Weight: 2
Description: Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
Key Knowledge Areas:
LDAP utilities for data management and queries
Change user passwords
Querying the LDAP directory
Terms and Utilities:
ldapsearch
ldappasswd
ldapadd
ldapdelete
This course is about the LDAP client utilities and their usage. Obviously we need an OpenLDAP server up and running in order to perform queries and make modifications.
Note: the usage of the LDAP client utilities may differ between OpenLDAP server versions. To get the best results and to cover the LPIC-2 exam objectives, we have used OpenLDAP v2.3.x on CentOS 5 in this course.
ldapsearch opens a connection to an LDAP server, binds, and performs a search using the specified parameters. By default ldapsearch queries the LDAP server on the local host, but it is possible to run it from a remote client by specifying the server with the -h option.
Now that some LDAP configuration has been added, let's check the results using the ldapsearch command:
[[email protected] openldap]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
The ldapadd command is the LDAP add-entry tool. Here we use ldapadd, which takes the definitions in our LDIF file and adds them to the directory.
First we create an OU in order to give structure to our directory; again we need the required LDIF file:
[[email protected] openldap]# vi myou.ldif
[[email protected] openldap]# cat myou.ldif
dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectclass: organizationalunit
and let's run the ldapadd command:
[[email protected] openldap]# ldapadd -x -D "cn=ldapadm,dc=example,dc=com" -W -f myou.ldif
Enter LDAP Password:
adding new entry "ou=managers,dc=example,dc=com"
Here -x means use simple authentication; -D specifies the bind DN, the admin account that is set up to add things to our directory; -W prompts for the simple authentication password (this is used instead of specifying the password on the command line); and -f specifies the LDIF file.
Use the slapcat command to see the results:
[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,com.
structuralObjectClass: organization
entryUUID: 4c4b3fa6-3ee8-1038-85fd-a183bee33ca9
creatorsName: cn=ldapadm,dc=example,dc=com
modifiersName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828083000Z
modifyTimestamp: 20180828083000Z
entryCSN: 20180828083000Z#000000#00#000000

dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 0a9d2e2a-3efc-1038-9390-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105120Z
entryCSN: 20180828105120Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105120Z
Now that we have the "managers" OU, we can add a record to it:
[[email protected] openldap]# vi myuser.ldif
[[email protected] openldap]# cat myuser.ldif
dn: cn=Bob Smith,ou=managers,dc=example,dc=com
objectclass: inetOrgperson
cn: Bob Smith
cn: Bob J Smith
cn: bob smith
sn: smith
uid: bjsmith
userpassword: Aa12345
carlicense: abc123
homephone: 111-222-3344
mail: [email protected]
mail: [email protected]
mail: [email protected]
description: Big Boss
ou: IT Department
For more information about the objectClass "inetOrgPerson", try cat schema/inetorgperson.schema.
[[email protected] openldap]# ldapadd -x -D "cn=ldapadm,dc=example,dc=com" -W -f myuser.ldif
Enter LDAP Password:
adding new entry "cn=Bob Smith,ou=managers,dc=example,dc=com"
and check:
[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,com.
structuralObjectClass: organization
entryUUID: 4c4b3fa6-3ee8-1038-85fd-a183bee33ca9
creatorsName: cn=ldapadm,dc=example,dc=com
modifiersName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828083000Z
modifyTimestamp: 20180828083000Z
entryCSN: 20180828083000Z#000000#00#000000

dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 0a9d2e2a-3efc-1038-9390-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105120Z
entryCSN: 20180828105120Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105120Z
Let's add more users and OUs to our LDAP server:
[[email protected] openldap]# cat moreusers.ldif
dn: cn=James Smith,ou=managers,dc=example,dc=com
objectclass: inetOrgPerson
cn: James Smith
cn: James J Smith
sn: James
uid: jsmith
userpassword: Aa12345
carlicense: A1B2C3
homephone: 222-333-4455
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers

### add another entry to our OU
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectclass: inetOrgPerson
cn: Maria Garcia
sn: garcia
uid: mgarcia
userpassword: Aa12345
carlicense: AABBCC
homephone: 333-444-4466
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
[[email protected] openldap]# ldapadd -x -D "cn=ldapadm,dc=example,dc=com" -W -f moreusers.ldif
Enter LDAP Password:
adding new entry "cn=James Smith,ou=managers,dc=example,dc=com"

adding new entry "cn=Maria Garcia,ou=managers,dc=example,dc=com"
[[email protected] openldap]# cat moreou.ldif
### Add Users OU
dn: ou=users,dc=example,dc=com
ou: users
description: Ordinary users in the company
objectclass: organizationalunit

### Add Sales OU

dn: ou=sales,dc=example,dc=com
ou: sales
description: Sales group OU
objectclass: organizationalunit
[[email protected] openldap]# ldapadd -x -D "cn=ldapadm,dc=example,dc=com" -W -f moreou.ldif
Enter LDAP Password:
adding new entry "ou=users,dc=example,dc=com"

adding new entry "ou=sales,dc=example,dc=com"
and see the current directory structure in our LDAP server:
[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,com.
structuralObjectClass: organization
entryUUID: 4c4b3fa6-3ee8-1038-85fd-a183bee33ca9
creatorsName: cn=ldapadm,dc=example,dc=com
modifiersName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828083000Z
modifyTimestamp: 20180828083000Z
entryCSN: 20180828083000Z#000000#00#000000

dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 0a9d2e2a-3efc-1038-9390-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105120Z
entryCSN: 20180828105120Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105120Z

dn: cn=James Smith,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: James Smith
cn: James J Smith
sn: James
uid: jsmith
userPassword:: QWExMjM0NQ==
carLicense: A1B2C3
homePhone: 222-333-4455
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: 225aa230-3efd-1038-9391-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105909Z
entryCSN: 20180828105909Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105909Z

dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: Maria Garcia
sn: garcia
uid: mgarcia
userPassword:: QWExMjM0NQ==
carLicense: AABBCC
homePhone: 333-444-4466
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: 2279564e-3efd-1038-9392-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105909Z
entryCSN: 20180828105909Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105909Z

dn: ou=users,dc=example,dc=com
ou: users
description: Ordinary users in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 66342080-3efd-1038-9393-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828110103Z
entryCSN: 20180828110103Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828110103Z

dn: ou=sales,dc=example,dc=com
ou: sales
description: Sales group OU
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 6634f758-3efd-1038-9394-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828110103Z
entryCSN: 20180828110103Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828110103Z
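The LDIF files above were written by hand. When user records come from a script, two LDIF rules (RFC 2849) matter: a value that starts with a space, a colon or "<", or that contains non-ASCII, CR or LF, must be written in the double-colon base64 form, and long lines are folded at 76 columns with a one-space continuation. slapcat applies the same rule when it writes "description::" for the base entry above: that value ends in a trailing space. The following Python generator is an added example, not part of the course material or of OpenLDAP; it builds an inetOrgPerson record like myuser.ldif with both rules applied and escapes the cn for use inside the DN (RFC 4514). The reference to slappasswd for the hashed password and the placeholder hash in the usage line are assumptions, not taken from the page.

```python
import base64


def needs_base64(value):
    """RFC 2849: a value is written as 'attr:: base64' unless it is a SAFE-STRING.
    SAFE-STRING may not start with a space, ':' or '<' and may contain only
    printable ASCII (no NUL, CR, LF and no bytes >= 0x80). A trailing space is
    also encoded here, since it would otherwise be invisible in the file."""
    if not value:
        return False
    if value[:1] in (b" ", b":", b"<") or value[-1:] == b" ":
        return True
    return any(b in (0x00, 0x0A, 0x0D) or b >= 0x80 for b in value)


def fold(line, width=76):
    """RFC 2849 line folding: each continuation line starts with one space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_line(attr, value):
    """One attribute line, base64-encoded and folded as the LDIF rules require."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if needs_base64(value):
        return fold("%s:: %s" % (attr, base64.b64encode(value).decode("ascii")))
    return fold("%s: %s" % (attr, value.decode("ascii")))


def escape_rdn_value(value):
    """RFC 4514 escaping for an attribute value inside a DN (a cn with a comma, say)."""
    out = []
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == len(value) - 1 and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def inetorgperson_ldif(base_dn, ou, cn, sn, uid, user_password, **extra):
    """LDIF record for one inetOrgPerson under ou=<ou>,<base_dn>, like myuser.ldif.

    user_password should already be a hashed value (assumption: a {SSHA} string
    produced by slappasswd); a cleartext value is stored as cleartext, which is
    what the slapcat output above shows for the entries added from the LDIF
    files. Extra keyword arguments become additional attributes; a list gives a
    multi-valued attribute."""
    dn = "cn=%s,ou=%s,%s" % (escape_rdn_value(cn), escape_rdn_value(ou), base_dn)
    lines = [
        ldif_line("dn", dn),
        ldif_line("objectClass", "inetOrgPerson"),
        ldif_line("cn", cn),
        ldif_line("sn", sn),
        ldif_line("uid", uid),
        ldif_line("userPassword", user_password),
    ]
    for attr, values in extra.items():
        if not isinstance(values, (list, tuple)):
            values = [values]
        for value in values:
            lines.append(ldif_line(attr, value))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed values; the hash is a placeholder, not real slappasswd output.
    print(inetorgperson_ldif("dc=example,dc=com", "managers", "Bob Smith", "smith",
                             "bjsmith", "{SSHA}PLACEHOLDER_FROM_SLAPPASSWD",
                             mail=["bjsmith@example.com"], description="Big Boss"))
```

The output can be redirected to a file and fed to ldapadd -f exactly as the hand-written files above; a value such as " leading space" or a name with an accented letter comes out in the double-colon form automatically.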
Check the result using ldapsearch:
[[email protected] openldap]# ldapsearch -x -b 'ou=managers,dc=example,dc=com' '(objectclass=inetorgperson)' uid
# extended LDIF
#
# LDAPv3
# base <ou=managers,dc=example,dc=com> with scope subtree
# filter: (objectclass=inetorgperson)
# requesting: uid
#

# James Smith, managers, example.com
dn: cn=James Smith,ou=managers,dc=example,dc=com
uid: jsmith

# Maria Garcia, managers, example.com
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
Let's request the passwords to see whether it gives them to us or not:
[[email protected] openldap]# ldapsearch -x -b 'ou=managers,dc=example,dc=com' '(objectclass=inetorgperson)' password
# extended LDIF
#
# LDAPv3
# base <ou=managers,dc=example,dc=com> with scope subtree
# filter: (objectclass=inetorgperson)
# requesting: password
#

# James Smith, managers, example.com
dn: cn=James Smith,ou=managers,dc=example,dc=com

# Maria Garcia, managers, example.com
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
It won't give us the password, no matter which user performs the request. We can only see the stored userPassword values using the slapcat command:
[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,com.
structuralObjectClass: organization
entryUUID: 4c4b3fa6-3ee8-1038-85fd-a183bee33ca9
creatorsName: cn=ldapadm,dc=example,dc=com
modifiersName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828083000Z
modifyTimestamp: 20180828083000Z
entryCSN: 20180828083000Z#000000#00#000000

dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 0a9d2e2a-3efc-1038-9390-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105120Z
entryCSN: 20180828105120Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105120Z

dn: cn=James Smith,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: James Smith
cn: James J Smith
sn: James
uid: jsmith
userPassword:: QWExMjM0NQ==
carLicense: A1B2C3
homePhone: 222-333-4455
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: 225aa230-3efd-1038-9391-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105909Z
entryCSN: 20180828105909Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105909Z

dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: Maria Garcia
sn: garcia
uid: mgarcia
userPassword:: QWExMjM0NQ==
carLicense: AABBCC
homePhone: 333-444-4466
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: 2279564e-3efd-1038-9392-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105909Z
entryCSN: 20180828105909Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105909Z

dn: ou=users,dc=example,dc=com
ou: users
description: Ordinary users in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 66342080-3efd-1038-9393-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828110103Z
entryCSN: 20180828110103Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828110103Z

dn: ou=sales,dc=example,dc=com
ou: sales
description: Sales group OU
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 6634f758-3efd-1038-9394-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828110103Z
entryCSN: 20180828110103Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828110103Z
Another example of ldapsearch, this time searching for a specific user:
[[email protected] openldap]# ldapsearch -x -b 'ou=managers,dc=example,dc=com' '(cn=Maria Garcia)' uid
# extended LDIF
#
# LDAPv3
# base <ou=managers,dc=example,dc=com> with scope subtree
# filter: (cn=Maria Garcia)
# requesting: uid
#

# Maria Garcia, managers, example.com
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
But that is a lot of information. With the -L switch, search results are displayed in LDAP Data Interchange Format, as detailed in ldif(5). A single -L restricts the output to LDIFv1. A second -L disables comments. A third -L disables printing of the LDIF version. The default is to use an extended version of LDIF.
[[email protected] openldap]# ldapsearch -L -x -b 'ou=managers,dc=example,dc=com' '(cn=Maria Garcia)' uid
version: 1

#
# LDAPv3
# base <ou=managers,dc=example,dc=com> with scope subtree
# filter: (cn=Maria Garcia)
# requesting: uid
#

# Maria Garcia, managers, example.com
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia

# search result

# numResponses: 2
# numEntries: 1
[[email protected] openldap]# ldapsearch -LL -x -b 'ou=managers,dc=example,dc=com' '(cn=Maria Garcia)' uid
version: 1

dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia
[[email protected] openldap]# ldapsearch -LLL -x -b 'ou=managers,dc=example,dc=com' '(cn=Maria Garcia)' uid
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia
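The filters above, (objectclass=inetorgperson) and (cn=Maria Garcia), are typed by hand. When a script builds a filter from a value it did not choose (a name read from a form or a CSV column), the value must be escaped according to RFC 4515 so that parentheses, asterisks and backslashes in it stay literal instead of changing the meaning of the filter. The Python helpers below are an added example, not part of the course or of OpenLDAP: they escape values, compose filters and build the ldapsearch argument vector in the form the page uses (-x, -b, and -h for a remote server) for subprocess without a shell. The find_user function and the host name in the usage are assumptions; find_user needs a reachable slapd and is not exercised offline.

```python
import subprocess

# RFC 4515: these characters must appear as \XX inside an assertion value so that
# they are matched literally instead of being read as filter syntax.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a value for use inside a search filter assertion (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attr, value):
    """(attr=value) with the value escaped, e.g. the (cn=Maria Garcia) search above."""
    return "(%s=%s)" % (attr, escape_filter_value(value))


def and_filter(*filters):
    """Combine filters with the LDAP AND operator."""
    return "(&" + "".join(filters) + ")"


def ldapsearch_argv(base, filt, *attrs, host=None):
    """Argument vector for ldapsearch as the page calls it: -x for a simple bind,
    -b for the search base, then the filter and the attributes to return; -h
    selects a remote server. Returned as a list for subprocess.run(shell=False),
    so the shell never sees the filter and no shell quoting is needed."""
    argv = ["ldapsearch", "-x"]
    if host:
        argv += ["-h", host]
    argv += ["-b", base, filt]
    argv += list(attrs)
    return argv


def find_user(base, cn, host=None):
    """Search one user by common name and return ldapsearch's stdout.
    Assumption: a slapd is reachable; this is not run offline."""
    argv = ldapsearch_argv(base, equality_filter("cn", cn), "uid", host=host)
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Constructed input: a cn containing parentheses, which the escaping keeps literal.
    filt = and_filter(equality_filter("objectClass", "inetOrgPerson"),
                      equality_filter("cn", "Bob (IT) Smith"))
    print(" ".join(ldapsearch_argv("ou=managers,dc=example,dc=com", filt, "uid", "mail",
                                   host="ldap.example.com")))
```

Escaping the value is what keeps a search for one user a search for one user: a value containing "*" or ")" is sent as "\2a" or "\29" and matches only entries whose attribute really contains those characters.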
We have used ldappasswd to generate the hashed password for the LDAP admin user, but we can use it to reset users' passwords too:
[[email protected] openldap]# ldappasswd -x -D "cn=ldapadm,dc=example,dc=com" -s UserNewPassword -W "cn=Maria Garcia,ou=managers,dc=example,dc=com"
Enter LDAP Password:
Result: Success (0)
-x is for simple authentication; -D says this is the user that has the authorization on this particular directory server to make these kinds of changes; -s sets whatever password we like; -W gets us prompted for the rootdn password; and finally we specify the DN of the user whose password we are changing. Now let's compare the old password value QWExMjM0NQ== with the new one:
[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,organization.
structuralObjectClass: organization
entryUUID: 99ad21b4-3eee-1038-99cf-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828091507Z
entryCSN: 20180828091507Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828091507Z

dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 78826438-3ef1-1038-99d0-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828093540Z
entryCSN: 20180828093540Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828093540Z

dn: cn=James Smith,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: James Smith
cn: James J Smith
sn: James
uid: jsmith
userPassword:: QWExMjM0NQ==
carLicense: A1B2C3
homePhone: 222-333-4455
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: f565e3c8-3efe-1038-99d1-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828111213Z
entryCSN: 20180828111213Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828111213Z

dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: Maria Garcia
sn: garcia
uid: mgarcia
carLicense: AABBCC
homePhone: 333-444-4466
mail: [email protected]
mail: [email protected]
mail: [email protected]
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: f56bc55e-3efe-1038-99d2-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828111213Z
userPassword:: e1NTSEF9NklNb0pSeVlHNTlEc0xOY2Zkanc2YUt3OSs3QnVNaUo=
entryCSN: 20180828125347Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828125347Z

dn: ou=users,dc=example,dc=com
ou: users
description: Ordinary users in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: df4b1d00-3eff-1038-99d3-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828111845Z
entryCSN: 20180828111845Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828111845Z

dn: ou=sales,dc=example,dc=com
ou: sales
description: Sales group OU
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: df4c13ea-3eff-1038-99d4-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828111845Z
entryCSN: 20180828111845Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828111845Z
To avoid putting the password in the command line, use the -S option:
[[email protected] openldap]# ldappasswd -x -D "cn=ldapadm,dc=example,dc=com" -S -W "cn=Maria Garcia,ou=managers,dc=example,dc=com"
New password:
Re-enter new password:
Enter LDAP Password:
Result: Success (0)
and compare the previous password hash with the new one using the slapcat command.
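In the slapcat output the double colon after userPassword means the value is base64-encoded in the LDIF, not that it is hashed: QWExMjM0NQ== decodes to the literal Aa12345 that the LDIF files set through ldapadd, while the value written by ldappasswd decodes to a {SSHA} string, a salted SHA-1 hash. The Python below is an added example, not from the course or from OpenLDAP: it parses LDIF as slapcat and ldapsearch -LLL print it, reports the storage scheme of every userPassword, and verifies a {SSHA} value the way slapd does (SHA-1 over the password followed by the salt, with the salt appended to the digest; the 4-byte salt length is taken from the 24-byte decoded value above). The sample LDIF is constructed from the two entries shown above, trimmed to the attributes needed, with a folded description line added to exercise continuation lines.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample: the two manager entries from the slapcat output above, trimmed.
# jsmith still carries the value set by ldapadd; mgarcia carries the value written
# by ldappasswd. The folded description line is added to test line continuation.
SAMPLE_LDIF = """\
dn: cn=James Smith,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: James Smith
uid: jsmith
userPassword:: QWExMjM0NQ==
description: A long value folded
  across two LDIF lines

# comment lines are skipped
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
uid: mgarcia
userPassword:: e1NTSEF9NklNb0pSeVlHNTlEc0xOY2Zkanc2YUt3OSs3QnVNaUo=
"""


def parse_ldif(text):
    """Parse LDIF content records into a list of {attribute: [bytes, ...]} dicts.

    Handles 'attr: value', 'attr:: base64value', '#' comments, the 'version: 1'
    header of ldapsearch -L, blank-line record separators and continuation lines
    (a leading single space, which is removed when unfolding)."""
    entries, logical_lines = [], []

    def finish_entry():
        entry = {}
        for line in logical_lines:
            if line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            name = name.strip().lower()            # attribute names are case-insensitive
            if name == "version" and not entry:
                continue                           # LDIF version header, not an attribute
            if value.startswith(":"):              # base64 value
                raw = base64.b64decode(value[1:].strip())
            elif value.startswith("<"):            # URL value, not needed here
                raise ValueError("URL-valued attribute unsupported: %r" % line)
            else:                                  # exactly one separating space
                raw = (value[1:] if value.startswith(" ") else value).encode("utf-8")
            entry.setdefault(name, []).append(raw)
        logical_lines.clear()
        if entry:
            entries.append(entry)

    for raw_line in text.splitlines():
        if raw_line == "":
            finish_entry()
        elif raw_line.startswith(" ") and logical_lines:
            logical_lines[-1] += raw_line[1:]     # unfold a continuation line
        else:
            logical_lines.append(raw_line)
    finish_entry()
    return entries


def password_scheme(value):
    """Return the {SCHEME} name of a stored userPassword value, or 'cleartext'."""
    if value.startswith(b"{") and b"}" in value:
        return value[1:value.index(b"}")].decode("ascii", "replace")
    return "cleartext"


def audit_passwords(ldif_text):
    """Map each DN to the storage scheme of its userPassword, if it has one."""
    report = {}
    for entry in parse_ldif(ldif_text):
        dn = entry["dn"][0].decode("utf-8")
        for value in entry.get("userpassword", []):
            report[dn] = password_scheme(value)
    return report


def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64(sha1(password + salt) + salt) with a 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return b"{SSHA}" + base64.b64encode(digest + salt)


def ssha_parts(stored):
    """Split a {SSHA} value into (20-byte digest, salt)."""
    if not stored.startswith(b"{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len(b"{SSHA}"):])
    return blob[:20], blob[20:]


def verify_ssha(stored, candidate):
    """Check a candidate password against a {SSHA} value (constant-time compare)."""
    digest, salt = ssha_parts(stored)
    computed = hashlib.sha1(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(computed, digest)


if __name__ == "__main__":
    for dn, scheme in audit_passwords(SAMPLE_LDIF).items():
        print("%-50s %s" % (dn, scheme))
```

Run against a full slapcat dump, audit_passwords lists every entry whose userPassword is still cleartext, which is the check to make after loading users from LDIF files that carry literal passwords; resetting them with ldappasswd, as done above, replaces the value with a {SSHA} hash.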
ldapdelete uses the same kind of options as ldapadd, ldapsearch and ldappasswd. It allows us to delete a record. Let's delete "Maria Garcia":
[[email protected] openldap]# ldapdelete "cn= Maria Garcia,ou=managers,dc=example,dc=com" -x -D "cn=ldapadm,dc=example,dc=com" -W
Enter LDAP Password:
To make sure that the record has been deleted, try to delete it again:
[[email protected] openldap]# ldapdelete "cn= Maria Garcia,ou=managers,dc=example,dc=com" -x -D "cn=ldapadm,dc=example,dc=com" -W
Enter LDAP Password:
ldap_delete: No such object (32)
	matched DN: ou=managers,dc=example,dc=com
and it will bark that the object does not exist.
Now we are able to use ldapadd, ldapsearch and ldapdelete both on the client and on the server.