Ldap: Difference between revisions

From Halfface
Jump to navigation Jump to search
 
(26 intermediate revisions by the same user not shown)
Line 1: Line 1:
=setup ldap server=
=what does it mean=
Just followed.
dap        Directory Access Protocol, Ldap ancestor
  http://www.linuxrackers.com/doku.php?id=389_directory_server_setup_using_centos6_rhel6
dit        Directory Information Tree
==add user==
dsa        Directory System Agent is the element of an X.500 directory service that provides User Agents with access to a portion of the directory
  ldapadd -x -W -f users_groups.ldif -c
  dse        Directory System Entry. A DSE is a special entry within the LDAP directory that provides information about the directory itself and its configuration.
==change password==
dua        Directory User Agent
ldappasswd -x -W -S uid=user,ou=People,dc=halfface,dc=se -ZZ
  rdn        parts of the DN are called Relative Distinguished Name (RDN)
sasl      Simple Authentication and Security Layer


==Install ldap server.==
=Install ldap server.=
  yum' -y install openldap openldap-clients openldap-devel openldap-servers
  dnf install 389*
 
==Configure ldap.==
/etc/openldap/ldap.conf
URI ldap://ldap.halfface.se/
BASE dc=halfface,dc=se
 
==Configure ldap.==
/etc/openldap/slapd.conf
include        /etc/openldap/schema/redhat/autofs.schema
database bdb
suffix "dc=halfface,dc=se"
rootdn "uid=root,dc=halfface,dc=se"
rootpw secret
 
==Change rootpw to output from the following command.==
slappasswd
rootpw {SSHA}0BO9AGrX8
 
==Copy database defaults.==
  cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
 
===To generate ldif to feed your ldap database.===
 
Change varables to suite your domain.
/usr/share/openldap/migration/migrate_common.ph
 
Convert local users to ldap users.
/usr/share/openldap/migration/migrate_passwd.pl /temp/user /temp/user.ldif
 
Import users.
ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /temp/user.ldif -c
 
Example ldif to add user.
dn: uid=bjorklun,ou=people,dc=halfface,dc=se
uid: bjorklun
cn: Andreas Bjorklund
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$encryptedpasswordheretowork
shadowLastChange: 13080
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/bjorklun
gecos: Andreas Bjorklund
 
==Adding local groups.==
cat /etc/group | sort -k3 -t : -n | tail -22 | head -20 > /temp/group
/usr/share/openldap/migration/migrate_group.pl /temp/group /temp/group.ldif
ldapadd -x -D "uid=root,dc=halfface,dc=se" -w secretpassword -f /temp/group.ldif -v
 
===Adding passwd and group.===
dn: ou=people,dc=halfface,dc=se
objectclass: organizationalUnit
ou: people
dn: ou=group,dc=halfface,dc=se
objectclass: organizationalUnit
ou: group
 
Organization Units.
dn: ou=Friends,dc=halfface,dc=se
ou: Friends
objectClass: top
objectClass: organizationalUnit
description: Members of Friends
dn: ou=Work,dc=halfface,dc=se
ou: Work
objectClass: top
objectClass: organizationalUnit
description: Members of Work
 
ldap attribute.
dn: dc=halfface,dc=se
dc: halfface
description: Root LDAP entry for halfface.se
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
 
dn: ou=People, dc=halfface,dc=se
ou: People
description: All people in organisation
objectClass: organizationalUnit
 
dn: dc=halfface,dc=se
objectclass: dcObject
objectclass: organization
o: halfface
dc: halfface
dn: cn=Manager,dc=halfface,dc=se
objectclass: organizationalRole
cn: Manager
 
ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /tmp/newentry -v
 
ldapsearch -x -b 'dc=halfface,dc=se' '(objectclass=*)'
 
==Configure client.==
authconfig --enableshadow --enablemd5 --enableldap --enableldapauth --ldapserver=ldap.halfface.se --ldapbasedn=dc=halfface,dc=se --disableldaptls --disablekrb5 --disablesmbauth --disablehesiod --update
 
==Configure client. /etc/sysconfig/autofs==
# Other common LDAP nameing
#
DEFAULT_MAP_OBJECT_CLASS="automountMap"
DEFAULT_ENTRY_OBJECT_CLASS="automount"
DEFAULT_MAP_ATTRIBUTE="ou"
DEFAULT_ENTRY_ATTRIBUTE="cn"
DEFAULT_VALUE_ATTRIBUTE="automountInformation"
#
 
==ldapsearch examples.==
Search for user bjorklun.
ldapsearch -x uid=bjorklun
 
Search for specified field.
ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com ifxGlobalUniqueId
 
Look for the auto.master structure.
ldapsearch -x -s subtree -b 'ou=auto.master,dc=halfface,dc=se' 'objectclass=automount'
 
Search ad for ldap information.
ldapsearch -LLL -x -h ad.ongame.com -W -p 3268 -b DC=ongame,DC=com -D 'ONGAME\username' '(&(objectClass=person)(cn=User Name))'
 
Search without checking cert
tail /etc/openldap/ldap.conf
HOST ldap.halfface.se
TLS_REQCERT ALLOW
ldapsearch -x -b dc=halfface,dc=se -H ldaps://ldap.halfface.se '(&(objectclass=posixAccount)(uid=handsomeuser))'


=Configure ldap.=
dscreate interactive
=ldapsearch examples=
Base64 decode. No line wrap.
Base64 decode. No line wrap.
  ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | less -ISRM
  ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | less -ISRM
 
ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -pe"binmode(STDOUT,':utf8');" -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | strings
# search for numbers higher than 42435.
search for numbers higher than 42435.
  ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com "uidNumber>=42435"
  ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com "uidNumber>=42435"
# search for next suitable gid. Look for good matching number. For some reason I get some low numbers in my test.
search for next suitable gid. Look for good matching number. For some reason I get some low numbers in my test.
  ldapsearch -LLL -l 5 -o nettimeout=5 -x -b "dc=example,dc=net" -h ldap.example.com  "uidNumber>=68000" uidNumber | grep uidNumber | awk '{print $2}' | sort -n | less
  ldapsearch -LLL -l 5 -o nettimeout=5 -x -b "dc=example,dc=net" -h ldap.example.com  "uidNumber>=68000" uidNumber | grep uidNumber | awk '{print $2}' | sort -n | less
Wild card search.
ldapsearch -o ldif-wrap=no -H ldap://<url>:389 -x -D "uid=$USERNAME,cn=users,cn=accounts,dc=company,dc=se" -w $COMPANY_PASSWORD -b "dc=company,dc=se" -s sub -a always '(&(objectClass=*)(cn=*<string>*))'
=matching=
=matching=
Match user belonging to one of the groups.
Match user belonging to one of the groups.
Line 157: Line 29:
Match user belonging to both groups.
Match user belonging to both groups.
  (&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))
  (&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))
=Naming=
=get root dse=
dit                directory information tree
root DSE (the top-level entry of the directory), supported LDAP versions, naming contexts, supported LDAP extensions, and other operational attributes. The root DSE, in particular, provides essential information about the LDAP server and the directory service it hosts, allowing LDAP clients to discover important details about the directory configuration and capabilities.
dn                entry distinguished name
  ldapsearch -o ldif-wrap=no -H ldaps://ldap.int.redbridge.se:636 -x -b "" -s base -a always "(objectClass=*)"
dsa                directory server, more technically referred to as a Directory Server Agent, a Directory System Agent.
Get root dse using python
entry              consists of three primary components: a distinguished name, a collection of attributes, and a collection of object classes.
python3 -c 'from ldap3 import Server, Connection, ALL ; server = Server("ipa.demo1.freeipa.org",  get_info=ALL) ; conn = Connection(server, auto_bind=True) ; print(server.info) ;'
rdn                relative distinguished names.
Get schemas
root dse          is sometimes called the “null DN” and references a special type of entry called the root DSE which provides information about the content and capabilities of the directory server.
python3 -c 'from ldap3 import Server, Connection, ALL ; server = Server("ipa.demo1.freeipa.org",  get_info=ALL) ; conn = Connection(server, auto_bind=True) ; print(server.schema) ;'
  X.500              the original Directory Access Protocol, for which LDAP is a much more lightweight version
 
 
 


[[Category:Applications]]
[[Category:Applications]]
[[Category:Unix]]
[[Category:Unix]]

Latest revision as of 10:49, 3 May 2024

what does it mean

dap        Directory Access Protocol, Ldap ancestor
dit        Directory Information Tree
dsa        Directory System Agent is the element of an X.500 directory service that provides User Agents with access to a portion of the directory
dse        Directory System Entry. A DSE is a special entry within the LDAP directory that provides information about the directory itself and its configuration.
dua        Directory User Agent
rdn        parts of the DN are called Relative Distinguished Name (RDN) 
sasl       Simple Authentication and Security Layer

Install ldap server.

dnf install 389*

Configure ldap.

dscreate interactive

ldapsearch examples

Base64 decode. No line wrap.

ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | less -ISRM
ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -pe"binmode(STDOUT,':utf8');" -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | strings

search for numbers higher than 42435.

ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com "uidNumber>=42435"

search for next suitable gid. Look for good matching number. For some reason I get some low numbers in my test.

ldapsearch -LLL -l 5 -o nettimeout=5 -x -b "dc=example,dc=net" -h ldap.example.com  "uidNumber>=68000" uidNumber | grep uidNumber | awk '{print $2}' | sort -n | less

Wild card search.

ldapsearch -o ldif-wrap=no -H ldap://<url>:389 -x -D "uid=$USERNAME,cn=users,cn=accounts,dc=company,dc=se" -w $COMPANY_PASSWORD -b "dc=company,dc=se" -s sub -a always '(&(objectClass=*)(cn=*<string>*))'

matching

Match user belonging to one of the groups.

(|(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))

Match user belonging to both groups.

(&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))

get root dse

root DSE (the top-level entry of the directory), supported LDAP versions, naming contexts, supported LDAP extensions, and other operational attributes. The root DSE, in particular, provides essential information about the LDAP server and the directory service it hosts, allowing LDAP clients to discover important details about the directory configuration and capabilities.

ldapsearch -o ldif-wrap=no -H ldaps://ldap.int.redbridge.se:636 -x -b "" -s base -a always "(objectClass=*)"

Get root dse using python

python3 -c 'from ldap3 import Server, Connection, ALL ; server = Server("ipa.demo1.freeipa.org",  get_info=ALL) ; conn = Connection(server, auto_bind=True) ; print(server.info) ;'

Get schemas

python3 -c 'from ldap3 import Server, Connection, ALL ; server = Server("ipa.demo1.freeipa.org",  get_info=ALL) ; conn = Connection(server, auto_bind=True) ; print(server.schema) ;'