@mcgarrigle
Last active February 10, 2022 08:15
assumption:
/etc/openldap/ldap.conf is correct:
SASL_NOCANON on
URI ldaps://ipa.foo.com
BASE dc=foo,dc=com
TLS_CACERT /etc/ipa/ca.crt
check LDAP (the URI and BASE come from ldap.conf; the Directory Manager password is a placeholder here):
ldapsearch -x -D 'cn=Directory Manager' -w password "(objectClass=*)"
create new bindDN:
create a script:
#!/bin/bash
# run on the FreeIPA server
# usage: ./create-binddn.sh <uid>
set -euo pipefail
user="${1:?usage: $0 <uid>}"
# ipa-ldap-updater creates the sysaccount entry from the 'add:' lines below;
# the password is a placeholder and the update file holds it in cleartext
cat <<EOF >ldap-binddn.update
dn: uid=${user},cn=sysaccounts,cn=etc,dc=foo,dc=com
add:objectclass:account
add:objectclass:simplesecurityobject
add:uid:${user}
add:userPassword:changeme
add:passwordExpirationTime:20380119031407Z
add:nsIdleTimeout:0
EOF
cat ldap-binddn.update
ipa-ldap-updater ldap-binddn.update
# remove the update file once applied so the cleartext password is not left on disk
rm -f ldap-binddn.update
test (bind as the new sysaccount with the password set above):
ldapsearch -v -x -D 'uid=tomcat,cn=sysaccounts,cn=etc,dc=foo,dc=com' -w changeme "(objectClass=*)"
or use a regular user account in cn=users,cn=accounts (note the different base DN for this lab):
ldapsearch -x -h lab.mac.wales -b 'dc=lab,dc=mac,dc=wales' -D 'uid=bind,cn=users,cn=accounts,dc=lab,dc=mac,dc=wales' -w CHANGEME
delete a binddn:
#!/bin/bash
# run on the FreeIPA server
# usage: ./delete-binddn.sh <uid>
set -euo pipefail
user="${1:?usage: $0 <uid>}"
# 'deleteentry' tells ipa-ldap-updater to remove the whole entry named by dn:
cat <<EOF >ldap-binddn.update
dn: uid=${user},cn=sysaccounts,cn=etc,dc=foo,dc=com
deleteentry
EOF
cat ldap-binddn.update
ipa-ldap-updater ldap-binddn.update
rm -f ldap-binddn.update
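Added example (not part of the gist): the create and delete scripts above combined into one script that validates the uid before interpolating it into the DN, reads the bind password from the terminal instead of hardcoding it, and feeds ipa-ldap-updater from a mode-0600 temporary file that is deleted afterwards. The base DN dc=foo,dc=com and the sysaccounts container are taken from the gist; BASE_DN, the function names and the create/delete argument convention are this example's own assumptions.

```bash
#!/bin/bash
# Added example, not the gist author's code. Builds ipa-ldap-updater input for a
# FreeIPA sysaccount bind DN. Assumes the gist's base DN unless BASE_DN is set.
set -euo pipefail

BASE_DN="${BASE_DN:-dc=foo,dc=com}"

# Accept only a conservative uid (letters, digits, dot, underscore, hyphen).
# Anything else would be written raw into the dn: line of the update file.
valid_uid() {
  case "$1" in
    ''|*[!A-Za-z0-9._-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the update-file content that creates the sysaccount.
# $1 = uid, $2 = password. Same attributes as the gist's create script.
binddn_create_update() {
  local user="$1" pass="$2"
  printf 'dn: uid=%s,cn=sysaccounts,cn=etc,%s\n' "$user" "$BASE_DN"
  printf 'add:objectclass:account\n'
  printf 'add:objectclass:simplesecurityobject\n'
  printf 'add:uid:%s\n' "$user"
  printf 'add:userPassword:%s\n' "$pass"
  printf 'add:passwordExpirationTime:20380119031407Z\n'
  printf 'add:nsIdleTimeout:0\n'
}

# Print the update-file content that deletes the sysaccount ($1 = uid).
binddn_delete_update() {
  printf 'dn: uid=%s,cn=sysaccounts,cn=etc,%s\n' "$1" "$BASE_DN"
  printf 'deleteentry\n'
}

# Read update content from stdin into a 0600 temp file (mktemp's default mode),
# hand it to ipa-ldap-updater, and remove the file on exit so the cleartext
# password does not stay on disk. Must run on the FreeIPA server.
apply_update() {
  local tmp
  tmp="$(mktemp)"
  trap 'rm -f "$tmp"' EXIT
  cat >"$tmp"
  ipa-ldap-updater "$tmp"
}

# usage: ./binddn.sh create <uid>   (password is prompted for, not echoed)
#        ./binddn.sh delete <uid>
main() {
  local action="${1:-}" user="${2:-}" pass
  valid_uid "$user" || { echo "invalid uid: '$user'" >&2; return 2; }
  case "$action" in
    create)
      IFS= read -r -s -p 'Bind password for new sysaccount: ' pass; echo
      binddn_create_update "$user" "$pass" | apply_update ;;
    delete)
      binddn_delete_update "$user" | apply_update ;;
    *)
      echo "usage: $0 {create|delete} <uid>" >&2; return 2 ;;
  esac
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

After `create`, verify the account can bind without putting the password on the command line (`-W` prompts, so it does not show up in the process list): `ldapwhoami -x -D 'uid=tomcat,cn=sysaccounts,cn=etc,dc=foo,dc=com' -W`.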
Active Directory: search users
ldapsearch -x -h ad01.foo.com \
  -D 'cn=bindn,dc=foo,dc=com' -w changeme \
  -b 'cn=users,dc=foo,dc=com' \
  '(sAMAccountName=theusername)'