Getting bind error while connecting to ldap - linux

I have written the following ldap command to test ldap connection
ldapsearch -x -h ldap.com -b "uid=user1,ou=people,dc=domain,dc=com"
I am getting the following output
# extended LDIF
#
# LDAPv3
# base <uid=user1,ou=people,dc=domain,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 1 Operations error
text: 000004DC: LdapErr: DSID-0C0907C2, comment: In order to perform this opera
tion a successful bind must be completed on the connection., data 0, v2580
# numResponses: 1
Please suggest how to resolve bind error

The error implies you need to bind to the server to be able to perform the search. As an example:
ldapsearch -D "cn=directory manager" -w secret -p 389 -h server.example.com -b "dc=example,dc=com" -s sub "(objectclass=*)"
The man page for ldapsearch

Related

OpenLDAP Local configuration for Application Authentication

I have installed openLDAP on a Centos 7 server that is already running FreeIPA for user authentication. http://www.tecmint.com/setup-ldap-server-and-configure-client-authentication
The purpose of openLDAP is for a Nodejs application to manage users for the app, and it will be running on a separate server.
I can see that slapd is running (ps -ef | grep slapd):
ldap 1287 1 0 06:40 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldapi:/// ldap:///
So I was trying to change the defaults using the ldapadd command and I suspect I am connecting to the FreeIPA LDAP that is configured on the box (on some commands using -x -h it is asking for a password which hasn't been set yet):
sudo ldapadd -H ldapi:/// -f ldaprootpasswd.ldif
SASL/GSS-SPNEGO authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)
If I run an ldapsearch then I seem to be able to connect to openLDAP:
sudo ldapsearch -H ldapi:/// -Y EXTERNAL -b "cn=config" "(olcRootDN=*)" olcSuffix olcRootDN olcRootPW -LLL -Q
dn: olcDatabase={2}hdb,cn=config
olcSuffix: dc=my-domain,dc=com
olcRootDN: cn=Manager,dc=my-domain,dc=co
I thought maybe that I could connect externally using a Windows LDAP tool but I get a connection error. I did confirm that the port is open and visible externally.
nmap -p 389 10.18.16.243
Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-28 11:25 GMT Daylight Time
Nmap scan report for 10.18.16.243
Host is up (0.00s latency).
PORT STATE SERVICE
389/tcp filtered ldap
MAC Address: BB:BB:BB:BB:BB:00 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 19.92 seconds
I tried using -h instead of -H:
sudo ldapadd -a -x -h localhost -p 389 -D cn=Manager,dc=my-domain,dc=com -W -f ldaprootpasswd.ldif
This prompts me for a password but I have only just installed openLDAP and not set a password yet (olcRootPW is in the ldif file I am trying to apply).
Does anyone have experience with openLDAP for user authentication or have any ideas what config needs changing to get this up and running?
The secret incantation was:
sudo ldapmodify -a -Q -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
Since "-a" forces adding new entries when using ldapmodify, this would be the same as above:
sudo ldapadd -Q -Y EXTERNAL -H ldapi:/// -f ldaprootpasswd.ldif
"-Q" -- Enable SASL Quiet mode. Never prompt.
"-Y" -- Specify the SASL mechanism to be used for authentication. If it's not specified, the program will choose the best mechanism the server knows.

How to find post username and password of a html form using Thc-hydra?

The url of my login page is 119.xx.xxx.xxx:8080/webpage/ .
When I enter this url in browser to go to the login page, I see this request header GET /webpage/ HTTP/1.1.
The url in the action attribute of the login form is /webpage/login/loginCheck.
In Thc-hydra I am giving this command hydra -t 1 -V -f -l user1234 -P pass.txt 119.xx.xxx.xxx http-post-form "/webpage/login/loginCheck:userId=^USER^&password=^PASS^:F=Login page" .
But the result says that Child with pid 1234 terminating, cannot connect
When I try this command hydra -t 1 -V -f -l user1234 -P pass.txt 119.xx.xxx.xxx:8080/webpage/ http-post-form "/login/loginCheck:userId=^USER^&password=^PASS^:F=Login page" I get the error network size may only be between /16 and /31: 119.xx.xxx.xxx:8080/webpage/
Where am I making the mistake? How can I solve this?
As said, the first example does not have the port number, and the second example contains a mixture of different URL path formats.
I would try this format
hydra -t 1 -V -f -l user1234 -P pass.txt "http-post-form://192.168.1.2:8080/login/loginCheck:userId=^USER^&password=^PASS^:F=Login page"

ldapsearch Size limit exceeded with paging and certificate

I'm trying to execute a paginated ldapsearch to an LDAPs with a certificate:
export LDAPTLS_CACERT=/home/test/ssl.pem
ldapsearch -x -H ldaps://test.test.com:636 -b "dc=test,dc=com" -E pr=100/noprompt
With the above commands, after 500 results ldapsearch returns Size limit exceeded:
search: 6
result: 0 Success
control: 1.2.840.113556.1.4.319 false MA0CAQAECOYFAAAAAAAA
pagedresults: cookie=5gUAAAAAAAA=
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with pagedResults control: size=100
#
# search result
search: 7
result: 4 Size limit exceeded
# numResponses: 506
# numEntries: 500
But when I pass not only the certificate but also the username/password, things work perfectly:
export LDAPTLS_CACERT=/home/test/ssl.pem
ldapsearch -x -H ldaps://test.test.com:636 -b "dc=test,dc=com" \
-E pr=100/noprompt -D "cn=admin,dc=test,dc=com" -w myamazingpassword
With the above commands, after 1006 results ldapsearch returns Success:
# search result
search: 12
result: 0 Success
control: 1.2.840.113556.1.4.319 false MAUCAQAEAA==
pagedresults: cookie=
# numResponses: 1017
# numEntries: 1006
Why is this happening? Why am I not able to perform a paginated search on ldap without the username/password?
Most servers enforce different size limits for different users (admin vs regular user vs anonymous).
When you run plain LDAPS search, there is no LDAP authentication. The server is probably limiting the number of entries to 500 for anonymous users.
If you want to authenticate the client at LDAP level using the certificate, you should request SASL EXTERNAL authentication, with the option -Y EXTERNAL.

Write to stdin which asks for password

I am working on a bash script to configure openldap and add ldif script with users and groups.
How can I write the password from the bash script ?
This is the script I run when it asks for password:
ldapadd -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" -W -x -f /etc/ldap/base.ldif
EDIT:
I tried this and created a passwd.txt file with the password:
ldapadd -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" -W -x -y'passwd.txt' -f /etc/ldap/base.ldif
But I get this error:
Warning: Password file passwd.txt is publicly readable/writeable
ldap_bind: Invalid credentials (49)
man ldapadd.
-W
Prompt for simple authentication. This is used instead of specifying the password on the command line.
-w passwd
Use passwd as the password for simple authentication.
-y passwdfile
Use complete contents of passwdfile as the password for simple authentication.
So it seems you are looking for the -w or -y option, not -W
There're two possibilities:
ldapadd reads the password from the standard input.
ldapadd reads the password directly from the current TTY.
In the first case it's enough to use something like this echo 'MySecretPassword' | ldapadd -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" -W -x -f /etc/ldap/base.ldif. The second one is more complicated because you need a tool like expect. Check if the simple redirection works first.
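The -y option uses the complete contents of the file, so a trailing newline left by echo or an editor becomes part of the password and the bind fails with Invalid credentials (49); the warning in the question is about the file's permissions. An added example, not from the original posts, that writes and checks such a file; write_pwfile and check_pwfile are illustrative names, not OpenLDAP tools:

```shell
#!/bin/sh
# Added example: create and verify a password file for ldapadd/ldapsearch -y.
# write_pwfile and check_pwfile are hypothetical helper names.

# write_pwfile FILE PASSWORD
# Creates FILE owner-only, containing exactly the password bytes.
write_pwfile() {
    file=$1
    pass=$2
    (
        umask 077                      # new file is created as 0600
        printf '%s' "$pass" > "$file"  # printf '%s' adds no trailing newline
    ) || return 1
    chmod 600 "$file"                  # also tighten a pre-existing file
}

# check_pwfile FILE
# Returns 0 if FILE is owner-only and has no trailing newline, 1 otherwise.
check_pwfile() {
    file=$1
    rc=0
    # Characters 5-10 of the ls mode string are the group/other bits.
    if [ "$(ls -ld "$file" | cut -c5-10)" != "------" ]; then
        echo "$file: accessible by group or others" >&2
        rc=1
    fi
    # A final 0x0a byte would be sent to the server as part of the password.
    if [ "$(tail -c 1 "$file" | od -An -tx1 | tr -d ' \n')" = "0a" ]; then
        echo "$file: ends with a newline" >&2
        rc=1
    fi
    return $rc
}

# Usage with the command from the question (-y used instead of -W):
#   write_pwfile "$HOME/.ldap_pw" "$password"
#   ldapadd -x -h localhost -D "cn=admin,dc=sysadmin1,dc=hioa,dc=no" \
#       -y "$HOME/.ldap_pw" -f /etc/ldap/base.ldif
```

Unlike -w, this keeps the password out of the process list and the shell history.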

using ldapsearch to return only a value

Using an OpenLDAP server, I want to retrieve information from it with ldapsearch. I created a custom class called iduriclass; this class is used to store an id and a uri. In my ldapsearch command I want it to return only the uri for a specified id.
EXAMPLE: the directory now contains two entries, id=test uri=server.com/test and id=test2 uri=server.com/test2
Trying it, I get an ldif file that contains all uris in the server
I want to have an ldapsearch command that takes test as argument and returns only a value that is : server.com/test
Here's how you query your ldap server.
HOSTNAME=<your ldap hostname>
USERNAME=<your ldap username>
PASSWORD=<your ldap username's password>
SEARCHBASE=<your ldap's search base DN>
QUERYSTRING=test1
PORT=<your ldap port>
ldapsearch -LLL -h "${HOSTNAME}" -p "${PORT}" -D "cn=${USERNAME}" -w "${PASSWORD}" -b "${SEARCHBASE}" "(id=${QUERYSTRING})" uri | sed -n 's/^[ \t]*uri:[ \t]*\(.*\)/\1/p'
The option -LLL will not print ldap comments on output. Your ldap may require -x (simple authentication) if it doesn't support SASL.
Adding the parameter -tt writes a file with ONLY the requested attribute(s) value as the OP requested. No preceding field name or anything else. Path is configurable with -T, otherwise is /tmp
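The sed pipeline above expects each value on a single line in the form uri: value. ldapsearch prints LDIF, which folds long lines (a continuation line starts with one space) and base64-encodes values that are not safe as plain text (uri:: ...), and a value placed inside (id=...) should be escaped per RFC 4515 first. An added example, not from the original answers, covering both; the function names are illustrative, the sample LDIF is constructed, and base64 -d assumes GNU coreutils or BusyBox:

```shell
#!/bin/sh
# Added example: escape the search value and read attribute values from LDIF.
# ldap_escape_filter, ldif_attr and sample_ldif are hypothetical names.

# ldap_escape_filter VALUE: escape \ * ( ) per RFC 4515 for use in a filter.
ldap_escape_filter() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldif_attr ATTR: read LDIF on stdin, print each value of ATTR on one line.
ldif_attr() {
    attr=$1
    # Unfold first: a line starting with one space continues the previous one.
    awk '
        /^ / { buf = buf substr($0, 2); next }
             { if (NR > 1) print buf; buf = $0 }
        END  { if (NR > 0) print buf }
    ' | while IFS= read -r line; do
        # "attr:: " marks a base64 value, "attr: " a plain one.
        case $line in
            "$attr:: "*) printf '%s' "${line#*:: }" | base64 -d; echo ;;
            "$attr: "*)  printf '%s\n' "${line#*: }" ;;
        esac
    done
}

# Constructed sample of ldapsearch -LLL output: plain, base64 and folded.
sample_ldif() {
    cat <<'EOF'
dn: id=test,dc=example,dc=com
uri: server.com/test

dn: id=test2,dc=example,dc=com
uri:: c2VydmVyLmNvbS90ZXN0Mg==

dn: id=test3,dc=example,dc=com
uri: server.com/a-long-path-that-ldapsearch-folds-at-the-line-width/
 test3
EOF
}

# Usage with the variables from the answer above (connection options elided):
#   ldapsearch -LLL ... "(id=$(ldap_escape_filter "$QUERYSTRING"))" uri \
#       | ldif_attr uri
```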
