210.3. LDAP client usage
Weight: 2
Description: Candidates should be able to perform queries and updates to an LDAP server. Also included is importing and adding items, as well as adding and managing users.
Key Knowledge Areas:
    LDAP utilities for data management and queries
    Change user passwords
    Querying the LDAP directory
Terms and Utilities:
    ldapsearch
    ldappasswd
    ldapadd
    ldapdelete
This course is about LDAP client utilities and their usage. Obviously we need an OpenLDAP server up and running in order to perform queries and make modifications.

We recommend that you study the 210.4 course before starting this one :-o

Note: LDAP client utility usage may differ between OpenLDAP server versions. To get the best results while covering the LPIC-2 exam objectives, we have used OpenLDAP v2.3.x on CentOS 5 in this course.

ldapsearch

ldapsearch opens a connection to an LDAP server, binds, and performs a search using the specified parameters. By default ldapsearch queries the LDAP server on the local host, but it is possible to run it from a remote client by using the -h option to specify the server.
Now that some LDAP configuration has been added, let's check the results using the ldapsearch command:
```
[[email protected] openldap]# ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```

ldapadd

The ldapadd command is an LDAP add-entry tool. Here we use it to take the definitions in our LDIF file and add them to our directory.
First we create an OU to give structure to our directory server; again we need the required LDIF file:
```
[[email protected] openldap]# vi myou.ldif
[[email protected] openldap]# cat myou.ldif
dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectclass: organizationalunit
```
and let's run the ldapadd command:
```
[[email protected] openldap]# ldapadd -x -D "cn=ldapadm,dc=example,dc=com" -W -f myou.ldif
Enter LDAP Password:
adding new entry "ou=managers,dc=example,dc=com"
```
-x means use simple authentication, -D gives the admin account (the bind DN) that is used here to add things to our directory, -W prompts for the simple authentication password (this is used instead of specifying the password on the command line), and -f specifies the LDIF file.
Use the slapcat command to see the results:
```
[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,com.
structuralObjectClass: organization
entryUUID: 4c4b3fa6-3ee8-1038-85fd-a183bee33ca9
creatorsName: cn=ldapadm,dc=example,dc=com
modifiersName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828083000Z
modifyTimestamp: 20180828083000Z
entryCSN: 20180828083000Z#000000#00#000000

dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 0a9d2e2a-3efc-1038-9390-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105120Z
entryCSN: 20180828105120Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105120Z
```
Now that we have the "managers" OU we can add a record to it:
```
[[email protected] openldap]# vi myuser.ldif
[[email protected] openldap]# cat myuser.ldif
dn: cn=Bob Smith,ou=managers,dc=example,dc=com
objectclass: inetOrgperson
cn: Bob Smith
cn: Bob J Smith
cn: bob smith
sn: smith
uid: bjsmith
userpassword: Aa12345
carlicense: abc123
homephone: 111-222-3344
description: Big Boss
ou: IT Department
```
For more info about the objectClass "inetOrgPerson", try cat schema/inetorgperson.schema.
```
[[email protected] openldap]# ldapadd -x -D "cn=ldapadm,dc=example,dc=com" -W -f myuser.ldif
Enter LDAP Password:
adding new entry "cn=Bob Smith,ou=managers,dc=example,dc=com"
```
and check:
```
[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,com.
structuralObjectClass: organization
entryUUID: 4c4b3fa6-3ee8-1038-85fd-a183bee33ca9
creatorsName: cn=ldapadm,dc=example,dc=com
modifiersName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828083000Z
modifyTimestamp: 20180828083000Z
entryCSN: 20180828083000Z#000000#00#000000

dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 0a9d2e2a-3efc-1038-9390-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105120Z
entryCSN: 20180828105120Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105120Z
```
Let's add more users and OUs to our LDAP server:
```
[[email protected] openldap]# cat moreusers.ldif
dn: cn=James Smith,ou=managers,dc=example,dc=com
objectclass: inetOrgPerson
cn: James Smith
cn: James J Smith
sn: James
uid: jsmith
userpassword: Aa12345
carlicense: A1B2C3
homephone: 222-333-4455
ou: managers

### add another entry to our OU
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectclass: inetOrgPerson
cn: Maria Garcia
sn: garcia
uid: mgarcia
userpassword: Aa12345
carlicense: AABBCC
homephone: 333-444-4466
ou: managers
```
```
[[email protected] openldap]# ldapadd -x -D "cn=ldapadm,dc=example,dc=com" -W -f moreusers.ldif
Enter LDAP Password:
adding new entry "cn=James Smith,ou=managers,dc=example,dc=com"

adding new entry "cn=Maria Garcia,ou=managers,dc=example,dc=com"
```
```
[[email protected] openldap]# cat moreou.ldif
### Add Users OU
dn: ou=users,dc=example,dc=com
ou: users
description: Ordinary users in the company
objectclass: organizationalunit

### Add Sales OU

dn: ou=sales,dc=example,dc=com
ou: sales
description: Sales group OU
objectclass: organizationalunit
```
```
[[email protected] openldap]# ldapadd -x -D "cn=ldapadm,dc=example,dc=com" -W -f moreou.ldif
Enter LDAP Password:
adding new entry "ou=users,dc=example,dc=com"

adding new entry "ou=sales,dc=example,dc=com"
```
and see the current directory structure in our LDAP server:
```
[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,com.
structuralObjectClass: organization
entryUUID: 4c4b3fa6-3ee8-1038-85fd-a183bee33ca9
creatorsName: cn=ldapadm,dc=example,dc=com
modifiersName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828083000Z
modifyTimestamp: 20180828083000Z
entryCSN: 20180828083000Z#000000#00#000000

dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 0a9d2e2a-3efc-1038-9390-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105120Z
entryCSN: 20180828105120Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105120Z

dn: cn=James Smith,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: James Smith
cn: James J Smith
sn: James
uid: jsmith
userPassword:: QWExMjM0NQ==
carLicense: A1B2C3
homePhone: 222-333-4455
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: 225aa230-3efd-1038-9391-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105909Z
entryCSN: 20180828105909Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105909Z

dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: Maria Garcia
sn: garcia
uid: mgarcia
userPassword:: QWExMjM0NQ==
carLicense: AABBCC
homePhone: 333-444-4466
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: 2279564e-3efd-1038-9392-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105909Z
entryCSN: 20180828105909Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105909Z

dn: ou=users,dc=example,dc=com
ou: users
description: Ordinary users in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 66342080-3efd-1038-9393-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828110103Z
entryCSN: 20180828110103Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828110103Z

dn: ou=sales,dc=example,dc=com
ou: sales
description: Sales group OU
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 6634f758-3efd-1038-9394-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828110103Z
entryCSN: 20180828110103Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828110103Z
```
Check the result using ldapsearch:
```
[[email protected] openldap]# ldapsearch -x -b 'ou=managers,dc=example,dc=com' '(objectclass=inetorgperson)' uid
# extended LDIF
#
# LDAPv3
# base <ou=managers,dc=example,dc=com> with scope subtree
# filter: (objectclass=inetorgperson)
# requesting: uid
#

# James Smith, managers, example.com
dn: cn=James Smith,ou=managers,dc=example,dc=com
uid: jsmith

# Maria Garcia, managers, example.com
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
```
Let's request the passwords to see whether it gives them to us or not:
```
[[email protected] openldap]# ldapsearch -x -b 'ou=managers,dc=example,dc=com' '(objectclass=inetorgperson)' password
# extended LDIF
#
# LDAPv3
# base <ou=managers,dc=example,dc=com> with scope subtree
# filter: (objectclass=inetorgperson)
# requesting: password
#

# James Smith, managers, example.com
dn: cn=James Smith,ou=managers,dc=example,dc=com

# Maria Garcia, managers, example.com
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
```
It won't give us the password, no matter which user is performing this request. We can just see the hashed passwords using the slapcat command:
```
[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,com.
structuralObjectClass: organization
entryUUID: 4c4b3fa6-3ee8-1038-85fd-a183bee33ca9
creatorsName: cn=ldapadm,dc=example,dc=com
modifiersName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828083000Z
modifyTimestamp: 20180828083000Z
entryCSN: 20180828083000Z#000000#00#000000

dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 0a9d2e2a-3efc-1038-9390-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105120Z
entryCSN: 20180828105120Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105120Z

dn: cn=James Smith,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: James Smith
cn: James J Smith
sn: James
uid: jsmith
userPassword:: QWExMjM0NQ==
carLicense: A1B2C3
homePhone: 222-333-4455
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: 225aa230-3efd-1038-9391-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105909Z
entryCSN: 20180828105909Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105909Z

dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: Maria Garcia
sn: garcia
uid: mgarcia
userPassword:: QWExMjM0NQ==
carLicense: AABBCC
homePhone: 333-444-4466
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: 2279564e-3efd-1038-9392-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828105909Z
entryCSN: 20180828105909Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828105909Z

dn: ou=users,dc=example,dc=com
ou: users
description: Ordinary users in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 66342080-3efd-1038-9393-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828110103Z
entryCSN: 20180828110103Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828110103Z

dn: ou=sales,dc=example,dc=com
ou: sales
description: Sales group OU
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 6634f758-3efd-1038-9394-2be1474ec233
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828110103Z
entryCSN: 20180828110103Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828110103Z
```
Another example of ldapsearch, searching for a specific user:
```
[[email protected] openldap]# ldapsearch -x -b 'ou=managers,dc=example,dc=com' '(cn=Maria Garcia)' uid
# extended LDIF
#
# LDAPv3
# base <ou=managers,dc=example,dc=com> with scope subtree
# filter: (cn=Maria Garcia)
# requesting: uid
#

# Maria Garcia, managers, example.com
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
```
But that is a lot of information. With the -L switch, search results are displayed in LDAP Data Interchange Format as detailed in ldif(5). A single -L restricts the output to LDIFv1. A second -L disables comments. A third -L disables printing of the LDIF version. The default is to use an extended version of LDIF.
```
[[email protected] openldap]# ldapsearch -L -x -b 'ou=managers,dc=example,dc=com' '(cn=Maria Garcia)' uid
version: 1

#
# LDAPv3
# base <ou=managers,dc=example,dc=com> with scope subtree
# filter: (cn=Maria Garcia)
# requesting: uid
#

# Maria Garcia, managers, example.com
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia

# search result

# numResponses: 2
# numEntries: 1
```
```
[[email protected] openldap]# ldapsearch -LL -x -b 'ou=managers,dc=example,dc=com' '(cn=Maria Garcia)' uid
version: 1

dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia
```
```
[[email protected] openldap]# ldapsearch -LLL -x -b 'ou=managers,dc=example,dc=com' '(cn=Maria Garcia)' uid
dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia
```
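The filters above are typed by hand, but scripts usually build them from a variable (a name read from a form or a ticket). An added example, not part of the course: a POSIX shell helper that escapes the value as RFC 4515 requires before placing it in the `(cn=...)` filter used on this page, so a value such as `Smith*` matches the literal name rather than acting as a wildcard. The function names are my own, and `search_manager_uid` assumes the course's server is reachable; the escaping itself needs no server.

```shell
#!/bin/sh
# Added example (not from the course). RFC 4515 requires \ * ( ) inside an
# assertion value to be written as \5c \2a \28 \29 (and NUL as \00, which
# cannot occur in a shell variable). Without this, the value changes the
# meaning of the filter instead of being compared as a literal string.
ldap_filter_escape() {
    # The backslash must be handled first so the escapes added afterwards
    # are not escaped a second time.
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# The exact-match filter form used on this page, (cn=<value>), with the
# value escaped.
cn_filter() {
    printf '(cn=%s)\n' "$(ldap_filter_escape "$1")"
}

# Same search as on the page, with -LLL for plain LDIF output. This is the
# only function here that needs a live server (assumed: the course's
# OpenLDAP server and the ldapsearch binary on PATH).
search_manager_uid() {
    ldapsearch -LLL -x -b 'ou=managers,dc=example,dc=com' "$(cn_filter "$1")" uid
}

cn_filter 'Maria Garcia'   # (cn=Maria Garcia)
cn_filter 'Smith*'         # (cn=Smith\2a)
```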

ldappasswd

We used ldappasswd to generate a hashed password for the LDAP admin user, but we can use it to reset users' passwords too:
```
[[email protected] openldap]# ldappasswd -x -D "cn=ldapadm,dc=example,dc=com" -s UserNewPassword -W "cn=Maria Garcia,ou=managers,dc=example,dc=com"
Enter LDAP Password:
Result: Success (0)
```
-x for simple authentication, -D says this is the user that has the authorization on this particular directory server to make these kinds of changes, -s sets whatever password we like, -W prompts for the rootdn password, and finally we specify the DN of the user we are acting on. Now let's compare the old password value QWExMjM0NQ== with the new one:
```
[[email protected] openldap]# slapcat
dn: dc=example,dc=com
dc: example
description:: Y3JlYXRpbmcgbXkgZGMg
objectClass: dcObject
objectClass: organization
o: example,organization.
structuralObjectClass: organization
entryUUID: 99ad21b4-3eee-1038-99cf-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828091507Z
entryCSN: 20180828091507Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828091507Z

dn: ou=managers,dc=example,dc=com
ou: managers
description: Managers in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: 78826438-3ef1-1038-99d0-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828093540Z
entryCSN: 20180828093540Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828093540Z

dn: cn=James Smith,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: James Smith
cn: James J Smith
sn: James
uid: jsmith
userPassword:: QWExMjM0NQ==
carLicense: A1B2C3
homePhone: 222-333-4455
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: f565e3c8-3efe-1038-99d1-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828111213Z
entryCSN: 20180828111213Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828111213Z

dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
objectClass: inetOrgPerson
cn: Maria Garcia
sn: garcia
uid: mgarcia
carLicense: AABBCC
homePhone: 333-444-4466
ou: managers
structuralObjectClass: inetOrgPerson
entryUUID: f56bc55e-3efe-1038-99d2-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828111213Z
userPassword:: e1NTSEF9NklNb0pSeVlHNTlEc0xOY2Zkanc2YUt3OSs3QnVNaUo=
entryCSN: 20180828125347Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828125347Z

dn: ou=users,dc=example,dc=com
ou: users
description: Ordinary users in the company
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: df4b1d00-3eff-1038-99d3-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828111845Z
entryCSN: 20180828111845Z#000000#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828111845Z

dn: ou=sales,dc=example,dc=com
ou: sales
description: Sales group OU
objectClass: organizationalUnit
structuralObjectClass: organizationalUnit
entryUUID: df4c13ea-3eff-1038-99d4-79db8b518c63
creatorsName: cn=ldapadm,dc=example,dc=com
createTimestamp: 20180828111845Z
entryCSN: 20180828111845Z#000001#00#000000
modifiersName: cn=ldapadm,dc=example,dc=com
modifyTimestamp: 20180828111845Z
```
To avoid putting the password on the command line, use the -S option:
```
[[email protected] openldap]# ldappasswd -x -D "cn=ldapadm,dc=example,dc=com" -S -W "cn=Maria Garcia,ou=managers,dc=example,dc=com"
New password:
Re-enter new password:
Enter LDAP Password:
Result: Success (0)
```
and compare the previous password hash with the new one using the slapcat command.
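The slapcat listings in the ldapsearch section and above show the point worth checking on any directory: the attribute that holds the secret is `userPassword`, and an entry loaded with a plain `userpassword: Aa12345` line comes back as `userPassword:: QWExMjM0NQ==`, which is only the base64 encoding of `Aa12345`, while the ldappasswd change stored an `{SSHA}` value. Whether a bind can read the attribute at all is decided by the server's access directives, which is why the audit below reads a slapcat/LDIF export rather than querying. An added example, not part of the course: a POSIX shell script with a constructed LDIF sample modelled on the entries above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the course): report which entries in an LDIF
# export still carry a cleartext userPassword. Constructed sample modelled
# on the entries shown in the course (not a live export). Assumes no folded
# continuation lines, which slapcat only emits for values over 76 columns.
SAMPLE_LDIF='dn: cn=James Smith,ou=managers,dc=example,dc=com
uid: jsmith
userPassword:: QWExMjM0NQ==

dn: cn=Maria Garcia,ou=managers,dc=example,dc=com
uid: mgarcia
userPassword:: e1NTSEF9NklNb0pSeVlHNTlEc0xOY2Zkanc2YUt3OSs3QnVNaUo=

dn: ou=users,dc=example,dc=com
ou: users'

# Decode the part of a userPassword line after the attribute name:
# "::" marks a base64-encoded value (RFC 2849), ":" a literal one.
decode_value() {
    case "$1" in
        ::*) printf '%s' "${1#::}" | sed 's/^ *//' | base64 -d ;;
        :*)  printf '%s' "${1#:}"  | sed 's/^ *//' ;;
    esac
}

# A value that starts with {SCHEME} was stored through a password hash
# scheme (for example {SSHA}); anything else is recoverable cleartext.
classify() {
    case "$1" in
        '{'*'}'*) printf 'hashed:%s' "$(printf '%s' "$1" | sed 's/}.*/}/')" ;;
        *)        printf 'cleartext' ;;
    esac
}

# Walk the LDIF and print "<class> <dn>" for every entry with a userPassword.
audit_passwords() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            dn:*)           dn=${line#dn: } ;;
            userPassword:*) value=$(decode_value "${line#userPassword}")
                            printf '%s %s\n' "$(classify "$value")" "$dn" ;;
        esac
    done
}

# Number of entries whose password is stored in the clear.
count_cleartext() {
    audit_passwords "$1" | grep -c '^cleartext '
}

audit_passwords "$SAMPLE_LDIF"
```

Run against a real export with `audit_passwords "$(slapcat)"`; every `cleartext` line is an account to reset with ldappasswd so the server stores a hash instead.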

ldapdelete

ldapdelete uses similar options to ldapadd, ldapsearch and ldappasswd. It allows us to delete a record. Let's delete "Maria Garcia":
```
[[email protected] openldap]# ldapdelete "cn= Maria Garcia,ou=managers,dc=example,dc=com" -x -D "cn=ldapadm,dc=example,dc=com" -W
Enter LDAP Password:
```
To make sure that the record has been deleted, try to delete it again:
```
[[email protected] openldap]# ldapdelete "cn= Maria Garcia,ou=managers,dc=example,dc=com" -x -D "cn=ldapadm,dc=example,dc=com" -W
Enter LDAP Password:
ldap_delete: No such object (32)
matched DN: ou=managers,dc=example,dc=com
```
and it will bark that the object does not exist.
Now we are able to use ldapadd, ldapsearch and ldapdelete both on the client and the server.