Ldap

LDIF files

LDAP manual

Centralize Debian LDAP documentation

What happens on the wire when a TLS / LDAP or TLS / HTTP connection is set up?

LDAP TLS

LDAP filters syntax

Copy the cacert.pem of your CA to /etc/ssl/certs/cacert.pem (the same path that TLS_CACERT points at below).

In ldap.conf (the OpenLDAP client configuration; /etc/ldap/ldap.conf on Debian) set:

TLS_CACERT /etc/ssl/certs/cacert.pem

Check the LDAP login. The first form refuses to continue unless StartTLS succeeds (-ZZ) and prints full client-side debugging (-d -1), so you see the TLS handshake and the bind result; the second form binds with a UPN, which is what Active Directory accepts, but without -ZZ or an ldaps:// URI the password travels in clear text:

ldapsearch -x -D 'cn=admin,dc=hummy,dc=org' -ZZ -W -d -1
ldapsearch -x -D 'admin@hummy.org' -W -h 127.0.0.1

The -x argument selects a simple bind instead of SASL; it works the same way for ldapsearch, ldapadd, ldapmodify and the other OpenLDAP client tools.

You can also use these commands. -LLL prints plain LDIF without comments and version lines, and the final argument is the list of attributes to return (only "admin" in the first and third example, all attributes in the second). Note that -w puts the password on the command line, where it is visible in the process list and the shell history; use -W (prompt) or -y passwordfile instead when you are not on a throw-away test box. Newer OpenLDAP tools prefer -H ldap://host over -h host.

ldapsearch -x -LLL -h [host] -D [user] -w [password] -b [base DN] -s sub "([filter])" [attribute list]
ldapsearch -x -LLL -h 192.168.0.81 -D admin -w PaSsWoRd -b "dc=hummy,dc=int" -s sub "(objectClass=user)" admin
ldapsearch -x -LLL -h 192.168.0.81 -D admin -w PaSsWoRd -b "dc=hummy,dc=int" -s sub "(objectClass=user)"
ldapsearch -x -LLL -h 192.168.0.81 -D admin -w PaSsWoRd -b "dc=ad,dc=hummy,dc=int" -s sub "(objectClass=user)" admin

A good tool for troubleshooting the TLS side is openssl s_client: it shows the certificate chain the server presents, the verify result against your CA file, and the negotiated protocol, independently of the LDAP client. For example:

openssl s_client -connect ldap.mycompany.com:636 -showcerts -CAfile /etc/ssl/certs/cacert.pem

For StartTLS on port 389 use "-starttls ldap" (OpenSSL 1.1.1 and later) instead of connecting to 636.

---

Another way to make your OpenLDAP client trust your Windows domain controller is:

1. Obtain the certificate of the CA that issued the domain controller's certificate (or the DC's own certificate, if it is self-signed). Only a CA certificate belongs in TLS_CACERT: if you install the DC's leaf certificate, connections to that one DC work but any other DC in the domain fails verification.

2. Convert the certificate to PEM format. Windows exports DER (.cer) by default; for that input openssl needs "-inform DER", otherwise it stops with "unable to load certificate". If the file already starts with "-----BEGIN CERTIFICATE-----" it is PEM and can be copied as is. Substitute the names of files as needed.
openssl x509 -inform DER -in <copied certificate file> -out /etc/openldap/certs/<cert>.pem

3. Add a line in ldap.conf to use the new root cert.
vi /etc/openldap/ldap.conf
TLS_CACERT /etc/openldap/certs/<cert>.pem
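The three steps above as a small set of shell functions, added here as an example and not taken from the original page. It fetches the chain a DC presents, converts a DER or PEM export to PEM without guessing the format, and checks that the resulting CA file really validates the server certificate before it is written into ldap.conf. The host name dc1.company.com, the path /etc/openldap/certs/ca.pem and the self-signed sample certificate are placeholders constructed for the example; only fetch_chain and ldaps_check touch the network and they are not run by the demo at the bottom.

```shell
#!/bin/sh
# Added example, not code from the original page: the "obtain certificate,
# convert to PEM, point TLS_CACERT at it" procedure as checkable functions.
# Host names and paths are placeholders; the sample certificate is constructed.

# Step 1 (live, not run here): pull the certificate chain the DC presents on 636.
# The first PEM block is the DC's leaf certificate; what TLS_CACERT needs is the
# issuer further down the chain (or this block, if the DC cert is self-signed).
fetch_chain() {   # usage: fetch_chain dc1.company.com > chain.pem
    openssl s_client -connect "$1:636" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Step 2: convert whatever was exported to PEM. Windows exports DER (.cer) by
# default, and "openssl x509 -in file.cer" without -inform DER fails on older
# OpenSSL releases with "unable to load certificate", so detect the format.
cert_to_pem() {   # usage: cert_to_pem INPUT OUTPUT.pem
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        openssl x509 -inform PEM -in "$1" -out "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# Step 3 check: does the CA file actually validate the server certificate?
# Returns 0 when openssl verify accepts the chain, non-zero otherwise.
verify_against_ca() {   # usage: verify_against_ca CA.pem SERVER.pem
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Step 3 (live, not run here): test the client without editing ldap.conf by
# overriding TLS_CACERT from the environment; an anonymous rootDSE read is
# enough to prove the TLS handshake and certificate verification work.
ldaps_check() {   # usage: ldaps_check dc1.company.com /etc/openldap/certs/ca.pem
    LDAPTLS_CACERT="$2" ldapsearch -x -H "ldaps://$1:636" -b '' -s base -LLL namingContexts
}

# Constructed input: a self-signed "DC" certificate in PEM and DER form,
# standing in for the file copied from the Windows CA.
make_sample_cert() {   # usage: make_sample_cert DIR  -> DIR/dc.pem and DIR/dc.cer
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=dc1.company.com' \
        -keyout "$1/dc.key" -out "$1/dc.pem" >/dev/null 2>&1
    openssl x509 -in "$1/dc.pem" -outform DER -out "$1/dc.cer"
}

WORK=$(mktemp -d)
make_sample_cert "$WORK"
cert_to_pem "$WORK/dc.cer" "$WORK/converted.pem"
verify_against_ca "$WORK/converted.pem" "$WORK/dc.pem" && echo "chain OK against $WORK/converted.pem"
```

Once verify_against_ca passes for the real CA file and the real DC certificate (the first block of fetch_chain's output), copy the CA file into place and run ldaps_check; a failure there with the same files points at ldap.conf (wrong TLS_CACERT path, TLS_REQCERT never) rather than at the certificate.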

How to check whether the credentials and connection data configured in an LDAP client (here: the LDAP settings of a USM appliance) actually work against the server:

1> Install the ldapscripts package: apt-get install ldapscripts (it depends on ldap-utils, which provides ldapsearch)

2> Check the data given:

LDAP server address: 192.168.10.10
LDAP server port: 389
LDAP server baseDN: DC=company,DC=com
LDAP server filter for LDAP users: (&(sAMAccountName=%u)(objectCategory=person))
LDAP Username: admin@company.com

%u is a placeholder that the USM replaces with the login name at authentication time. When you test by hand, put a real account name in its place; with the literal %u the filter matches no account and the search only proves that the bind works.


Test an LDAP server without TLS (port 389). Do not pass -ZZ here: on port 389 it forces StartTLS and aborts if the server does not offer it, which is the opposite of a plain-text test.

ldapsearch -x -b "DC=company,DC=com" -D "admin@company.com" -h 192.168.10.10 -W '(&(sAMAccountName=%u)(objectCategory=person))'

Test the same server with StartTLS on port 389 (requires TLS_CACERT to be set up as described above):

ldapsearch -x -b "DC=company,DC=com" -D "admin@company.com" -h 192.168.10.10 -ZZ -W '(&(sAMAccountName=%u)(objectCategory=person))'

Test an LDAP server with TLS from the start (LDAPS, port 636):

ldapsearch -x -b "DC=company,DC=com" -D "admin@company.com" -H ldaps://192.168.10.10:636 -W '(&(sAMAccountName=%u)(objectCategory=person))'

If the user name and password are correct the test ends with "result: 0 Success"; a wrong password gives "ldap_bind: Invalid credentials (49)" and the search is never sent. The output should look like the following.


RESULT: sample run on one customer's USM

CHCCUSM:~# ldapsearch -x -b "dc=chcc,dc=org" -D "company@chcc.org" -h 10.0.2.54 -ZZ -W "(&(sAMAccountName=%u)(objectCategory=person))"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=chcc,dc=org> with scope subtree
# filter: (&(sAMAccountName=%u)(objectCategory=person))
# requesting: ALL
#

# search reference
ref: ldap://ForestDnsZones.chcc.org/DC=ForestDnsZones,DC=chcc,DC=org

# search reference
ref: ldap://DomainDnsZones.chcc.org/DC=DomainDnsZones,DC=chcc,DC=org

# search reference
ref: ldap://chcc.org/CN=Configuration,DC=chcc,DC=org

# search result
search: 3
result: 0 Success

# numResponses: 4
# numReferences: 3

The bind worked (result: 0 Success), but no entry came back: the three responses are Active Directory's referrals to its other naming contexts, and the literal %u in the filter matched no account. Repeat the search with a real sAMAccountName in place of %u to confirm that the filter itself is right.
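A way to turn the manual test above into a repeatable check, added here as an example and not part of the original page. It substitutes the login name into the USM-style filter template with RFC 4515 escaping (so a name such as "*)(objectClass=*" cannot widen the match), and it reads ldapsearch's LDIF output to tell "bind OK but nothing matched" (the sample result above) apart from "bind OK and the filter found the user". The function names, the password-file convention and the two sample outputs are constructed for this example; ldap_test_bind is the only function that talks to a server and it is not run by the demo.

```shell
#!/bin/sh
# Added example, not code from the original page. It assumes the USM-style
# filter template shown above, with %u standing for the login name, and the
# OpenLDAP ldapsearch client. The sample LDIF outputs below are constructed.

# Escape one value for use inside an LDAP search filter (RFC 4515, section 3).
# The backslash rule runs first so the escapes added afterwards stay intact.
# (A NUL byte cannot be passed as a shell argument, so it is not handled.)
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace every %u in a filter template with the escaped login name.
build_filter() {   # usage: build_filter TEMPLATE USERNAME
    template=$1
    esc=$(ldap_filter_escape "$2")
    out=""
    while [ "${template#*%u}" != "$template" ]; do   # while a %u is left
        out="$out${template%%%u*}$esc"
        template=${template#*%u}
    done
    printf '%s\n' "$out$template"
}

# Summarise ldapsearch LDIF output stored in a file: number of entries
# (dn: lines), number of referrals (ref: lines) and the result code.
# Prints "entries refs code"; code is "none" if no result line was found.
ldif_summary() {   # usage: ldif_summary FILE
    entries=$(grep -c '^dn: ' "$1" || true)
    refs=$(grep -c '^ref: ' "$1" || true)
    code=$(sed -n 's/^result: \([0-9][0-9]*\).*/\1/p' "$1")
    printf '%s %s %s\n' "$entries" "$refs" "${code:-none}"
}

# Return 0 only when the bind succeeded (result 0) AND the filter matched at
# least one entry. Referrals alone mean the credentials work but the filter
# (for example with the literal %u still in it) found nothing.
check_result() {   # usage: check_result FILE
    set -- $(ldif_summary "$1")
    if [ "$3" != "0" ]; then
        echo "bind or search failed, result code $3" >&2
        return 1
    fi
    if [ "$1" -eq 0 ]; then
        echo "bind OK but no entries matched ($2 referrals); check the filter and the %u substitution" >&2
        return 2
    fi
    echo "OK: $1 entries, $2 referrals"
}

# Live test (not run here). The password is read from a file with -y instead of
# -w on the command line, which would expose it in ps and the shell history;
# create the file with umask 077 and without a trailing newline.
ldap_test_bind() {   # usage: ldap_test_bind HOST BINDDN PASSFILE BASEDN USERNAME > out.ldif
    filter=$(build_filter '(&(sAMAccountName=%u)(objectCategory=person))' "$5")
    ldapsearch -x -LLL -H "ldaps://$1:636" -D "$2" -y "$3" -b "$4" -s sub "$filter" sAMAccountName
}

# Constructed sample: successful bind, filter matched nothing (literal %u).
SAMPLE_NOHIT=$(mktemp)
cat >"$SAMPLE_NOHIT" <<'EOF'
# search reference
ref: ldap://chcc.org/CN=Configuration,DC=chcc,DC=org

# search result
search: 3
result: 0 Success
EOF

# Constructed sample: the same search with a real login name substituted.
SAMPLE_HIT=$(mktemp)
cat >"$SAMPLE_HIT" <<'EOF'
dn: CN=John Doe,CN=Users,DC=chcc,DC=org
sAMAccountName: jdoe

# search result
search: 2
result: 0 Success
EOF

# Demonstrate both outcomes on the constructed samples.
check_result "$SAMPLE_NOHIT" || echo "(expected: the filter found nothing)"
check_result "$SAMPLE_HIT"
```

Run ldap_test_bind with the output redirected to a file and feed that file to check_result; a return code of 1 points at the credentials or the base DN, 2 at the filter or the placeholder substitution, and 0 means the USM settings will work as entered.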

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License