OpenLDAP Docker Container
https://github.com/osixia/docker-openldap
admin https://github.com/osixia/docker-phpLDAPadmin
http://ldapadmin.org/download/ldapadmin.html
Repos
https://github.com/leenooks/phpLDAPadmin
https://github.com/obrienlabs/phpldapadmin-for-xampp fork/modify of https://sourceforge.net/projects/phpldapadmin/files/ see code in https://github.com/obrienlabs/phpldapadmin-for-xampp/issues/2
openldap installation
# install docker - this pipes a remote script into sh as root; review the script first, or install docker-ce from the distro/Docker apt repo instead
curl https://releases.rancher.com/install-docker/18.09.sh | sh
sudo usermod -aG docker amdocs

# run openldap - ports 389/636 are published on all interfaces and the image's default admin password is "admin";
# set LDAP_ADMIN_PASSWORD for anything beyond a throwaway test, and publish to 127.0.0.1 only if the clients are local
amdocs@obriensystemsu0:~$ sudo docker run -p 389:389 -p 636:636 --name ldap-service --hostname ldap-service --detach osixia/openldap:1.2.4
b4d5c727a2a513351b6fdf5e172ea7319e4451cf16f158aa373da6ccc6bd0d4a

# verify with an authenticated search - because this binds as admin the userPassword hash comes back, so treat the output as sensitive
amdocs@obriensystemsu0:~$ sudo docker exec ldap-service ldapsearch -x -H ldap://localhost -b dc=example,dc=org -D "cn=admin,dc=example,dc=org" -w admin
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# example.org
dn: dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: Example Inc.
dc: example

# admin, example.org
dn: cn=admin,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9RjM5amZtWVRwTmJ0Q2VUVlA3RVg2aWtHc2dHeS9ESGc=

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
Setup Admin image - phpldapadmin
docker run --name phpldapadmin-service --hostname phpldapadmin-service --link ldap-service:ldap-host --env PHPLDAPADMIN_LDAP_HOSTS=ldap-host --detach osixia/phpldapadmin:0.8.0

amdocs@obriensystemsu0:~$ sudo docker ps -a
CONTAINER ID   IMAGE                       COMMAND                 CREATED         STATUS         PORTS                                        NAMES
1b83d81c3cd0   osixia/phpldapadmin:0.8.0   "/container/tool/run"   9 seconds ago   Up 8 seconds   80/tcp, 443/tcp                              phpldapadmin-service
b4d5c727a2a5   osixia/openldap:1.2.4       "/container/tool/run"   2 minutes ago   Up 2 minutes   0.0.0.0:389->389/tcp, 0.0.0.0:636->636/tcp   ldap-service

amdocs@obriensystemsu0:~$ sudo docker inspect -f "{{ .NetworkSettings.IPAddress }}" phpldapadmin-service
172.17.0.3

https://172.17.0.3/
(the phpldapadmin ports are not published, so the UI is only reachable from the docker host via the container IP; the image serves a self-signed certificate, so the browser warning is expected)
LDAP CLI
sudo docker exec -it ldap-service bash
root@ldap-service:/# ldapsearch -x -H ldap://localhost -b "dc=example,dc=org" -D "cn=admin,dc=example,dc=org" -s sub "(objectclass=*)" -w admin
Create Container or OU
Create 2nd Admin User
# admin ldif export
# LDIF Export for cn=admin,dc=example,dc=org
# Server: ldap-host (ldap-host)
# Search Scope: base
# Search Filter: (objectClass=*)
# Total Entries: 1
#
# Generated by phpLDAPadmin (http://phpldapadmin.sourceforge.net) on June 18, 2019 3:42 pm
# Version: 1.2.4

version: 1

# Entry 1: cn=admin,dc=example,dc=org
dn: cn=admin,dc=example,dc=org
cn: admin
description: LDAP administrator
objectclass: simpleSecurityObject
objectclass: organizationalRole
userpassword: {SSHA}HvaAeza5iELgw91g8b4fIP1X6kWjGGGf

# admin2 ldif import not working yet
version: 1

# Entry 1: cn=admin2,dc=example,dc=org
dn: cn=admin2,dc=example,dc=org
cn: admin2
creatorsname: cn=admin2,dc=example,dc=org
description: LDAP administrator2
entrydn: cn=admin2,dc=example,dc=org
hassubordinates: FALSE
modifiersname: cn=admin2,dc=example,dc=org
objectclass: simpleSecurityObject
objectclass: organizationalRole
structuralobjectclass: organizationalRole
subschemasubentry: cn=Subschema
userpassword: {SSHA}HvaAeza5iELgw91g8b4fIP1X6kWjGGGf

Why the admin2 import fails: creatorsname, modifiersname, entrydn, hassubordinates, structuralobjectclass and subschemasubentry are operational attributes that the server maintains itself (NO-USER-MODIFICATION), and an add that carries them is rejected. Import only dn, cn, description, objectclass and userpassword. Also, copying admin's {SSHA} value verbatim gives admin2 the same password as admin; set a distinct password for the second account instead (phpLDAPadmin can hash it as {SSHA} on the way in).
Modify phpldapadmin config
Modify phpldapadmin template
sudo docker exec -it phpldapadmin-service bash
root@phpldapadmin-service:/#
Standing up a Phpldapadmin instance without Docker
XAMPP version numbers track the bundled PHP version (XAMPP 7.2.x ships PHP 7.2.x, XAMPP 7.3.x ships PHP 7.3.x), so for code that only runs on PHP 7.2 install XAMPP 7.2.
This article is for PHP 7.3.6
Phpldapadmin is an excellent front end to openldap. In the rare case where you do not have access to either a kubernetes cluster or raw docker on a VM/BM instance - try running PhpLdapAdmin natively on a php+apache stack.
I have a lot of new found respect for the PHP stack - the turnaround time on editing the code or php library itself lends itself to very fast development.
Installation - PHP + Apache2
with docker
https://hub.docker.com/editions/community/docker-ce-desktop-windows
https://github.com/osixia/docker-phpLDAPadmin
without docker
https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-openldap-and-phpldapadmin-on-ubuntu-16-04
http://phpldapadmin.sourceforge.net/wiki/index.php/PreRequisites
https://www.thesitewizard.com/apache/install-and-configure-xampp.shtml
https://www.thesitewizard.com/apache/install-apache-on-vista.shtml
https://www.apachefriends.org/index.html - I installed 7.3.6-2 (a week later we are at xampp-windows-x64-7.3.6-3-VC15-installer.exe) - get a specific version from https://www.apachefriends.org/download.html
XAMPP Installation
Run the executable as administrator, deselect everything except Apache and PHP, and accept the default folder c:\xampp
XAMPP Installation Logs
5:58:23 PM [main] Initializing Control Panel
5:58:23 PM [main] Windows Version: Windows Server 2012 R2 64-bit
5:58:23 PM [main] XAMPP Version: 7.3.6
5:58:23 PM [main] Control Panel Version: 3.2.4 [ Compiled: Jun 5th 2019 ]
5:58:23 PM [main] Running with Administrator rights - good!
5:58:23 PM [main] XAMPP Installation Directory: "c:\xampp\"
5:58:23 PM [main] Checking for prerequisites
5:58:25 PM [main] All prerequisites found
5:58:25 PM [main] Initializing Modules
5:58:25 PM [main] The MySQL module is disabled
5:58:25 PM [main] The FileZilla module is disabled
5:58:25 PM [main] The Mercury module is disabled
5:58:25 PM [main] The Tomcat module is disabled
5:58:25 PM [main] Starting Check-Timer
5:58:25 PM [main] Control Panel Ready
# manually starting
5:58:48 PM [Apache] Attempting to start Apache app...
5:58:49 PM [Apache] Status change detected: running
php server up on apache 2
Enable LDAP on PHP
uncomment the following lines
$ vi /c/opt/xampp/php/php.ini
extension=php_openssl.dll
extension=php_ldap.dll
# added
extension=php_ftp.dll
Installing phpldapadmin code
https://sourceforge.net/projects/phpldapadmin/files/
mfobrien@biometricvm MINGW64 ~
$ cd /c/opt/xampp/htdocs/config

mfobrien@biometricvm MINGW64 /c/opt/xampp/htdocs/config
$ ls
config.php.example

mfobrien@biometricvm MINGW64 /c/opt/xampp/htdocs/config
$ cp config.php.example config.php

mfobrien@biometricvm MINGW64 /c/opt/xampp/htdocs/config
$ vi config.php

#$servers->setValue('server','name','My LDAP Server');
$servers->setValue('server','host','127.0.0.1');

/* The port your LDAP server listens on (no quotes). 389 is standard. */
// $servers->setValue('server','port',389);

# $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');
$servers->setValue('login','bind_id','cn=anadmin');

/* Your LDAP password. If you specified an empty bind_id above, this MUST also be blank. */
// $servers->setValue('login','bind_pass','');
$servers->setValue('login','bind_pass','password');

// $servers->setValue('server','base',array(''));
$servers->setValue('server','base',array('dc=...dc=ca'));

bind_id/bind_pass put a directory credential in clear text in a file under the web root. Keep config.php readable only by the Apache service account, and prefer leaving both blank (each user then binds with their own DN through the login form) unless the directory refuses the searches phpLDAPadmin needs before login.
Triage/Fixing of PHP and PhpLDAPAdmin version issues
see changes in
https://github.com/obrienlabs/phpldapadmin-for-xampp or https://github.com/obrienlabs/phpldapadmin-for-xampp/archive/master.zip
There are issues running the older PhpLDAPAdmin release on newer versions of the LAMP/XAMPP stack (PHP 7.3). In docker this is solved quickly by pinning the PHP version in the container image; without docker, which is the case here, the code has to be patched, as follows.
https://localhost/htdocs/index.php
Deprecated: __autoload() is deprecated, use spl_autoload_register() instead in C:\opt\xampp\htdocs\lib\functions.php on line 54
Fatal error: Cannot redeclare password_hash() in C:\opt\xampp\htdocs\lib\functions.php on line 2236
see
https://bugzilla.redhat.com/show_bug.cgi?id=1374431
see a rename of the function moved into the common lib
http://forums.debian.net/viewtopic.php?t=111508
rename (lib/functions.php, line 2246) - PHP 5.5 added a built-in password_hash(), so phpLDAPadmin can no longer declare its own function of that name:

function password_hash($password_clear,$enc_type) {
-> function pla_password_hash($password_clear,$enc_type) {

and update the callers, e.g. lines 2321 and 2330:

case 'sha':
  if (strcasecmp(pla_password_hash($plainpassword,'sha'),'{SHA}'.$cryptedpassword) == 0)
    return true;
  else
    return false;
  break;

# MD5 crypted passwords
case 'md5':
  if( strcasecmp(pla_password_hash($plainpassword,'md5'),'{MD5}'.$cryptedpassword) == 0)

Every call site has to be renamed, not only those in functions.php (lib/PageRender.php calls it too): a call left behind silently binds to PHP's built-in, which has a different signature (string $password, int $algo).
attempted login ok
now getting
Fatal error: Uncaught Error: Call to undefined function ldap_explode_dn() in C:\opt\xampp\htdocs\lib\functions.php:2508
Stack trace:
#0 C:\opt\xampp\htdocs\lib\Tree.php(135): pla_explode_dn('dc=i..d...')
#1 C:\opt\xampp\htdocs\lib\Tree.php(173): Tree->indexDN('dc=....,d...')
#2 C:\opt\xampp\htdocs\lib\Tree.php(62): Tree->addEntry('dc=....,d...')
#3 C:\opt\xampp\htdocs\lib\page.php(227): Tree::getInstance(1)
#4 C:\opt\xampp\htdocs\lib\page.php(418): page->tree()
#5 C:\opt\xampp\htdocs\htdocs\cmd.php(78): page->display()
#6 C:\opt\xampp\htdocs\htdocs\index.php(146): include('C:\\opt\\xampp\\ht...')
#7 {main}
  thrown in C:\opt\xampp\htdocs\lib\functions.php on line 2508
see https://stackoverflow.com/questions/16864306/fatal-error-call-to-undefined-function-ldap-connect
Root cause: php_ldap.dll depends on libsasl.dll, which Apache could not find, so the extension silently failed to load and every ldap_* function (ldap_connect, ldap_explode_dn, ...) was undefined even though php.ini enables it. Copy the dll next to httpd and restart Apache; afterwards "php -m | findstr ldap" (or phpinfo()) should list ldap.

mfobrien@biometricvm MINGW64 /c/opt/xampp/php
$ cp /c/opt/xampp/php/libsasl.dll /c/opt/xampp/apache/bin

Next error, in lib/ds_ldap.php (the DN unescape inside the explode code):

Warning: preg_replace(): The /e modifier is no longer supported, use preg_replace_callback instead in C:\opt\xampp\htdocs\lib\ds_ldap.php on line 1120

The /e modifier evaluated the replacement string as PHP code; it was deprecated in PHP 5.5 and removed in 7.0. The original code:

foreach ($dn as $key => $rdn)
    $a[$key] = preg_replace('/\\\([0-9A-Fa-f]{2})/e',"''.chr(hexdec('\\1')).''",$rdn);
return $a;
} else {
    return preg_replace('/\\\([0-9A-Fa-f]{2})/e',"''.chr(hexdec('\\1')).''",$dn);

becomes a preg_replace_callback whose callback decodes the captured hex pair. The callback has to use its match argument: a closure that ignores it and returns the literal string "''.chr(hexdec('\\1')).''" runs without a warning but writes that literal text into the DN instead of the decoded character, so any DN with an escape (e.g. cn=Smith\2c John) is mangled.

foreach ($dn as $key => $rdn)
    $a[$key] = preg_replace_callback('/\\\([0-9A-Fa-f]{2})/', function ($m) { return chr(hexdec($m[1])); }, $rdn);
return $a;
} else {
    return preg_replace_callback('/\\\([0-9A-Fa-f]{2})/', function ($m) { return chr(hexdec($m[1])); }, $dn);

The same treatment applies to the deprecated create_function() at lib/functions.php line 1083 (Function create_function() is deprecated) - replace it with an anonymous function.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890127
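The two pieces of DN handling that broke above, as an added Python example (not phpLDAPadmin code): the hex-pair unescape the /e regex performed, and the split on unescaped commas that ldap_explode_dn() does. It shows what the replacement callback has to produce (the decoded byte, never a literal string), and that hex escapes are bytes of the UTF-8 value, so multi-byte characters take more than one escape. The sample DNs are constructed.

```python
import re

# Characters that may follow a backslash as a single-character escape (RFC 4514);
# any other escape must be a two-digit hex pair giving one byte of the UTF-8 value.
_SPECIAL = set(' "#+,;<=>\\')
_HEX_PAIR = re.compile(r'[0-9A-Fa-f]{2}')


def unescape_dn_value(value):
    # The decoding the old preg_replace(... /e ...) did for \XX, done by emitting
    # the byte for the captured pair, not by evaluating anything as code.
    out = bytearray()
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != '\\':
            out += ch.encode('utf-8')
            i += 1
        elif i + 1 < len(value) and value[i + 1] in _SPECIAL:
            out += value[i + 1].encode('utf-8')   # \, \+ \" etc.
            i += 2
        elif _HEX_PAIR.fullmatch(value[i + 1:i + 3]):
            out.append(int(value[i + 1:i + 3], 16))   # one byte of UTF-8
            i += 3
        else:
            raise ValueError(f'bad escape at offset {i} in {value!r}')
    return out.decode('utf-8')


def explode_dn(dn):
    # Split on unescaped commas only, keeping each RDN's escapes intact:
    # the same split PHP's ldap_explode_dn() performs.
    parts, current, i = [], [], 0
    while i < len(dn):
        if dn[i] == '\\' and i + 1 < len(dn):
            current.append(dn[i:i + 2])      # escape + next char, never a separator
            i += 2
        elif dn[i] == ',':
            parts.append(''.join(current).strip())
            current = []
            i += 1
        else:
            current.append(dn[i])
            i += 1
    parts.append(''.join(current).strip())
    return parts


def dn_values(dn):
    """[(attribute type, decoded value), ...] per RDN, for display or comparison."""
    result = []
    for rdn in explode_dn(dn):
        attr, _, raw = rdn.partition('=')
        result.append((attr.strip(), unescape_dn_value(raw)))
    return result


if __name__ == '__main__':
    for sample in (r'cn=Smith\, John,ou=People,dc=ca', r'cn=Smith\2c John,ou=People,dc=ca', r'cn=caf\c3\a9,dc=ca'):
        print(explode_dn(sample), dn_values(sample))
```

Compare values with dn_values() rather than with raw string equality: "cn=Smith\, John" and "cn=Smith\2c John" are the same RDN, and an ACL or search filter that compares the escaped strings will treat them as different entries.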
results: better
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890127
https://stackoverflow.com/questions/16864306/fatal-error-call-to-undefined-function-ldap-connect
http://forums.debian.net/viewtopic.php?t=111508
User/group security to allow for non-root admin login
Context: phpldapadmin is the non-root front end to oudsm
A default user will be able to log into the gui but will not be able to see any of the DN tree or perform actions. We require a non-root admin user that has privileges that allow for viewing the entire DN tree.
User/group security to allow for non-root admin user create/delete user via LDIF
Context: phpldapadmin is the non-root front end to oudsm
Extra security config is required to be able to create/delete users using ldif import
User/group security to allow for non-root admin user copy user create
Context: phpldapadmin is the non-root front end to oudsm
Extra security is required to be able to create users via user copy.
Could not add the object to the LDAP server. LDAP said: Server is unwilling to perform Error number: 0x35 (LDAP_UNWILLING_TO_PERFORM) Description: The LDAP server refused to perform the operation.
Artifacts
Using Templates in phpldapadmin
http://phpldapadmin.sourceforge.net/wiki/index.php/Templates
Issues with the LDAP schema or objectClass
http://phpldapadmin.sourceforge.net/wiki/index.php/FAQ
Production config settings for phpldapadmin
Set the following three properties so that only the custom templates for your use case are shown, the default template is disabled, and template-loading warnings are suppressed (address all warnings first, since hiding them also hides real schema mismatches)
# in config/config.php
/* Just show your custom templates. */
$config->custom->appearance['custom_templates_only'] = true;
/* Disable the default template. */
$config->custom->appearance['disable_default_template'] = true;
/* Hide the warnings for invalid objectClasses/attributes in templates. */
$config->custom->appearance['hide_template_warning'] = true;
DI 20190704-1: new user creation fails on GID not populated
It looks like the following error may be due to a missing group - or change the template to allow for a group id of 0.
Fixed by taking out the dropdown from the template
DI 20190704-2: Create custom template for custom attributes
DI 20190706-1: password encryption error on new user submit
Fixed by bypassing the password encryption code.
error

Error E_WARNING: password_hash() expects parameter 2 to be int, string given
PHP Debug Backtrace
File C:\opt\xampp\htdocs\lib\functions.php (184) Function error (a:5:{i:0;s:70:"E_WARNING: password_hash() expects ...)
File C:\opt\xampp\htdocs\lib\functions.php () Function app_error_handler (a:5:{i:0;i:2;i:1;s:59:"password_hash() expects par...)
File C:\opt\xampp\htdocs\lib\PageRender.php (290) Function password_hash (a:2:{i:0;s:8:"password";i:1;s:0:"";})
File C:\opt\xampp\htdocs\lib\Visitor.php (58) Function getPostAttribute (a:2:{i:0;O:17:"PasswordAttribute":34:{s:4:"name";s...)
File C:\opt\xampp\htdocs\lib\PageRender.php (924) Function __call (a:2:{i:0;s:3:"get";i:1;a:2:{i:0;O:17:"PasswordAttr...)
File C:\opt\xampp\htdocs\lib\Visitor.php (58) Function getAutoPostPasswordAttribute (a:2:{i:0;O:17:"PasswordAttribute":34:{s:4:"name";s...)
File C:\opt\xampp\htdocs\lib\PageRender.php (92) Function __call (a:2:{i:0;s:3:"get";i:1;a:2:{i:0;O:17:"PasswordAttr...)
File C:\opt\xampp\htdocs\htdocs\create_confirm.php (19) Function accept (a:0:{})
File C:\opt\xampp\htdocs\htdocs\cmd.php (59) Function include (a:1:{i:0;s:45:"C:\opt\xampp\htdocs\htdocs\create_c...)

using the default template

<attribute id="userPassword">
  <display>userPassword</display>
  <!--
  <helper>
    <display>Encryption</display>
    <id>enc</id>
    <value>0</value>
  </helper>
  -->
  <icon>lock.png</icon>
  <order>5</order>
  <page>1</page>
  <spacer>1</spacer>
  <verify>1</verify>
</attribute>

# fix in PageRender.php:924
protected function getAutoPostPasswordAttribute($attribute,$i) {
+ # 20190706: Just return the password enc or not - it will get encrypted on the server
+ return;
  # If the password is already encoded, then we'll return
  if (preg_match('/^\{.+\}.+/',$attribute->getValue($i)))
    return;

  $attribute->setPostValue(array('function'=>'PasswordEncrypt','args'=>sprintf('%%enc%%;%%%s%%',$attribute->getName())));
  $this->get('Post',$attribute,$i);
}
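Review bot: the unconditional "return;" at the top of getAutoPostPasswordAttribute() skips both the existing pre-encoded check (preg_match('/^\{.+\}.+/', ...)) and the PasswordEncrypt post-processing, so every new userPassword now leaves phpLDAPadmin in clear text. That is what OUD wants (it rejects pre-encoded values and applies its own storage scheme), but against OpenLDAP a clear userPassword is stored verbatim unless the server hashes cleartext itself (ppolicy overlay with ppolicy_hash_cleartext), so keep the bypass to the OUD deployment or make it conditional on the server, and make sure the phpLDAPadmin-to-directory connection is LDAPS/StartTLS. The warning itself is a leftover of the password_hash -> pla_password_hash rename: the backtrace shows PageRender.php (290) still calling password_hash("password", ""), which now resolves to PHP's built-in password_hash(string $password, int $algo), hence "expects parameter 2 to be int"; renaming that call to pla_password_hash() clears the warning without removing the client-side hashing.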
DI 20190708: Copy user fails on permission violation - server unwilling
Getting the following error attempting to copy a user.
Could not add the object to the LDAP server. LDAP said: Server is unwilling to perform Error number: 0x35 (LDAP_UNWILLING_TO_PERFORM) Description: The LDAP server refused to perform the operation.
# logs in C:\oracle\middleware_oud1\user_projects\domains\oud_domain\system_components\OUD\oud1\logs\admin
[08/Jul/2019:11:30:29 -0400] CONNECT conn=856 from=127.0.0.1:52750 to=127.0.0.1:17489 protocol=LDAP
[08/Jul/2019:11:30:29 -0400] BIND REQ conn=856 op=0 msgID=1 type=SIMPLE dn="cn=michaelobrien,cn=admin,dc=ca" version=3
[08/Jul/2019:11:30:29 -0400] BIND RES conn=856 op=0 msgID=1 result=0 authDN="cn=michaelobrien,cn=admin,dc=ca" etime=2
[08/Jul/2019:11:30:29 -0400] SEARCH REQ conn=856 op=1 msgID=2 base="ou=People,dc=ca" scope=base filter="(&(objectClass=*))" attrs="*,+"
[08/Jul/2019:11:30:29 -0400] SEARCH RES conn=856 op=1 msgID=2 result=0 nentries=1 etime=0
[08/Jul/2019:11:30:29 -0400] SEARCH REQ conn=856 op=2 msgID=3 base="dc=ca" scope=sub filter="(|(uid=u20190708b_copy)(uidnumber=1010))" attrs="uid,uidnumber"
[08/Jul/2019:11:30:29 -0400] SEARCH RES conn=856 op=2 msgID=3 result=0 nentries=0 etime=0
[08/Jul/2019:11:30:29 -0400] ADD REQ conn=856 op=3 msgID=4 dn="cn=u20190708b_copy,ou=People,dc=ca"
[08/Jul/2019:11:30:29 -0400] ADD RES conn=856 op=3 msgID=4 result=53 message="Pre-encoded passwords are not allowed for the password attribute userPassword" etime=0
[08/Jul/2019:11:30:29 -0400] UNBIND REQ conn=856 op=4 msgID=5
[08/Jul/2019:11:30:29 -0400] DISCONNECT conn=856 reason="Client Disconnect"

The copy carries the source entry's already-hashed userPassword, and OUD's password policy rejects pre-encoded values by default (password policy property allow-pre-encoded-passwords; leave it false so the server, not the client, controls the storage scheme). The copy is OK if the password field is cleared.

Q) can we set it separately - yes

cn=u20190708b_copy
Server: Distinguished Name: cn=u20190708b_copy,ou=People,dc=ca
Do you want to make these changes?
Attribute   Old Value                  New Value          Skip
Password    [attribute doesnt exist]   ****************

Could not perform ldap_modify operation.
LDAP said: Insufficient access
Error number: 0x32 (LDAP_INSUFFICIENT_ACCESS)
Description: You do not have sufficient permissions to perform that operation.

[08/Jul/2019:11:41:58 -0400] BIND RES conn=872 op=0 msgID=1 result=0 authDN="cn=michaelobrien,cn=admin,dc=ca" etime=1
..
[08/Jul/2019:11:41:58 -0400] MODIFY REQ conn=872 op=4 msgID=5 dn="cn=u20190708b_copy,ou=People,dc=ca"
[08/Jul/2019:11:41:58 -0400] MODIFY RES conn=872 op=4 msgID=5 result=50 message="You do not have sufficient privileges to reset user passwords" etime=1

result=50 here is an OUD privilege check rather than an ACI: changing another user's password needs the password-reset privilege (ds-privilege-name: password-reset on the binding entry) in addition to write access on userPassword. was using michaelobrien,admin - tried with Admin.Lab OK

[08/Jul/2019:11:43:49 -0400] BIND REQ conn=881 op=0 msgID=1 type=SIMPLE dn="cn=Admin.Lab,ou=People,dc=ca" version=3
..
[08/Jul/2019:11:43:49 -0400] MODIFY REQ conn=881 op=4 msgID=5 dn="cn=u20190708b_copy,ou=People,dc=ca"
[08/Jul/2019:11:43:49 -0400] MODIFY RES conn=881 op=4 msgID=5 result=0 etime=1
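Pulling the failed operations out of an OUD access log like the one above, as an added Python example (not OUD or phpLDAPadmin code): it pairs each RES line with its REQ on the same connection and operation number, remembers which DN each connection is bound as, and reports every non-zero result code with the server's message, which is the triage that turned "Server is unwilling to perform" in the GUI into the two distinct causes (53 pre-encoded password, 50 missing password-reset privilege). The embedded log is constructed from the lines above.

```python
import re

# Constructed sample, adapted from the OUD access log excerpts above.
SAMPLE_LOG = """\
[08/Jul/2019:11:30:29 -0400] CONNECT conn=856 from=127.0.0.1:52750 to=127.0.0.1:17489 protocol=LDAP
[08/Jul/2019:11:30:29 -0400] BIND REQ conn=856 op=0 msgID=1 type=SIMPLE dn="cn=michaelobrien,cn=admin,dc=ca" version=3
[08/Jul/2019:11:30:29 -0400] BIND RES conn=856 op=0 msgID=1 result=0 authDN="cn=michaelobrien,cn=admin,dc=ca" etime=2
[08/Jul/2019:11:30:29 -0400] ADD REQ conn=856 op=3 msgID=4 dn="cn=u20190708b_copy,ou=People,dc=ca"
[08/Jul/2019:11:30:29 -0400] ADD RES conn=856 op=3 msgID=4 result=53 message="Pre-encoded passwords are not allowed for the password attribute userPassword" etime=0
[08/Jul/2019:11:30:29 -0400] UNBIND REQ conn=856 op=4 msgID=5
[08/Jul/2019:11:30:29 -0400] DISCONNECT conn=856 reason="Client Disconnect"
[08/Jul/2019:11:41:58 -0400] BIND RES conn=872 op=0 msgID=1 result=0 authDN="cn=michaelobrien,cn=admin,dc=ca" etime=1
[08/Jul/2019:11:41:58 -0400] MODIFY REQ conn=872 op=4 msgID=5 dn="cn=u20190708b_copy,ou=People,dc=ca"
[08/Jul/2019:11:41:58 -0400] MODIFY RES conn=872 op=4 msgID=5 result=50 message="You do not have sufficient privileges to reset user passwords" etime=1
[08/Jul/2019:11:43:49 -0400] BIND REQ conn=881 op=0 msgID=1 type=SIMPLE dn="cn=Admin.Lab,ou=People,dc=ca" version=3
[08/Jul/2019:11:43:49 -0400] BIND RES conn=881 op=0 msgID=1 result=0 authDN="cn=Admin.Lab,ou=People,dc=ca" etime=1
[08/Jul/2019:11:43:49 -0400] MODIFY REQ conn=881 op=4 msgID=5 dn="cn=u20190708b_copy,ou=People,dc=ca"
[08/Jul/2019:11:43:49 -0400] MODIFY RES conn=881 op=4 msgID=5 result=0 etime=1
"""

# "[timestamp] OPTYPE [REQ|RES] key=value key="quoted value" ..."; CONNECT/DISCONNECT have no REQ/RES.
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<optype>[A-Z]+)(?: (?P<kind>REQ|RES))? (?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# LDAP result codes seen on this page.
RESULT_NAMES = {50: 'insufficientAccessRights', 53: 'unwillingToPerform'}


def parse_line(line):
    """One access-log line -> dict of fields, or None if the line is not an access-log record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'optype': m.group('optype'), 'kind': m.group('kind')}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val[1:-1] if val.startswith('"') and val.endswith('"') else val
    return rec


def failed_operations(log_text):
    """Every RES with a non-zero result, joined to its REQ's target DN and the connection's bind DN."""
    bound_as = {}    # conn -> authDN from the last successful BIND RES
    requests = {}    # (conn, op) -> target dn from the REQ line
    failures = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        conn = rec.get('conn')
        if rec['optype'] == 'BIND' and rec['kind'] == 'RES' and rec.get('result') == '0':
            bound_as[conn] = rec.get('authDN', '')
        if rec['kind'] == 'REQ' and 'dn' in rec:
            requests[(conn, rec.get('op'))] = rec['dn']
        if rec['kind'] == 'RES' and rec.get('result') not in (None, '0'):
            failures.append({
                'ts': rec['ts'],
                'conn': conn,
                'optype': rec['optype'],
                'result': int(rec['result']),
                'message': rec.get('message', ''),
                'target_dn': requests.get((conn, rec.get('op')), ''),
                'bound_as': bound_as.get(conn, '<anonymous>'),
            })
    return failures


def summarize(log_text):
    """Human-readable one-liners, one per failed operation."""
    return [f"{f['ts']} conn={f['conn']} {f['optype']} {f['target_dn']} as {f['bound_as']}: "
            f"{RESULT_NAMES.get(f['result'], f['result'])} ({f['message']})"
            for f in failed_operations(log_text)]


if __name__ == '__main__':
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run it over the whole logs\admin directory to spot which bind DN keeps hitting result 50 or 53; a non-admin DN repeatedly failing ADD or MODIFY on ou=People is either a mis-scoped ACI or someone probing what the account can do.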
DI 20190708-2: Delete user
Are you sure you want to permanently delete this object?
Server: DN cn=u20190704i,ou=People,dc=ca
Delete DN
Successfully deleted DN cn=u20190704i,ou=People,dc=ca

# logs in C:\oracle\middleware_oud1\user_projects\domains\oud_domain\system_components\OUD\oud1\logs\admin
[08/Jul/2019:14:03:27 -0400] BIND REQ conn=896 op=0 msgID=1 type=SIMPLE dn="cn=Admin.Lab,ou=People,dc=ca" version=3
..
[08/Jul/2019:14:03:27 -0400] DELETE REQ conn=896 op=2 msgID=3 dn="cn=u20190704i,ou=People,dc=ca"
[08/Jul/2019:14:03:27 -0400] DELETE RES conn=896 op=2 msgID=3 result=0 etime=3
DI 20190708-3: Search User PHP error
Getting the following on search. PHP 7.3 raises this warning at compile time for any "continue" inside a switch, here while autoloading lib/QueryRender.php, so it can be fixed in that file: replace "continue" with "break" where it only meant to leave the switch, or with "continue 2" where it meant the enclosing loop.

Search user

Error E_WARNING: "continue" targeting switch is equivalent to "break". Did you mean to use "continue 2"?
PHP Debug Backtrace
File C:\opt\xampp\htdocs\lib\functions.php (184) Function error (a:5:{i:0;s:98:"E_WARNING: "continue" targeting swi...)
File C:\opt\xampp\htdocs\lib\functions.php (58) Function app_error_handler (a:5:{i:0;i:2;i:1;s:87:""continue" targeting switch...)
File C:\opt\xampp\htdocs\lib\functions.php (58) Function require_once
File C:\opt\xampp\htdocs\lib\functions.php () Function my_autoload (a:1:{i:0;s:11:"QueryRender";})
File C:\opt\xampp\htdocs\htdocs\query_engine.php (17) Function spl_autoload_call (a:1:{i:0;s:11:"QueryRender";})
File C:\opt\xampp\htdocs\htdocs\cmd.php (59) Function include (a:1:{i:0;s:43:"C:\opt\xampp\htdocs\htdocs\query_en...)
Downgrade PHP from 7.3 to 7.2 in XAMPP
Trying this solution
https://wiki.php.net/rfc/continue_on_switch_deprecation
https://github.com/breisig/phpLDAPadmin/issues/7
https://github.com/leenooks/phpLDAPadmin/issues/43
not https://github.com/leenooks/phpLDAPadmin/issues/72
DI: 20190709: expose member or isMemberOf attributes on OneToMany group membership
Need a way to view group membership via 3rd party ldap client.
Oracle Unified Directory
I have a client that is migrating from on-premises to the cloud - part of the work is retrofitting existing non-cloud tech as part of the migration. One of the modules is an LDAP server that will not be containerized. There is an additional issue where we need non-root admin users with CRUD capability - ideally in a reduced admin web based environment.
Normally I use docker containers on ubuntu or OSX under an orchestration framework like Kubernetes - this particular OUD is on windows - there is a port to docker though I will look at - https://github.com/oehrlis/docker-oud
https://www.oracle.com/technetwork/middleware/id-mgmt/oid-11gr2-2104316.html
Oracle Unified Directory 12cPS3 (12.2.1.3.0)
The OUD and OUDSM can be installed on a standard Windows 10 Pro VM on VMware for developer productivity.
There is a 2 min default timeout on the oudsm war even though the timeout is set to 3600 sec. Change it to 7200 for the change to take effect, then click OK on the new plan and redeploy.
ldapsearch
PS C:\oracle\middleware_oud1\user_projects\domains\oud_domain\system_components\OUD\oud1\bat> ./ldapsearch.bat -h biometricvm -p 17489 -D cn=oudadmin -w password -b "dc=obrienlabs,dc=cloud" cn=admin
dn: cn=admin,dc=obrienlabs,dc=cloud
objectClass: top
objectClass: orclContainer
cn: admin

check acls
# https://docs.oracle.com/cd/E22289_01/html/821-1273/managing-acis-with-ldapmodify.html#scrolltoc
# aci is an operational attribute, so it has to be requested by name (or with +); only the dn comes back here because the entry has no aci yet
PS C:\oracle\middleware_oud1\user_projects\domains\oud_domain\system_components\OUD\oud1\bat> ./ldapsearch.bat -h biometricvm -p 17489 -D cn=oudadmin -w IDMoudpwd1# -b "cn=michaelobrien,cn=admin,dc=obrienlabs,dc=cloud" -s base "(objectclass=*)" aci
dn: cn=michaelobrien,cn=admin,dc=obrienlabs,dc=cloud

Note that -w puts the directory manager password in the PowerShell history and in the process list; use -j <file> (bindPasswordFile) for anything outside a throwaway lab.
ldapadd or ldapmodify -a
C:\_dev\michaelobrien_add_ldif.txt
PS C:\oracle\middleware_oud1\user_projects\domains\oud_domain\system_components\OUD\oud1\bat> ./ldapmodify.bat -a -h biometricvm -p 17489 -w password -D "cn=oudadmin" -f C:\_dev\michaelobrien_add_ldif.txt
Processing ADD request for cn=michaelobrien,cn=admin,dc=obrienlabs,dc=cloud
ADD operation successful for DN cn=michaelobrien,cn=admin,dc=obrienlabs,dc=cloud

# check it
PS C:\oracle\middleware_oud1\user_projects\domains\oud_domain\system_components\OUD\oud1\bat> ./ldapsearch.bat -h biometricvm -p 17489 -D cn=oudadmin -w password -b "dc=obrienlabs,dc=cloud" cn=michaelobrien
dn: cn=michaelobrien,cn=admin,dc=obrienlabs,dc=cloud
sn: michaelobrien
cn: .....
ldapmodify for ACI changes
follow https://docs.oracle.com/cd/E22289_01/html/821-1273/managing-acis-with-ldapmodify.html#scrolltoc
PS C:\oracle\middleware_oud1\user_projects\domains\oud_domain\system_components\OUD\oud1\bat> ./ldapmodify.bat -a -h biometricvm -p 17489 -w IDMoudpwd1# -D "cn=oudadmin" -f C:\_dev\michaelobrien_acl_add_ldif.txt
Processing MODIFY request for cn=michaelobrien,cn=admin,dc=obrienlabs,dc=cloud
MODIFY operation successful for DN cn=michaelobrien,cn=admin,dc=obrienlabs,dc=cloud

# using ldif file
dn: cn=michaelobrien,cn=admin,dc=obrienlabs,dc=cloud
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "give full rights"; allow(all) userdn = "ldap:///cn=michaelobrien,cn=admin,dc=obrienlabs,dc=cloud";)

Two checks before expecting this to work. First, the userdn has to be the exact bind DN: the entry added above is cn=michaelobrien,cn=admin,..., so a userdn of uid=michaelobrien,cn=admin,... matches nobody and the modify succeeds while granting nothing. Second, an aci only grants rights over the entry it is stored on and the subtree beneath it; stored on the user's own entry it grants nothing over ou=People. To let this user manage entries under the suffix, store the aci on dc=obrienlabs,dc=cloud (or on ou=People,dc=obrienlabs,dc=cloud) and scope it, for example targetattr="*" with a targetfilter on the objectClasses this admin may touch, rather than allow(all) on everything. Password resets additionally need the password-reset privilege (ds-privilege-name), which no aci grants.
ACLs
https://docs.oracle.com/cd/E37116_01/admin.111210/e22648/root_users.htm#OUDAG00055
Docker
https://www.oradba.ch/blog/page/3/
Alternative/Legacy LDAP clients
I would recommend you try to use helm charts, kubernetes or even bare docker. However, in some cases legacy applications will not have access to VMs or a docker orchestration system, so you will need to supply a web-based interface old-school via a deployed war or another distribution like 90's PHP. Here I will detail how to get these alternative clients running.
ldapadmin.exe
Connecting ldapadmin to Oracle Unified Directory - bypassing Oracle Unified Directory Services Manager
There are use cases where non-root admin user gui access is required. Currently the oudsm accepts connections to the gui app only from root users. Ldapadmin.exe is one option to use non-root users for actions where CLI access is not available for ldapsearch/ldapmodify and dsconfig.