I've configured an ldap app in G Suite and I've downloaded the cert & key. I'm trying to query it via ldapsearch:
LDAPTLS_CERT="Google_cert.crt" \
LDAPTLS_KEY="Google_cert.key" \
ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXX,dc=XXX -x '(mail=first.last#XXXXX.XXX)'
The response I get is this:
# extended LDIF
#
# LDAPv3
# base <dc=XXXXX,dc=XXX> with scope subtree
# filter: (mail=first.last#XXXXX.XXX)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
I'm not sure how to interpret the response. Did it execute the search and find nothing? What do the search, result, and numResponses mean?
I would expect more information, as I'm searching for myself, so I know I'm in there. Is my query messed up?
EDIT
Based on the comments, I changed my query to *:
LDAPTLS_CERT="Google_cert.crt" \
LDAPTLS_KEY="Google_cert.key" \
ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXX,dc=XXX -x '*'
and got this:
# extended LDIF
#
# LDAPv3
# base <dc=XXXXX,dc=XXX> with scope subtree
# filter: (objectclass=*)
# requesting: *
#
# XXXXX.XXX
dn: dc=XXXXX,dc=XXX
objectClass: top
objectClass: domain
objectClass: dcObject
dc: XXXXX
# Groups, XXXXX.XXX
dn: ou=Groups,dc=XXXXX,dc=XXX
objectClass: top
objectClass: organizationalUnit
ou: Groups
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Does this mean the only next level container is Groups and that next I need to search down in that ou?
I'm on a Mac, and ldapsearch on Mac is different. Instead of using LDAPTLS_CERT & LDAPTLS_KEY, I had to convert the certificate and key files to one PKCS12 formatted file and import them into my MacBook's keychain, then use the LDAPTLS_IDENTITY environment variable with the ldapsearch command. This page Connect LDAP clients to the Secure LDAP service has specific instructions for using ldapsearch on MacOS.
After that, this is the command that found my user:
LDAPTLS_IDENTITY="LDAP Client" ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXX,dc=XXX '(uid=first.last)'
Hope this saves somebody else some time.
Related
My ldap.conf looks like: (server and client on the same machine)
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
BASE dc=hdlldaptest,dc=net
URI ldap://localhost
Results of ldapsearch -x:
# extended LDIF
#
# LDAPv3
# base <dc=hdlldaptest,dc=net> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# hdlldaptest.net
dn: dc=hdlldaptest,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: qatest
dc: hdlldaptest
# admin, hdlldaptest.net
dn: cn=admin,dc=hdlldaptest,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
I try to add a user using this file: qa_test.ldif
dn: uid=qa_test,ou=users,dc=hdlldaptest,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: qa_test
uid: qa_test
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/qa_test
loginShell: /bin/bash
gecos: qa_test
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
Then I run
# ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f qa_test.ldif
Enter LDAP Password:
I don't know what password I am supposed to use, I tried leaving as is and entering x. Adding a real password, but every time I run, I get invalid credentials. I thought that you add the password after the user was created.
The -D option is used for binding (which account is used to perform the operation), so you need to provide a DN corresponding to a user with sufficient permissions to achieve the ldapadd.
Usually that kind of operations are performed by the LDAP admin/manager, probably cn=admin,dc=hdlldaptest,dc=net in your case.
If your directory supports it, you can also bind using SASL mechanism, for example 'EXTERNAL' (usually TLS or Unix IPC) :
ldapadd -Y EXTERNAL -H ldapi:/// -f qa_test.ldif
Thanks for reading
Here's an screenshot of my ldap
This command:
docker exec ldap-service ldapsearch -v -x -H ldap://localhost:389 -b dc=everteam,dc=us -D "cn=admin,dc=everteam,dc=us" -w everteam cn=estebanf
... return the result I'm looking for:
ldap_initialize( ldap://localhost:389/??base )
filter: cn=estebanf
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=everteam,dc=us> with scope subtree
# filter: cn=estebanf
# requesting: ALL
#
# estebanf, People, everteam.us
dn: cn=estebanf,ou=People,dc=everteam,dc=us
cn: estebanf
displayName: Esteban J Felipe M
mail: e.felipe#everteam.com
givenName: Esteban Felipe
sn: Esteban Felipe
userPassword:: e01ENX00UXJjT1VtNldhdStWdUJYOGcrSVBnPT0=
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
ou: People
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
But this command:
docker exec ldap-service ldapsearch -v -x -H ldap://localhost:389 -b dc=everteam,dc=us -D "cn=admin,dc=everteam,dc=us" -w everteam cn=estebanf,ou=People,dc=everteam,dc=us
.. doesn't. The difference is that I'm using the full dn
# extended LDIF
#
# LDAPv3
# base <dc=everteam,dc=us> with scope subtree
# filter: cn=estebanf,ou=People,dc=everteam,dc=us
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
ldap_initialize( ldap://localhost:389/??base )
filter: cn=estebanf,ou=People,dc=everteam,dc=us
requesting: All userApplication attributes
Any suggestion on how to make the search with the full dn work?. The software I'm trying to integrate with openldap will issue a search with full DN and I have no way to change that.
Thanks!
Try something like:
ldapsearch -v -x -H ldap://localhost:389 -b cn=estebanf,ou=People,dc=everteam,dc=us -D "cn=admin,dc=everteam,dc=us" -w everteam --searchScope base "(objectclass=*)" '*'
Which performs a search at the individual user entry requesting all attributes.
-jim
I'm trying to understand how ldap work. I tried to list the olcAccess of ldap with this command
$ ldapsearch -x -b 'cn=config' "objectclass=*" -s sub
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: objectclass=*
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
I also tried with the admin user (ldapsearch -x -W -D 'cn=admin,dc=example,dc=com' -s sub -b 'cn=config' 'objectclass=*'). Same output as above.
But with slapcat -b 'cn=config', I get everything.
Why ?
I believe it is not posible to do this with simple authentication.
You have to use the EXTERNAL mechanism for operations against the config DIT of the local ldap server:
sudo ldapsearch -LLLY EXTERNAL -H ldapi:/// -b cn=config
I have ran into problem using memberOf filter in my ldapsearch query. The customer is using `OpenLDAP.
I have a group of users with 3 members
When I query for users using ldapsearch:
ldapsearch -h hostname -p 393 -x -z 3 -b "o=XY,dc=group,dc=com,dc=xyz,dc=cz" "(&(objectClass=person))" 1.1
I get results containing also user XYZ.
# extended LDIF
#
# LDAPv3
# base <o=XYZ,dc=group,dc=com,dc=xyz,dc=cz> with scope subtree
# filter: (&(objectClass=person))
# requesting: 1.1
#
# XYZ, People, XY, xyz.com
dn: cn=XYZ,ou=People,o=XY,dc=group,dc=com,dc=xyz,dc=cz
...
# search result
search: 2
result: 4 Size limit exceeded
# numResponses: 4
# numEntries: 3
But when I use the filter:
ldapsearch -h hostname -p 393 -x -z 3 -b "o=XY,dc=group,dc=com,dc=xyz,dc=cz" "(&(objectClass=person)(memberOf=cn=X,ou=BusinessRoles,ou=AccessControl,o=XYZ,dc=group,dc=com,dc=xyz,dc=cz))"
I get no results.
Did I make any mistake in the query? Is the memberOf syntax OK?
Check with your admin to make sure that memberOf is enabled on the OpenLDAP server
Check with your admin that anonymous access is allowed to this attribute
I created a local ldap server with Apache Directory Studio. A user entry is created with the uid "djiao1" and password "123456" (SHA hashed password).
I was able to search the user with the following ldapsearch command:
ldapsearch -H ldap://localhost:10389 -x uid=djiao1
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: uid=djiao1
# requesting: ALL
#
# djiao, Users, example.com
dn: cn=djiao,ou=Users,dc=example,dc=com
sn: jiao
cn: djiao
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
userPassword:: e3NoYX1mRXFOQ2NvM1lxOWg1WlVnbEQzQ1pKVDRsQnM9
uid: djiao1
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
However if I run with -W to prompt password and type in "123456" I get "invalid credentials" error:
ldapsearch -H ldap://localhost:10389 -W -x uid=djiao1
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: INVALID_CREDENTIALS: Bind failed: Invalid authentication
I tried the very long string shown as the userPassword e3NoYX1mRXFOQ2NvM1lxOWg1WlVnbEQzQ1pKVDRsQnM9 and still got the same error.
The below screenshot the verification is successful with password 123456 for the user. Why doesn't the password work?
I suppose your problem that you not use login, but use password,
try something like this:
ldapsearch -x -LLL -H ldap://localhost:10389/ -b dc=example,dc=com -D "cn=djiao,ou=Users,dc=example,dc=com" -w 123456 uid=djiao1
the key moment here full dn of user which password you use:
cn=djiao,ou=Users,dc=example,dc=com