ldapsearch command examples with advanced options


The ldapsearch command is used to query the required information from LDAP databases. It can be used on many occasions with different filter statements. Various ldapsearch command examples and use cases with advanced options are discussed here.

Note: Replace the password ($PASS) and ROOTDN with your server values. You may need to specify the LDAP URI and authentication method depending on your configuration. Here I am working from the LDAP server itself.

Filter user with UID

Look for users with a given UID value. This command lists the users whose UID is set to 20005.


Openldap migrate to TLS/SSL communication


Q. My LDAP server is currently configured to accept only non-encrypted connections. The server listens on port 389. I want to make my server accept only TLS/SSL encrypted connections. How do I migrate to TLS/SSL communication with a very minimal downtime window? Most importantly, the current LDAP directory data should not be disturbed.

Benefits

By upgrading to TLS/SSL encrypted communication we ensure that data transferred between the LDAP client and server is encrypted. This is most important when the data travels through an untrusted or public network. Normal LDAP communication over a TLS/SSL channel is specified as “ldaps” (like https) in the URI.


LDAP TLS negotiation failure error


Q. I am trying to configure an LDAP client. I have copied the certificate to the client and enabled TLS in pam_ldap.conf. Still the client fails to communicate with the LDAP server. At the server end I found a TLS negotiation failure error. How do I fix it?

Sep 11 10:35:12 rhel4 slapd[5241]: conn=1130 fd=12 ACCEPT from IP=10.20.31.140:37309 (IP=0.0.0.0:636)
Sep 11 10:35:12 rhel4 slapd[5241]: conn=1130 fd=12 closed (TLS negotiation failure)



Openldap configuration files and usage


How do I identify the Openldap configuration files? What is the importance and usage of each file/directory? The Openldap configuration files are the same in any distribution, but their location may vary.

This image illustrates how the configuration files are used by the Openldap service, followed by a brief description of each component.


delegate access control in Openldap


I have an OU (organizational unit) named “vendor”. How can I delegate access control management for this OU alone to one user? Is it possible, like in Windows AD?

Yes, using Openldap access control rules you can create fine-grained access control policies. I have tested this personally and discuss it here. In two situations you will need this:

  1. It is useful in organizations where multiple parties are involved but share a common authentication system, because the third parties then do not need to depend on the LDAP admin for password resets.
  2. Another major use is for organizations with a medium or large number of users, to delegate password reset tasks to the service desk team.



Configure password quality check – Openldap


Topics

1. Password quality check options – Openldap
2. Configure password quality check – Openldap

How do I implement password quality (complexity) enforcement rules? How do I test the functionality?

In my previous post I explained the various options available to implement password quality (complexity) checks. Now I am going to demonstrate enforcing password complexity rules using the “pqchecker” library.


Fix insufficient access (50) error – Openldap


Are you trying to update the Openldap global or config database configuration and getting an insufficient access error (50)?

So, what BIND DN (i.e. username) are you using? The error simply says that the BIND DN authenticated successfully, but it does not have write access to the database you are trying to modify.

# ldapmodify -axw ppsswwdd -D "cn=manager,dc=sunt,dc=com" -f db.ldif
modifying entry "olcDatabase={2}bdb,cn=config"
ldap_modify: Insufficient access (50)
