Introduction
This article demonstrates how to add a user to more than one Active Directory group (and remove it from those groups again) using LDIF templates.
About LDIF Entries
User accounts are managed through LDIF entries. An entry can be supplied either as plain LDIF or as a base64-encoded LDIF string; in both cases the string is parsed and validated against LDIF syntax (RFC 2849) before it is applied, so a formatting mistake is rejected rather than applied partially. A good reference for proper LDIF syntax can be found here.
Pre-requisites
Before crafting your LDIF entries, keep the following important points in mind:
- There must be no trailing spaces on any line, including empty lines.
- Each block (add, modify or delete) must be preceded by an empty line; the empty line is what separates one LDIF record from the next.
- Multiple modifications for the same DN can be defined in a single modify block, with each modification closed by a line containing a single dash (-). The dash belongs only in modify blocks; an add or delete block must not end with one.
In this article, we're focusing on dynamic users, i.e. accounts that are created and deleted on demand to back vault-issued dynamic credentials, which is why the templates use the {{.Username}} placeholder. Customers who want to use existing static users instead need to replace that placeholder with the distinguished name (DN) of the user.
For example, if a static user named Eshant already exists in Active Directory, his distinguished name is referenced in the templates like this:
dn: CN=Eshant Arora,CN=Users,DC=eshant-addomain,DC=com
To create a user programmatically in Active Directory (AD), refer to the official documentation for additional details.
Steps
Adding a user to groups via LDIF:
To create a user and add it to a single group via LDIF, use the following creation.ldif:
# Create the account
dn: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userPrincipalName: {{.Username}}@eshant-addomain.com
sAMAccountName: {{.Username}}

# Set the password and enable the account. The base64 password value is not
# shown here; AD expects the quoted password encoded as UTF-16LE and only
# accepts unicodePwd writes over an encrypted (LDAPS) connection.
# 66048 = 0x10200 = NORMAL_ACCOUNT (0x200) | DONT_EXPIRE_PASSWORD (0x10000)
dn: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::
-
replace: userAccountControl
userAccountControl: 66048
-

# Add the new account to the Support group
dn: CN=Support,CN=Users,DC=eshant-addomain,DC=com
changetype: modify
add: member
member: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com
-
To add the user to multiple groups, extend the same creation.ldif with one modify block per group:
# Create the account
dn: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
userPrincipalName: {{.Username}}@eshant-addomain.com
sAMAccountName: {{.Username}}

# Set the password (base64 value not shown here) and enable the account
dn: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::
-
replace: userAccountControl
userAccountControl: 66048
-

# Add the account to the Support group
dn: CN=Support,CN=Users,DC=eshant-addomain,DC=com
changetype: modify
add: member
member: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com
-

# Add the account to the Managers group (repeat this block for each further group)
dn: CN=Managers,CN=Users,DC=eshant-addomain,DC=com
changetype: modify
add: member
member: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com
-
Deleting a user from groups via LDIF:
To remove a user from groups in an LDAP directory, specify the distinguished names (DNs) of both the user and each group it should be removed from. Remove the user from every group first, then delete the user object itself; the delete block carries no modifications and therefore no closing dash. Here is a basic template for your deletion.ldif file:
# LDIF file to remove a user from its groups and then delete it

# Remove user from Support group
dn: CN=Support,CN=Users,DC=eshant-addomain,DC=com
changetype: modify
delete: member
member: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com
-

# Optionally, repeat this block for each additional group
# Remove user from the Managers group
dn: CN=Managers,CN=Users,DC=eshant-addomain,DC=com
changetype: modify
delete: member
member: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com
-

# Delete the user (no trailing dash: "-" is only valid inside a modify block)
dn: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com
changetype: delete
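The formatting rules in the pre-requisites are easy to break when editing creation.ldif and deletion.ldif by hand, and a rejected template is discovered only when a credential is requested. The following linter is an added example (not part of the original article or of any vendor tool) that checks a template for trailing whitespace, records that are not separated by an empty line, modifications in a modify block that are not closed with "-", and a stray "-" in an add or delete block; it also decodes a userAccountControl value so that 66048 can be read as flags. The two sample templates inside it are constructed for the example and mirror the ones above, with a trailing space and a dash after "changetype: delete" planted in the deletion template.

```python
"""Lint LDIF templates against the formatting rules in the pre-requisites.

Added example; not part of the original article. Go template placeholders
such as {{.Username}} are treated as opaque text. The sample LDIF strings
at the bottom are constructed for this example.
"""
import re

MOD_SPEC = re.compile(r"^(add|delete|replace):")

# Subset of userAccountControl bits (values from the Microsoft documentation)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def split_records(text):
    """Split LDIF into records on empty lines: list of (first_line_no, lines)."""
    records, current, start = [], [], None
    for num, line in enumerate(text.splitlines(), 1):
        if line.strip() == "":
            if current:
                records.append((start, current))
            current, start = [], None
            continue
        if start is None:
            start = num
        current.append(line)
    if current:
        records.append((start, current))
    return records


def lint_ldif(text):
    """Return a list of findings; an empty list means the template is clean."""
    findings = []
    for num, line in enumerate(text.splitlines(), 1):
        if line != line.rstrip():
            findings.append(f"line {num}: trailing whitespace")

    for start, lines in split_records(text):
        body = [l for l in lines if not l.startswith("#")]  # drop comments
        if not body:
            continue
        if not body[0].startswith("dn:"):
            findings.append(f"line {start}: record does not begin with dn:")
            continue
        if any(l.startswith("dn:") for l in body[1:]):
            findings.append(f"line {start}: two dn: lines in one record; "
                            "separate records with an empty line")
            continue
        changetype = next((l.split(":", 1)[1].strip()
                           for l in body if l.startswith("changetype:")), None)
        if changetype == "modify":
            open_spec = False  # True while a mod-spec awaits its closing "-"
            for l in body:
                if MOD_SPEC.match(l):
                    if open_spec:
                        findings.append(f"line {start}: '{l}' follows a "
                                        "modification not closed with '-'")
                    open_spec = True
                elif l == "-":
                    open_spec = False
            if open_spec:
                findings.append(f"line {start}: last modification not closed with '-'")
        elif "-" in body:
            findings.append(f"line {start}: '-' is only valid in a modify record "
                            f"(this one is changetype: {changetype})")
    return findings


# Constructed creation template that follows all of the rules.
GOOD_CREATION = "\n".join([
    "dn: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com",
    "changetype: add",
    "objectClass: user",
    "sAMAccountName: {{.Username}}",
    "",
    "dn: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com",
    "changetype: modify",
    "replace: userAccountControl",
    "userAccountControl: 66048",
    "-",
    "",
    "dn: CN=Support,CN=Users,DC=eshant-addomain,DC=com",
    "changetype: modify",
    "add: member",
    "member: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com",
    "-",
])

# Constructed deletion template with two planted mistakes.
BAD_DELETION = "\n".join([
    "# Remove user from Support group",
    "dn: CN=Support,CN=Users,DC=eshant-addomain,DC=com",
    "changetype: modify",
    "delete: member",
    "member: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com",
    "-",
    "",
    "# Delete the user",
    "dn: CN={{.Username}},CN=Users,DC=eshant-addomain,DC=com",
    "changetype: delete ",  # trailing space
    "-",                    # dash is not allowed outside a modify record
])

if __name__ == "__main__":
    for name, text in (("creation.ldif", GOOD_CREATION), ("deletion.ldif", BAD_DELETION)):
        problems = lint_ldif(text)
        print(f"{name}: {'OK' if not problems else 'PROBLEMS'}")
        for p in problems:
            print("  " + p)
    print("userAccountControl 66048 =", ", ".join(decode_uac(66048)))
```

Run it on your own files with `lint_ldif(open("creation.ldif").read())` before uploading the templates; the linter deliberately does not validate attribute values, because those are only known once the placeholders have been rendered.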