Ping a Specific Port

Question

ujjain

Asked: 2013-06-12 00:15:04 +0800 CST2013-06-12 00:15:04 +0800 CST 2013-06-12 00:15:04 +0800 CST

How do I authenticate with LDAP via the command line?

772

The LDAP server is hosted on Solaris. The client is CentOS. OpenLDAP/NSLCD/SSH authentication via LDAP work fine, but I am not able to use the ldapsearch commands to debug LDAP issues.

[root@tst-01 ~]# ldapsearch
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available:
[root@tst-01 ~]# cat /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap1.tst.domain.tld ldap://ldap2.tst.domain.tld
BASE dc=tst,dc=domain,dc=tld
[root@tst-01 ~]# ls -al /etc/openldap/cacerts
total 12
drwxr-xr-x. 2 root root 4096 Jun  6 10:31 .
drwxr-xr-x. 3 root root 4096 Jun 10 10:12 ..
-rw-r--r--. 1 root root  895 Jun  6 10:01 cacert.pem
lrwxrwxrwx. 1 root root   10 Jun  6 10:31 cf848aa4.0 -> cacert.pem
[root@tst-01 ~]#

I have tried authentication with a certificate via ldapsearch giving /etc/openldap/cacerts/cacert.pem as a parameter, but it didn't accept this certificate for authentication.

4 Answers

Voted

Friedrich 'Fred' Clausen · Answer 1 · 2013-06-12T00:26:08+08:00

Best Answer

Friedrich 'Fred' Clausen

2013-06-12T00:26:08+08:002013-06-12T00:26:08+08:00

You may wish to turn off SASL and use simple authentication with the "-x" option. For example, a search to find a particular user

ldapsearch -x -D "uid=search-user,ou=People,dc=example,dc=com" \
           -W -H ldap://ldap.example.com -b "ou=People,dc=example,dc=com" \
           -s sub 'uid=test-user'

Will find "test-user" by

-D - Use bind user "search-user"
-W - Prompt for password
-H - URL of LDAP server. Non-SSL in this case; use "ldaps://" for SSL
-b - The search base
-s - Search scope - i.e. base for base of tree, one for on level down and sub for recursively searching down the tree (can take a while)
Finally the search filter as a non-option argument. In this case we will search for the uid of "test-user"

79

gavenkoa · Answer 2 · 2014-12-20T10:35:45+08:00

gavenkoa

2014-12-20T10:35:45+08:002014-12-20T10:35:45+08:00

Seems that I ask same question at: https://stackoverflow.com/questions/27571558/how-was-authentication-built-on-ldap

See http://thecarlhall.wordpress.com/2011/01/04/ldap-authentication-authorization-dissected-and-digested/ :

Get a connection to the LDAP server.
Bind as the application user.
Search for the DN (distinguished name) of the user to be authenticated.
Bind as user to be authenticated using DN from step 3.

That may be summarized as (experiment in command line):

$ ldapsearch -x -h ldap.company.com -s sub -b 'dc=europe,dc=com' "uid=XYZ"
....
dn: uid=XYZ,dc=sales,dc=europe,dc=com
...
$ ldapsearch -W -h ldap.company.com -D 'uid=XYZ,dc=sales,dc=europe,dc=com' \
    -s sub -b 'dc=europe,dc=com' "uid=XYZ"

7

turiyag · Answer 3 · 2019-04-13T11:16:45+08:00

turiyag

2019-04-13T11:16:45+08:002019-04-13T11:16:45+08:00

Note, if you don't know your full bind DN, you can also just use your normal username or email with -U

ldapsearch -v -h contoso.com -U [email protected] -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'

4

slm · Answer 4 · 2019-05-29T09:33:32+08:00

We're using FreeIPA/IDM and I was able to authenticate against this using the following:

$ ldapsearch -h idm-01a.somednsdom.com \
    -D 'uid=<my username>,cn=users,cn=accounts,dc=somedcdom,dc=com' \
    -o ldif-wrap=no \
    -b 'cn=accounts,dc=somedcdom,dc=com' \
    -W uid=<my username>

Explanation

This will return all the details around the uid=<my username>
uid=<my username> is the filter (RFC 4515 compliant LDAP search filter)
The uid=<my username> is the query/filter to perform
o ldif-wrap=no disables wrapping of results
The -W forces ldapsearch to query for the password for the bind distinguished name uid=<my username>,cn=users,cn=accounts,dc=somedcdom,dc=com
When prompted for the password for this user the prompt will look like this:
```
Enter LDAP Password:
```

Refereneces

For reference from the ldapsearch manpage & CLI help:

   -D binddn
          Use the Distinguished Name binddn to bind to the LDAP directory.  
          For SASL binds, the server is expected to ignore this value.

   -b searchbase
          Use searchbase as the starting point for the search instead of the 
          default.

   -W     Prompt for simple authentication.  This is used instead of specifying 
          the password on the command line.

  -o <opt>[=<optparam] general options
             nettimeout=<timeout> (in seconds, or "none" or "max")
             ldif-wrap=<width> (in columns, or "no" for no wrapping)

Full Example

$ ldapsearch -h idm-01a.somednsdom.com \
    -D 'uid=joeuser,cn=users,cn=accounts,dc=somedcdom,dc=com' \
    -o ldif-wrap=no \
    -b 'cn=accounts,dc=somedcdom,dc=com' \
    -W uid=joeuser

# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=somedcdom,dc=com> with scope subtree
# filter: uid=joeuser
# requesting: ALL
#

# joeuser, users, accounts, somedcdom.com
dn: uid=joeuser,cn=users,cn=accounts,dc=somedcdom,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: cn=sysadmin,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: ipaUniqueID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXXX,cn=sudorules,cn=sudo,dc=somedcdom,dc=com
memberOf: cn=eng-systems,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: ipaUniqueID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXXX,cn=hbac,dc=somedcdom,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: ipaUniqueID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXXX,cn=sudorules,cn=sudo,dc=somedcdom,dc=com
memberOf: cn=User Administrator,cn=roles,cn=accounts,dc=somedcdom,dc=com
memberOf: cn=User Administrators,cn=privileges,cn=pbac,dc=somedcdom,dc=com
memberOf: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=somedcdom,dc=com
...
...
krbLoginFailedCount: 0
krbLastFailedAuth: 20190320223946Z
loginShell: /bin/bash
krbExtraData:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
krbPasswordExpiration: 20190829144625Z
krbLastPwdChange: 20190302144625Z
krbLastAdminUnlock: 20190111080021Z
ipaSshPubKey: ssh-rsa A....XXXXXXXXXXXX...jelByox0PM5Q== [email protected]
mepManagedEntry: cn=joeuser,cn=groups,cn=accounts,dc=somedcdom,dc=com
displayName: Joe User
uid: joeuser
krbCanonicalName: [email protected]
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
initials: JU
gecos: Joe User
sn: Mingolelli
homeDirectory: /home/joeuser
mail: [email protected]
krbPrincipalName: [email protected]
givenName: Joe
cn: Joe User
ipaUniqueID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
uidNumber: 900000000
gidNumber: 900000000
krbPwdPolicyReference: cn=admins,cn=SOMEDCDOM.COM,cn=kerberos,dc=somedcdom,dc=com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

How do I authenticate with LDAP via the command line?

Full Example

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?