Ldap: Difference between revisions

From Halfface

Previous revision (only the parts that differ from the latest revision below):

=setup ldap server=
Just followed.
  http://www.linuxrackers.com/doku.php?id=389_directory_server_setup_using_centos6_rhel6
==add user==
  ldapadd -x -W -f users_groups.ldif -c
==change password==
  ldappasswd -x -W -S uid=user,ou=People,dc=halfface,dc=se -ZZ

==Install ldap server.==
  yum -y install openldap openldap-clients openldap-devel openldap-servers

==Configure ldap.==
/etc/openldap/ldap.conf
URI ldap://ldap.halfface.se/
BASE dc=halfface,dc=se

==Configure ldap.==
/etc/openldap/slapd.conf
include        /etc/openldap/schema/redhat/autofs.schema
database bdb
suffix "dc=halfface,dc=se"
rootdn "uid=root,dc=halfface,dc=se"
rootpw secret

==Change rootpw to output from the following command.==
slappasswd
rootpw {SSHA}0BO9AGrX8

==Copy database defaults.==
  cp /etc/openldap/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

===To generate ldif to feed your ldap database.===

Change variables to suit your domain.
/usr/share/openldap/migration/migrate_common.ph

Convert local users to ldap users.
/usr/share/openldap/migration/migrate_passwd.pl /temp/user /temp/user.ldif

Import users.
ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /temp/user.ldif -c

Example ldif to add a user.
dn: uid=bjorklun,ou=people,dc=halfface,dc=se
uid: bjorklun
cn: Andreas Bjorklund
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$1$encryptedpasswordheretowork
shadowLastChange: 13080
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 501
gidNumber: 501
homeDirectory: /home/bjorklun
gecos: Andreas Bjorklund

==Adding local groups.==
cat /etc/group | sort -k3 -t : -n | tail -22 | head -20 > /temp/group
/usr/share/openldap/migration/migrate_group.pl /temp/group /temp/group.ldif
ldapadd -x -D "uid=root,dc=halfface,dc=se" -w secretpassword -f /temp/group.ldif -v

===Adding passwd and group.===
dn: ou=people,dc=halfface,dc=se
objectclass: organizationalUnit
ou: people

dn: ou=group,dc=halfface,dc=se
objectclass: organizationalUnit
ou: group

Organizational units.
dn: ou=Friends,dc=halfface,dc=se
ou: Friends
objectClass: top
objectClass: organizationalUnit
description: Members of Friends

dn: ou=Work,dc=halfface,dc=se
ou: Work
objectClass: top
objectClass: organizationalUnit
description: Members of Work

Root entry examples.
dn: dc=halfface,dc=se
dc: halfface
description: Root LDAP entry for halfface.se
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject

dn: ou=People,dc=halfface,dc=se
ou: People
description: All people in organisation
objectClass: organizationalUnit

dn: dc=halfface,dc=se
objectclass: dcObject
objectclass: organization
o: halfface
dc: halfface

dn: cn=Manager,dc=halfface,dc=se
objectclass: organizationalRole
cn: Manager

ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /tmp/newentry -v

ldapsearch -x -b 'dc=halfface,dc=se' '(objectclass=*)'

==Configure client.==
authconfig --enableshadow --enablemd5 --enableldap --enableldapauth --ldapserver=ldap.halfface.se --ldapbasedn=dc=halfface,dc=se --disableldaptls --disablekrb5 --disablesmbauth --disablehesiod --update

==Configure client. /etc/sysconfig/autofs==
# Other common LDAP naming
#
DEFAULT_MAP_OBJECT_CLASS="automountMap"
DEFAULT_ENTRY_OBJECT_CLASS="automount"
DEFAULT_MAP_ATTRIBUTE="ou"
DEFAULT_ENTRY_ATTRIBUTE="cn"
DEFAULT_VALUE_ATTRIBUTE="automountInformation"
#

==ldapsearch examples.==
Search for user bjorklun.
ldapsearch -x uid=bjorklun

Search for a specified attribute.
ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com ifxGlobalUniqueId

Look for the auto.master structure.
ldapsearch -x -s subtree -b 'ou=auto.master,dc=halfface,dc=se' 'objectclass=automount'

Search AD for ldap information.
ldapsearch -LLL -x -h ad.ongame.com -W -p 3268 -b DC=ongame,DC=com -D 'ONGAME\username' '(&(objectClass=person)(cn=User Name))'

Search without checking the server certificate (with TLS_REQCERT allow the session is still encrypted, but a missing or invalid server certificate is accepted, so the server is not authenticated).
tail /etc/openldap/ldap.conf
HOST ldap.halfface.se
TLS_REQCERT ALLOW
ldapsearch -x -b dc=halfface,dc=se -H ldaps://ldap.halfface.se '(&(objectclass=posixAccount)(uid=handsomeuser))'

Wild card search.
  ldapsearch -o ldif-wrap=no -H ldap://ldap.int.redbridge.se:389 -x -D "uid=$USERNAME,cn=users,cn=accounts,dc=redbridge,dc=se" -w $COMPANY_PASSWORD -b "dc=redbridge,dc=se" -s sub -a always '(&(objectClass=*)(cn=*kompetensportalen*))'

=Naming=
dc                 domain component
dit                directory information tree
dn                 entry distinguished name
dsa                directory server, more technically referred to as a Directory System Agent.
entry              consists of three primary components: a distinguished name, a collection of attributes, and a collection of object classes.
leaf entries       entries that do not have any children
rdn                relative distinguished names.
root dse           is sometimes called the "null DN" and references a special type of entry called the root DSE which provides information about the content and capabilities of the directory server.
X.500              the original Directory Access Protocol, for which LDAP is a much more lightweight version
SupportedExtension A supported extension is a mechanism for identifying the Extended Requests supported by the Directory Server.
SupportedControl   An LDAP control is an element that may be included in an LDAP message. If it is included in a request message, it can be used to provide additional information about the way that the operation should be processed.

Object Classes     Object classes are schema elements that specify collections of attribute types that may be related to a particular type of object, process, or other entity.
Structural.        Indicates the attributes that the entry may have and where each entry may occur in the DIT.
Auxiliary.         Indicates the attributes that the entry may have.
Abstract.          Indicates a "partial" specification in the object class hierarchy; only structural and auxiliary subclasses may appear as entries in the directory.

=objectclass=
nsView             This object class is used for a view entry in the directory tree.
organizationalUnit This object class defines entries that represent organizational units.

[[Category:Applications]]
[[Category:Unix]]

Latest revision as of 10:49, 3 May 2024

what does it mean

dap        Directory Access Protocol, Ldap ancestor
dit        Directory Information Tree
dsa        Directory System Agent is the element of an X.500 directory service that provides User Agents with access to a portion of the directory
dse        Directory System Entry. A DSE is a special entry within the LDAP directory that provides information about the directory itself and its configuration.
dua        Directory User Agent
rdn        the parts of a DN are called Relative Distinguished Names (RDNs)
sasl       Simple Authentication and Security Layer

Install ldap server.

dnf install 389*

Configure ldap.

dscreate interactive

ldapsearch examples

Base64 decode. No line wrap.

ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string))" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | less -ISRM
ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string))" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 'BEGIN { binmode(STDOUT, ":utf8") } s/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | strings
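The perl one-liners above unfold LDIF continuation lines and decode the `::` base64 values. The following added Python example (not code from this wiki page) does the same on a constructed ldapsearch sample and returns parsed entries instead of printing them:

```python
import base64

# Constructed sample, not real ldapsearch output: one entry with two base64
# ("::") values, one of them folded onto a continuation line, then a second entry.
SAMPLE_LDIF = (
    "# extended LDIF\n"
    "dn: uid=bjorklun,ou=people,dc=halfface,dc=se\n"
    "uid: bjorklun\n"
    "objectClass: posixAccount\n"
    "objectClass: top\n"
    "cn:: QW5kcmVhcyBCasO2cmtsdW5k\n"
    "l:: R8O2\n"
    " dGVib3Jn\n"
    "\n"
    "dn: ou=people,dc=halfface,dc=se\n"
    "ou: people\n"
)

def unfold(ldif):
    """Join LDIF continuation lines (RFC 2849: leading space) onto the previous line."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(ldif):
    """Return a list of entries; each entry maps attribute name -> list of values.
    'attr:: b64' values are base64-decoded and read as UTF-8, like the perl
    one-liner; a '::' value that is not valid base64 raises ValueError."""
    entries, current = [], {}
    for line in unfold(ldif):
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):        # second colon marks a base64 value
            value = base64.b64decode(rest[1:].strip(), validate=True).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries
```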

Search for uidNumber values of 42435 and above.

ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com "uidNumber>=42435"

Search for the next suitable gid. Look for a good matching number. For some reason I get some low numbers in my test.

ldapsearch -LLL -l 5 -o nettimeout=5 -x -b "dc=example,dc=net" -h ldap.example.com  "uidNumber>=68000" uidNumber | grep uidNumber | awk '{print $2}' | sort -n | less
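The pipeline above sorts the returned uidNumber values numerically. This added Python example (not from this page; the sample output is constructed) parses such ldapsearch output, ignores the unexpected low numbers the text mentions, and returns the first free number at or above the floor:

```python
import re

# Constructed sample of `ldapsearch -LLL ... "uidNumber>=68000" uidNumber` output
# (not real data): it contains a stray low number and a gap at 68002.
SAMPLE_OUTPUT = """\
dn: uid=anna,ou=People,dc=example,dc=net
uidNumber: 68000

dn: uid=bert,ou=People,dc=example,dc=net
uidNumber: 68001

dn: uid=carl,ou=People,dc=example,dc=net
uidNumber: 7

dn: uid=dora,ou=People,dc=example,dc=net
uidNumber: 68003
"""

def id_numbers(ldif_text, attr="uidNumber"):
    """All integer values of attr in the LDIF text, sorted numerically
    (the equivalent of grep | awk | sort -n; a string sort would put 7 last)."""
    pattern = re.compile(r"^%s:\s*(\d+)\s*$" % re.escape(attr), re.MULTILINE)
    return sorted(int(m.group(1)) for m in pattern.finditer(ldif_text))

def next_free_id(ids, floor=68000):
    """Lowest integer >= floor that is not in ids. Values below floor are
    ignored, so stray low numbers in the search result are never chosen."""
    used = {i for i in ids if i >= floor}
    candidate = floor
    while candidate in used:
        candidate += 1
    return candidate
```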

Wild card search.

ldapsearch -o ldif-wrap=no -H ldap://<url>:389 -x -D "uid=$USERNAME,cn=users,cn=accounts,dc=company,dc=se" -w $COMPANY_PASSWORD -b "dc=company,dc=se" -s sub -a always '(&(objectClass=*)(cn=*<string>*))'

matching

Match user belonging to one of the groups.

(|(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))

Match user belonging to both groups.

(&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))
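Both templates substitute `%s` straight into the filter. The added Python example below (not code from this page) escapes the substituted values per RFC 4514 (for the DN inside memberOf) and RFC 4515 (for the filter) before filling the AND template above, so a value such as `*)(objectClass=*` cannot change the meaning of the search:

```python
# The page's AND template, filled here only with escaped values.
FILTER_TEMPLATE = "(&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))"

def escape_dn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514)."""
    out = []
    for ch in value:
        if ch in '\\,+"<>;':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    s = "".join(out)
    if s.startswith((" ", "#")):                    # leading space or '#' must be escaped
        s = "\\" + s
    if s.endswith(" ") and not s.endswith("\\ "):   # so must a trailing space
        s = s[:-1] + "\\ "
    return s

def escape_filter_value(value):
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in value)

def group_member_filter(group_cn, sam_account_name):
    """Fill the template with untrusted values safely. The group CN sits inside
    a DN, so it is DN-escaped first and then filter-escaped (a DN backslash
    becomes \\5c in the filter); the account name is only filter-escaped."""
    cn = escape_filter_value(escape_dn_value(group_cn))
    return FILTER_TEMPLATE % (cn, escape_filter_value(sam_account_name))
```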

get root dse

The root DSE (the top-level entry of the directory) exposes the supported LDAP versions, naming contexts, supported LDAP extensions and other operational attributes. It provides essential information about the LDAP server and the directory service it hosts, allowing LDAP clients to discover the directory's configuration and capabilities.

ldapsearch -o ldif-wrap=no -H ldaps://ldap.int.redbridge.se:636 -x -b "" -s base -a always "(objectClass=*)"

Get root dse using python

python3 -c 'from ldap3 import Server, Connection, ALL ; server = Server("ipa.demo1.freeipa.org",  get_info=ALL) ; conn = Connection(server, auto_bind=True) ; print(server.info) ;'

Get schemas

python3 -c 'from ldap3 import Server, Connection, ALL ; server = Server("ipa.demo1.freeipa.org",  get_info=ALL) ; conn = Connection(server, auto_bind=True) ; print(server.schema) ;'