LDAP Testing
Sample domain: copper.test.lk, cn: admin, password: admin
Search Base and Scope
In LDAP, the place where a search begins is called the search base. This is an entry within a DIT from which the operation will commence and acts as an anchor. We specify the search base by passing the entry name with the -b flag.
For instance, to start at the root of our dc=example,dc=com DIT, we can use that as the search base, like this:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com"
Example
ldapsearch -H ldap:// -x -D "cn=admin,dc=copper,dc=test,dc=lk" -w admin -b "cn=admin,dc=copper,dc=test,dc=lk"
We have specified the base in these examples, but we can further shape the way that the tool looks for results by specifying the search scope. This is set with the -s flag and can be any of the following:
- sub: The default search scope if no other is specified. This searches the base entry itself and all of its descendants, all the way down the tree. This is the largest scope.
- base: This only searches the search base itself. It returns the entry specified as the search base and is better described as a lookup than a search.
- one: This searches only the immediate descendants/children of the search base (the single hierarchy level below the search base). It does not include the search base itself and does not include the subtree below any of these entries.
- children: This functions the same as the sub scope, but does not include the search base itself in the results (it searches every entry beneath, but not including, the search base).
Using the -s flag and the -b flag, we can begin to shape the areas of the DIT that we want the tool to look in. For instance, we can see all of the first-level children of our base entry by using the one scope, like this:
Example
ldapsearch -H ldap:// -x -D "cn=admin,dc=copper,dc=test,dc=lk" -w admin -s one -b "cn=admin,dc=copper,dc=test,dc=lk"
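To make the four scopes concrete, here is an added example (not code from the original page) that applies the base, one, sub and children rules to a constructed, in-memory DIT that mirrors the copper.test.lk naming; no LDAP server is needed.

```python
# Added example: which entries each ldapsearch -s scope selects from a DIT.
# The DIT is a constructed list of DNs; RDNs are split on plain commas only
# (escaped commas inside an RDN are not handled).

def dn_components(dn):
    """Split a DN into its RDNs, most specific first: 'uid=a,ou=b' -> ['uid=a', 'ou=b']."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def depth_below(base, dn):
    """Return how many levels dn sits below base (0 = the base itself), or None if not under base."""
    b, d = dn_components(base), dn_components(dn)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return None
    return len(d) - len(b)

def search_scope(dit, base, scope="sub"):
    """Return the DNs in dit that 'ldapsearch -b base -s scope' would visit (no filter applied)."""
    rules = {
        "base": lambda lvl: lvl == 0,      # only the base entry itself
        "one": lambda lvl: lvl == 1,       # immediate children only
        "sub": lambda lvl: lvl >= 0,       # base plus its whole subtree (the default)
        "children": lambda lvl: lvl >= 1,  # whole subtree, excluding the base
    }
    if scope not in rules:
        raise ValueError(f"unknown scope {scope!r}; expected base, one, sub or children")
    selected = []
    for dn in dit:
        lvl = depth_below(base, dn)
        if lvl is not None and rules[scope](lvl):
            selected.append(dn)
    return selected

# Constructed sample DIT (assumed layout, not taken from a real server).
SAMPLE_DIT = [
    "dc=copper,dc=test,dc=lk",
    "cn=admin,dc=copper,dc=test,dc=lk",
    "ou=users,dc=copper,dc=test,dc=lk",
    "uid=test,ou=users,dc=copper,dc=test,dc=lk",
    "ou=groups,dc=copper,dc=test,dc=lk",
]

if __name__ == "__main__":
    for scope in ("base", "one", "sub", "children"):
        print(scope, search_scope(SAMPLE_DIT, "dc=copper,dc=test,dc=lk", scope))
```

Note that with the admin entry itself as the base, as in the example above, the one scope selects nothing in this sample DIT, because cn=admin has no children; use the DIT root as the base to list its first-level entries.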
To actually perform a search instead of simply outputting the entirety of the search scope, you need to specify the search filter.
These are placed towards the end of the command line and take the form of an attribute type, a comparison operator, and a value. They are usually enclosed in quotation marks to prevent interpretation by the shell. Parentheses mark where one filter ends and another begins; they are optional in simple, single-attribute searches but required in more complex, compound filters. We use them here to make the search filter easier to spot.
As an example, we could see if there is an entry within the dc=example,dc=com DIT with a username (uid) attribute set to "jsmith". This searches each entry within the search scope for an attribute set to that value:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com" -LLL "(uid=jsmith)"
We used the equality operator in the above example, which tests for an exact match of an attribute's value. There are various other operators as well, which function as you would expect. For example, to search for entries that contain an attribute, without caring about the value set, you can use the "presence" operator, which is simply an equals sign with a wildcard on the right side of the comparison. We could search for entries that contain a password by typing:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com" -LLL "(userPassword=*)"
- Equality: Uses the = operator to match an exact attribute value.
- Presence: Uses =* to check for the attribute's existence without regard to its value.
- Greater than or equal: Uses the >= operator to check for values greater than or equal to the given value.
- Less than or equal: Uses the <= operator to check for values less than or equal to the given value.
- Substring: Uses = with a string and the * wildcard character as part of a string. Used to specify part of the value you are looking for.
- Proximity: Uses the ~= operator to approximately match what is on the right. This is not always supported by the LDAP server (in which case an equality or substring search will be performed instead).
You can also negate most of the searches by wrapping the search filter in an additional set of parentheses prefixed with the "!" negation symbol. For example, to search for all organizational unit entries, we could use this filter:
"(ou=*)"
To search for all entries that are not organizational unit entries, we could use this filter:
"(!(ou=*))"
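The filter syntax above is easy to get subtly wrong (an unbalanced parenthesis, or a value containing "*" or ")" that silently changes the match). This added example (not part of the original page) classifies the operator of a simple filter per the list above, checks that parentheses balance, and escapes values per RFC 4515 so that a value taken from user input can only match literally.

```python
# Added example: small helpers for ldapsearch filters.
# Escaping follows RFC 4515 (\2a for '*', \28 for '(', \29 for ')', \5c for '\', \00 for NUL).

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value):
    """Escape a value so it is matched literally inside a filter.
    Unescaped, a value such as '*)(uid=*' would turn an equality test into a wildcard."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def equality_filter(attribute, value):
    """Build '(attribute=value)' with the value escaped."""
    return f"({attribute}={escape_filter_value(value)})"

def balanced(filter_text):
    """True if every '(' has a matching ')' and they nest properly."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:          # a ')' before its '('
                return False
    return depth == 0               # the page's "(!(ou=*)" fails here: depth ends at 1

def classify(filter_text):
    """Name the comparison operator of a simple (non-compound) filter: equality, presence,
    substring, greater-or-equal, less-or-equal or proximity."""
    body = filter_text.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    for op, name in ((">=", "greater-or-equal"), ("<=", "less-or-equal"), ("~=", "proximity")):
        if op in body:
            return name
    if "=" not in body:
        raise ValueError(f"no comparison operator in {filter_text!r}")
    _attr, value = body.split("=", 1)
    if value == "*":
        return "presence"           # (userPassword=*)
    if "*" in value:
        return "substring"          # (cn=j*)
    return "equality"               # (uid=jsmith)

if __name__ == "__main__":
    for f in ('(uid=jsmith)', '(userPassword=*)', '(cn=j*)', '(uidNumber>=1000)', '(!(ou=*)'):
        print(f, "balanced" if balanced(f) else "UNBALANCED")
    print(equality_filter("uid", "*)(uid=*"))
```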
Ref: https://medium.com/@tharangarajapaksha/openldap-configuration-for-email-f76efe6531f9
Check an anonymous bind over StartTLS (-ZZ makes the TLS handshake mandatory) against the LDAP server, run from the server itself:
$ ldapwhoami -H ldap:// -x -ZZ
anonymous
Search with admin privileges using an LDAP simple bind; the admin user name is admin and the password is admin.
ldapsearch -H ldap:// -x -D "cn=admin,dc=copper,dc=test,dc=lk" -w admin -b "ou=users,dc=copper,dc=test,dc=lk"
Search from remote machines
ldapsearch -H ldap://<server ip or name> -x -D "cn=admin,dc=copper,dc=test,dc=lk" -w admin -b "ou=users,dc=copper,dc=test,dc=lk"
Search the DIT with ordinary user privileges using a simple bind; the user is test and the password is coppermail@lsf.
ldapsearch -H ldap:// -x -D "uid=test,ou=Users,dc=copper,dc=test,dc=lk" -w coppermail@lsf -b "uid=test,ou=Users,dc=copper,dc=test,dc=lk"
If all of the above steps succeed, TLS is enabled on the LDAP server.
Certificate generation for enabling TLS on Postfix and LDAP
openssl genrsa -des3 -out rootCA.key 4096
Without a passphrase on the key:
openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
The same, non-interactively, with the subject supplied on the command line:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -subj "/C=LK/ST=western/O=lsf, Inc./CN=local.com" -out rootCA.crt
Installing the root CA on the local machine
mkdir /usr/local/share/ca-certificates/extra
cp rootCA.crt /usr/local/share/ca-certificates/extra/rootCA.crt
update-ca-certificates
Developed by: Lanka Software Foundation