that it holds. Next time, we'll learn how to make your Linux system an LDAP client, using LDAP for authentication as well as user and group lookups.