≡ Menu

How to Add LDAP Users and Groups in OpenLDAP on Linux

To add something to the LDAP directory, you need to first create a LDIF file.

The ldif file should contain definitions for all attributes that are required for the entries that you want to create.

With this ldif file, you can use ldapadd command to import the entries into the directory as explained in this tutorial.

If you are new to OpenLDAP, you should first install OpenLDAP on your system.

Create a LDIF file for New User

The following is a sample LDIF file that will be used to create a new user.

# cat adam.ldif
dn: uid=adam,ou=users,dc=tgs,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

Add a LDAP User using ldapadd

Now, use ldapadd command and the above ldif file to create a new user called adam in our OpenLDAP directory as shown below:

# ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f adam.ldif
Enter LDAP Password:
adding new entry "uid=adam,ou=users,dc=tgs,dc=com"

Assign Password to LDAP User

To set the password for the LDAP user we just created above, use ldappasswd command as shown in the below example:

# ldappasswd -s welcome123 -W -D "cn=ramesh,dc=tgs,dc=com" -x "uid=adam,ou=users,dc=tgs,dc=com"
Enter LDAP Password:

In the above command:

  • -s specify the password for the username entry
  • -x The username entry for which the password is changed
  • -D specify your DN here. i.e Distinguished name to authenticate in the server

Create LDIF file for New Group

Similar to adding user, you’ll also need a ldif file to add a group.

To add a new group to the LDAP groups OU, you need to create a LDIF with the group information as shown in the example ldif file below.

# cat group1.ldif
dn: cn=dbagrp,ou=groups,dc=tgs,dc=com
objectClass: top
objectClass: posixGroup
gidNumber: 678

Add a LDAP Group using ldapadd

Just like adding user, use ldapadd command to add the group from the group1.ldif file that we created above.

# ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f group1.ldif
Enter LDAP Password:
adding new entry "cn=dbagrp,ou=groups,dc=tgs,dc=com"

Create LDIF file for an existing Group

To add an existing user to a group, we should still create an ldif file.

First, create an ldif file. In this example, I am adding the user adam to the dbagrp (group id: 678)

# cat file1.ldif
dn: cn=dbagrp,ou=groups,dc=tgs,dc=com
changetype: modify
add: memberuid
memberuid: adam

Add an User to an existing Group using ldapmodify

To add an user to an existing group, we’ll be using ldapmodify. This example will use the above LDIF file to add user adam to dbagrp.

# ldapmodify -x -W -D "cn=ramesh,dc=tgs,dc=com" -f file1.ldif
Enter LDAP Password:
modifying entry "cn=dbagrp,ou=groups,dc=tgs,dc=com"

Verify LDAP Entries

Once you’ve added an user or group, you can use ldapsearch to verify it.

Here is a simple example to verify if the users exists in the LDAP database:

# ldapsearch -x -W -D "cn=ramesh,dc=tgs,dc=com" -b "uid=adam,ou=users,dc=tgs,dc=com" "(objectclass=*)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <uid=adam,ou=users,dc=tgs,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# adam, users, tgs.com
dn: uid=adam,ou=users,dc=tgs,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: adam
uid: adam
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/adam
loginShell: /bin/bash
gecos: adam
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
userPassword:: e1NTSEF9b0lPd3AzYTBmT2xQcHBPNDcrK0VHRndEUjdMV2hSZ2U=

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

Delete an Entry from LDAP using ldapdelete

If you’ve made a mistake while adding an user or group, you can remove the entry using ldapdelete.

To delete an entry, you don’t need to create an ldif file. The following will delete user “adam” that we created earlier.

# ldapdelete -W -D "cn=ramesh,dc=tgs,dc=com" "uid=adam,ou=users,dc=tgs,dc=com"
Enter LDAP Password:
Add your comment

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

Comments on this entry are closed.

  • dipanjan mukherjee February 25, 2015, 3:46 am

    Thnx a lot. I have waited for this since the first part.

  • kiran March 2, 2015, 4:40 am

    Dear Sir,

    This is kiran sir, I already contact with gmail.My request could you please post a ldap migration from on server to another it is also important

  • marcos March 4, 2015, 6:11 pm

    do you have tutorial on how to understand structure of ldap? it is hard to understand the cn and ou and other tags

  • venkatesh March 18, 2015, 9:29 am

    Dear Sir,
    Please continue your next openldap article. It is very simple and interesting. Show us how to authenticate users via nfs and how use phpldapadmin utility. Above you have showed how to add user adam to directory-I am confusing here. should we use useradd command to create a user before adding user to directory? Kindly continue…

    With best wishes
    Venkatesh
    Bangalore

  • venkatesh March 26, 2015, 9:21 am

    Hi Ramesh!
    Many many thanks for your OpenLDAP article. I am very new to Openldap. I was searching this type of basic article. I found many and old-requires previous versions of centos or redhat systems and requires previous knowledge about ldap. Yours is very basic and following step by step. As I told I am very new to openldap, I am facing lot of problems and no-one around me to solve the basic doubts. I have a small doubt, please guide me.

    in your above “How to Add LDAP Users and Groups in OpenLDAP on Linux” article, ‘Add a LDAP User using ldapadd ‘ section, should we create a ‘adam user’ by using useradd command before running the command->

    ldapadd -x -W -D “cn=ramesh,dc=tgs,dc=com” -f adam.ldif ?
    because after running above command, I am not finding a adam directory in /home directory.

    Please clarify. I am eagerly waiting for your reply..
    Sorry for the grammatical errors.

    Thanks
    Venkatesh
    India

  • Gerry May 25, 2015, 1:05 pm

    First of all thumbs on both this and the previous article!

    I’m getting very confused with setting this up. I’ve got the following user

    [root@localhost ldap]# ldapadd -x -W -D “cn=gmullin,dc=lava,dc=com” -f newusers.ldif
    Enter LDAP Password:
    adding new entry “uid=hduser,ou=users,dc=lava,dc=com”
    ldap_add: Invalid syntax (21)
    additional info: objectClass: value #1 invalid per syntax

    [root@localhost ldap]# cat newusers.ldif
    dn: uid=hduser,ou=users,dc=lava,dc=com
    objectClass: top
    objectClass: account
    objectClass: posixAccount
    objectClass: shadowAccount
    cn: hduser
    uid: hduser
    uidNumber: 16860
    gidNumber: 100
    homeDirectory: /home/hduser
    loginShell: /bin/bash
    gecos: hduser
    userPassword: {crypt}x
    shadowLastChange: 0
    shadowMax: 0
    shadowWarning: 0

    After a quick Google, I’m told I need to load my schema (how come yours is already loaded?), with something like the following:

    ldapadd -Y EXTERNAL -H ldapi:// -f /usr/local/etc/openldap/schema/nis.ldif

    How do I get the appropriate schema for this article?

    Help is greatly appreciated!

  • MaxiReglisse June 12, 2015, 1:19 am

    Hello Ramesh,

    Very very good tutorial. Thanks !
    I am sure that it will be suitable for a lot of people. but i think there is a little mistake with the option of ldapadd.

    indeed, you should use -l and not -f when you use ldapadd, as the manual says it :
    SLAPADD(8)
    /usr/sbin/slapadd [-b suffix] [-c] [-d debug-level] [-f slapd.conf] [-F confdir] [-g] [-j lineno] [-l ldif-file] [-n dbnum] [-o option[=value]] [-q] [-s] [-S SID] [-u] [-v] [-w]

    Hope it will be useful ! 😉

    MaxiReglisse.

  • Elijah July 20, 2015, 11:54 am

    Question. In our dev environment I need to add many test dummy accounts in order to test the impact on our system. How can I go about adding in 20k, 50, 100k users into OpenLdap? Do I really have to have to build a custom JAVA project that calls the add command that many times or is there another way to get this job done?

  • Vaibhav Chauhan September 3, 2015, 11:26 am

    Do we need to add group and users in *nix systems before creating and executing add-user.ldif file LDAP

  • MOEURNG METT June 18, 2016, 4:44 am

    how to create sub-ou in ldap