LDIF for creating Active Directory users and groups in OpenLDAP?
I have a web application that uses Active Directory to authenticate users, and I'm trying to replace AD with OpenLDAP.

The documentation says that I need to log on to the domain controller as administrator, open the user management window, click on the appropriate organizational unit and add the user IDs to the proper groups (these groups should have scope "Global" and group type "Security").

I need to create the equivalent entries on my OpenLDAP server. Can someone provide an example LDIF for this? I don't know the class or the attributes I should use, and I don't have access to a domain controller. The most problematic items seem to be group type and scope, because they seem to be binary values, not strings.

Please note that I don't want to replace Active Directory completely - I just need userids and groups. I've tried adding microsoft.schema to OpenLDAP, but it doesn't work. I've found some information about modifying the schema for Microsoft Outlook; I need something similar but simpler.

Veteran asked 30/8, 2011 at 21:28. Comments (3):
Can you be more explicit? You need an LDIF script, so it's programming, so I do not vote to close the question, but it's not so explicit. What do you really want to do: migrate users from AD to OpenLDAP? Add a new user to OpenLDAP with LDIF? You mentioned a document; which one (can you edit your question and put in the link)? Another question: why OpenLDAP? Do you know that ADAM (AD-like) runs on Windows and is free? (Snot)
I need to create new users and groups (not migrate them from AD) in OpenLDAP using the same scheme (classes, attributes) used by Active Directory. I can't provide the document I mentioned; it's proprietary. I know ADAM, but I can't use it (the solution should be Linux-based). Thanks for your interest. (Veteran)
This answer is useful for later OpenLDAP versions: #45539052 (Restrict)
It's almost impossible to convert the entire Active Directory schema to OpenLDAP; it's huge. However, we can add only the needed attributes and classes:

# Only the AD attributes and classes the application needs. The OIDs are the
# ones Active Directory assigns to groupType, memberOf, user and group.
attributetype ( 1.2.840.113556.1.4.750 NAME 'groupType'
    DESC 'AD groupType: scope flag bits plus 0x80000000 for a Security group'
    EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )

# memberOf holds DNs, so give it DN syntax and a matching rule; without EQUALITY
# a filter such as (memberOf=cn=ReadWrite,...) is rejected by slapd.
# Do not define it here if you load the memberof overlay: the overlay provides
# the attribute (same OID) and maintains it from the groups' member values.
attributetype ( 1.2.840.113556.1.2.102 NAME 'memberOf'
    DESC 'groups this entry is a member of'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

objectclass ( 1.2.840.113556.1.5.9 NAME 'user'
    DESC 'a user'
    SUP organizationalPerson STRUCTURAL
    MUST ( cn )
    MAY ( userPassword $ memberOf ) )

objectclass ( 1.2.840.113556.1.5.8 NAME 'group'
    DESC 'a group of users'
    SUP top STRUCTURAL
    MUST ( groupType $ cn )
    MAY ( member ) )

Then it's easy to create an LDIF file for inserting the users and groups:

# Entries are added in file order, so each parent comes before its children.
dn: dc=myCompany
objectClass: top
objectClass: dcObject
objectClass: organization
dc: myCompany
o: LocalBranch

dn: ou=People,dc=myCompany
objectClass: top
objectClass: organizationalUnit
ou: People
description: Test database

dn: cn=Users,dc=myCompany
objectClass: groupOfNames
objectClass: top
cn: Users
member: cn=Manager,cn=Users,dc=myCompany

# "userPassword::" (two colons) means the value is base64; both values in this
# file decode to unsalted {SHA} hashes. Prefer {SSHA}, which slappasswd emits
# by default.
dn: cn=Manager,cn=Users,dc=myCompany
objectClass: person
objectClass: top
cn: Manager
sn: Manager
userPassword:: e1NIQX1tc0lKSXJCVU1XdmlPRUtsdktmV255bjJuWGM9

# groupType 2147483650 = 0x80000002: scope Global (0x2) + Security (0x80000000).
# AD itself reports the same value as the signed integer -2147483646.
dn: cn=ReadWrite,ou=People,dc=myCompany
objectClass: group
objectClass: top
cn: ReadWrite
groupType: 2147483650
member: cn=sysopr,ou=People,dc=myCompany

# Nothing links member and memberOf: keep them in step by hand (or use the
# memberof overlay), otherwise lookups from the group side and from the user
# side give different answers.
dn: cn=sysopr,ou=People,dc=myCompany
objectClass: user
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: sysopr
sn: team
memberOf: cn=ReadWrite,ou=People,dc=myCompany
userPassword:: e1NIQX1jUkR0cE5DZUJpcWw1S09Rc0tWeXJBMHNBaUE9
Veteran answered 23/9, 2011 at 17:41. Comments (1):
How do we add these attributeTypes and objectClasses? I tried to add them using Apache Directory Studio but it fails. (Turpin)
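The question asks where the "binary" group type and scope values come from, and the answer above writes one of them (2147483650) into LDIF by hand. As an added example (not code from the question or the answer), the following Python derives groupType from the flag bits Microsoft documents for that attribute, decodes a stored value back to scope and type, and generates the users and groups as one LDIF in which every group's member has a matching memberOf on the user, since nothing in the schema above links the two. The base DN dc=myCompany, the ou=People container and the account and group names are assumed for illustration; the one userPassword value is copied from the answer's LDIF so the encoder can be checked against it.

```python
# Added example, not code from the question or the answer above: derive groupType
# from the flag bits Microsoft documents for that attribute, then emit users and
# groups as one LDIF in which every member has a matching memberOf.  Class and
# attribute names follow the answer's custom schema; dc=myCompany, ou=People and
# the account and group names are assumed for illustration.
import base64

SCOPE_BITS = {                 # groupType scope flags (Microsoft's documented values)
    "Global": 0x00000002,
    "DomainLocal": 0x00000004,
    "Universal": 0x00000008,
}
SECURITY_ENABLED = 0x80000000  # set: "Security" group; clear: "Distribution" group


def group_type(scope, security=True):
    """Unsigned 32-bit groupType for a scope and Security/Distribution type."""
    value = SCOPE_BITS[scope]
    return value | SECURITY_ENABLED if security else value


def to_signed32(value):
    """AD stores groupType as a signed 32-bit integer, so a security group (high
    bit set) is returned by AD as e.g. -2147483646 rather than 2147483650.
    Store this form if the application compares against what AD returns."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def decode_group_type(value):
    """Map a groupType (signed or unsigned) back to (scope, is_security)."""
    value &= 0xFFFFFFFF
    scopes = [name for name, bit in SCOPE_BITS.items() if value & bit]
    if len(scopes) != 1:
        raise ValueError(f"groupType {value:#x} does not name exactly one scope")
    return scopes[0], bool(value & SECURITY_ENABLED)


def _safe_string(value):
    """RFC 2849: 'name: value' only for printable ASCII not starting with
    space, ':' or '<'; everything else must be written base64 as 'name:: '."""
    if value == "":
        return True
    if value[0] in " :<":
        return False
    return all(0 < ord(c) < 128 and c not in "\r\n" for c in value)


def ldif_entry(dn, attrs):
    """Serialise one entry from (name, value-or-list) pairs.  userPassword is
    always base64-encoded, as OpenLDAP's own tools write it."""
    lines = [f"dn: {dn}"]
    for name, values in attrs:
        for value in ([values] if isinstance(values, str) else values):
            if name != "userPassword" and _safe_string(value):
                lines.append(f"{name}: {value}")
            else:
                encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
                lines.append(f"{name}:: {encoded}")
    return "\n".join(lines) + "\n"


def build_ldif(base_dn, groups, users):
    """groups: {name: (scope, is_security)}; users: {cn: (sn, userPassword, [group])}.
    member and memberOf are both derived from the users' group lists, so the two
    sides cannot disagree.  Users are written first, then the groups."""
    people = f"ou=People,{base_dn}"
    members = {name: [] for name in groups}
    entries = []
    for cn, (sn, password, group_names) in users.items():
        dn = f"cn={cn},{people}"
        for name in group_names:
            if name not in groups:
                raise ValueError(f"{cn}: unknown group {name!r}")
            members[name].append(dn)
        entries.append(ldif_entry(dn, [
            ("objectClass", ["top", "person", "organizationalPerson", "user"]),
            ("cn", cn),
            ("sn", sn),
            ("memberOf", [f"cn={name},{people}" for name in group_names]),
            ("userPassword", password),
        ]))
    for name, (scope, security) in groups.items():
        entries.append(ldif_entry(f"cn={name},{people}", [
            ("objectClass", ["top", "group"]),
            ("cn", name),
            ("groupType", str(group_type(scope, security))),
            ("member", members[name]),
        ]))
    return "\n".join(entries)


# Constructed sample data.  The userPassword is the sysopr value from the answer's
# LDIF (an unsalted {SHA} hash, kept so the encoder can be checked against that
# line); make real values with slappasswd, whose default is salted {SSHA}.
SAMPLE_GROUPS = {"ReadWrite": ("Global", True), "ReadOnly": ("Global", True)}
SAMPLE_USERS = {
    "sysopr": ("team", "{SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=", ["ReadWrite"]),
    "sysconf": ("team", "{SHA}cRDtpNCeBiql5KOQsKVyrA0sAiA=", ["ReadOnly", "ReadWrite"]),
}

if __name__ == "__main__":
    print(build_ldif("dc=myCompany", SAMPLE_GROUPS, SAMPLE_USERS))
```

Running it prints an LDIF you can feed to ldapadd. One point worth checking against the application: AD returns groupType as a signed 32-bit integer, so a global security group reads as -2147483646 from a domain controller, not 2147483650; if the application compares the raw value it saw from AD, store to_signed32(group_type("Global")) instead. OpenLDAP's Integer syntax accepts either form, and decode_group_type recovers the same scope and type from both.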
OK, here is the beginning of an answer:

Once you have installed your OpenLDAP:

A - Edit your slapd.conf:

1) Modify the schemas included

include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema

2) Modify the schema files as explained in this FAQ

3) Modify your naming context (personally I'm using HDB as the backend)

database hdb
suffix "dc=dom,dc=com"
rootdn "cn=Manager,dc=dom,dc=com"
# rootpw also accepts a hash in userPassword form: paste the output of
# slappasswd here instead of a cleartext password
rootpw secret
directory /usr/local/var/openldap-hdb

4) Then restart your directory

B - Insert your root

Here is the LDIF file (root.ldif)

dn: dc=dom,dc=com
objectclass: dcObject
objectclass: organization
o: Company name
dc: dom

Here is the command line

ldapadd -x -D "cn=Manager,dc=dom,dc=com" -W -f root.ldif

C - Insert a user

Here is the LDIF file (user.ldif)

dn: cn=user1,dc=dom,dc=com
objectClass: inetOrgPerson
sn: users
cn: user1
telephoneNumber: 9999

Here is the command line

ldapadd -x -D "cn=Manager,dc=dom,dc=com" -W -f user.ldif

D - A piece of advice

Apache Directory Studio is, for me, a VERY good LDAP browser; it's open source and runs on top of Java on Linux and Windows. Using it you can graphically browse AD and OpenLDAP and do parts B and C just by clicking.

The Active Directory schema (classes and attributes) is documented on MSDN. For example, here is the information about groupType. Is this what you expect?

Snot answered 31/8, 2011 at 14:24. Comments (2):
Thanks, but you gave just generic instructions for setting up OpenLDAP; I've already done that (and I'm using Apache Directory Studio). What I need to know is how to create users and groups in the specific way AD does. The group type and group scope attributes, for example, aren't simply the strings "Security" and "Global"; they use long numeric constants (which I didn't have). (Veteran)
I edited my answer, but I'm not sure I understand what you expect. (Snot)
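The slapd.conf above keeps rootpw as the cleartext word "secret". As an added example (not the answer's own code), the following Python builds the {SSHA} value that slappasswd produces, which can be pasted in place of the cleartext on the rootpw line and is also the form userPassword should hold, and verifies a stored value of either the salted {SSHA} or the unsalted {SHA} kind, including one taken straight from a base64 "userPassword::" LDIF line. The 4-byte salt length matches slappasswd's default; verification reads the salt from the stored value, so other lengths are accepted too. The sample LDIF line is the sysopr password from the first answer; the passphrase and the wrong candidate are made up.

```python
# Added example, not code from the answer above: produce and verify the {SSHA}
# values slapd.conf accepts for rootpw and that userPassword should hold.
# Format (what slappasswd emits): "{SSHA}" + base64(SHA-1(password || salt) || salt).
import base64
import hashlib
import hmac
import os


def ssha_hash(password, salt=None):
    """'{SSHA}' + base64(sha1(password + salt) + salt); random 4-byte salt by default."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password):
    """Unsalted '{SHA}' form as used in the first answer's LDIF: equal passwords
    give equal hashes, so keep this only for checking existing values."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ldif_password_value(line):
    """Accept 'userPassword:: <base64>' or 'userPassword: <value>' from an LDIF,
    or a bare '{SCHEME}...' string, and return the '{SCHEME}...' string."""
    if line.startswith("userPassword:: "):
        return base64.b64decode(line[len("userPassword:: "):]).decode("utf-8")
    if line.startswith("userPassword: "):
        return line[len("userPassword: "):]
    return line


def check_password(stored, candidate):
    """Constant-time check of candidate against a {SSHA} or {SHA} value."""
    stored = ldif_password_value(stored)
    if not stored.startswith("{") or "}" not in stored:
        return False
    scheme, _, data = stored[1:].partition("}")
    raw = base64.b64decode(data)
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes; the rest is salt
    elif scheme.upper() == "SHA":
        digest, salt = raw, b""
    else:
        raise ValueError(f"unsupported password scheme {scheme!r}")
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


def rootpw_line(password):
    """slapd.conf line to use instead of a cleartext 'rootpw secret'."""
    return "rootpw " + ssha_hash(password)


# Constructed usage: the LDIF line is the sysopr userPassword from the first answer.
SYSOPR_LINE = "userPassword:: e1NIQX1jUkR0cE5DZUJpcWw1S09Rc0tWeXJBMHNBaUE9"

if __name__ == "__main__":
    print(rootpw_line("choose-a-real-passphrase"))
    print(ldif_password_value(SYSOPR_LINE))
    print(check_password(SYSOPR_LINE, "definitely-wrong-candidate-9f3a"))
```

The salt is what makes {SSHA} worth the change: two accounts with the same password get different stored values, and a precomputed table of SHA-1 digests no longer applies. slapd verifies simple binds against the stored hash exactly as check_password does, so the same value works for rootpw in slapd.conf and for userPassword in an LDIF.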
