Ldap: Difference between revisions

From Halfface
Jump to navigation Jump to search
No edit summary
(45 intermediate revisions by 4 users not shown)
Line 1: Line 1:
Change varables to suite your domain.
=what does it mean=
  /usr/share/openldap/migration/migrate_common.ph
dap        Directory Access Protocol, Ldap ancestor
dit        Directory Information Tree
dsa        Directory System Agent is the element of an X.500 directory service that provides User Agents with access to a portion of the directory
dse        Directory System Entry. A DSE is a special entry within the LDAP directory that provides information about the directory itself and its configuration.
  dua        Directory User Agent
rdn        parts of the DN are called Relative Distinguished Name (RDN)
sasl      Simple Authentication and Security Layer


Convert local users to ldap users.
=Install ldap server.=
  /usr/share/openldap/migration/migrate_passwd.pl /temp/user /temp/user.ldif
  dnf install 389*


Import users.
=Configure ldap.=
  ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /temp/user.ldif -c
dscreate interactive
=ldapsearch examples=
Base64 decode. No line wrap.
ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | less -ISRM
ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -pe"binmode(STDOUT,':utf8');" -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | strings
search for numbers higher than 42435.
ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com "uidNumber>=42435"
search for next suitable gid. Look for good matching number. For some reason I get some low numbers in my test.
ldapsearch -LLL -l 5 -o nettimeout=5 -x -b "dc=example,dc=net" -h ldap.example.com  "uidNumber>=68000" uidNumber | grep uidNumber | awk '{print $2}' | sort -n | less
Wild card search.
  ldapsearch -o ldif-wrap=no -H ldap://ldap.int.redbridge.se:389 -x -D "uid=$USERNAME,cn=users,cn=accounts,dc=redbridge,dc=se" -w $COMPANY_PASSWORD -b "dc=redbridge,dc=se" -s sub -a always '(&(objectClass=*)(cn=*kompetensportalen*))'


Example ldif to add user.
=matching=
  dn: uid=bjorklun,ou=people,dc=halfface,dc=se
Match user belonging to one of the groups.
uid: bjorklun
  (|(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))
  cn: Andreas Bjorklund
Match user belonging to both groups.
objectClass: account
  (&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))
objectClass: posixAccount
=get root dse=
objectClass: top
root DSE (the top-level entry of the directory), supported LDAP versions, naming contexts, supported LDAP extensions, and other operational attributes. The root DSE, in particular, provides essential information about the LDAP server and the directory service it hosts, allowing LDAP clients to discover important details about the directory configuration and capabilities.
  objectClass: shadowAccount
  ldapsearch -o ldif-wrap=no -H ldaps://ldap.int.redbridge.se:636 -x -b "" -s base -a always "(objectClass=*)"
userPassword: {crypt}$1$encryptedpasswordheretowork
Get root dse using python
shadowLastChange: 13080
  python3 -c 'from ldap3 import Server, Connection, ALL ; server = Server("ipa.demo1.freeipa.org", get_info=ALL) ; conn = Connection(server, auto_bind=True) ; print(server.info) ;'
  shadowMax: 99999
Get schemas
  shadowWarning: 7
  python3 -c 'from ldap3 import Server, Connection, ALL ; server = Server("ipa.demo1.freeipa.org", get_info=ALL) ; conn = Connection(server, auto_bind=True) ; print(server.schema) ;'
loginShell: /bin/bash
uidNumber: 501
  gidNumber: 501
  homeDirectory: /home/bjorklun
gecos: Andreas Bjorklund


Adding local groups.
[[Category:Applications]]
cat /etc/group | sort -k3 -t : -n | tail -22 | head -20 > /temp/group
[[Category:Unix]]
/usr/share/openldap/migration/migrate_group.pl /temp/group /temp/group.ldif
ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /temp/group.ldif -c
 
Adding passwd and group.
dn: ou=people,dc=halfface,dc=se
objectclass: organizationalUnit
ou: people
dn: ou=group,dc=halfface,dc=se
objectclass: organizationalUnit
ou: group
 
Organization Units.
dn: ou=Friends,dc=halfface,dc=se
ou: Friends
objectClass: top
objectClass: organizationalUnit
description: Members of Friends
dn: ou=Work,dc=halfface,dc=se
ou: Work
objectClass: top
objectClass: organizationalUnit
description: Members of Work
 
ldap attribute.
dn: dc=halfface,dc=se
dc: halfface
description: Root LDAP entry for halfface.se
objectClass: dcObject
objectClass: organizationalUnit
ou: rootobject
 
dn: ou=People, dc=halfface,dc=se
ou: People
description: All people in organisation
objectClass: organizationalUnit
 
dn: dc=halfface,dc=se
objectclass: dcObject
objectclass: organization
o: halfface
dc: halfface
dn: cn=Manager,dc=halfface,dc=se
objectclass: organizationalRole
cn: Manager
 
ldapadd -x -D "cn=Manager,dc=halfface,dc=se" -w secret -f /tmp/newentry -v
 
ldapsearch -x -b 'dc=halfface,dc=se' '(objectclass=*)'
 
Configure client.
authconfig --enableshadow --enablemd5 --enableldap --enableldapauth --ldapserver=ldap.halfface.se --ldapbasedn=dc=halfface,dc=se --disableldaptls --disablekrb5 --disablesmbauth --disablehesiod --update
 
Configure client. /etc/sysconfig/autofs
# Other common LDAP nameing
#
DEFAULT_MAP_OBJECT_CLASS="automountMap"
DEFAULT_ENTRY_OBJECT_CLASS="automount"
DEFAULT_MAP_ATTRIBUTE="ou"
DEFAULT_ENTRY_ATTRIBUTE="cn"
DEFAULT_VALUE_ATTRIBUTE="automountInformation"
#

Revision as of 19:49, 27 February 2024

what does it mean

dap        Directory Access Protocol, Ldap ancestor
dit        Directory Information Tree
dsa        Directory System Agent is the element of an X.500 directory service that provides User Agents with access to a portion of the directory
dse        Directory System Entry. A DSE is a special entry within the LDAP directory that provides information about the directory itself and its configuration.
dua        Directory User Agent
rdn        parts of the DN are called Relative Distinguished Name (RDN) 
sasl       Simple Authentication and Security Layer

Install ldap server.

dnf install 389*

Configure ldap.

dscreate interactive

ldapsearch examples

Base64 decode. No line wrap. 

ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n //g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | less -ISRM
ldapsearch -o ldif-wrap=no -u -H ldaps://www.halfface.se.se:636 -b 'DC=www,DC=halfface,DC=se' -D username -w _password_ "(&(objectClass=*)(anr=search_string" | perl -pe"binmode(STDOUT,':utf8');" -MMIME::Base64 -MEncode=decode -n -00 -e 's/\n +//g;s/(?<=:: )(\S+)/decode("UTF-8",decode_base64($1))/eg;print' | strings

search for numbers higher than 42435. 

ldapsearch -x -b ou=People,ou=Nordic,ou=eng,dc=infineon,dc=com "uidNumber>=42435"

search for next suitable gid. Look for good matching number. For some reason I get some low numbers in my test. 

ldapsearch -LLL -l 5 -o nettimeout=5 -x -b "dc=example,dc=net" -h ldap.example.com  "uidNumber>=68000" uidNumber | grep uidNumber | awk '{print $2}' | sort -n | less

Wild card search. 

ldapsearch -o ldif-wrap=no -H ldap://ldap.int.redbridge.se:389 -x -D "uid=$USERNAME,cn=users,cn=accounts,dc=redbridge,dc=se" -w $COMPANY_PASSWORD -b "dc=redbridge,dc=se" -s sub -a always '(&(objectClass=*)(cn=*kompetensportalen*))'

matching

Match user belonging to one of the groups. 

(|(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))

Match user belonging to both groups. 

(&(memberOf=CN=%s,OU=Test_Users,DC=matthew,DC=com)(sAMAccountName=%s))

get root dse

root DSE (the top-level entry of the directory), supported LDAP versions, naming contexts, supported LDAP extensions, and other operational attributes. The root DSE, in particular, provides essential information about the LDAP server and the directory service it hosts, allowing LDAP clients to discover important details about the directory configuration and capabilities. 

ldapsearch -o ldif-wrap=no -H ldaps://ldap.int.redbridge.se:636 -x -b "" -s base -a always "(objectClass=*)"

Get root dse using python 

python3 -c 'from ldap3 import Server, Connection, ALL ; server = Server("ipa.demo1.freeipa.org",  get_info=ALL) ; conn = Connection(server, auto_bind=True) ; print(server.info) ;'

Get schemas 

python3 -c 'from ldap3 import Server, Connection, ALL ; server = Server("ipa.demo1.freeipa.org",  get_info=ALL) ; conn = Connection(server, auto_bind=True) ; print(server.schema) ;'
Retrieved from "https://halfface.se/wiki/index.php?title=Ldap&oldid=15361"