If you have a hybrid network of Windows servers and computers in Active Directory (AD) Domain Names and Linux hosts hosting various Java / PHP / Python applications like many of the middle and big companies (organization) have, sooner or later you will have to deploy an application which uses some some user authentication from the Linux host to Windows Domain Controller, you will end up in need to be able to query the AD, which is using LDAP (Lightweight Directory Access Protocol) to store the AD user credentials and tons of other information important for proper Active Directory operations.
LDAP is a key industry standard for storing and accessing distributed directory information services over Internet Protocol (IP). LDAP is great for sharing of information about users, systems, networks, services, and applications throughout the network. The corporate world nowadays would have been impossible without LDAP.
As of time of writting latest RFC (Resource for Comment) 4511 document describes industrial specification of LDAP version 3.0 and therefore this is the most often used and implemented version.
LDAP protocol supports generally following operations:
Adding, Delete, Bind (Authenticate to LDAP server), Delete Search and Compare, Modify and Modify DN (Distringuished Name)
On Linux to retrieve / locate AD entries, there is ldapsearch command which opens connection to LDAP host server port, with set username and password. ldapsearch tool makes its search based on a filter.
To have make and modify queries in LDAP from GNU / Linux you will have to have installed ldap-utils on Debian, i.e.:
apt-get –yes install ldap-utils
to have ldapseach, ldapmodify, ldapsearch ldappasswd on CentOS / Redhat Linux, you need openldap-clients.x86_64
yum -y install openldap-clients.x86_64
Returned result from ldapsearch clients will be returned in LDIF format (LDAP Data Interchange format).
ldapsearch basic format is like thsi:
ldapsearch [optional_options] [optional_search_filter] [optional_list_of_attributes]
ldapsearch could query (LDAP – ADs) in unencrypted form simple LDAP, encrypted form with SSL certificate (LDAPs) or through LDAP with STARTTLS.
Logically most organizations nowadays are using LDAPs, as it offers the highest level of security. Unencrypted LDAP servers listen usually on port 389, LDAPs communicates on port 636 once an SSL handshake is made between client and server and LDAP with STARTTLS communicates on standard port 389.
Here is 3 examples of common ldapsearch queries
1. Return all entries in LDAP server
ldapsearch -D "cn=directory manager" -w secret -p 389 -h ldap.your-organization.org -b "dc=your-organization,dc=com" -s sub "(objectclass=*)"
"objectclass=*" is a serch filter matching all entries in the directory (time and size limits on output limit set for the server will take affect)
2. Searching the Root DSE Entry
root DSE is special entry containing list of all suffixes supported by local Directory Server. Getting root DSE is done with base of "", a search scope of base, and a filter of "objectclass=*"
ldapsearch -D "cn=directory manager" -w secret_pass -p 389 -h ldaps.your-organization.org -b "dc=your-organization,dc=com" -s sub "cn=babs jensen"
3. Searching Directory Server Schema Entry
LDAP server stores all directory server schema in special entry cn=schema.
schema entry contains information on every object class and attribute defined for the Directory Server. Command to searches contents of the
cn=schema entry is:
ldapsearch -D "cn=directory manager" -w secret_pass -p 389 -h ldaps.your-organization.org -b "cn=schema" -s base "objectclass=*"
4. Check whether cn=My-Account1 account is working and enabled
ldapsearch -H ldaps://ldaps.your-organization.org -b o=my-org,c=bg -s sub -D cn=My-Account1,ou=users,ou=ABC,o=my-org,c=ABC -W '(&(cn=My-Acount1)(objectclass=my-org-Account))'
5. check all members of cn=MY_ADMINISTRATION
ldapsearch -H ldaps://ldaps.your-organization.org -b o=my-org,c=bg -s sub -D cn=My-Account1,ou=users,ou=ABC,o=my-org,c=ABC -W '(&(cn=MY_ADMINISTRATION)(member=*))'
6. check all members of all groups belonging to user
ldapsearch -H ldaps://ldaps.your-organization.org -b ou=ABC,ou=ABC1,ou=ABC2,ou=groups,ou=ABC,o=my-org,c=ABC -s sub -D cn=My-Account1,ou=users,ou=ABC,o=my-org,c=ABC -W '(cn=*)'
Whether ldapsearch queries are to be common and scripted or just for simplification of readability of query to LDAP it is useful to use LDAP_BASEDN – a query search base. By setting search base you can further omit in query -b
ldapsearch -D "cn=directory manager" -w secret_pass -p 389 -h ldap.your-organization.org "cn=labs jordan"
In Linux LDAP's open-source implementation is called OpenLDAP.
On Linux LDAP protocol can be easily integrated / used in combination with FTP servers (such as proftpd), DNS servers, Mail Servers (Courier), Samba servers, Radius (IP Telephony), sudo, as well as most programming languages such as PHP, Python etc.