{dev_notes}

LDAP

Published 5 years ago.
Last updated

About LDAP

LDAP (Lightweight Directory Access Protocol) is a vendor-neutral, request-response protocol using queries to find, view, or edit information in a distributed directory. Distributed Directories, directory information services, or just Directories are network databases that store information in data trees. For more info see the Basic LDAP Concepts page at ldap.com.

DN (Distinguished Name)

Objects in LDAP are stored in a heaicrhcical tree called DIT (Directory Information Tree).
Every object in the tree has a uniqie name called a DN (Distingueished Name).

  • A DN is the objects path from the root (much like a directory path), starting with the leaf object and progressing towards the root.
  • The DN path has multiple components sperated by commas.
  • DN components have a name (attribute type) and a value.

Example DN:

uid=jsmith,ou=-people,dc=ucar,dc=edu

This example DN is requesting:

  • An object with the User ID smith.
  • In the Organizational Unit people.
  • In the Domain Component ucar.
  • In the Domain Component edu.

ldapsearch

Example:

ldapsearch -x -LLL -H ldaps://fdbdev-2.ucar.edu -b "ou=people,dc=ucar,dc=edu" -s sub 'uid=kenyan'

This query can also be broken into lines:

ldapsearch -x -LLL \
-H ldaps://fdbdev-2.ucar.edu \
-b "ou=people,dc=ucar,dc=edu" \
-s sub 'uid=kenyan'
  • -x: Signifies simple authentication, which means using a username and password directly for authentication, rather than relying on more complex methods like Kerberos.
  • -LLL: Output results in a more compact, single-line format, which is useful for scripting or when you need to parse the output. It essentially disables multiline output for attributes and entries.
  • -H ldaps://fdbdev-2.ucar.edu:
    The -H identifies the URL of LDAP server. Use ldaps:// for SSL.
  • -b "ou=people,dc=ucar,dc=edu":
    The -b is the search base DN, which is "ou=people,dc=ucar,dc=edu".
  • -s sub: The search scope. base for base of tree, one for on level down and sub for recursively searching down the tree (can take a while).
  • 'uid=kenyan': The search filter as a non-option argument. In this case we will search for the uid of kenyan.