Just some random notes and useful commands on LDAP!

The term “LDAP” can refer to:

  • a protocol for accessing a directory server
    • Nice comparison: LDAP : X.500 DAP = TCP/IP : OSI
  • a hierarchic (non-relational) database
  • the server itself

Structure

  • DIT (Directory Information Tree): hierarchical structure in which LDAP organizes its data
  • The DIT is composed of a set of entries
  • Each entry has a unique DN (Distinguished Name) (e.g. uid=username,ou=people,dc=zonia3000,dc=net). A DN is composed of:
    • the RDN (Relative Distinguished Name): the name of the entry itself (uid=username)
    • the sequence of names of the entries at the upper levels (ou=people,dc=zonia3000,dc=net)
  • Each entry has a set of attributes
  • Root can be anything

Common acronyms

  • ou = Organisation Unit
  • uid = User Identifier
  • o = Organization
  • c = Country

ObjectClass

Each object belongs to one or more objectClasses.

An objectClass defines:

  • an OID (Object IDentifier): it is unique and assigned by international organizations.
  • which attributes are mandatory or optional
  • rules for sorting and comparison

Other useful facts:

  • It is possible to create a custom objectClass extending an existing one
    • An OID should be registered; however, if the objectClass is for internal usage only, generating a random (quite big) id may be fine
  • an objectClass can be abstract (it cannot be instantiated)
  • if an entry's objectClass attribute includes the value extensibleObject, the entry can contain any attribute

Clients

Searches

Syntax: RFC 2254

  • Base: node from which the search starts
  • Scope: search depth
    • baseObject: stop at base
    • singleLevel: stop at first level children
    • wholeSubtree: all the tree
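The base/scope rules above and the RFC 2254 filter syntax are easier to see on a small in-memory model. The block below is an added example, not code from the original notes: it escapes values the way RFC 2254 section 4 requires (so that text coming from a user is matched literally rather than interpreted as filter syntax), applies the three scopes to a constructed directory that reuses the DNs of these notes, and evaluates simple equality and presence filters. It assumes DNs without escaped commas.

```python
"""Added example, not part of the original notes: a tiny in-memory model of an
LDAP search showing RFC 2254 filter escaping and the three search scopes."""
from __future__ import annotations

import re

# RFC 2254 section 4: characters that must be escaped inside an assertion value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_SIMPLE_FILTER = re.compile(r"^\((?P<attr>[A-Za-z][A-Za-z0-9-]*)=(?P<value>.*)\)$")


def escape_filter_value(value: str) -> str:
    """Escape a value before embedding it in a filter, so that user-supplied text
    is always matched literally instead of being parsed as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attribute: str, value: str) -> str:
    """Build an (attribute=value) filter from an untrusted value."""
    return f"({attribute}={escape_filter_value(value)})"


def unescape_filter_value(value: str) -> str:
    """Turn \\xx hex escapes back into characters (the server-side view)."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def dn_components(dn: str) -> list[str]:
    """Split a DN into its RDNs, most specific first (assumption: no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Apply the base/scope rules: baseObject, singleLevel or wholeSubtree."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # entry is not under the base at all
    depth = len(entry) - len(base)
    if scope == "baseObject":
        return depth == 0
    if scope == "singleLevel":
        return depth == 1
    if scope == "wholeSubtree":
        return True
    raise ValueError(f"unknown scope {scope!r}")


def matches(attributes: dict[str, list[str]], ldap_filter: str) -> bool:
    """Evaluate a single equality (attr=value) or presence (attr=*) filter."""
    m = _SIMPLE_FILTER.match(ldap_filter)
    if m is None:
        raise ValueError(f"only simple filters are supported: {ldap_filter!r}")
    attr, value = m.group("attr").lower(), m.group("value")
    values = [v.lower() for v in attributes.get(attr, [])]
    if value == "*":  # presence filter
        return bool(values)
    return unescape_filter_value(value).lower() in values


def search(directory: dict[str, dict[str, list[str]]], base_dn: str,
           scope: str, ldap_filter: str) -> list[str]:
    """Return the DNs (sorted) of the entries in scope that satisfy the filter."""
    return sorted(dn for dn, attrs in directory.items()
                  if in_scope(dn, base_dn, scope) and matches(attrs, ldap_filter))


# Constructed sample directory mirroring the DNs used in these notes
DIRECTORY = {
    "dc=zonia3000,dc=net": {"objectclass": ["organization", "dcObject"], "o": ["MyOrganization"]},
    "ou=people,dc=zonia3000,dc=net": {"objectclass": ["organizationalUnit"], "ou": ["people"]},
    "ou=groups,dc=zonia3000,dc=net": {"objectclass": ["organizationalUnit"], "ou": ["groups"]},
    "uid=pippo,ou=people,dc=zonia3000,dc=net": {"objectclass": ["inetOrgPerson"], "uid": ["pippo"]},
    "uid=pluto,ou=people,dc=zonia3000,dc=net": {"objectclass": ["inetOrgPerson"], "uid": ["pluto"]},
}

if __name__ == "__main__":
    base = "dc=zonia3000,dc=net"
    for scope in ("baseObject", "singleLevel", "wholeSubtree"):
        print(scope, search(DIRECTORY, base, scope, "(objectClass=*)"))
    # A value containing "*" is matched literally once escaped: no wildcard expansion
    print(search(DIRECTORY, base, "wholeSubtree", equality_filter("uid", "pi*")))
```

Running the block prints one DN for baseObject, the two organizational units for singleLevel and all five entries for wholeSubtree; the last line prints an empty list, because the escaped `pi*` is compared as a literal string rather than as a wildcard.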

LDIF

Format for representing LDAP update requests.

  • multi-line values: break the line and start the continuation line with a space or a tab
  • each attribute on its own line
  • if an attribute value contains non-ASCII characters it is Base64-encoded and the attribute name is followed by two colons (::) instead of one
  • one empty line separates two entries
  • more than one empty line: EOF
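The rules above are enough to write a small LDIF reader and writer, which is the quickest way to check that you have understood them. The block below is an added example, not code from the original notes or from OpenLDAP: it unfolds continuation lines (RFC 2849 specifies a single leading space; a tab is tolerated here too, as the notes describe), decodes `::` Base64 values, splits entries on empty lines, and serialises entries back, Base64-encoding any value that is not a safe ASCII string and folding long lines. The sample LDIF is constructed for the example.

```python
"""Added example, not part of the original notes: a minimal LDIF parser and
serialiser covering continuation lines, Base64 (::) values and entry separation."""
from __future__ import annotations

import base64
from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    attributes: dict[str, list[str]] = field(default_factory=dict)


def _parse_line(line: str) -> tuple[str, str]:
    """Split 'name: value' or 'name:: base64value' into (name, decoded value)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):  # two colons: the value is Base64-encoded
        return name, base64.b64decode(rest[1:].strip()).decode("utf-8")
    return name, rest[1:] if rest.startswith(" ") else rest


def parse_ldif(text: str) -> list[Entry]:
    """Parse LDIF text into entries; comment lines (#) are skipped."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith((" ", "\t")) and lines and lines[-1] != "":
            lines[-1] += raw[1:]  # continuation of the previous logical line
        elif not raw.startswith("#"):
            lines.append(raw)
    entries: list[Entry] = []
    current: Entry | None = None
    for line in lines:
        if line == "":  # an empty line closes the current entry
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, value = _parse_line(line)
        if current is None:
            if name.lower() != "dn":
                raise ValueError(f"entry must start with dn, got {name!r}")
            current = Entry(dn=value)
        else:
            current.attributes.setdefault(name, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def _needs_base64(value: str) -> bool:
    """RFC 2849 safe string: ASCII, no leading space/colon/'<', no CR/LF/NUL, no trailing space."""
    if not value.isascii() or value[:1] in (" ", ":", "<"):
        return True
    if any(ch in value for ch in "\r\n\x00"):
        return True
    return value.endswith(" ")


def _fold(line: str, width: int = 76) -> str:
    """Fold a logical line so no physical line exceeds `width` characters."""
    chunks, rest = [line[:width]], line[width:]
    while rest:
        chunks.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(chunks)


def _format_line(name: str, value: str) -> str:
    if _needs_base64(value):
        return _fold(f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}")
    return _fold(f"{name}: {value}")


def to_ldif(entries: list[Entry]) -> str:
    """Serialise entries, one empty line between them, dn first."""
    blocks = []
    for entry in entries:
        lines = [_format_line("dn", entry.dn)]
        for name, values in entry.attributes.items():
            lines.extend(_format_line(name, v) for v in values)
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


# Constructed sample: a folded description line and a Base64 cn ("Zoé")
SAMPLE_LDIF = """\
dn: dc=zonia3000,dc=net
objectClass: organization
objectClass: dcObject
o: MyOrganization

dn: uid=username,ou=people,dc=zonia3000,dc=net
objectClass: inetOrgPerson
uid: username
cn:: Wm/DqQ==
description: a long description that is folded over two physical lin
 es as LDIF allows
sn: Name

"""

if __name__ == "__main__":
    parsed = parse_ldif(SAMPLE_LDIF)
    for entry in parsed:
        print(entry.dn, entry.attributes)
    print(to_ldif(parsed))
```

The serialiser and parser round-trip each other, which is a useful property to test when you generate LDIF from scripts: a value such as `Zoé` goes out as `cn:: Wm/DqQ==` and comes back unchanged.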

OpenLDAP administration

  • Daemon: slapd (/usr/local/etc/openldap)

Configuration

  • In the past the configuration was stored in a file; now it is stored in a special LDAP directory whose root is cn=config
  • Read the configuration: sudo slapcat -n0
  • What is that number? Some configuration DNs contain a number (e.g. dn: olcDatabase={1}mdb,cn=config). LDAP data has no intrinsic order, but configuration directives must be applied in a specific order, so the number provides it.
  • The olc prefix in configuration attribute names stands for “OpenLDAP Configuration”

Create a new root

Multiple rootDN on one LDAP server

  • Create a new folder inside /var/lib/ldap/
    • the folder name should be the same as the LDAP root (e.g. net), otherwise a “global superior knowledge missing” error will appear
    • folder ownership and permissions: openldap, mode 755
  • Add the tree with ldapadd and following LDIF:
dn: dc=zonia3000,dc=net
o: MyOrganization
objectClass: organization
objectClass: dcObject

dn: ou=people,dc=zonia3000,dc=net
objectClass: organizationalUnit
ou: people

Example of commands

  • Search:

    ldapsearch -D "uid=pippo,ou=people,dc=zonia3000,dc=net" -W -b "uid=pippo,ou=people,dc=zonia3000,dc=net"
    
  • Add:

    ldapadd -D "cn=Manager,dc=zonia3000,dc=net" -W -f create_user.ldif  
    
  • Execute an operation on the local LDAP server without a password (SASL EXTERNAL over the ldapi socket):

    ldapmodify -Y EXTERNAL -H ldapi:/// -f <file_name>
    

Enable debug

On client

ldapsearch ... -d 1

On server

  • create file ldap-loglevel.ldif with following content:

    dn: cn=config
    changetype: modify
    replace: olcLogLevel
    olcLogLevel: -1
    
  • then execute: ldapmodify -Y EXTERNAL -H ldapi:/// -f ldap-loglevel.ldif

Significant values:

  • 0: disabled
  • -1: all logs

SSL configuration

Documentation

  • vim /etc/default/slapd
  • Add SLAPD_SERVICES="ldap:/// ldapi:/// ldaps://"
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/certificates/cacert.pem
-
add: olcTLSCipherSuite
olcTLSCipherSuite: NORMAL
-
add: olcTLSCRLCheck
olcTLSCRLCheck: none
-
add: olcTLSVerifyClient
olcTLSVerifyClient: never
-
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/ldap/certificates/ldapkey.pem
-
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/certificates/ldapcert.pem
  • Certificate files must be owned by the openldap user and group, otherwise the following error will appear: ldap_modify: Other (e.g., implementation specific) error (80)

Setup user passwords

Configuration

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcPasswordHash
olcPasswordHash: {CRYPT}

Possible values: {SSHA} (salted SHA), {SHA}, {SMD5}, {MD5}, {CRYPT}

Generate a new password

slappasswd -h {SSHA}
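What slappasswd produces for {SSHA} is a well-defined format: the Base64 of the SHA-1 digest of password plus salt, with the salt appended to the digest so the server can recompute it on bind. The block below is an added example, not code from the original notes or from OpenLDAP: it builds and verifies an {SSHA} value, contrasts it with unsalted {SHA}, and pulls the digest and salt apart from the example hash in these notes (the password behind that hash is unknown here; the 4-byte salt length is an assumption that matches the example's length, and the constant-time comparison is the part a bind implementation must not skip).

```python
"""Added example, not from the original notes: how an {SSHA} userPassword value
is built and verified, and why the salt matters compared with plain {SHA}."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_DIGEST_LEN = 20
SSHA_PREFIX = "{SSHA}"


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA} = base64( sha1(password || salt) || salt ).
    A short random salt is generated when none is given (4 bytes assumed here,
    matching the length of the example hash in these notes)."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode("ascii")


def split_ssha(stored: str) -> tuple[bytes, bytes]:
    """Separate the SHA-1 digest from the salt appended after it."""
    if not stored.startswith(SSHA_PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    return raw[:SHA1_DIGEST_LEN], raw[SHA1_DIGEST_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def sha_hash(password: str) -> str:
    """Unsalted {SHA}: identical passwords always give identical stored values."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# The userPassword value shown in these notes; the password behind it is unknown here
PAGE_EXAMPLE = "{SSHA}TT5x7iT5q8hhsfTJzmmzCHwLnbOfvNHd"

if __name__ == "__main__":
    stored = ssha_hash("correct horse")
    print(stored, ssha_verify("correct horse", stored), ssha_verify("wrong", stored))
    # Two users with the same password: {SHA} values collide, {SSHA} values do not
    print(sha_hash("secret") == sha_hash("secret"), ssha_hash("secret") == ssha_hash("secret"))
    digest, salt = split_ssha(PAGE_EXAMPLE)
    print(len(digest), "byte digest,", len(salt), "byte salt in the notes' example")
```

The salt is what stops two accounts with the same password from showing the same userPassword value in an LDIF dump. Note that SHA-1 with a salt is still a fast hash; {CRYPT} delegates to the system crypt(3), which can use deliberately slow methods, so it is the better choice where the platform supports them.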

Create user

dn: uid=username,ou=people,dc=zonia3000,dc=net
objectClass: inetOrgPerson
mail: mail
uid: username
userPassword: {SSHA}TT5x7iT5q8hhsfTJzmmzCHwLnbOfvNHd
sn: Name
cn: Name Surname