LDAP

  • A protocol for querying a user directory, designed to work over TCP/IP.

  • An LDAP entry is a collection of attributes.

  • Entries are arranged in a tree structure, and are uniquely identified by a Distinguished Name (DN) that is the path to that object in the tree.

  • Hierarchical, read from right (root) to left (the entry itself)

  • Derived from the X.500 standards, with many of their concepts and terms still in use.

Concepts

Structure

  • LDAP directory servers present data arranged in tree-like hierarchies in which each entry may have zero or more subordinate entries. This structure is called the Directory Information Tree, or DIT. Each tree has a single root entry, which is called the naming context (or in some servers, a suffix).
  • Creating a new DIT (Directory Information Tree) involves the following steps:
    • Create a new partition.
    • Create suffix entry.
    • Create additional entries.
  • All LDAP servers must expose a special entry, at the top of the LDAP server directory information tree, called the root DSE, whose DN is the zero-length string.
  • A DN (Distinguished Name) uniquely identifies an entry in an LDAP directory server: it is the fully qualified sequence of names that traces the entry back to the root of the tree.
  • An RDN (Relative Distinguished Name) is one component of a DN, e.g. uid=jdoe in uid=jdoe,ou=people,dc=example,dc=org.

Attribute

  • Abbreviation

    • User ID : uid
    • Common Name : cn
    • Surname : sn
    • Location : l
    • Organizational Unit : ou
    • Organization : o
    • Domain Component : dc
    • State : st
    • Country : c
    • Street address : street

Filter

Base

  • The base is the part of the DN under which the search starts

  • The base DN is relative to the DN given in the LDAP URI

    If the URI is ldap://localhost:389/dc=example,dc=org and the base DN is ou=people, the query is based on ldap://localhost:389/ou=people,dc=example,dc=org. So if the base DN is already included in the URI, there is no need to repeat it in the query.

LDIF

  • Every line in an LDIF file is an attribute (written as attribute: value).
  • A plain-text LDAP Data Interchange Format file
  • Can be opened by an LDAP browser such as Apache Directory Studio
  • Directories often have at least one organization entry. Typically the organization entry is the first, or topmost entry in the directory. The organization entry often corresponds to the suffix set for the directory.

Authentication

BIND operation

  • Bind authentication is the most common mechanism for authenticating users with LDAP. In bind authentication, the user's credentials (username and password) are submitted to the LDAP server, which authenticates them. The advantage of using bind authentication is that the user's secret (the password) does not need to be exposed to clients, which helps protect it from leaking.

  • An LDAP client transmits a BIND request to an LDAP server in order to change the authorization state of the client connection. When an LDAP client first connects to an LDAP server, the server sets the authorization state of the connection to unauthenticated. When the server receives a BIND request, it immediately sets the authorization state of the connection to unauthenticated. Should the BIND request succeed, the server sets the authorization state of the connection to the state associated with the DN in the BIND request. LDAPv3 allows a connection to change state any number of times, with the caveat that no requests may be outstanding when the BIND request is received.

  • Takeaway

    • The LDAP client sends the password as part of the BIND request, and the LDAP server validates the password instead of the client. The LDAP server never sends the password back to the client, so the password is not leaked to the client.

bind account

openldap-clients

ldapsearch

# search result
search: 2
result: 32 No such object     # 32 is the result code; see the result code reference at the bottom

# numResponses: 1             # 1 is the number of response messages returned, i.e. the entries plus the final result message.
# numEntries: 84              # 84 is the total number of entries that the search returned.

Active Directory

Cheatsheet

Test Simple Authentication

  • ldapsearch -H ldap://<domain>:<port> -D '<bind_account_DN>' -w '<bind_account_password>' -b '<baseDN>' '(filters...)'

    e.g. ldapsearch -H ldap://localhost:10389 -D 'cn=admin,dc=example,dc=org' -w 'adminpassword' -b 'ou=people,dc=example,dc=org' '(uid=userID)'

Return all entries in the directory

  • ldapsearch -h hostname -b "dc=example,dc=com" -s sub "objectclass=*" (the -h/-p options are deprecated in the OpenLDAP clients; prefer -H ldap://hostname)

Use LDAP_BASEDN environment variable

  • Equivalent to the -b argument
