210.3. LDAP client usage
Weight: 2
Description: Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
Key Knowledge Areas:
LDAP utilities for data management and queries
Change user passwords
Querying the LDAP directory
Terms and Utilities:
ldapsearch
ldappasswd
ldapadd
ldapdelete
This course covers the LDAP client utilities and their usage. We need an OpenLDAP server up and running in order to perform queries and make modifications.
We recommend studying the 210.4 course (OpenLDAP server configuration) before starting this one.
Note: the behaviour of the LDAP client utilities can differ between OpenLDAP server versions. To get the best results and cover the LPIC-2 exam objectives, we have used OpenLDAP v2.3.x on CentOS 5 in this course.
ldapsearch
ldapsearch opens a connection to an LDAP server, binds, and performs a search using the specified parameters. By default ldapsearch queries the LDAP server on the local host, but it can be run from a remote client by naming the server with the -h option (or, preferably, a full URI with -H, e.g. -H ldap://server.example.com).
Now that some LDAP configuration has been added, lets check the results using ldapsearch command:
ldapadd
The ldapadd command is the LDAP add-entry tool. Here we use ldapadd to take the entry definitions in our LDIF file and add them to the directory:
Create an OU to give structure to our directory server. Again we need the required LDIF file:
and let's run the ldapadd command:
-x means use simple authentication; -D gives the bind DN, here the admin (rootdn) account that is allowed to add entries to the directory; -W prompts for the simple-authentication password (used instead of putting the password on the command line with -w, where it would end up in the process list and shell history); -f names the LDIF file to read.
Use slapcat command to see the results:
Now that we have "managers" ou we can add a record to it:
For more information about the objectClass "inetOrgPerson", try cat schema/inetorgperson.schema in the slapd configuration directory.
and check:
Let's add more users and OUs to our LDAP server:
and see the current directory structure of our LDAP server:
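As an added example (not part of the original course), the OU and inetOrgPerson entries above can be generated as LDIF from a small shell script instead of being typed by hand, and the script can feed the result to ldapadd. The suffix dc=example,dc=com, the rootdn cn=Manager,dc=example,dc=com and the user mgarcia are placeholders; the user entry deliberately carries no userPassword, because a password set later with ldappasswd is hashed by the server, whereas one pasted into an LDIF file is stored exactly as written. The ldap* tools exit with the LDAP result code, which the script translates into a name.

```shell
#!/bin/sh
# Added example, not from the original course. Builds LDIF text for an OU and an
# inetOrgPerson entry, then runs ldapadd only when RUN_LDAP=1 and the tool exists.
# ASSUMPTIONS: suffix dc=example,dc=com and rootdn cn=Manager,dc=example,dc=com
# are placeholders; adjust them to your slapd.conf.
BASE_DN="dc=example,dc=com"
ROOT_DN="cn=Manager,$BASE_DN"

# ou_ldif NAME -> LDIF for organizationalUnit "NAME" directly under $BASE_DN
ou_ldif() {
    printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n' "$1" "$BASE_DN" "$1"
}

# person_ldif OU UID GIVENNAME SN -> LDIF for an inetOrgPerson entry in OU.
# No userPassword here: set it afterwards with ldappasswd so the server hashes it.
person_ldif() {
    ou=$1; uid=$2; gn=$3; sn=$4
    printf 'dn: uid=%s,ou=%s,%s\n' "$uid" "$ou" "$BASE_DN"
    printf 'objectClass: inetOrgPerson\nobjectClass: organizationalPerson\nobjectClass: person\n'
    printf 'uid: %s\ncn: %s %s\ngivenName: %s\nsn: %s\n' "$uid" "$gn" "$sn" "$gn" "$sn"
}

# ldap_rc_name CODE -> name of the LDAP result code the ldap* tools exit with
ldap_rc_name() {
    case "$1" in
        0)  echo success ;;
        32) echo noSuchObject ;;
        49) echo invalidCredentials ;;
        50) echo insufficientAccessRights ;;
        68) echo entryAlreadyExists ;;
        *)  echo "code $1" ;;
    esac
}

# apply_ldif FILE: simple bind (-x) as the rootdn (-D), prompting for its password (-W)
apply_ldif() {
    ldapadd -x -D "$ROOT_DN" -W -f "$1"
    rc=$?
    echo "ldapadd: $(ldap_rc_name "$rc")" >&2
    return "$rc"
}

# Only talk to a server when explicitly asked, so the script is safe to source elsewhere.
if [ "${RUN_LDAP:-0}" = 1 ] && command -v ldapadd >/dev/null 2>&1; then
    tmp=$(mktemp)
    { ou_ldif managers; echo; person_ldif managers mgarcia Maria Garcia; } > "$tmp"
    apply_ldif "$tmp"
    rm -f "$tmp"
fi
```

Running the script a second time with RUN_LDAP=1 reports entryAlreadyExists (exit code 68) rather than silently succeeding, which is a quick way to confirm that the first run really wrote the entries.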
Check the result using ldapsearch :
Let's request the passwords to see whether the server hands them out or not:
With this (anonymous) bind it does not return userPassword; what a client sees is decided by the server's access control rules, so the rootdn, or any identity the ACLs grant read access on userPassword, would get the attribute. slapcat reads the database files directly, bypassing the ACLs, and prints the value base64-encoded (a double colon, userPassword::, marks a base64 value in LDIF). Base64 is an encoding, not a hash: a value that was added in the clear through an LDIF file decodes straight back to the plaintext password, so only passwords that were hashed when they were stored are safe in this output.
Another example of ldapsearch, searching for a specific user:
But that is a lot of information. With the -L switch the search results are displayed in LDAP Data Interchange Format, as described in ldif(5). A single -L restricts the output to LDIFv1. A second -L disables comments. A third -L disables printing of the LDIF version. The default is an extended version of LDIF, so -LLL gives the plainest output, which is also the easiest to parse in scripts.
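When the search filter is built from a value that came from outside (a login form, a ticket, a script argument), the characters that carry meaning in an LDAP filter must be escaped first, otherwise a value such as `*)(uid=*` turns `(uid=...)` into a filter that matches every entry. The following added example (not part of the original course) implements the RFC 4515 escaping for the characters a shell string can hold and wraps an -LLL search for a uid. The base DN dc=example,dc=com and the URI ldap://ldap.example.com are placeholders.

```shell
#!/bin/sh
# Added example, not from the original course: escape untrusted input before splicing
# it into an ldapsearch filter, then run a quiet (-LLL) search for that uid.
# ASSUMPTIONS: base dc=example,dc=com and host ldap.example.com are placeholders.
BASE_DN="dc=example,dc=com"
LDAP_URI="ldap://ldap.example.com"

# ldap_filter_escape STRING: RFC 4515 escaping of the characters that change a
# filter's meaning: \ * ( ) become \5c \2a \28 \29. Backslash must be handled
# first so the backslashes introduced by the other rules are not escaped again.
# (A NUL byte cannot travel through a shell variable, so it needs no rule here.)
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# uid_filter UID -> "(uid=<escaped UID>)", safe to pass as the ldapsearch filter
uid_filter() {
    printf '(uid=%s)' "$(ldap_filter_escape "$1")"
}

# search_uid UID: simple anonymous bind (-x without -D); -LLL prints plain LDIF
# without comments or version line; only the listed attributes are requested.
search_uid() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" "$(uid_filter "$1")" uid cn mail
}

# Only contact a server when explicitly asked.
if [ "${RUN_LDAP:-0}" = 1 ] && command -v ldapsearch >/dev/null 2>&1; then
    search_uid "${1:-mgarcia}"
fi
```

With the escaping in place, `search_uid '*)(uid=*'` sends the filter `(uid=\2a\29\28uid=\2a)`, which matches nothing, instead of `(uid=*)(uid=*)`.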
ldappasswd
In the server course we used slappasswd to generate the hashed rootpw for the LDAP admin in slapd.conf; ldappasswd is the client-side counterpart and lets us reset a user's password on a running server (through the LDAP password modify extended operation, so the server stores the hash it is configured to use, {SSHA} by default):
-x for simple authentication; -D names the bind DN that is authorized on this directory server to make this kind of change; -s sets the new password to whatever we like; -W prompts for the rootdn (bind) password, whereas -w would take it on the command line; and finally we specify the DN of the user whose password we are changing. Now let's compare the old stored value QWExMjM0NQ== with the new one. The old value is only base64 and decodes to the cleartext Aa12345, because it was added through an LDIF file; the new one starts with e1NTSEF9, which is base64 for {SSHA}, so it is a salted hash:
Putting the new password on the command line with -s exposes it in the process list and the shell history. To avoid that, use the -S option, which prompts for the new password instead:
and compare the previous stored value with the new one using the slapcat command.
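The two password checks above (is a userPassword value from slapcat a hash or a base64-wrapped cleartext, and does a given {SSHA} value really correspond to a password) can be scripted. The following added example is not part of the original course: it decodes a `userPassword::` value and reports its {SCHEME} prefix or CLEARTEXT, computes and verifies {SSHA} (base64 of SHA-1(password + salt) followed by the salt, the format slappasswd and slapd produce) with openssl, and wraps an ldappasswd -S call. The DNs and the uid are placeholders.

```shell
#!/bin/sh
# Added example, not from the original course. Distinguishes a hashed userPassword
# from a cleartext one in slapcat output, verifies an {SSHA} value, and changes a
# password through ldappasswd so the server stores a hash.
# ASSUMPTIONS: DNs and uid are placeholders; openssl provides SHA-1 and base64.
BASE_DN="dc=example,dc=com"
ROOT_DN="cn=Manager,$BASE_DN"

# userpassword_scheme B64: B64 is the value after "userPassword::" in slapcat/ldapsearch
# output (base64 of the raw attribute). Prints the {SCHEME} prefix, or CLEARTEXT.
userpassword_scheme() {
    raw=$(printf '%s' "$1" | openssl enc -base64 -d -A)
    case "$raw" in
        "{"*) printf '%s\n' "$raw" | sed 's/^\({[^}]*}\).*/\1/' ;;
        *)    echo CLEARTEXT ;;
    esac
}

# ssha_hash PASSWORD [SALT] -> {SSHA}base64( sha1(PASSWORD || SALT) || SALT )
# The digest is raw bytes, so it is piped, never stored in a shell variable.
ssha_hash() {
    salt=${2:-$(openssl rand -hex 4)}
    h=$( { printf '%s%s' "$1" "$salt" | openssl dgst -sha1 -binary; printf '%s' "$salt"; } \
         | openssl enc -base64 -A )
    printf '{SSHA}%s\n' "$h"
}

# ssha_verify PASSWORD HASH: exit 0 when PASSWORD matches the {SSHA} HASH.
# The salt is everything after the 20-byte digest; it may be binary, so it is
# kept in a temp file and read with tail rather than through a variable.
ssha_verify() {
    tmp=$(mktemp)
    printf '%s' "$2" | sed 's/^{SSHA}//' | openssl enc -base64 -d -A > "$tmp"
    result=$( { { printf '%s' "$1"; tail -c +21 "$tmp"; } | openssl dgst -sha1 -binary
                tail -c +21 "$tmp"; } | openssl enc -base64 -A )
    rm -f "$tmp"
    [ "{SSHA}$result" = "$2" ]
}

# set_password UID: the server hashes the new password itself (password modify extop).
# -S prompts for the new password; -s would put it on the command line.
set_password() {
    ldappasswd -x -D "$ROOT_DN" -W -S "uid=$1,ou=managers,$BASE_DN"
}

# Only contact a server when explicitly asked.
if [ "${RUN_LDAP:-0}" = 1 ] && command -v ldappasswd >/dev/null 2>&1; then
    set_password "${1:-mgarcia}"
fi
```

`userpassword_scheme QWExMjM0NQ==` prints CLEARTEXT: the page's "old hash" is the password Aa12345 in base64. After an ldappasswd run the same check on the new slapcat value prints {SSHA}; ssha_verify can then confirm that the stored hash matches the password that was set without ever comparing plaintext in the directory.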
ldapdelete
ldapdelete takes the same connection and bind options as ldapadd, ldapsearch and ldappasswd. It lets us delete an entry by its DN. Let's delete "Maria Garcia":
To make sure that the entry has been deleted, try to delete it again:
and it will complain that the object does not exist (result code 32, noSuchObject, which is also the tool's exit status).
Now we are able to use ldapadd, ldapsearch, ldappasswd and ldapdelete both on the client and on the server.