LDAP: Difference between revisions

From DWIKI
'''L'''ightweight '''D'''irectory '''A'''ccess '''P'''rotocol

In [http://en.wikipedia.org/wiki/computer_networking computer networking], the '''Lightweight Directory Access Protocol''', or '''LDAP''' ("ell-dap"), is a [http://en.wikipedia.org/wiki/networking_protocol networking protocol] for querying and modifying [http://en.wikipedia.org/wiki/directory_service directory service]s running over [http://en.wikipedia.org/wiki/Internet_protocol_suite TCP/IP]. An LDAP directory usually follows the [http://en.wikipedia.org/wiki/X.500 X.500] model: it is a tree of entries, each of which consists of a set of named attributes with values. While some services use a more complicated "forest" model, the vast majority use a simple starting point for their database organization.

An LDAP directory often reflects various political, geographic, and/or organizational boundaries, depending on the model chosen. LDAP deployments today tend to use [http://en.wikipedia.org/wiki/Domain_Name_System Domain Name System] (DNS) names for structuring the most simple levels of the hierarchy. Further into the directory might appear entries representing people, organizational units, printers, documents, groups of people or anything else which represents a given tree entry, or multiple entries.

Its current version is LDAPv3. LDAPv3 is specified in a series of [http://en.wikipedia.org/wiki/IETF IETF] Standard Track [http://en.wikipedia.org/wiki/Request_for_Comments RFC]s as detailed in RFC 4510.

= Interfaces =
*[http://directory.apache.org/studio/ Apache Directory Studio]
*[http://lam.sourceforge.net/ LAM (LDAP Account Manager)]
*[http://phpldapadmin.sourceforge.net phpldapadmin]
*ldapvi

= Tutorials and docs =
*[https://ldapwiki.com/wiki/ LDAP wiki]
*[http://www.openldap.org/doc/admin24/access-control.html Access Control]
*[[Pam-ldap|Pam-ldap]]
*http://www.zytrax.com/books/ldap/ch6/#access
*[http://www.zytrax.com/books/ldap/ http://www.zytrax.com/books/ldap/]
*[http://www.linuxtopia.org/online_books/network_administration_guides/ldap_administration/slapdconf2_Access_Control.html OLC access control]
*[http://tuxick.net/ldap.html http://tuxick.net/ldap.html]
*[http://ldapadministrator.com http://ldapadministrator.com]
*[https://www.calmblue.net/blog/server/linux/openldap-server-on-debian-using-olc OpenLDAP server on Debian using OLC]
*[http://thomas-howard.com/Reference/Articles/Apache+AD/ Apache Authentication with Active Directory]
*[http://www.gentoo.org/doc/en/ldap-howto.xml LDAP authentication on Gentoo (slightly outdated)]
*[[LDAP_Replication|LDAP Replication]]
*[http://www.linuxtopia.org/online_books//network_administration_guides/ldap_administration/appendix-common-errors_Common_causes_of_LDAP_errors.html Common causes of LDAP errors]
*[http://www.oav.net/mirrors/LDAP-ObjectClasses.html Objectclasses]
*[http://www.zytrax.com/books/ldap/ LDAP for Rocket Scientists]
*[http://moduli.net/sysadmin/sarge-ldap-auth-howto.html http://moduli.net/sysadmin/sarge-ldap-auth-howto.html]
*[http://www.zytrax.com/books/ldap/ch6/slapd-config.html#intro OpenLDAP using OLC (cn=config)]
*[https://www.ibm.com/support/pages/how-test-ca-certificate-and-ldap-connection-over-ssltls LDAP and SSL certificates]

== Access control ==
*[http://www.openldap.org/doc/admin24/access-control.html Access Control]
*[http://www.zytrax.com/books/ldap/ch6/#access http://www.zytrax.com/books/ldap/ch6/#access]
*[http://www.linuxtopia.org/online_books/network_administration_guides/ldap_administration/slapdconf2_Access_Control.html OLC access control]

== ldapmodify ==
*[http://www.tldp.org/HOWTO/LDAP-HOWTO/utilities.html http://www.tldp.org/HOWTO/LDAP-HOWTO/utilities.html]
*[http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rzahy/rzahydeleteobj.htm Delete an objectclass]

= Links =
*[http://www.openldap.org/ http://www.openldap.org/]
*[http://www.redhat.com/docs/manuals/dir-server/deploy/7.1/deployTOC.html Red Hat Directory Server documentation, worth reading]
*[http://docs.sun.com/source/816-6064-10/ErrorMsg.doc7.html Error messages]

= Client configuration =
Client-side settings are kept in /etc/openldap/ldap.conf.

== Ldapsearch ==
*[https://theitbros.com/ldapsearch/ https://theitbros.com/ldapsearch/]
*[[ldapsearch]]

= FAQ =

== OLC ==

=== Change OLC config ===
  ldapmodify -Y EXTERNAL -H ldapi:///
  dn: cn=config
  replace: olcLogLevel
  olcLogLevel: None
  CTRL + D

=== view configuration in OLC ===
  slapcat -H "ldap:///cn=config??sub?(olcDatabase=*)"
  ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config

=== LdapErr: DSID-0C090AE1, comment: In order to perform this operation a successful bind must be completed on the connection. ===
login?

=== ldap_sasl_interactive_bind_s: Unknown authentication method (-6) ===
Try adding "-x" to the ldapsearch command.

== ldapsearch ==

=== LdapErr: DSID-0C09127F, comment: TLS or SSL already in effect, data 0, v3839 ===

=== TLS certificate verification: Error, unable to get local issuer certificate ===

== add indexes ==
[http://forum.zentyal.org/index.php?topic=3006.0 http://forum.zentyal.org/index.php?topic=3006.0] [http://www.zytrax.com/books/ldap/apa/indeces.html http://www.zytrax.com/books/ldap/apa/indeces.html]

NOTE: there is no longer any need to run slapindex!

== additional info: structuralObjectClass: no user modification allowed ==
Use slapadd instead of ldapadd, while slapd is NOT running:

  slapadd -v < ldap.ldif

== AttributeType inappropriate matching rule: "integerMatch" ==
  duh

== Replace LDAP database ==
  service slapd stop
  rm /var/lib/ldap/*
  slapadd -l dump.ldif
  chown -R openldap.openldap /var/lib/ldap
  service slapd start

== create a new database from ldif file ==
  slapadd -l dump.ldif
Remember to set the rights on the db storage!
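The replace sequence above deletes the live database before slapadd has read the dump, so a bad or empty dump leaves you with nothing. The following is an added example script, not this wiki's own commands, that wraps the same steps with the checks a careful admin wants: the dump is verified before anything is removed, the old files are copied aside, and each step must succeed before the next runs. DB_DIR, DB_OWNER and SLAPD_SERVICE default to the Debian-style values used on this page; DRY_RUN=1 only prints the commands.

```shell
#!/bin/sh
# Added example, not the wiki's own commands. Defaults mirror the
# Debian layout used on this page; override them via the environment.
DB_DIR=${DB_DIR:-/var/lib/ldap}
DB_OWNER=${DB_OWNER:-openldap:openldap}
SLAPD_SERVICE=${SLAPD_SERVICE:-slapd}

# run CMD...: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'DRY-RUN: %s\n' "$*"
  else
    "$@"
  fi
}

# ldif_looks_valid FILE: readable, non-empty and starts like LDIF
# (contains a "dn:" line). Checked BEFORE the old database is removed.
ldif_looks_valid() {
  [ -r "$1" ] && [ -s "$1" ] && grep -q '^dn: ' "$1"
}

# replace_ldap_db DUMP.ldif: stop slapd, copy the current database aside,
# load the dump with slapadd -l, restore ownership, start slapd again.
# Returns non-zero (and stops) at the first failing step, so a failed
# slapadd leaves slapd stopped and the backup copy in place for recovery.
replace_ldap_db() {
  dump=$1
  if ! ldif_looks_valid "$dump"; then
    echo "refusing to continue: '$dump' is not a usable LDIF dump" >&2
    return 1
  fi
  backup="$DB_DIR.bak.$(date +%Y%m%d%H%M%S)"
  run service "$SLAPD_SERVICE" stop      || return 1
  run cp -a "$DB_DIR" "$backup"         || return 1   # keep the old files
  run sh -c "rm -f '$DB_DIR'/*"         || return 1
  run slapadd -l "$dump"                || return 1
  run chown -R "$DB_OWNER" "$DB_DIR"    || return 1   # slapd must own its files
  run service "$SLAPD_SERVICE" start
}
```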


== add a record ==
  ldapadd

== modify a record ==
*[http://docs.sun.com/source/816-6400-10/lmodify.html http://docs.sun.com/source/816-6400-10/lmodify.html]

  ldapmodify -x -D "cn=admin, dc=bar, dc=com" -W << EOF
  dn: cn=foo, dc=bar, dc=com
  changetype: modify
  replace: sn
  sn: new name
  EOF

Or

  ldapmodify -D "cn=admin,dc=bar,dc=com" -Y EXTERNAL -H ldapi:/// << EOF
  ..
  EOF

Or even, also for reconfiguration of OLC:

  ldapmodify -Y EXTERNAL -H ldapi:/// < foo.ldif

== change olcAccess, olcSuffix etc ==
I managed this by changing things in the following order:
  olcAccess{2}
  olcAccess{0}
  olcRootDN
  olcSuffix
  EOF

== add an attribute ==
  changetype: modify
  add: objectClass
  objectClass: qmailUser

== search for a record ==
*[http://docs.sun.com/source/816-6400-10/lsearch.html http://docs.sun.com/source/816-6400-10/lsearch.html]

  ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
  ldapsearch -x -b "dc=foo, dc=com" "uid=harry"

*scope?

== ber_get_next on fd 12 failed errno=0 (Success) ==
You're probably trying to use ldapadd without -x.

== ber_get_next on fd 15 failed errno=11 (Resource temporarily Unavailable) ==
??

== rootdn is always granted unlimited privileges ==

== Error number: 0x50 (LDAP_OTHER) ==

=== Internal (implementation specific) error ===
You probably ran slapindex as the wrong user. Set the rights on the directory named under 'directory' in slapd.conf for the user slapd runs as (openldap on Debian).

== search filters ==
*[http://www.faqs.org/rfcs/rfc2254.html http://www.faqs.org/rfcs/rfc2254.html]
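The filter syntax in RFC 2254 (now superseded by RFC 4515) reserves four characters that must be hex-escaped whenever a value is spliced into a filter such as the "uid=harry" search above. The following is an added example, not code from this wiki, showing that escaping in POSIX shell; the helper names and the base DN in the usage comment are assumptions.

```shell
# Added example (not from this wiki). RFC 2254 / RFC 4515 require these
# characters in an assertion value to be written as backslash + two hex digits:
#   \  -> \5c     *  -> \2a     (  -> \28     )  -> \29
# (NUL -> \00 cannot appear in a shell string and is therefore not handled.)
ldap_filter_escape() {
  # Backslash is replaced first; otherwise the escapes produced by the later
  # substitutions would themselves be escaped again.
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                         -e 's/\*/\\2a/g' \
                         -e 's/(/\\28/g'  \
                         -e 's/)/\\29/g'
}

# ldap_eq_filter ATTR VALUE: build "(ATTR=VALUE)" with VALUE escaped, so an
# untrusted value (form input, a username taken from a log) cannot open or
# close filter components; only the attribute name is trusted here.
ldap_eq_filter() {
  printf '(%s=%s)' "$1" "$(ldap_filter_escape "$2")"
}

# Usage with the same base DN as the wiki's search (assumed, not a real tree):
#   ldapsearch -x -b "dc=foo, dc=com" "$(ldap_eq_filter uid "$untrusted_uid")"
```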


== main: TLS init def ctx failed: -1 ==
Probably no access to one of the certificate files.

== ldif_read_file: checksum error on "/etc/ldap/slapd.d/cn=config/olcDatabase={1}bdb.ldif" ==
You edited the config file by hand instead of using ldapmodify. The error goes away once you have applied a change to it with ldapmodify.

== php and ldap ==

=== ignore certificates ===
  LDAPTLS_REQCERT=never
This relates to TLS_REQCERT in ldap.conf; see
  man ldap.conf
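LDAPTLS_REQCERT=never makes the client accept any server certificate, so it helps to know which setting a host actually ends up with. The following added example (not code from this wiki) determines the effective value the way ldap.conf(5) describes it, with the environment variable overriding the file and "demand" as the default, and flags the weak settings; the sample ldap.conf it writes is constructed.

```shell
# Added example, not from this wiki. Classify the effective TLS_REQCERT
# setting of an OpenLDAP client. Values per ldap.conf(5):
#   never       - no server certificate is requested or checked
#   allow       - a bad certificate is ignored
#   try         - a bad certificate ends the session, but none at all is accepted
#   demand/hard - a valid certificate is required (the default)

# write_sample_ldap_conf FILE: constructed ldap.conf content for a demo/test.
write_sample_ldap_conf() {
  cat > "$1" <<'EOF'
# client defaults (constructed sample)
BASE        dc=example,dc=com
URI         ldap://ldap.example.com
TLS_CACERT  /etc/openldap/certs/cacert.pem
TLS_REQCERT never
EOF
}

# effective_tls_reqcert FILE: the LDAPTLS_REQCERT environment variable
# overrides the file; within the file the last uncommented TLS_REQCERT
# line wins; if neither is set OpenLDAP defaults to "demand".
# The keyword is matched case-insensitively; output is lower-cased.
effective_tls_reqcert() {
  if [ -n "${LDAPTLS_REQCERT:-}" ]; then
    printf '%s\n' "$LDAPTLS_REQCERT" | tr 'A-Z' 'a-z'
  else
    awk '$1 !~ /^#/ && tolower($1) == "tls_reqcert" { v = tolower($2) }
         END { print (v == "" ? "demand" : v) }' "$1"
  fi
}

# tls_reqcert_status FILE: "weak" when the server certificate is not
# reliably verified, "ok" when it is, "unknown" for anything else.
tls_reqcert_status() {
  case "$(effective_tls_reqcert "$1")" in
    never|allow|try) echo weak ;;
    demand|hard)     echo ok ;;
    *)               echo unknown ;;
  esac
}
```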
 
 
== check TLS connection ==
You might need to set up certs in /etc/openssl/ldap.conf

  ldapsearch -x -ZZ -h hostname -p 389

or

  openssl s_client -connect hostname:636 -cert /etc/openldap/certs/clientcert.pem -CAfile /etc/openldap/certs/cacert.pem

or (StartTLS is negotiated on the plain LDAP port, not on 636)

  openssl s_client -starttls ldap -connect hostname:389

=== ldap_start_tls: Connect error (-11) ===
Probably some cert is missing.

= Keywords =

== rootdn ==
The user/account with full access.

= Tools =
*phpldapadmin
*ldapbrowser
*lam
*shelldap
*ldapvi

Latest revision as of 10:32, 14 June 2023
