
openldap

I found some help on this page : visit

Installation

source install

This seems to work better overall and certainly for an easier unattended install. From :

visit

First try to install it vanilla, only after that try to add the extra ldif formats.

Note that you do not have to match your database root with your real server domain. In the real world you would probably have

  • server ldap.klopt.org
  • prefix dc=klopt,dc=org

But in testing we now have

  • server ldap.local
  • prefix o=Universiteit van Tilburg,c=NL

Works fine!

working with openldap

Run this command to check the base dn :

check base dn
ldapsearch -x -LLL -s base -b "" namingContexts

dn:
namingContexts: dc=ldap,dc=local

unattended

From this page (yet to be tested): https://unix.stackexchange.com/questions/362547/automating-slapd-install

If I adapt those settings to what we have set up here :

unattended
cat > /root/debconf-slapd.conf << 'EOF'
slapd slapd/password1 password admin
slapd slapd/internal/adminpw password admin
slapd slapd/internal/generated_adminpw password admin
slapd slapd/password2 password admin
slapd slapd/purge_database boolean true
slapd slapd/domain string ldap.local
slapd slapd/move_old_database boolean true
slapd slapd/backend select MDB
slapd shared/organization string UVT
slapd slapd/no_configuration boolean false
EOF
# password1 and password2 must be the same password, otherwise the preseed is rejected
export DEBIAN_FRONTEND=noninteractive
debconf-set-selections < /root/debconf-slapd.conf
apt install -y ldap-utils slapd

This will be tested in the VM setup later.

setup

search
ldapsearch -x -LLL -H ldap:/// -b dc=ldap,dc=local dn

will print :

output
dn: dc=ldap,dc=local

dn: cn=admin,dc=ldap,dc=local

Which seems OK. Note that the second dn (cn=admin,dc=ldap,dc=local) is the bind DN you need to provide in Apache Studio, for instance.

Also see if all schemas are loaded :

all schemas
ldapsearch -LLLQ -Y EXTERNAL -H ldapi:/// -b cn=config dn
# output :
dn: cn=config
dn: cn=module{0},cn=config
dn: cn=schema,cn=config
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: olcBackend={0}mdb,cn=config
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config

So cosine and inetorgperson are present; at RINIS I remember having to load those from ldif files, so that's a relief.

You can see more of the schemas with :

subschema
ldapsearch -x -LLL -b cn=Subschema -s base '(objectClass=subschema)' +

This script connects OK, but the search still returns an empty result. The credentials do work, though (change the password and the bind fails) :

from python
from ldap3 import Server, Connection, ALL
from ldap3.core.exceptions import LDAPException
from ldap3.utils.conv import escape_filter_chars


def search_username_in_ldap(username):
    """
    :param username: the username to look for
    :return: success: ldap_attributes dict,
            error: ldap_attributes['error']
    """
    search_parameters = {
        "search_base": "o=Universiteit van Tilburg,c=NL",
        # escape the username so it cannot change the meaning of the filter
        "search_filter": f"(uid={escape_filter_chars(username)})",
        "attributes": [
            "cn",
            "givenName",
            "sortableSurname",
            "mail",
            "employeeNumber",
            "emplId",
            "uid",
        ],
    }
    ldap_attributes = {}

    try:
        server = Server("ldaps.uvt.nl", use_ssl=True, get_info=ALL)
        conn = Connection(server, "employeeNumber=174439,o=Universiteit van Tilburg,c=NL", "thatperlthing", auto_bind=True)
        print(conn)
        print(server.info)
        # search() only returns True/False; the entries are kept on the connection
        if conn.search(**search_parameters) and conn.entries:
            ldap_attributes = conn.entries[0].entry_attributes_as_dict
        else:
            # conn.result carries the server's result code and description
            ldap_attributes["error"] = conn.result.get("description", "no entry found")
        conn.unbind()
    except LDAPException as ldap_exception:
        ldap_attributes["error"] = str(ldap_exception)

    return ldap_attributes


print(search_username_in_ldap("beesen"))

extending schema

Schemas are in the /etc/ldap/schema subdirectory.

To retrieve a list of supported features of a server (note that -h connects over plain LDAP on port 389 and is deprecated in favour of -H; use -H ldaps://ldaps.uvt.nl to query over TLS) :

query server
ldapsearch -x -h ldaps.uvt.nl -s base -b "" +

For uvt it will list :

output
dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: o=Universiteit van Tilburg,c=NL
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.3.6.1.1.22
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
entryDN:
subschemaSubentry: cn=Subschema

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

The openldap server prints a similar but slightly different list. To print the details :

details for openldap
ldapsearch -h ldaps.uvt.nl -x -s base -b "cn=subschema" objectclasses

It is rather long, so let's pick out the interesting one :

output
objectClasses: ( 1.3.6.1.4.1.39401.1.3 NAME 'uvtUser' DESC 'All you need is...
' SUP top AUXILIARY MAY ( uid $ uidNumber $ accountBlocked $ accountStatus $
accountSuspended $ accountTemporarilyDisabled $ aselectAccountEnabled $ commo
nName $ datePasswdChanged $ emplId $ gecos $ gidNumber $ googleId $ googleMai
l $ googleMailDelivery $ googleOrgUnit $ homeDirectory $ info $ loginShell $
mail $ memberUid $ noResponseTelephoneNumber $ o $ organizationalStatus $ pas
swordExpirationStage $ passwordExpirationFinalDay $ passwordExpirationAttenti
on $ passwordExpirationWarning $ passwordExpirationReminder $ passwordExpirat
ionLastReminder $ passwordExpirationExpired $ passwordExpirationAdminRequired
 $ passwordChangeCount $ passwordChangeDate $ passwordInvalidated $ passwordS
tatus $ personalTitle $ preferredLanguage $ privateEmail $ program $ sportsCe
nterGroup $ rcryptPassword $ searchKeys $ shadowLastChange $ shadowExpire $ s
hadowInactive $ shadowMin $ shadowMax $ shadowWarning $ sortName $ sortableSu
rname $ tiasPrivateEmail $ tiasStatus $ unpaidFees $ userPassword $ uvt-auth
$ uvt-lau ) )

However, we need to import all objectClasses and attributeTypes from the output, so save the whole thing into uvt.ldif. The output as-is is not compatible with openldap's cn=config format: if you look at another .ldif file in the /etc/ldap/schema directory you will see entries like this :

/etc/ldap/schema
olcAttributeTypes: (...)
...
olcObjectClasses: (...)

Also the header lines are different, and entries like ldapSyntaxes and matchingRules are absent, so :

  • rename all attributeTypes lines to olcAttributeTypes
  • rename all objectClasses to olcObjectClasses
  • remove all other entries
  • start with these lines
ldif
dn: cn=uvt,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: uvt

Add the ldif like this :

add ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/uvt.ldif
ldap_add: Other (e.g., implementation specific) error (80)
    additional info: olcAttributeTypes: Duplicate attributeType: "2.5.4.0"
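The duplicate that ldapadd complains about, 2.5.4.0, is the objectClass attribute type from RFC 4512, which slapd already knows: the subschema dump of the UvT server contains every definition that server has, core ones included, so converting it blindly re-declares things the local server already has. The converter below is an added example, not code from the page: it does the four rename/remove steps above, folds long values the way LDIF expects, and additionally skips every definition whose OID already appears in the local server's loaded schemas, which you can dump with ldapsearch -Q -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config olcAttributeTypes olcObjectClasses. The schema name uvt is taken from the page; the sample inputs are constructed, and only the uvtUser OID in them comes from the page.

```python
"""Convert an ldapsearch subschema dump into a cn=config schema LDIF (added example)."""
import re

# Header of the new schema entry, as on the page.
HEADER = ("dn: cn=uvt,cn=schema,cn=config", "objectClass: olcSchemaConfig", "cn: uvt")
# Only these two kinds of definition survive, renamed to their olc* form; dn, cn,
# objectClass, ldapSyntaxes, matchingRules and matchingRuleUse are dropped.
RENAME = {"attributeTypes": "olcAttributeTypes", "objectClasses": "olcObjectClasses"}
# Every definition opens with its numeric OID; cn=config values carry a {n} prefix.
OID_RE = re.compile(r"^(?:\{\d+\})?\(\s*([0-9.]+)")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading space), skip comments and blank lines,
    and return (attribute, value) pairs in input order. Base64 (::) values are not
    expected in schema output and are not decoded."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    pairs = []
    for line in logical:
        attr, sep, value = line.partition(":")
        if sep:
            pairs.append((attr, value.strip()))
    return pairs


def definition_oid(value):
    """OID of a schema definition value, or None if it does not start with one."""
    match = OID_RE.match(value)
    return match.group(1) if match else None


def fold_ldif(attr, value, width=78):
    """Emit one attribute as LDIF lines, folding long values with continuation lines."""
    line = f"{attr}: {value}"
    out = []
    while len(line) > width:
        out.append(line[:width])
        line = " " + line[width:]
    out.append(line)
    return out


def loaded_oids(config_dump):
    """OIDs already defined under cn=schema,cn=config (from an ldapsearch dump of it)."""
    return {definition_oid(v) for a, v in unfold_ldif(config_dump)
            if a in RENAME.values() and definition_oid(v)}


def convert_subschema(subschema_dump, known_oids=frozenset(), oid_prefix=None):
    """Build the olc schema LDIF. Definitions whose OID is in known_oids are skipped
    (ldapadd would reject them as duplicates); with oid_prefix set, only definitions
    under that arc are kept. Input order is preserved, so attribute types still come
    before the object classes that reference them. Returns (ldif_text, skipped)."""
    lines = list(HEADER)
    skipped = []
    for attr, value in unfold_ldif(subschema_dump):
        new_attr = RENAME.get(attr)
        oid = definition_oid(value) if new_attr else None
        if oid is None:
            continue
        if oid in known_oids or (oid_prefix and not oid.startswith(oid_prefix)):
            skipped.append((attr, oid))
            continue
        lines.extend(fold_ldif(new_attr, value))
    return "\n".join(lines) + "\n", skipped


# Constructed sample inputs: only the uvtUser OID (1.3.6.1.4.1.39401.1.3) is from the
# page; the 99999 arc is a placeholder and the DESC strings are made up.
SAMPLE_SUBSCHEMA = """\
dn: cn=Subschema
objectClass: subschema
ldapSyntaxes: ( 1.3.6.1.4.1.1466.115.121.1.15 DESC 'Directory String' )
matchingRules: ( 2.5.13.2 NAME 'caseIgnoreMatch' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
attributeTypes: ( 2.5.4.0 NAME 'objectClass' DESC 'RFC4512: object classes of the entit
 y' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'emplId' DESC 'constructed example attribu
 te' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
objectClasses: ( 2.5.6.0 NAME 'top' DESC 'RFC4512: top of the superclass chain' ABSTRACT
  MUST objectClass )
objectClasses: ( 1.3.6.1.4.1.39401.1.3 NAME 'uvtUser' DESC 'constructed example class' S
 UP top AUXILIARY MAY ( uid $ emplId ) )
"""

SAMPLE_CONFIG_DUMP = """\
dn: cn={0}core,cn=schema,cn=config
olcAttributeTypes: {0}( 2.5.4.0 NAME 'objectClass' EQUALITY objectIdentifierMatch )
olcObjectClasses: {0}( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
"""

if __name__ == "__main__":
    ldif, skipped = convert_subschema(SAMPLE_SUBSCHEMA, loaded_oids(SAMPLE_CONFIG_DUMP))
    print(ldif)
    for attr, oid in skipped:
        print(f"# skipped {attr} {oid}: already defined on the server")
```

In practice you feed it the two real dumps (the subschema search from the UvT server and the cn=schema,cn=config search on the local server) instead of the constructed samples, write the result to /etc/ldap/schema/uvt.ldif and run the ldapadd from above again; the skipped list tells you which definitions were left out, so you can check that nothing site-specific was dropped by accident.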

ldap browser

There is Apache Studio, but it is WAY too heavy; I like this one better :

visit

The download link still works :

visit

gawor
wget https://community.microfocus.com/cfs-file/__key/communityserver-wikis-components-files/00-00-00-01-39/Gawor_5F00_ldapbrowser_5F00_282.zip
mkdir gawor; cd gawor   # the zip unpacks into the current directory
unzip ../Gawor_5F00_ldapbrowser_5F00_282.zip
chmod +x lbe.sh
./lbe.sh

It now starts up. Switch to the Quick Connect tab, type your server's IP address and port 389, then hit Fetch DN; it will find the base DN for you. Happy browsing.

add users

lbe.sh
cd ~/Install/gawor
./lbe.sh

Now use the Quick Connect tab again, but disable the 'Anonymous bind' option. You will now have to log in, but the default user DN is wrong: change it to cn=Manager. You also need to enable 'append base DN'.

Now your 'Edit' menu will be active. Note that you should select the top-level entry before you add an entry, because of the tree-like structure.

Do Edit -> Add entry and see if uvtUser is part of the list. If not, first select 'Create template'; you can then choose your object class and it will be visible from then on.