ldapsearch command examples with advanced options

The ldapsearch command used to query the required information from LDAP databases. The ldapsearch command can be used on many occasions with different filter statement. Various ldapsearch command examples and use cases with advanced options discussed here.

Note: Replace the password ($PASS) and ROOTDN with your server values. You may need to specify LDAP URI and authentication methods depend upon configuration. Here i am working from LDAP server.

Filter user with UID

Look for the users with given UID value. This command list the users whoever UID set to 20005.

Read More


Openldap migrate to TLS/SSL communication

Q. My ldap server currently configured to accept only non-encrypted connections. The server listens to port 389. I want to make my server to accept only TLS/SSL encrypted connections. How to migrate to TLS/SSL communication with very minimal downtime window? Most important is current LDAP directory data should not be disturbed.

Benefits

By upgrading to TLS/SSL encrypted communication we ensure data transferred between LDAP client and server will be encrypted. This is most important when the data travel through untrusted or public network. The normal LDAP communication over TLS/SSL channel specified as “ldaps” (same like https) in URI.

Read More


LDAP TLS negotiation failure error

Q. I am trying to configure LDAP client. Have copied the certificate to client and enabled TLS in pam_ldap.conf. Still the client failed to communicate with LDAP server. At server end found TLS negotiation failure error. How to fix it?

Sep 11 10:35:12 rhel4 slapd[5241]: conn=1130 fd=12 ACCEPT from IP=10.20.31.140:37309 (IP=0.0.0.0:636)
Sep 11 10:35:12 rhel4 slapd[5241]: conn=1130 fd=12 closed (TLS negotiation failure)

Read More


delegate access control in Openldap

I have an OU (organizational unit) named “vendor”. How to delegate access control management to one user for this OU alone? Is it possible like windows AD?

Yes, using Openldap access control rules you can create fine grained access control policies. Have tested personally and discussed here. In two places you must need this.

  1. It will be useful in organizations where multiple parties involved but using common authentication system. Because other third parties no need to depend on LDAP admin for password reset stuff.
  2. Another massive usage is for organizations with large or medium number of users. For delegating password reset task to service desk team.

Read More


Configure password quality check – Openldap

Topics

1.  Password quality check options – Openldap

2.  Configure password quality check – Openldap

How to implement password quality (complexity) enforcement rules? How to test the functionality?

In my previous discussion explained about various options available to implement password quality (complexity) check. Now I am going to demonstrate enforcing password complexity rules using “pqchecker” library.

Read More


Fix insufficient access (50) error – Openldap

Are you trying to update Openldap global or config database configuration? Getting insufficient access error (50)?

So, What is the BIND dn (i.e username) you are using? The error simply says that BIND dn authentication successful but it does not have write access to database you are trying to modify.

# ldapmodify –axw ppsswwdd -D "cn=manager,dc=sunt,dc=com" -f db.ldif
modifying entry "olcDatabase={2}bdb,cn=config"
ldap_modify: Insufficient access (50)

Read More