Thanks for reading
Here's an screenshot of my ldap
This command:
docker exec ldap-service ldapsearch -v -x -H ldap://localhost:389 -b dc=everteam,dc=us -D "cn=admin,dc=everteam,dc=us" -w everteam cn=estebanf
... return the result I'm looking for:
ldap_initialize( ldap://localhost:389/??base )
filter: cn=estebanf
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=everteam,dc=us> with scope subtree
# filter: cn=estebanf
# requesting: ALL
#
# estebanf, People, everteam.us
dn: cn=estebanf,ou=People,dc=everteam,dc=us
cn: estebanf
displayName: Esteban J Felipe M
mail: e.felipe#everteam.com
givenName: Esteban Felipe
sn: Esteban Felipe
userPassword:: e01ENX00UXJjT1VtNldhdStWdUJYOGcrSVBnPT0=
objectClass: inetOrgPerson
objectClass: top
objectClass: organizationalPerson
objectClass: person
ou: People
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
But this command:
docker exec ldap-service ldapsearch -v -x -H ldap://localhost:389 -b dc=everteam,dc=us -D "cn=admin,dc=everteam,dc=us" -w everteam cn=estebanf,ou=People,dc=everteam,dc=us
.. doesn't. The difference is that I'm using the full dn
# extended LDIF
#
# LDAPv3
# base <dc=everteam,dc=us> with scope subtree
# filter: cn=estebanf,ou=People,dc=everteam,dc=us
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
ldap_initialize( ldap://localhost:389/??base )
filter: cn=estebanf,ou=People,dc=everteam,dc=us
requesting: All userApplication attributes
Any suggestion on how to make the search with the full dn work?. The software I'm trying to integrate with openldap will issue a search with full DN and I have no way to change that.
Thanks!
Try something like:
ldapsearch -v -x -H ldap://localhost:389 -b cn=estebanf,ou=People,dc=everteam,dc=us -D "cn=admin,dc=everteam,dc=us" -w everteam --searchScope base "(objectclass=*)" '*'
Which performs a search at the individual user entry requesting all attributes.
-jim
Related
My ldap.conf looks like: (server and client on the same machine)
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
BASE dc=hdlldaptest,dc=net
URI ldap://localhost
Results of ldapsearch -x:
# extended LDIF
#
# LDAPv3
# base <dc=hdlldaptest,dc=net> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# hdlldaptest.net
dn: dc=hdlldaptest,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: qatest
dc: hdlldaptest
# admin, hdlldaptest.net
dn: cn=admin,dc=hdlldaptest,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
I try to add a user using this file: qa_test.ldif
dn: uid=qa_test,ou=users,dc=hdlldaptest,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: qa_test
uid: qa_test
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/qa_test
loginShell: /bin/bash
gecos: qa_test
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
Then I run
# ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f qa_test.ldif
Enter LDAP Password:
I don't know what password I am supposed to use, I tried leaving as is and entering x. Adding a real password, but every time I run, I get invalid credentials. I thought that you add the password after the user was created.
The -D option is used for binding (which account is used to perform the operation), so you need to provide a DN corresponding to a user with sufficient permissions to achieve the ldapadd.
Usually that kind of operations are performed by the LDAP admin/manager, probably cn=admin,dc=hdlldaptest,dc=net in your case.
If your directory supports it, you can also bind using SASL mechanism, for example 'EXTERNAL' (usually TLS or Unix IPC) :
ldapadd -Y EXTERNAL -H ldapi:/// -f qa_test.ldif
I've configured an ldap app in G Suite and I've downloaded the cert & key. I'm trying to query it via ldapsearch:
LDAPTLS_CERT="Google_cert.crt" \
LDAPTLS_KEY="Google_cert.key" \
ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXX,dc=XXX -x '(mail=first.last#XXXXX.XXX)'
The response I get is this:
# extended LDIF
#
# LDAPv3
# base <dc=XXXXX,dc=XXX> with scope subtree
# filter: (mail=first.last#XXXXX.XXX)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
I'm not sure how to interpret the response. Did it execute the search and find nothing? What do the search, result, and numResponses mean?
I would expect more information, as I'm searching for myself, so I know I'm in there. Is my query messed up?
EDIT
Based on the comments, I changed my query to *:
LDAPTLS_CERT="Google_cert.crt" \
LDAPTLS_KEY="Google_cert.key" \
ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXX,dc=XXX -x '*'
and got this:
# extended LDIF
#
# LDAPv3
# base <dc=XXXXX,dc=XXX> with scope subtree
# filter: (objectclass=*)
# requesting: *
#
# XXXXX.XXX
dn: dc=XXXXX,dc=XXX
objectClass: top
objectClass: domain
objectClass: dcObject
dc: XXXXX
# Groups, XXXXX.XXX
dn: ou=Groups,dc=XXXXX,dc=XXX
objectClass: top
objectClass: organizationalUnit
ou: Groups
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Does this mean the only next level container is Groups and that next I need to search down in that ou?
I'm on a Mac, and ldapsearch on Mac is different. Instead of using LDAPTLS_CERT & LDAPTLS_KEY, I had to convert the certificate and key files to one PKCS12 formatted file and import them into my MacBook's keychain, then use the LDAPTLS_IDENTITY environment variable with the ldapsearch command. This page Connect LDAP clients to the Secure LDAP service has specific instructions for using ldapsearch on MacOS.
After that, this is the command that found my user:
LDAPTLS_IDENTITY="LDAP Client" ldapsearch -H ldaps://ldap.google.com:636 -b dc=XXXXX,dc=XXX '(uid=first.last)'
Hope this saves somebody else some time.
I recently installed openldap on RHEL 7. Service is running and slaptest is find too. But when I try to connect using Apache Directory Studio, it fails.
[root#openldap.redhat ~]$ netstat -tulpn | grep slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 2631/slapd
tcp6 0 0 :::389 :::* LISTEN 2631/slapd
[root#openldap.redhat ~]$ slaptest -u
config file testing succeeded
[root#openldap.redhat ~]$ ps -eaf | grep ldap
ldap 2631 1 0 00:04 ? 00:00:00 slapd -u ldap -h ldapi:/// ldap:/// -F /etc/openldap/slapd.d
root 2676 2595 0 00:07 pts/0 00:00:00 grep --color=auto ldap
Authentication with directory manager is also successful
[root#openldap.redhat ~]$ ldapsearch -x -D "cn=Manager,dc=maxcrc,dc=com" -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=maxcrc,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# maxcrc.com
dn: dc=maxcrc,dc=com
objectClass: top
objectClass: domain
dc: maxcrc
# People, maxcrc.com
dn: ou=People,dc=maxcrc,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
# Group, maxcrc.com
dn: ou=Group,dc=maxcrc,dc=com
ou: Group
objectClass: top
objectClass: organizationalUnit
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
Server is pingable from my machine
But, when i try same from Apache Dir Studio, it fails. What could be an issue?
I created a local ldap server with Apache Directory Studio. A user entry is created with the uid "djiao1" and password "123456" (SHA hashed password).
I was able to search the user with the following ldapsearch command:
ldapsearch -H ldap://localhost:10389 -x uid=djiao1
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: uid=djiao1
# requesting: ALL
#
# djiao, Users, example.com
dn: cn=djiao,ou=Users,dc=example,dc=com
sn: jiao
cn: djiao
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
userPassword:: e3NoYX1mRXFOQ2NvM1lxOWg1WlVnbEQzQ1pKVDRsQnM9
uid: djiao1
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
However if I run with -W to prompt password and type in "123456" I get "invalid credentials" error:
ldapsearch -H ldap://localhost:10389 -W -x uid=djiao1
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
additional info: INVALID_CREDENTIALS: Bind failed: Invalid authentication
I tried the very long string shown as the userPassword e3NoYX1mRXFOQ2NvM1lxOWg1WlVnbEQzQ1pKVDRsQnM9 and still got the same error.
The below screenshot the verification is successful with password 123456 for the user. Why doesn't the password work?
I suppose your problem that you not use login, but use password,
try something like this:
ldapsearch -x -LLL -H ldap://localhost:10389/ -b dc=example,dc=com -D "cn=djiao,ou=Users,dc=example,dc=com" -w 123456 uid=djiao1
the key moment here full dn of user which password you use:
cn=djiao,ou=Users,dc=example,dc=com
I start my test openldap server on RedHat enterprise linux 6.5. I configured it properly I think. I add my base.ldif file which looks like that:
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootObject
dn: ou=People,dc=exapmle,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
Using command:
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
I got an output:
[root#melita-bladekp ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=exapmle,dc=com"
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
But i tried second time and I receive:
[root#melita-bladekp ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
ldap_add: Already exists (68)
So it looks okay for me, next I tried to add an user:
dn: uid=ldapuser100,ou=People,dc=example,dc=com
uid: ldapuser100
cn: ldapuser100
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$E/tH1oRF$9.Km8Xs/wDIFgWgTT.domcw0PJGUZqK7mqdFPaNru2il5LMgsxaowq5bvjulQLR8CqSq.Pw.brZU77fzviQPG.
shadowLastChange: 16460
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1400
gidNumber: 1400
homeDirectory: /exports/ldapuser100
Using command:
[root#melita-bladekp ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ldapuser100.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser100,ou=People,dc=example,dc=com"
ldap_add: No such object (32)
matched DN: dc=example,dc=com
And I receive that DN didn't exists. I think there is problem with that base file, do you have any idea what I can do to fix it?
My conf files(I think that the conf files are ok):
/etc/openldap/ldap.conf
BASE dc=example,dc=com
URI ldap://localhost
TLS_REQCERT never
/etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs/ldap.crt
TLSCertificateFile /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.key
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=example,dc=com" read
by * none
database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}MdddSPNLtlsVia4T534qLL6LWLRy2lBB
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
It looks like you have a typo in the dn of your LDIF
dn: ou=People,**dc=exapmle**,dc=com
If you change exapmle to example and re-run the LDIF with continue on error you should get the example entry and then you will be able to add your user afterwards.