Authenticating against LDAP


ldapsearch is a command used to query LDAP, but it can also be used to test login authentication: if a user can bind successfully, they can be considered authenticated. The groups the user is a member of can then be used to decide whether they are authorized to access a specific resource.

ldapsearch -h <LDAPserverHostname> -D "bind DN" -W -b "searchbase DN"

-h LDAP server hostname
-b searchbase
-D bind DN
-W prompt for password on screen


ldapsearch -x -W -D  'cn=Manager,dc=company,dc=net' -b "" -s base -h inet01.fqdn

-x Simple auth, not SASL
-W Prompt for the simple-auth password instead of passing it on the command line
-D Distinguished name to bind with
-b search Base
-s Scope of search, base, onelevel or subtree.
-h Host to search on

e.g. to see all users and UIDs:-
ldapsearch -x -W -D 'uid=user1,ou=People,dc=prod,dc=company,dc=net' -b 'ou=People,dc=prod,dc=company,dc=net' -s onelevel | grep -E 'cn:|uidN|# '

e.g. to see just one user:-
ldapsearch -x -W -D 'uid=user1,ou=People,dc=prod,dc=company,dc=net' -b 'cn=testuser,ou=People,dc=prod,dc=company,dc=net' -s base

e.g. to get the email address for one user (if the entry has no mail attribute, only the dn is returned, as below):-
ldapsearch -x -W -D 'uid=user1,ou=People,dc=prod,dc=company,dc=net' -b 'cn=testuser,ou=People,dc=prod,dc=company,dc=net' -s base mail
Enter LDAP Password:
# extended LDIF
# LDAPv3
# base <cn=testuser,ou=People,dc=prod,dc=company,dc=net> with scope base
# filter: (objectclass=*)
# requesting: mail

# testuser, People,
dn: cn=testuser,ou=People,dc=prod,dc=company,dc=net

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


Cannot find group info

[root@cube etc]# ssh -l andrew
andrew@'s password:
Last login: Mon Dec  3 01:01:27 2012
id: cannot find name for group ID 1001
[andrew@cube ~]$

[andrew@cube ~]$ getent group andrew
[andrew@cube ~]$ getent passwd andrew
[andrew@cube ~]$

In /etc/ldap.conf, set the base that nss_ldap searches for group entries:-

nss_base_group          ou=group,dc=mydomain,dc=pri?one

Controlling logins with group access

So far, you can log in to the server solely on the basis of being able to authenticate against LDAP. If you need to allow some LDAP users but not others to access your server, you can use LDAP groups and specify the groups allowed to log in in /etc/security/access.conf (on RedHat/CentOS etc., maybe others too). This file is only consulted if pam_access.so is enabled in the PAM stack for the service (e.g. sshd). You can test the existence of the appropriate groups with getent group as above.

[root@myserver]# cat /etc/security/access.conf
# Login access control table.
# Format of the login access control table is three fields separated by a
# ":" character:
#       permission : users : origins
# The first field should be a "+" (access granted) or "-" (access denied)
# character.
# The second field should be a list of one or more login names, group
# names, or ALL (always matches). 
# The third field should be a list of one or more tty names , host names, 
# domain names (begin with "."), host addresses, internet network numbers or ALL

#Always allow root from console
+ : root : LOCAL

# LDAP groups to allow from local subnet
+ : LDAPallowedUsersGroup : 192.168.0.

#LDAP groups to forbid from everywhere
- : LDAPforbiddenUsersGroup : ALL
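The bind test at the top of the page and the group check above, put together as a small script. This is an added example, not from the original page: it assumes OpenLDAP's ldapsearch, posixGroup entries with memberUid attributes, and the hypothetical ou=group,dc=prod,dc=company,dc=net layout; the password is read from a file with -y so it never appears on the command line.

```shell
#!/bin/sh
# Added example (not from the original page): test an LDAP bind and check
# group membership from the LDIF that ldapsearch returns.
# Assumptions: OpenLDAP ldapsearch on PATH, groups are posixGroup objects
# with memberUid attributes; DN layout is hypothetical.

LDAPSEARCH="${LDAPSEARCH:-ldapsearch}"   # overridable so it can be stubbed offline

# Print the values of one attribute from LDIF on stdin.
# Joins folded continuation lines (lines starting with a single space) and
# ignores base64-encoded values (attr:: ...), which are out of scope here.
ldif_attr_values() {
    awk -v a="$1" '
        function flush() {
            if (index(buf, a ": ") == 1) print substr(buf, length(a) + 3)
            buf = ""
        }
        /^ / { buf = buf substr($0, 2); next }   # folded line: append to previous
        { if (buf != "") flush(); buf = $0 }
        END { if (buf != "") flush() }'
}

# Bind as BINDDN with the password stored in PASSFILE (-y keeps it off the
# command line and out of ps output) and read the group entry's members.
# A failed bind makes ldapsearch exit non-zero (49 = invalid credentials),
# so the pipeline's status doubles as the authentication test.
ldap_group_members() {
    host="$1"; binddn="$2"; passfile="$3"; groupdn="$4"
    "$LDAPSEARCH" -x -LLL -h "$host" -D "$binddn" -y "$passfile" \
        -b "$groupdn" -s base memberUid | ldif_attr_values memberUid
}

# Return 0 if UID appears as a memberUid in the LDIF on stdin, 1 otherwise.
ldif_has_member() {
    ldif_attr_values memberUid | grep -qxF "$1"
}

# Usage: ldap_group_members inet01.fqdn 'uid=user1,ou=People,dc=prod,dc=company,dc=net' \
#            /root/.ldappw 'cn=LDAPallowedUsersGroup,ou=group,dc=prod,dc=company,dc=net'
```

Pipe the group entry into ldif_has_member to decide whether a particular uid should be granted access, which is the same decision access.conf makes with pam_access.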

ACL on LDAP server

Restrict the userPassword attribute so that anonymous clients can only use it to bind (auth), the user themselves and the admin can write it, and nobody else can read it.

In slapd.conf:-

access to attrs=userpassword
	by dn="cn=admin,o=company,c=GB" write
	by anonymous auth
	by self write
	by * none


rb/authagainstldap.txt · Last modified: 24/07/2019 16:00 by andrew