LPIC2 Exam Guide
LPIC2 Exam Guide
LPIC2 Exam Guide
LPIC2 Exam Guide
Introduction
200.1. Measure and Troubleshoot Resource Usage
200.2. Predict Future Resource Needs
201.1. Kernel Components
201.2. Compiling a kernel
201.3. Kernel runtime management and troubleshooting
202.1. Customizing SysV-init system startup
202.2. System Recovery
202.3. Alternate Bootloaders
203.1. Operating the Linux filesystem
203.2. Maintaining a Linux filesystem
203.3. Creating and configuring filesystem options
204.1. Configuring RAID
204.2. Adjusting Storage Device Access
204.3. Logical Volume Manager
205.1. Basic networking configuration
205.2. Advanced Network Configuration and Troubleshooting
205.3 Troubleshooting Network Issues
206.1. Make and install programs from source
206.2. Backup operations
206.3. Notify users on system-related issues
207.1. Basic DNS server configuration
207.2. Create and maintain DNS zones
207.3. Securing a DNS server
208.1. Implementing a web server
208.2. Apache configuration for HTTPS
208.3. Implementing a proxy server
208.4. Implementing Nginx as a web server and a reverse proxy
209.1. SAMBA Server Configuration
209.2. NFS Server Configuration
210.1. DHCP configuration
210.2. PAM authentication
210.3. LDAP client usage
210.4. Configuring an OpenLDAP server
211.1. Using e-mail servers
211.2. Managing E-Mail Delivery
211.3. Managing Remote E-Mail Delivery Weight: 2
212.1. Configuring a router
212.2. Securing FTP servers
212.3 Secure shell (SSH)
212.4. Security tasks
212.5. OpenVPN
Powered by GitBook

210.3. LDAP client usage

Weight: 2

Description: Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.

Key Knowledge Areas:

  • LDAP utilities for data management and queries

  • Change user passwords

  • Querying the LDAP directory

Terms and Utilities:

  • ldapsearch

  • ldappasswd

  • ldapadd

  • ldapdelete

This course is about LDAP Client utilities and their usage. Obviously we need and OpenLDAP server up and running inorder to perform queries and do modifcations.

We recommend you to study 210.4 course before start reading this course :-o

note:LDAP client utilities usage might be different based on OpenLDAP server versions. To get the best results and covering LPIC2 exam objectives, we have used OpenLDAP v2.3.x on CentOS 5 in this course.

ldapsearch

ldapsearch opens a connection to an LDAP server, binds, and performs a search using specified parameters. By default ldapsearch query local host computer for LDAP server but its is possible to run it from a remote client using -h option and specifying the server.

Now that some LDAP configuration has been added, lets check the results using ldapsearch command:

[[email protected] openldap]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#
​
#
dn:
namingContexts: dc=example,dc=com
​
# search result
search: 2
result: 0 Success
​
# numResponses: 2
# numEntries: 1

ldapadd

The ldapadd command is an LDAP add-entry tool. Here we use ldapadd command which takes our ldif file definations and add it to our configuration:

Create OU inorder to give structure to our Directory Server, again we need to required ldif file:

[[email protected] openldap]# vi myou.ldif
[[email protected] openldap]# cat myou.ldif 
dn: ou=managers,dc=example,dc=com
ou: managers
description : Managers in the company
objectclass: organizationalunit

and lets run ldapadd commands :

[[email protected] openldap]# ldapadd -x -D "cn=ldapadm,dc=example,dc=com" -W -f myou.ldif
Enter LDAP Password: 
adding new entry "ou=managers,dc=example,dc=com"

-x means use simple authentication,-Dsays that the admin account is setup here to adding things to our configuration, -W Prompt for simple authentication (This is used instead of specifying the password on the command line).-f specify ldif file.

Use slapcat command to see the results:

[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,com.
structuralObjectClass: organization
entryUUID: 4c4b3fa6-3ee8-1038-85fd-a183bee33ca9
creatorsName: cn=ldapadm,dc=example,dc=com
modifiersName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828083000Z
modifyTimestamp: 20180828083000Z
entryCSN: 20180828083000Z#000000#00#000000
​
dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 0a9d2e2a-3efc-1038-9390-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105120Z
entryCSN: 20180828105120Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105120Z

Now that we have "managers" ou we can add a record to it:

[[email protected] openldap]# vi myuser.ldif
[[email protected] openldap]# cat myuser.ldif
dn: cn=Bob Smith,ou=managers,dc=example,dc=com
objectclass: inetOrgperson
cn: Bob Smith
cn: Bob J Smith
cn: bob smith
sn: smith
uid: bjsmith
userpassword: Aa12345
carlicense: abc123
homephone: 111-222-3344
mail: [email protected]
mail: [email protected]
mail: [email protected]
description: Big Boss
ou: IT Department

For more info about objectClass "inetOrgperson" try cat schema/inetorgperson.schema .

[[email protected] openldap]# ldapadd -x -D "cn=ldapadm,dc=example,dc=com" -W -f myuser.ldif 
Enter LDAP Password:
adding new entry "cn=Bob Smith,ou=managers,dc=example,dc=com"

and check:

[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,com.
structuralObjectClass: organization
entryUUID: 4c4b3fa6-3ee8-1038-85fd-a183bee33ca9
creatorsName: cn=ldapadm,dc=example,dc=com
modifiersName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828083000Z
modifyTimestamp: 20180828083000Z
entryCSN: 20180828083000Z#000000#00#000000
​
dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 0a9d2e2a-3efc-1038-9390-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105120Z
entryCSN: 20180828105120Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105120Z

lets add more users and OUs to our LDAP server:

[[email protected] openldap]# cat moreusers.ldif 
dn: cn=James Smith,ou=managers,dc=example,dc=com
objectclass: inetOrgPerson
cn: James Smith
cn: James J Smith
sn: James
uid: jsmith
userpassword: Aa12345
carlicense: A1B2C3
homephone: 222-333-4455
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
​
### add anothr Entry to our OU
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectclass: inetOrgPerson
cn: Maria Garcia
sn: garcia
uid: mgarcia
userpassword: Aa12345
carlicense: AABBCC
homephone: 333-444-4466
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
[[email protected] openldap]# ldapadd -x -D "cn=ldapadm,dc=example,dc=com" -W -f moreusers.ldif
Enter LDAP Password: 
adding new entry "cn=James Smith,ou=managers,dc=example,dc=com"
​
adding new entry "cn=Maria Garcia,ou=managers,dc=example,dc=com"
[[email protected] openldap]# cat moreou.ldif 
### Add Users OU
dn: ou=users,dc=example,dc=com
ou: users
description : Ordinary users in the company
objectclass: organizationalunit
​
### Add Devices OU
​
dn: ou=sales,dc=example,dc=com
ou: sales
description: Sales group OU
objectclass: organizationalunit
[[email protected] openldap]# ldapadd -x -D "cn=ldapadm,dc=example,dc=com" -W -f moreou.ldif
Enter LDAP Password: 
adding new entry "ou=users,dc=example,dc=com"
​
adding new entry "ou=sales,dc=example,dc=com"

and see current Directory Structure in our LDAP server:

[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,com.
structuralObjectClass: organization
entryUUID: 4c4b3fa6-3ee8-1038-85fd-a183bee33ca9
creatorsName: cn=ldapadm,dc=example,dc=com
modifiersName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828083000Z
modifyTimestamp: 20180828083000Z
entryCSN: 20180828083000Z#000000#00#000000
​
dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 0a9d2e2a-3efc-1038-9390-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105120Z
entryCSN: 20180828105120Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105120Z
​
dn: cn=James Smith,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: James Smith
cn: James J Smith
sn: James
uid: jsmith
userPassword:: QWExMjM0NQ==
carLicense: A1B2C3
homePhone: 222-333-4455
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: 225aa230-3efd-1038-9391-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105909Z
entryCSN: 20180828105909Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105909Z
​
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: Maria Garcia
sn: garcia
uid: mgarcia
userPassword:: QWExMjM0NQ==
carLicense: AABBCC
homePhone: 333-444-4466
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: 2279564e-3efd-1038-9392-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105909Z
entryCSN: 20180828105909Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105909Z
​
dn: ou=users,dc=example,dc=com
ou: users
description: Ordinary users in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 66342080-3efd-1038-9393-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828110103Z
entryCSN: 20180828110103Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828110103Z
​
dn: ou=sales,dc=example,dc=com
ou: sales
description: Sales group OU
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 6634f758-3efd-1038-9394-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828110103Z
entryCSN: 20180828110103Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828110103Z

Check the result using ldapsearch :

[[email protected] openldap]# ldapsearch -x -b 'ou=managers,dc=example,dc=com' '(objectclass=inetorgperson)' uid
# extended LDIF
#
# LDAPv3
# base <ou=managers,dc=example,dc=com> with scope subtree
# filter: (objectclass=inetorgperson)
# requesting: uid 
#
​
# James Smith, managers, example.com
dn: cn=James Smith,ou=managers,dc=example,dc=com
uid: jsmith
​
# Maria Garcia, managers, example.com
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia
​
# search result
search: 2
result: 0 Success
​
# numResponses: 3
# numEntries: 2

lets request for passwords to see wether it gives us or not:

[[email protected] openldap]# ldapsearch -x -b 'ou=managers,dc=example,dc=com' '(objectclass=inetorgperson)' password
# extended LDIF
#
# LDAPv3
# base <ou=managers,dc=example,dc=com> with scope subtree
# filter: (objectclass=inetorgperson)
# requesting: password 
#
​
# James Smith, managers, example.com
dn: cn=James Smith,ou=managers,dc=example,dc=com
​
# Maria Garcia, managers, example.com
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
​
# search result
search: 2
result: 0 Success
​
# numResponses: 3
# numEntries: 2

it won't give us the password, no matter which user is performing this request. We can just see hashed passwords using slapcat command:

[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,com.
structuralObjectClass: organization
entryUUID: 4c4b3fa6-3ee8-1038-85fd-a183bee33ca9
creatorsName: cn=ldapadm,dc=example,dc=com
modifiersName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828083000Z
modifyTimestamp: 20180828083000Z
entryCSN: 20180828083000Z#000000#00#000000
​
dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 0a9d2e2a-3efc-1038-9390-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105120Z
entryCSN: 20180828105120Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105120Z
​
dn: cn=James Smith,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: James Smith
cn: James J Smith
sn: James
uid: jsmith
userPassword:: QWExMjM0NQ==
carLicense: A1B2C3
homePhone: 222-333-4455
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: 225aa230-3efd-1038-9391-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105909Z
entryCSN: 20180828105909Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105909Z
​
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: Maria Garcia
sn: garcia
uid: mgarcia
userPassword:: QWExMjM0NQ==
carLicense: AABBCC
homePhone: 333-444-4466
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: 2279564e-3efd-1038-9392-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105909Z
entryCSN: 20180828105909Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105909Z
​
dn: ou=users,dc=example,dc=com
ou: users
description: Ordinary users in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 66342080-3efd-1038-9393-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828110103Z
entryCSN: 20180828110103Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828110103Z
​
dn: ou=sales,dc=example,dc=com
ou: sales
description: Sales group OU
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 6634f758-3efd-1038-9394-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828110103Z
entryCSN: 20180828110103Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828110103Z

another example of ldapsearch for searching for a specific user:

[[email protected] openldap]# ldapsearch -x -b 'ou=managers,dc=example,dc=com' '(cn=Maria Garcia)' uid
# extended LDIF
#
# LDAPv3
# base <ou=managers,dc=example,dc=com> with scope subtree
# filter: (cn=Maria Garcia)
# requesting: uid 
#
​
# Maria Garcia, managers, example.com
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia
​
# search result
search: 2
result: 0 Success
​
# numResponses: 2
# numEntries: 1

But that is lots of information. By using -L switche Search results are display in LDAP Data Interchange Format detailed in ldif. A single -L restricts the output to LDIFv1. A second-L disables comments. A third-L disables printing of the LDIF version. The default is to use an extended version of LDIF.

[[email protected] openldap]# ldapsearch -L -x -b 'ou=managers,dc=example,dc=com' '(cn=Maria Garcia)' uid
version: 1
​
#
# LDAPv3
# base <ou=managers,dc=example,dc=com> with scope subtree
# filter: (cn=Maria Garcia)
# requesting: uid 
#
​
# Maria Garcia, managers, example.com
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia
​
# search result
​
# numResponses: 2
# numEntries: 1
[[email protected] openldap]# ldapsearch -LL -x -b 'ou=managers,dc=example,dc=com' '(cn=Maria Garcia)' uid
version: 1
​
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia
[[email protected] openldap]# ldapsearch -LLL -x -b 'ou=managers,dc=example,dc=com' '(cn=Maria Garcia)' uid
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia

ldappasswd

We have used ldappasswd to generat hashed password for LDAP Admin user but we can use it to restart users passwords too:

[[email protected] openldap]# ldappasswd -x -D "cn=ldapadm,dc=example,dc=com" -s UserNewPassword -W "cn=Maria Garcia,ou=managers,dc=example,dc=com"
Enter LDAP Password: 
Result: Success (0)

-x for simple authentication , -D say this is the user that has the authorizationon on this particular directory server inorder to make these kind of changes, -s to set what ever password we like, -w for getting prompted for rootdn password, and finally secify who we are quering for. Now lets check th old password hash QWExMjM0NQ== with the new one:

[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,organization.
structuralObjectClass: organization
entryUUID: 99ad21b4-3eee-1038-99cf-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828091507Z
entryCSN: 20180828091507Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828091507Z
​
dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 78826438-3ef1-1038-99d0-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828093540Z
entryCSN: 20180828093540Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828093540Z
​
dn: cn=James Smith,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: James Smith
cn: James J Smith
sn: James
uid: jsmith
userPassword:: QWExMjM0NQ==
carLicense: A1B2C3
homePhone: 222-333-4455
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: f565e3c8-3efe-1038-99d1-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828111213Z
entryCSN: 20180828111213Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828111213Z
​
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: Maria Garcia
sn: garcia
uid: mgarcia
carLicense: AABBCC
homePhone: 333-444-4466
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: f56bc55e-3efe-1038-99d2-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828111213Z
userPassword:: e1NTSEF9NklNb0pSeVlHNTlEc0xOY2Zkanc2YUt3OSs3QnVNaUo=
entryCSN: 20180828125347Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828125347Z
​
dn: ou=users,dc=example,dc=com
ou: users
description: Ordinary users in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: df4b1d00-3eff-1038-99d3-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828111845Z
entryCSN: 20180828111845Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828111845Z
​
dn: ou=sales,dc=example,dc=com
ou: sales
description: Sales group OU
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: df4c13ea-3eff-1038-99d4-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828111845Z
entryCSN: 20180828111845Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828111845Z

To avoid setting password in the command use -S option:

[[email protected] openldap]# ldappasswd -x -D "cn=ldapadm,dc=example,dc=com" -S -W "cn=Maria Garcia,ou=managers,dc=example,dc=com"
New password: 
Re-enter new password: 
Enter LDAP Password: 
Result: Success (0)

and check the previous password hash with the new one using slapcat command.

ldapdelete

lapdelete using similar information like ldapadd, ldapsearch and ldappasswd. It allows us to delete a record. Lets delete "Maria Garcia"

[[email protected] openldap]# ldapdelete "cn= Maria Garcia,ou=managers,dc=example,dc=com" -x -D "cn=ldapadm,dc=example,dc=com" -W
Enter LDAP Password:

to make sure that the record has been deleted try to delete it again:

[[email protected] openldap]# ldapdelete "cn= Maria Garcia,ou=managers,dc=example,dc=com" -x -D "cn=ldapadm,dc=example,dc=com" -W
Enter LDAP Password: 
ldap_delete: No such object (32)
        matched DN: ou=managers,dc=example,dc=com

and it will bark that the object does not exist.

Now we are able to use lapadd, lapsearch and lapdelete both on the client and the server.

Previous
210.2. PAM authentication
Next
210.4. Configuring an OpenLDAP server
Last updated 12 months ago
Contents
We recommend you to study 210.4 course before start reading this course :-o
ldapsearch
ldapadd
ldappasswd
ldapdelete