Posted on Thu 28 May 2020
In the spirit of “the best way to get a correct answer is to post an obviously wrong answer on USENET”, I hereby present the most efficient method of mass-alteration of LDAP user entities I can think of.
You probably shouldn’t do this.
As you know, LDAP is a terrible protocol for getting basic user information and handling authentication of them. You also probably know that it is a well-established standard, and so it is likely to be among (or the sole) method of getting authentication in your new application without maintaining yet another username/password database. Also, the replacements for LDAP tend to want to use LDAP as a source of knowledge.
There is, effectively, one open-source LDAP server: OpenLDAP, also called slapd. There are effective but non-powerful tools to manipulate the data: ldapsearch and ldapmodify. Do not be deceived by the existence of ldapadd and ldapdelete: those are ldapmodify in disguise.
When setting up users in that tenuous space between four and many – if there are four, you can probably ask them all to come sit down and type in a password, whereas many is the number where that just isn’t feasible – I have found that the best plan is as follows:
Construct an ldif file for your users with the help of migrationtools, which is probably in a package of that name.
Edit the ldif file with the help of vim or emacs, whichever makes you happiest. Use lots of regexps.
For example, the form:
s/cn: \(\a*\) \(\a*\)/cn: \1 \2\rgn: \1/
That looks for common names (Maeve Binghy), separates them by the first space, and writes the given name field on the next line. You can do a similar thing with sn: \2 to get the surname field.
There are falsehoods you should know about names, and this violates several of them – but it gets you going.
Then make careful edits.
Then delete all the dn’s that you no longer care about and re-insert them. If you grep the dn: field out of your ldif into a new one, then remove the prefix dn:, ldapdelete will take that. Make sure you have blank lines separating them.
There, I told you it was awful.
UPDATE: Apparently I’m not the only one.
apt show ldapvi:
Package: ldapvi
Version: 1.7-10+b3
Section: text
Maintainer: Rhonda D'Vine <rhonda@debian.org>
Homepage: http://www.lichteblau.com/ldapvi/
APT-Sources: http://http.debian.net/debian buster/main amd64 Packages
Description: perform an LDAP search and update results using a text editor
From a first glance ldapvi looks like ldapsearch: You search for entries in
the ldap database. But the results get opened in your preferred editor, and
you can change, add or delete entries from there. After you are done you quit
the editor and ldapvi offers you several options: View your changes as LDIF,
commit changes or discard them.
I rest my case.