Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2771
  • Last Modified:

changing several users attributes through command line (LDAP)

Hi There,

I am newbie to this LDAP implementation stuff. So kindly excuse me if I sound like silly.

I need to write a linux script which should do:
1. Identify who are all users pwdChangedTime set to specific date.
2. based on the given users i need to change their pwdChangedTime attribute one by one.

Condition is, I shouldn't use ldif file. I need to go to ldap command line(I don't know how to do this even manually :( ) then fire the commands to change the attribute, pwdChangedTime.

Can any one guide me how to achieve this?
0
yarabati
Asked:
yarabati
  • 4
  • 3
2 Solutions
 
yarabatiAuthor Commented:

Any one there to hear me??

I have done some part to help myself, I would like to know how to change all the user attributes (pwdChangedTime) through command line with out using ldif files!
0
 
MysidiaCommented:
The only command line method to update LDAP data  _IS_  LDIF, and is the recommended way to make changes of this nature.

You want to use the 'ldapmodify'  command to bind to the directory and transmit some LDIF data  of the form,
i.e.

#ldapsearch -D cn=rootuser -Wx -b "cn=users,dc=example,dc=com" -s sub "(&(pwdChangedTime>20090510000000Z)(pwdChangedTime<20090512000000Z))"
 

# ldapmodify -D cn=rootuser -Wx
dn: CN=someitemtochange, CN=users, DC=example, DC=com
changetype: modify
replace: pwdChangedTime
pwdChangedTime:20090512000000Z

[Press Enter Twice]
^D
0
 
nociSoftware EngineerCommented:
The varous scripting & compiled languages have their libraries to handle LDAP.

For PERL
  http://search.cpan.org/dist/perl-ldap

For JAVA
  http://www.mozilla.org/directory/javasdk.html 

For PHP
  http://pear.php.net/Net_LDAP2
  http://pear.php.net/Net_LDAP 

For Python
 http://python-ldap.sourceforge.net/

This should allow you to script a lot of things regarding LDAP.

Maybe a tool like ldapvi (vi etc. frontend to ldap is of use?)
  http://www.lichteblau.com/ldapvi/

It uses ldapsearch & ldapmodify etc + editor of choice (through EDITOR, PAGER environment variables) to update records.
0
Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

 
yarabatiAuthor Commented:
Thanks Mysidia & noci for the replies.

Please see Code snippet for the fired commands.

I modified using ldapmodify, but after if I try to check it, it still shows it's previous value. Not new values...
Any comments would be greatly received...
[root@ldap1 root]# idsldapsearch -D "cn=Directory Manager" -w <pwd-removed>-s base -b "uid=wpsadmin,ou=people,ou=current,dc=patni,dc=int" objectclass=* pwdChangedTime pwdAccountLockedTime pwdExpirationWarned pwdFailureTime pwdGraceUseTime pwdReset ibm-pwdAccountLocked
uid=wpsadmin,ou=People,ou=Current,dc=patni,dc=int
pwdChangedTime=22000101000000.000000Z
 
[root@ldap1 root]# ldapmodify -D "cn=Directory Manager" -w <pwd-removed>
dn: uid=wpsadmin,ou=people,ou=current,dc=patni,dc=int
changetype: modify
replace: pwdChangedTime
pwdChangedTime: 20380119031407Z
 
modifying entry uid=wpsadmin,ou=people,ou=current,dc=patni,dc=int
^D
 
[root@ldap1 root]# idsldapsearch -D "cn=Directory Manager" -w <pwd-removed> -s base -b "uid=wpsadmin,ou=people,ou=current,dc=patni,dc=int" objectclass=* pwdChangedTime pwdAccountLockedTime pwdExpirationWarned pwdFailureTime pwdGraceUseTime pwdReset ibm-pwdAccountLocked
uid=wpsadmin,ou=People,ou=Current,dc=patni,dc=int
pwdChangedTime=22000101000000.000000Z

Open in new window

0
 
MysidiaCommented:
Which LDAP server implementation are you using?
My first suggestion would be to try a value that isn't in the future, i.e.
try
pwdChangedTime: 20090513010100.000000Z

As I understand,
pwdChangedTime is an internal field that indicates the timestamp of last password change, for password policy implementation.

In some LDAP implementations,  this specific field 'pwdChangedTime'  is special, and  the standard may be enforced that an application updating the DB isn't
allowed to change it  it by default, or a date in the future might be prevented,
at least without reconfiguring the server in some manner to allow it.
Oracle's directory server is this way, for example.

Curious that it silently retains the original value and no error is indicated.


In  the Sun directory server docs, the field is noted as
( 1.3.6.1.4.1.42.2.27.8.1.16 NAME 'pwdChangedTime'
 DESC 'Directory Server defined password policy attribute type'
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
 SINGLE-VALUE
 NO-USER-MODIFICATION
 USAGE directoryOperation X-DS-USE 'internal'
 X-ORIGIN 'Password Policy for LDAP Directories Internet Draft' )






0
 
yarabatiAuthor Commented:
we are using IBM TDS 6.0.

Let me more specific in our problem:

We are using IBM TDS 6.0 FP3. Since our product is so matured we have over 2000 end-users using our product. For some internal issues/bugs with this version of TDS our clients are facing some problems. They want us to support with FP7.

As I said we have lot of users to our product it is devided under differnt groups Admins/non-admins. We have around 14 users created our application for internal communications between various servers. After we apply FP7, we are facing account expired problem and for that we have to change/re-set all existing users password in LDAP. As you know this doesn't make sense at all...

We contacted IBM support team on this, they told in FP4 they changed the maximum bit representation of time frame value. And the maximum in linux machines is 32 bit, pwdChangedTIme should be set to 20380119031407Z. We took this very seriously and changed 14 users (which our application uses for internal communications) successfully. Then after everything seems fine...

The question for us, apart from these users we have huge number of users in our LDAP (IBM TDS 6.0 FP7). We see some inconsistent behaviour and have to reset all users pwdChangedTime value to 20380119031407Z.

We have now no idea/plan how to move ahead on this, any suggestions will be greatly received from experts here...
0
 
MysidiaCommented:
When performing the ldapmodify use  the "-k" option,  to perform the modification as a server administration control action,  instead of as a user application action.
ldapmodify -D "cn=Directory Manager" -w <pwd-removed>  -k

As shown here... http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.IBMDS.doc/admin_gd39.htm


Or... Have you considered turning off password expiration,
by specifying an unlimited pwdMaxAge in ...

dn:cn=group_pwd_policy,cn=ibmPolicies


pwdMaxAge: 0
Should mean no password expiration.

 
0
 
yarabatiAuthor Commented:
Thanks a lot MysIdia...

I am going to close this thread with full points to you :), thanks once again for your support....
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

  • 4
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now