Can't find members of group using its cn in LDAP - ldap

I am totally new to LDAP and have just started. I have seen a couple of examples which, to my understanding, use the query the way I have, but in my case it does not seem to work.
I have a hierarchy like this (I am using Apache Directory Studio):
If I double-click on the object with ou=scientists, its info pops up as follows:
So this group with ou=scientists has a cn=Scientists (I have checked and there are no trailing spaces after Scientists).
I want to simply find stuff inside the group with ou=scientists.
There is 1 way to do it like this:
ou=scientists,dc=example,dc=com which gives the expected result.
But I want to be able to find the content inside the group with ou=scientists not by its ou value, but by its cn value. So I thought to myself, ok I can use this: cn=Scientists,dc=example,dc=com
But this yields 0 results. I think I am missing a key point here. What should I actually do?

There are multiple things to consider when you query an LDAP directory.
In your case you want to look up from a branch (called the search base DN in LDAP) and apply a filter to all the children of this branch to select the ones you want:
ldapsearch ... -b <search base dn> -s sub "<FILTER>"
So for your DIT :
ldapsearch ... -b dc=example,dc=com -s sub "(&(objectClass=groupOfUniqueNames)(cn=scientists))"
Consider learning how the search request works in LDAP if you want to work more deeply with ldap : https://ldapwiki.com/wiki/SearchRequest

@SeanGoudarzi I think there is some misunderstanding about how the LDAP model works.
If you want to find Sub-entries of a given entry, you need 2 searches.
One to find the base-entry and one to find the child entries
To find the entry with the so-called 'relative distinguished name' ou=scientists you need a search like
ldapsearch ... -b dc=example,dc=com -s sub "(cn=scientists)" dn
and then
ldapsearch ... -b DN_RESULT_FROM_PREVIOUS_SEARCH -s one "(objectClass=*)" dn
this will give you
dn: ou=italians,ou=scientists,dc=example,dc=com
Or do you want to achieve something else?
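The two-step procedure from the answers above, worked through in code. This is an added example, not code from the thread: it builds the first filter with RFC 4515 escaping (so a cn value containing `*`, `(` or `)` cannot rewrite the filter, which matters when the cn comes from user input), parses the dn lines out of ldapsearch's LDIF output, and assembles the one-level follow-up search from the dn it found. The host ldap.example.com, the groupOfUniqueNames class (taken from the first answer) and the two ldapsearch outputs, including a non-ASCII child dn that ldapsearch emits in `dn::` base64 form, are constructed for the example.

```python
"""Two-step lookup of a group by its cn and then its children, with RFC 4515
filter escaping and LDIF parsing of ldapsearch output. Added example, not
from the thread; host and sample outputs are constructed."""
import base64

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise a user-controlled cn changes the filter's meaning.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_filter(cn, object_class="groupOfUniqueNames"):
    """Filter for step 1: match the group entry by its cn attribute, not its RDN."""
    return f"(&(objectClass={object_class})(cn={escape_filter_value(cn)}))"


def ldapsearch_argv(base, scope, filt, host="ldap://ldap.example.com"):
    """argv for ldapsearch; the filter is one argument, so the shell never globs '*'."""
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"bad scope {scope!r}")
    # "1.1" (RFC 4511 section 4.5.1.8) requests no attributes: only dn lines come back,
    # which is what the answers achieve by listing "dn" as the attribute.
    return ["ldapsearch", "-x", "-LLL", "-H", host, "-b", base, "-s", scope, filt, "1.1"]


def _unfold(text):
    """Join LDIF continuation lines (a leading single space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def dns_from_ldif(text):
    """Extract every dn from ldapsearch output, decoding the 'dn::' base64 form."""
    dns = []
    for line in _unfold(text):
        if line.startswith("dn:: "):
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns


def child_search_argv(step1_output):
    """Step 2: take the single dn found in step 1 and list its direct children (-s one)."""
    found = dns_from_ldif(step1_output)
    if len(found) != 1:
        raise LookupError(f"expected exactly one group entry, got {found}")
    return ldapsearch_argv(found[0], "one", "(objectClass=*)")


# Constructed sample: what `ldapsearch -LLL` prints for step 1 in the asker's DIT.
STEP1_OUTPUT = "dn: ou=scientists,dc=example,dc=com\n\n"

# Constructed sample for step 2: one child dn folded over two lines and one child
# dn in base64 form (ldapsearch uses 'dn::' when the dn is not safe ASCII).
STEP2_OUTPUT = (
    "dn: ou=italians,ou=scientists,dc=exa\n"
    " mple,dc=com\n"
    "\n"
    "dn:: "
    + base64.b64encode("ou=españoles,ou=scientists,dc=example,dc=com".encode()).decode()
    + "\n\n"
)

if __name__ == "__main__":
    print(" ".join(ldapsearch_argv("dc=example,dc=com", "sub", group_filter("Scientists"))))
    print(" ".join(child_search_argv(STEP1_OUTPUT)))
    print(dns_from_ldif(STEP2_OUTPUT))
```

The point of `child_search_argv` refusing anything but exactly one result is that cn is not unique in a directory the way an RDN is: if two groups carry cn=Scientists, silently taking the first one would enumerate the wrong subtree.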

Related

ldapsearch filter with dn

I wanted to search for mentioned entity from the ldapsearch:
ldapsearch -LLL -x -H ldaps://ldapserver -E pr=1000/noprompt -b "O=XXX,C=AN " "(dn=cn=firstName lastName 1231233,ou=employee,o=xxx,c=an)"
I get the output as
# pagedresults: cookie=
But when i search the same entity with its alias name, I am getting the whole object return from the command.
So, why I am not getting the return from the mentioned command.
I wanted to filter on the dn field as already mentioned, using the same dn I got from the alias search. So ideally I should get the result if I used the correct way to filter.
Please let me know if I made any mistake on the filter query.
You can access the entry by its dn using the following (probably what @user207421 suggested):
ldapsearch -LLL -x -H ldaps://ldapserver -b "cn=firstName lastName 1231233,ou=employee,o=xxx,c=an" -s base
The key is to set the searched entry as the base with the appropriate scope, that is base.

Create a wordlist using hashcat?

Hashcat doesn't support the target application I'm trying to crack, but I'm wondering whether the mask function can be 'fed' the list of passwords and parsed through the rockyou rule to generate an effective wordlist for me?
If so, how can this be done as the documentation leaves lots to be desired.. !
Many thanks
I used HashCatRulesEngine:
https://github.com/llamasoft/HashcatRulesEngine
You can chain all the HashCat rules together, it then union selects them, weeds out any duplicates and takes as input your sample password file.
It then generates all possible permutations.
For instance:
echo "password" > foo
./hcre /Users/chris/Downloads/hashcat-4.0.0/rules/Incisive-leetspeak.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/InsidePro-HashManager.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/InsidePro-PasswordsPro.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/T0XlC-insert_00-99_1950-2050_toprules_0_F.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/T0XlC-insert_space_and_special_0_F.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/T0XlC-insert_top_100_passwords_1_G.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/T0XlC.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/T0XlCv1.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/best64.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/combinator.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/d3ad0ne.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/dive.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/generated.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/generated2.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/hybrid \
  /Users/chris/Downloads/hashcat-4.0.0/rules/leetspeak.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/oscommerce.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/rockyou-30000.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/specific.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/toggles1.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/toggles2.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/toggles3.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/toggles4.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/toggles5.rule \
  /Users/chris/Downloads/hashcat-4.0.0/rules/unix-ninja-leetspeak.rule < foo > passwordsx
One password, the word "password", was permutated a total of:
bash-3.2# wc -l passwordsx
227235 passwordsx
bash-3.2#
times, meaning that each word you feed into this generates roughly 227235 possible combinations, giving you full coverage.
You can use hashcat itself as a candidate generator by adding the --stdout switch (then pipe to your file or program of choice). I haven't tried all the possibilities, but it should work with any of the supported hashcat modes.
Here's an example using a ruleset: https://hashcat.net/wiki/doku.php?id=rule_based_attack#debugging_rules
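To see what a rule file actually does to each word before generating a multi-gigabyte list, here is a small interpreter for a subset of hashcat's rule language. It is an added example, not hashcat's own engine and not code from either answer; it covers the common functions found in best64-style files (case changes, reverse, duplicate, append/prepend, position delete/toggle/insert/overwrite, character substitution and purge, truncate) and skips the rest, and the rule lines in SAMPLE_RULES are constructed for the example. hashcat itself is the reference: `hashcat --stdout -r rules/best64.rule words.txt` produces the candidates on stdout.

```python
"""Interpreter for a subset of hashcat rule functions. Added example; hashcat's
own engine (hashcat --stdout -r <rules> <wordlist>) is the reference."""

_POS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # positions/counts: 0-9 then A-Z

# rule function character -> number of argument characters that follow it
_ARITY = {c: 0 for c in ":lucCtrdf[]{}"}
_ARITY.update({c: 1 for c in "$^DT'pzZ@"})
_ARITY.update({c: 2 for c in "sio"})

# argument-free functions
_SIMPLE = {
    ":": lambda w: w, "l": str.lower, "u": str.upper, "t": str.swapcase,
    "c": lambda w: w[:1].upper() + w[1:].lower(),   # capitalise
    "C": lambda w: w[:1].lower() + w[1:].upper(),   # inverse capitalise
    "r": lambda w: w[::-1], "d": lambda w: w + w, "f": lambda w: w + w[::-1],
    "[": lambda w: w[1:], "]": lambda w: w[:-1],    # delete first/last char
    "{": lambda w: w[1:] + w[:1], "}": lambda w: w[-1:] + w[:-1],  # rotate
}


def _pos(ch):
    return _POS.index(ch)   # ValueError for anything outside 0-9A-Z


def tokenize(rule):
    """Split a rule line into (function, args). Functions may be run together
    ('$1$2') or space-separated ('$1 $2'); a space directly after a function
    that takes an argument IS that argument ('$ ' appends a space)."""
    toks, i = [], 0
    while i < len(rule):
        ch = rule[i]
        if ch in " \t":
            i += 1
            continue
        if ch not in _ARITY:
            raise ValueError(f"unsupported rule function {ch!r} in {rule!r}")
        n = _ARITY[ch]
        args = rule[i + 1:i + 1 + n]
        if len(args) < n:
            raise ValueError(f"truncated rule {rule!r}")
        toks.append((ch, args))
        i += 1 + n
    return toks


def _apply(w, op, a):
    """Apply one function; out-of-range positions leave the word unchanged."""
    if op in _SIMPLE:
        return _SIMPLE[op](w)
    if op == "$": return w + a
    if op == "^": return a + w
    if op == "@": return w.replace(a, "")                 # purge all a
    if op == "s": return w.replace(a[0], a[1])            # replace all X with Y
    if op == "p": return w * (_pos(a) + 1)                # duplicate word N times
    if op == "z": return w[:1] * _pos(a) + w              # duplicate first char N times
    if op == "Z": return w + w[-1:] * _pos(a)             # duplicate last char N times
    if op == "'": return w[:_pos(a)]                      # truncate at N
    n = _pos(a[0])
    if op == "D": return w[:n] + w[n + 1:]                 # delete char at N
    if op == "T": return w if n >= len(w) else w[:n] + w[n].swapcase() + w[n + 1:]
    if op == "i": return w[:n] + a[1] + w[n:]              # insert X at N
    if op == "o": return w if n >= len(w) else w[:n] + a[1] + w[n + 1:]  # overwrite
    raise ValueError(op)


def apply_rule(word, rule):
    for op, a in tokenize(rule):
        word = _apply(word, op, a)
    return word


def generate(words, rule_lines, skip_unsupported=True):
    """Every (word, rule) product, de-duplicated, in first-seen order."""
    rules = [r.rstrip("\r\n") for r in rule_lines
             if r.strip() and not r.lstrip().startswith("#")]
    seen, out = set(), []
    for w in words:
        for r in rules:
            try:
                cand = apply_rule(w, r)
            except ValueError:
                if skip_unsupported:
                    continue
                raise
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


# Constructed sample rule file in the style of best64.rule.
SAMPLE_RULES = """\
# constructed sample
:
l
u
c
r
d
$1
$1 $2 $3
c $1
sa@ so0
T0 $!
'5
""".splitlines()

if __name__ == "__main__":
    cands = generate(["password"], SAMPLE_RULES)
    print(len(cands), cands)
```

De-duplication is the part that matters for throughput: chaining many rule files, as the first answer does, produces the same candidate many times over (`l` and `:` on a lowercase word, for instance), and feeding the duplicates to a slow hash costs real time.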

ldap_add: Object class violation (65) when adding posixGroup

I am trying to move some posixGroup definitions from one LDAP server to a new one using
ldapadd -x -v -W -D cn=ldapAdmin,dc=ibk,dc=local -f groups_ldap_20151028.ldif
This produces the following error:
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
add objectClass:
posixGroup
sambaGroupMapping
add cn:
users
add displayName:
users
add sambaGroupType:
2
add sambaSID:
S-1-5-21-4027309494-1722177077-478768286-513
add gidNumber:
100
adding new entry "cn=users,ou=groups,dc=ibk,dc=local"
ldap_add: Object class violation (65)
additional info: no structural object class provided
I do not understand what happens here, so please give me a hint. As I found, 'posixGroup' is a structural object class, sambaGroupMapping is not. Adding 'top' as an objectClass did not help. All necessary attributes are set and the old setup worked. Importing users the same way also worked well. Both LDAP versions are the same.
EDIT: The primary problem was the wrong schema, which had posixGroup as a structural class. The modern one uses the configuration in the description below. The rest was a mess of duplicate names and whitespace in the LDIF file. Thank you!
Try adding group, groupOfNames or groupOfUniqueNames (depends on the LDAP implementation) as an additional objectClass. posixGroup is typically an AUXILIARY class:
'posixGroup' SUP top AUXILIARY DESC 'Abstraction of a group of accounts' MUST gidNumber MAY ( authPassword $ userPassword $ memberUid $ description ) X-ORIGIN 'draft-howard-rfc2307bis' )
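A pre-flight check that reproduces the server's complaint offline, so a migration LDIF can be linted against the target schema before anything is sent. This is an added example, not the asker's or answerer's code: the SCHEMA table is a constructed excerpt with abbreviated MUST lists, modelling the rfc2307bis case from the answer (posixGroup AUXILIARY), and SCHEMA_NIS models the old server where nis.schema makes posixGroup STRUCTURAL, which is exactly why the same entry loaded there. The member value in FIXED_LDIF is a placeholder.

```python
"""Pre-flight check for 'ldap_add: Object class violation (65) ... no structural
object class provided'. Added example; the schema tables are constructed excerpts."""

# rfc2307bis-style schema, as described in the answer above (MUST lists abbreviated).
SCHEMA = {
    "top":                {"kind": "ABSTRACT",   "must": {"objectClass"}},
    "groupOfNames":       {"kind": "STRUCTURAL", "must": {"cn", "member"}},
    "groupOfUniqueNames": {"kind": "STRUCTURAL", "must": {"cn", "uniqueMember"}},
    "posixGroup":         {"kind": "AUXILIARY",  "must": {"gidNumber"}},
    "sambaGroupMapping":  {"kind": "AUXILIARY",  "must": {"gidNumber", "sambaSID", "sambaGroupType"}},
}
# Classic nis.schema: posixGroup is STRUCTURAL and requires cn as well.
SCHEMA_NIS = {**SCHEMA, "posixGroup": {"kind": "STRUCTURAL", "must": {"cn", "gidNumber"}}}


def parse_entry(ldif_text):
    """Parse one plain LDIF entry into {attribute_lowercase: [values]}.
    Handles 'attr: value' lines only (no '::' base64 or folded lines)."""
    attrs = {}
    for raw in ldif_text.splitlines():
        line = raw.rstrip("\r")                     # tolerate CRLF from Windows editors
        if not line.strip() or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an attribute line: {line!r}")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def check_entry(attrs, schema=SCHEMA):
    """Return the object class violations the server would report ([] if none)."""
    problems = []
    by_lower = {name.lower(): name for name in schema}
    used = []                                        # (canonical name, definition)
    for oc in attrs.get("objectclass", []):
        if oc.lower() not in by_lower:
            problems.append(f"unknown objectClass {oc}")
        else:
            name = by_lower[oc.lower()]
            used.append((name, schema[name]))
    structural = [name for name, d in used if d["kind"] == "STRUCTURAL"]
    if not structural:
        problems.append("no structural object class provided")
    elif len(structural) > 1:
        # two unrelated structural classes are rejected too; this table has no
        # SUP chain, so any pair is treated as unrelated
        problems.append(f"more than one structural object class ({', '.join(structural)})")
    required = set().union(*(d["must"] for _, d in used)) if used else set()
    for attr in sorted(required, key=str.lower):
        if attr.lower() not in attrs:
            problems.append(f"missing required attribute {attr}")
    return problems


# The entry from the question, as the LDIF that produced the error.
BROKEN_LDIF = """\
dn: cn=users,ou=groups,dc=ibk,dc=local
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: users
displayName: users
sambaGroupType: 2
sambaSID: S-1-5-21-4027309494-1722177077-478768286-513
gidNumber: 100
"""
# Same entry with a structural class added; groupOfNames MUST carry a member,
# so a placeholder member DN is included (constructed).
FIXED_LDIF = BROKEN_LDIF + "objectClass: groupOfNames\nmember: cn=ldapAdmin,dc=ibk,dc=local\n"

if __name__ == "__main__":
    for label, ldif in (("broken", BROKEN_LDIF), ("fixed", FIXED_LDIF)):
        print(label, "rfc2307bis:", check_entry(parse_entry(ldif), SCHEMA))
        print(label, "nis:       ", check_entry(parse_entry(ldif), SCHEMA_NIS))
```

Running it shows the asymmetry the EDIT in the question describes: the original entry passes under SCHEMA_NIS and fails under SCHEMA, while the "fixed" entry with groupOfNames added fails under SCHEMA_NIS instead, because it now has two structural classes. The LDIF has to match the schema the destination server actually loads.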

LDIF file error?? Invalid Format?

I am currently working with LDAP on a UNIX server. My main purpose right now is to modify two entries in the directory with ldapmodify from the command line. The command is as follows:
ldapmodify -a -D 'cn=ldap,dc=cs,dc=ttu,dc=edu' \
-w *password* -H *server address* -f Documents/user.ldif
user.ldif file is as follows:
dn: cn=*username*,cn=Users,dc=ttu,dc=edu
changetype: modify
replace: displayName
displayName: abc
-
replace: loginShell
loginShell: /bin/tc
-
I get the following error when i try to run it:
ldapmodify: invalid format (line 5) entry: "cn=*username*,cn=Users,dc=ttu,dc=edu"
I checked the "dn" and it is correct. Why am I getting this error then?
I have a similar problem. In my case, my dn was correct, but it says "invalid format (line 16) ..." .
This is how I solved this:
The error msg can be misleading, because the dn is indeed correct. But line number "(line 5)" is an accurate pointer to the problem. In your case, I think the dash '-' is causing the problem. Try to remove the dashes and it may work!
Is cn the RDN of the entry?
One can have an entry in the directory sn=john,ou=Users,.....
sn: john
cn: doe
displayName: johnny
the RDN is the attribute used as the reference; in this case
dn: cn=doe,....
would be wrong, no matter that the entry has an attribute with the specified value.
In the example you provided, the DN is the first line, and the error is about the 5th line.
Assuming you put it in some batch, maybe SOME entry has a special character in its CN?
And "Users" is usually an "ou" or "dc" or something, even if the container has a "cn" attribute with "Users" as one of its cn values. Are entries separated by empty lines? Didn't you put a minus sign after the last modification of the previous entry above, instead of one (or more) newline(s)?
Oh, and when putting ldif with many entries ( changes ), it's wise to try it with "-n". And (actually for some reason I don't remember) I personally prefer to pipe ldif instead of "-f"
cat user.ldif | ldapmodify ...opts...
?
PS. haha :) try to remove "-a", it actually turns ldapmodify into ldapadd :) And add "-x" if you want to use "simple" auth (with -w password).
It must be a character-encoding problem with the dash (-).
I met the same problem before because I edited the file on Windows and used it on CentOS in VirtualBox.
Then I made a new file in CentOS using touch and edited it using vi, and it works.
I've run into the same issue. In my case, I had an extra space after the dash (-) character separating the changes.
For example, note the space after the dash on line 5:
$ cat -A sample.ldif
dn: uid=noelp,ou=People,dc=example,dc=co,dc=us$
changetype: modify$
replace: employeeType$
employeeType: fulltime$
- $
replace: title$
title: Sr IT Analyst$
-$
replace: employeeNumber$
employeeNumber: 1299$
The same issue can happen with a blank line with a space after it.
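The faults named across the answers above (a Windows CRLF file, a space after the `-` separator, a "blank" line that is really whitespace) are all invisible in an editor and all produce the same `invalid format (line N)` message, so a linter that reports them by line number is worth keeping next to ldapmodify. This is an added example, not from the thread; BAD_LDIF is the file from the `cat -A` listing above, reconstructed with the space on line 5, and CRLF_LDIF is the same file as a Windows editor would save it. `normalize_ldif` repairs only line endings and separator lines, because trailing spaces inside an attribute value may be intentional and should not be silently stripped.

```python
"""Lint a change-record LDIF for the formatting faults behind
'ldapmodify: invalid format (line N)'. Added example, not from the thread."""
import re

# attribute line: name, then ':' (plain), '::' (base64) or ':<' (URL), then the value
_ATTR_LINE = re.compile(r"^[A-Za-z][A-Za-z0-9.;-]*(::?|:<)")


def lint_ldif(text):
    """Return [(line_number, message)] for every suspicious line, [] if clean.
    Line numbers are 1-based, matching what ldapmodify reports."""
    findings = []
    for n, raw in enumerate(text.split("\n"), start=1):
        if raw.endswith("\r"):
            findings.append((n, "CRLF line ending (file edited on Windows?)"))
            raw = raw[:-1]
        if raw == "":
            continue                                   # record separator
        if raw.strip() == "":
            findings.append((n, "whitespace-only line; a separator must be empty"))
            continue
        if raw[0] in "# ":
            continue                                   # comment or folded continuation
        if raw.startswith("-"):
            if raw != "-":
                findings.append((n, "change separator must be exactly '-'"))
            continue
        if not _ATTR_LINE.match(raw):
            findings.append((n, "not an attribute line, '-', comment, blank or continuation"))
    return findings


def normalize_ldif(text):
    """Strip CR and fix separator lines; attribute values are left untouched."""
    fixed = []
    for raw in text.split("\n"):
        line = raw[:-1] if raw.endswith("\r") else raw
        if line.strip() in ("", "-"):
            line = line.strip()
        fixed.append(line)
    return "\n".join(fixed)


# Constructed sample: the file from the `cat -A` listing above, with the space
# after the '-' on line 5 that showed up as "- $".
BAD_LDIF = (
    "dn: uid=noelp,ou=People,dc=example,dc=co,dc=us\n"
    "changetype: modify\n"
    "replace: employeeType\n"
    "employeeType: fulltime\n"
    "- \n"
    "replace: title\n"
    "title: Sr IT Analyst\n"
    "-\n"
    "replace: employeeNumber\n"
    "employeeNumber: 1299\n"
)
# The same content saved by a Windows editor: every line ends in CR LF.
CRLF_LDIF = BAD_LDIF.replace("\n", "\r\n")

if __name__ == "__main__":
    for name, sample in (("bad", BAD_LDIF), ("crlf", CRLF_LDIF)):
        for line_no, msg in lint_ldif(sample):
            print(f"{name}: line {line_no}: {msg}")
    print("after normalize:", lint_ldif(normalize_ldif(CRLF_LDIF)))
```

Pair it with the `-n` dry run the earlier answer recommends: the linter catches the byte-level faults, `ldapmodify -n` catches everything the server would reject for schema or DN reasons.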

How to define an auto-increment number for LDAP structure?

I have one attribute (groupIDNumber), I want to make it work as auto-increment number?
How can we define that attr?
Thanks for your help,
-nm
This blog suggests that you can achieve the equivalent by creating a new object that is sort of a sequence. A working implementation in OpenLDAP is reported here. The object is defined as follows (note: not my code, just reproducing what was reported):
----------------------------------------------
objectClass ( 1.3.6.1.4.1.4203.666.599
NAME 'uidNext'
SUP top STRUCTURAL
MUST ( cn $ uidNumber ) )
----------------------------------------------
LDIF entries are then written as:
--- increment.ldif -------------------------------
dn: cn=uidNext,dc=example,dc=com
changetype: modify
increment: uidNumber
uidNumber: 1
-
---- EOF ------------------------------------------
And called with:
$ ldapmodify -x -D "cn=Admin,dc=example,dc=com" -wsecret -f ./increment.ldif
This is not part of the LDAP protocol, nor is it a standard thing to do. It is something you would normally do in your client-side logic. However, depending on which LDAP server you are using, it may be possible to achieve using a plugin or extension.
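What "client-side logic" has to get right is atomicity: two clients that each read the counter and then write back "value + 1" can both be handed the same gidNumber, and in a directory that number is what file ownership and group membership are keyed on. The example below is added here and is not from the thread or any LDAP server; it uses an in-memory stand-in whose `modify` applies a whole change list atomically or not at all, the way a single LDAP ModifyRequest does, and contrasts a naive read-then-replace allocator with a compare-and-swap allocator that deletes the exact value it read and adds the successor in one request. The sleep calls only widen the race window so it shows up reliably in a demo.

```python
"""Naive read-then-replace versus compare-and-swap allocation of a counter
entry. Added example with an in-memory stand-in for the directory."""
import threading
import time


class ModifyError(Exception):
    """Stands in for an LDAP result code such as noSuchAttribute (16)."""


class FakeDirectory:
    """One counter entry. Every modify request is applied as a whole, as a
    server applies the change list of one ModifyRequest: either every change
    succeeds and is committed, or none is."""

    def __init__(self, start):
        self._lock = threading.Lock()
        self._entry = {"uidNumber": [str(start)]}

    def read(self, attr="uidNumber"):
        with self._lock:
            return list(self._entry[attr])

    def modify(self, changes):
        with self._lock:
            work = {k: list(v) for k, v in self._entry.items()}
            for op, attr, value in changes:
                vals = work.setdefault(attr, [])
                if op == "delete":
                    if value not in vals:
                        raise ModifyError("noSuchAttribute (16)")   # someone changed it first
                    vals.remove(value)
                elif op == "add":
                    if value in vals:
                        raise ModifyError("attributeOrValueExists (20)")
                    vals.append(value)
                elif op == "replace":
                    work[attr] = [value]
                else:
                    raise ValueError(op)
            self._entry = work                  # commit only after every change applied


def naive_alloc(d):
    """Read the counter, then replace it: two requests, nothing ties them together."""
    cur = int(d.read()[0])
    time.sleep(0.001)                           # widen the window another client can fall into
    d.modify([("replace", "uidNumber", str(cur + 1))])
    return cur


def cas_alloc(d, retries=1000):
    """Delete the value we read and add the successor in ONE modify. If another
    client got there first the delete fails and we retry with a fresh read."""
    for _ in range(retries):
        cur = int(d.read()[0])
        time.sleep(0.001)
        try:
            d.modify([("delete", "uidNumber", str(cur)),
                      ("add", "uidNumber", str(cur + 1))])
            return cur
        except ModifyError:
            continue
    raise RuntimeError("gave up after too many contended attempts")


def run_concurrent(alloc, directory, n):
    """Run n clients in parallel and return the id each one believes it owns."""
    results, lock = [], threading.Lock()

    def worker():
        value = alloc(directory)
        with lock:
            results.append(value)

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results


if __name__ == "__main__":
    naive = run_concurrent(naive_alloc, FakeDirectory(1000), 20)
    cas = run_concurrent(cas_alloc, FakeDirectory(1000), 20)
    print("naive: %d clients, %d distinct ids" % (len(naive), len(set(naive))))
    print("cas:   %d clients, %d distinct ids" % (len(cas), len(set(cas))))
```

Against a real server the CAS request is a single ldapmodify change record with a `delete: uidNumber` of the value just read, a `-`, and an `add: uidNumber` of the successor; a noSuchAttribute result means another client won and the read must be repeated. Where the server supports them, the LDAP Modify-Increment extension (RFC 4525, the `increment:` change type used in the answer above) together with the post-read control (RFC 4527) lets the server do the increment and return the new value in one round trip.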