Ubuntu
Ubuntu Version: Ubuntu 18.04
Openldap
An LDAP database is organised as a DIT, the Directory Information Tree.
The file format used to record and exchange LDAP entries is .ldif, the LDAP Data Interchange Format.
Installation & configuration files
apt install slapd ldap-utils
dpkg-reconfigure slapd (sets the base suffix, e.g. dc=blabla,dc=com, and the cn=admin password)
service slapd status/start/stop/restart
/etc/ldap/ldap.conf (client-side defaults for ldapsearch, ldapwhoami etc.; BASE and URI are commented out by default)
#BASE dc=blabla,dc=com
#URI ldap://ldap.blabla.com ldap://ldap.blabla.com:666
TLS_CACERT /etc/ssl/certs/mycacert.pem
Database
cn=config
ldap system-level (configuration) database: /etc/ldap/slapd.d/, suffix "cn=config". This is the runtime configuration backend; the legacy static file /etc/ldap/slapd.conf is not used by the Ubuntu package.
By default its ACL (olcAccess on olcDatabase={0}config) grants manage rights only to the local root user authenticated with SASL EXTERNAL over ldapi:///; anonymous and simple binds cannot list it.
root@bruce:/etc/ldap/slapd.d# tree
.
├── cn=config
│ ├── cn=module{0}.ldif
│ ├── cn=schema
│ │ ├── cn={0}core.ldif
│ │ ├── cn={1}cosine.ldif
│ │ ├── cn={2}nis.ldif
│ │ ├── cn={3}inetorgperson.ldif
│ │ └── cn={4}samba.ldif
│ ├── cn=schema.ldif
│ ├── olcBackend={0}mdb.ldif
│ ├── olcDatabase={0}config.ldif
│ ├── olcDatabase={-1}frontend.ldif
│ └── olcDatabase={1}mdb.ldif
└── cn=config.ldif
2 directories, 12 files
root@bruce:~# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "cn=config" dn
dn: cn=config                                   <- global settings
dn: cn=module{0},cn=config                      <- loaded modules
dn: cn=schema,cn=config                         <- schema: olcAttributeTypes, olcObjectClasses
dn: cn={0}core,cn=schema,cn=config
dn: cn={1}cosine,cn=schema,cn=config
dn: cn={2}nis,cn=schema,cn=config
dn: cn={3}inetorgperson,cn=schema,cn=config
dn: cn={4}samba,cn=schema,cn=config
dn: olcBackend={0}mdb,cn=config                 <- backends and databases
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
dn: olcDatabase={1}mdb,cn=config
dc=blabla,dc=com
ldap user-level (data) database: /var/lib/ldap/ (MDB backend, olcDatabase={1}mdb), with the suffix chosen at dpkg-reconfigure time, here "dc=blabla,dc=com".
root@bruce:/var/lib/ldap# tree
.
├── data.mdb
└── lock.mdb
0 directories, 2 files
Authentication Type
- Anonymous bind: "-x" without "-D"
- Simple bind: "-x -D 'binddn' -w passwd", or "-W" to be prompted (prefer -W: "-w" leaves the password in shell history and in ps output)
- SASL bind: "-Y EXTERNAL -H ldapi:///" (peer credentials over the local Unix socket; "-Q" suppresses the SASL chatter)
root@bruce:/var/lib/ldap# ldapwhoami -x
anonymous
root@bruce:/var/lib/ldap# ldapwhoami -x -D "cn=admin,dc=blabla,dc=com" -w ldap
dn:cn=admin,dc=blabla,dc=com
root@bruce:/var/lib/ldap# ldapwhoami -Q -Y EXTERNAL -H ldapi:///
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Bind User
- SASL EXTERNAL via the ldapi:/// transport
When binding with SASL EXTERNAL over ldapi:/// (the Unix socket /run/slapd/ldapi), slapd derives the bind DN from the peer credentials of the connecting local process: the gid and uid of the user, followed by the suffix cn=peercred,cn=external,cn=auth. For root this is gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth. Because that DN is stable, olcAccess rules can grant rights to specific local Unix users by matching it with dn.exact.
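Worked example, added here and not part of the original notes: shell helpers that build the peercred DN for a local account, emit the LDIF that grants that account read access to cn=config while root keeps manage, and unfold an slapd.d LDIF file so its olcAccess grantees can be audited (this covers the "only root via SASL EXTERNAL" default of the config database above as well). Assumptions: slapd on Ubuntu with the stock config ACL "to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break"; the account name ldapaudit, the uid/gid 1000 and the sample LDIF file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumed: Ubuntu slapd with the
# default cn=config ACL; "ldapaudit" and uid/gid 1000 are hypothetical values.

# peercred_dn UID GID -> the DN slapd assigns to a local user over ldapi:///.
# Note the order: gidNumber comes first, then uidNumber.
peercred_dn() {
    printf 'gidNumber=%s+uidNumber=%s,cn=peercred,cn=external,cn=auth\n' "$2" "$1"
}

# peercred_dn_for USER -> same DN, looked up with id(1); USER must exist locally.
peercred_dn_for() {
    peercred_dn "$(id -u "$1")" "$(id -g "$1")"
}

# config_acl_ldif UID GID -> LDIF replacing olcAccess on the config database:
# root keeps manage, the given local user gets read, everyone else gets none.
# The root clause stays first: a mistake here can lock you out of cn=config.
config_acl_ldif() {
    dn=$(peercred_dn "$1" "$2")
    cat <<EOF
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by dn.exact=$dn read by * none
EOF
}

# apply_config_acl USER -> push the ACL over the local socket; run as root.
apply_config_acl() {
    config_acl_ldif "$(id -u "$1")" "$(id -g "$1")" | ldapmodify -Q -Y EXTERNAL -H ldapi:///
}

# check_as USER -> what slapd thinks USER is; should print the peercred DN.
check_as() {
    sudo -u "$1" ldapwhoami -Q -Y EXTERNAL -H ldapi:///
}

# unfold_ldif FILE -> join LDIF continuation lines (leading space) so that
# long olcAccess values become single lines again.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }' "$1"
}

# config_acl_grantees FILE -> "by <who> <level>" clauses of every olcAccess in
# FILE. On olcDatabase={0}config.ldif, any grantee other than the root
# peercred DN deserves a second look.
config_acl_grantees() {
    unfold_ldif "$1" | sed -n 's/^olcAccess: //p' | grep -o 'by [^ ]* [a-z]*'
}

# sample_config_ldif -> path of a constructed file that mimics the stock
# Ubuntu olcDatabase={0}config.ldif with its value folded across two lines.
sample_config_ldif() {
    f=$(mktemp)
    printf '%s\n' \
        'dn: olcDatabase={0}config' \
        'objectClass: olcDatabaseConfig' \
        'olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=' \
        ' auth manage by * break' > "$f"
    echo "$f"
}
```

Typical use as root: `apply_config_acl ldapaudit`, then `check_as ldapaudit` to confirm the DN, and `config_acl_grantees /etc/ldap/slapd.d/cn=config/olcDatabase={0}config.ldif` to see the rule that is now in force. Keep the root manage clause first and test with a second root shell still open.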