May 31, 2014

Newbie’s OpenLDAP tips

  1. Follow https://help.ubuntu.com/12.10/serverguide/openldap-server.html to get the OpenLDAP server and tools installed and configured on your server.
  2. The server binary is called slapd. The configuration is no longer a single file but a directory tree of LDAP entries; the files are in LDIF format, which is plain text. The configuration is stored under /etc/ldap/slapd.d/, in the file “cn=config.ldif” and inside the directory “cn=config”.
  3. The LDAP server's admin (root) credential is stored in the file “cn=config/olcDatabase={1}hdb.ldif”:
    1. olcRootDN:
    2. olcRootPW:
  4. User LDAP data is stored in /var/lib/ldap in a binary database format (Berkeley DB or another backend). It can only be viewed with LDAP tools such as ldapsearch, and edited with ldapadd, ldapdelete, ldapmodify, etc.
  5. Command to list all entries:
    1. ldapsearch -x -LLL -b dc=advistatech,dc=com
  6. To authenticate to the LDAP server when running a command like ldapsearch, you can use “-x” (simple authentication; with no bind DN this is an anonymous bind). Or you can “bind” to the server using the credential listed above in “olcRootDN” and “olcRootPW” as follows. Only a bound (authenticated) search will print the user password information stored in the LDAP DB. See more at http://blogs.splunk.com/2009/07/30/ldapsearch-is-your-friend/
    1. -D "cn=admin,dc=advistatech,dc=com"
    2. -W will prompt you for the password
  7. PHP can act as an LDAP client. It has dedicated functions to connect, bind and query LDAP servers.
  8. In a posixAccount object (like a Unix user account), the password attribute is “userPassword”. It is usually hashed with LDAP's salted SHA-1 scheme. If you query it while bound to the server, you will see something like {SSHA}….
  9. ldapcompare does not automatically hash a clear password when comparing, so you would need to hash the password first (probably using ldappasswd) and then do the compare (to be validated).
  10. The usual way to test a user's account credential is to actually try to bind (log in) to the LDAP server using that credential.
  11. A simple PHP script to test a user credential:
    <?php
    // Connect to the LDAP server
    $ds = ldap_connect("localhost");
    if (!$ds) {
        die("Unable to connect to LDAP server.");
    }

    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ds, LDAP_OPT_REFERRALS, 0);

    $dn = "uid=tony,ou=Users,dc=advistatech,dc=com";
    $pass = "mypass";

    // A DN with an empty password is an unauthenticated/anonymous bind, which some
    // servers accept, so a credential check must reject it before binding.
    if ($pass === "") {
        ldap_close($ds);
        die("Empty password refused (would be an anonymous bind).");
    }

    // bind: the server compares the clear password against the stored hash itself
    if (ldap_bind($ds, $dn, $pass)) {
        echo "bound successfully";
    } else {
        echo "Unable to bind to LDAP server.";
    }

    ldap_close($ds);
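Items 8 and 9 above mention the {SSHA} value stored in userPassword and the fact that ldapcompare needs a pre-hashed value. The following Python, an added example rather than code from the original post, shows how that value is built and how a clear password is verified against it offline; the sample password is constructed, and the 4-byte salt length mirrors slappasswd while verification accepts any salt length.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

DIGEST_LEN = 20  # SHA-1 always yields 20 bytes; whatever follows is the salt


def hash_userpassword(password: str, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value: {SSHA}base64(sha1(password+salt) || salt).
    salt=None draws a random 4-byte salt (the length slappasswd uses);
    salt=b"" yields the older unsalted {SHA} form."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    scheme = "{SSHA}" if salt else "{SHA}"
    return scheme + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(password: str, stored: str) -> bool:
    """Check a clear-text password against a stored {SHA}/{SSHA} value.
    Any other scheme or a malformed value is rejected (returns False)."""
    if not stored.startswith("{"):
        return False  # no scheme prefix: not a hashed value handled here
    scheme, sep, encoded = stored[1:].partition("}")
    scheme = scheme.upper()
    if not sep or scheme not in ("SHA", "SSHA"):
        return False
    try:
        raw = base64.b64decode(encoded, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    if len(digest) != DIGEST_LEN:
        return False
    if (scheme == "SSHA") != bool(salt):
        return False  # {SSHA} must carry a salt, {SHA} must not
    expected = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


if __name__ == "__main__":
    stored = hash_userpassword("mypass")  # constructed sample, not a real hash
    print(stored, verify_userpassword("mypass", stored), verify_userpassword("wrong", stored))
```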
