LDAP

Memos

  • CN: Common Name

  • OU: Organizational Unit

  • DC: Domain Component

  • DN: Distinguished Name

A DN is basically a path that uniquely identifies an entry in the directory tree: it is built from the entry's own RDN (e.g. cn=foo) followed by the RDNs of its parents up to the root (e.g. ou=People,dc=peori,dc=space).

Interact with it...

Show the whole DB, binding as the RootDN:

ldapsearch -H ldaps://ldap.peori.space -x -D 'cn=root,dc=peori,dc=space' -W -b 'dc=peori,dc=space'

Show Applications without binding (i.e. anonymously):

ldapsearch -H ldaps://ldap.peori.space -x  -b 'ou=Applications,dc=peori,dc=space'

Show your own DN, binding as peoro:

ldapsearch -H ldaps://ldap.peori.space -x -D 'cn=peoro,ou=People,dc=peori,dc=space' -W -b 'cn=peoro,ou=People,dc=peori,dc=space'

Add some new stuff, binding as the RootDN:

ldapadd -H ldaps://ldap.peori.space -x -D 'cn=root,dc=peori,dc=space' -W
# INPUT SOME LDIF HERE NOW
# CLOSE WITH ^D

Add new user, binding as the RootDN:

ldapadd -H ldaps://ldap.peori.space -x -D 'cn=root,dc=peori,dc=space' -W -f <user>.ldif

An example of <user>.ldif is:

dn: cn=foo,ou=People,dc=peori,dc=space
uid: foo
cn: foo
displayName: foo
givenName: Name
sn: Surname
mail: foo@peori.space
uidNumber: 1001
gidNumber: 1001
loginShell: /bin/bash
homeDirectory: /home/foo/
labeledURI: foo.peori.space
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
userPassword: 
jpegPhoto:< file:///home/foo/.face.jpeg

See also https://wiki.archlinux.org/index.php/LDAP_authentication#Adding_users. The command will prompt for the RootDN password.
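As an added example (not part of the original notes), the POSIX shell functions below generate a user LDIF in the same shape as the one above and sanity-check it before it is handed to ldapadd. The values (uid foo, uidNumber 1001) and the `{SSHA}` hash are assumed placeholders; in practice generate the hash with `slappasswd -s` first, because a bare value in userPassword is stored as cleartext in the directory.

```shell
#!/bin/sh
# Added example, not from the original notes: build and check a user LDIF
# for the ou=People subtree. BASE_DN matches the notes; everything else is
# an assumed sample value.

BASE_DN='dc=peori,dc=space'

# make_user_ldif UID GIVENNAME SURNAME UIDNUMBER PWHASH -> LDIF on stdout
# uidNumber and gidNumber are set to the same value, as in the notes.
make_user_ldif() {
    uid=$1; given=$2; sn=$3; num=$4; pwhash=$5
    cat <<EOF
dn: cn=$uid,ou=People,$BASE_DN
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: $uid
cn: $uid
displayName: $uid
givenName: $given
sn: $sn
mail: $uid@peori.space
uidNumber: $num
gidNumber: $num
loginShell: /bin/bash
homeDirectory: /home/$uid
userPassword: $pwhash
EOF
}

# check_user_ldif < ldif: returns 0 when the entry carries the attributes a
# posixAccount/inetOrgPerson needs and a hashed password, 1 otherwise.
# Each problem is printed to stderr so the LDIF can be fixed before ldapadd.
check_user_ldif() {
    ldif=$(cat)
    rc=0
    # required by the objectClasses used above (person: cn, sn;
    # posixAccount: uid, uidNumber, gidNumber, homeDirectory)
    for attr in dn uid cn sn uidNumber gidNumber homeDirectory userPassword; do
        printf '%s\n' "$ldif" | grep -q "^$attr: ." \
            || { echo "missing attribute: $attr" >&2; rc=1; }
    done
    printf '%s\n' "$ldif" | grep -q '^objectClass: posixAccount$' \
        || { echo "missing objectClass posixAccount" >&2; rc=1; }
    # without a {SCHEME} prefix (e.g. {SSHA}) slapd stores the password as cleartext
    printf '%s\n' "$ldif" | grep -q '^userPassword: {[A-Z0-9]*}' \
        || { echo "userPassword is not a {SCHEME} hash" >&2; rc=1; }
    return $rc
}

# Usage: make_user_ldif foo Name Surname 1001 "$(slappasswd -s)" > foo.ldif
#        check_user_ldif < foo.ldif && ldapadd -H ldaps://ldap.peori.space -x \
#            -D 'cn=root,dc=peori,dc=space' -W -f foo.ldif
```

The check deliberately rejects an empty or cleartext userPassword: OpenLDAP accepts it, but the value is then readable by anyone who can read the attribute.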

Change your own password:

ldappasswd -H ldaps://ldap.peori.space -x -D 'cn=peoro,ou=People,dc=peori,dc=space' -W -S

To apply general modifications to your account, use the web interface at login.peori.space or, again, an .ldif file from the shell. Craft the modify request in edit.ldif:

dn: cn=foo,ou=People,dc=peori,dc=space
changetype: modify
replace: displayName
displayName: Foo

And execute it:

ldapmodify -H ldaps://ldap.peori.space -x -D 'cn=foo,ou=People,dc=peori,dc=space' -W -f edit.ldif

Change a different password, binding as the RootDN:

ldappasswd -H ldaps://ldap.peori.space -x -D 'cn=root,dc=peori,dc=space' -W -S 'cn=nginx_auth_ldap,ou=Applications,dc=peori,dc=space'

In general...

  • -H: LDAP server URI
  • -x: simple authentication (no SASL)
  • -D: bind DN: the DN you're authenticating as
  • -W: prompt for the bind password

Backup

Backup

sudo slapcat -n 0 | sudo tee /tmp/config.ldif # the cn=config
sudo slapcat -n 1 | sudo tee /tmp/data.ldif # the DB content

Restore

# stop slapd first: slapadd writes the database files directly
sudo slapadd -n 0 -F /etc/openldap/slapd.d -l /tmp/config.ldif
sudo slapadd -n 1 -F /etc/openldap/slapd.d -l /tmp/data.ldif

Regenerate config

sudo systemctl stop slapd
sudo sh -c 'rm -rf /etc/openldap/slapd.d/*'
sudo slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/
sudo chown -R ldap:ldap /etc/openldap/slapd.d
sudo systemctl restart slapd