How do I authenticate with LDAP via the command line?
The LDAP server is hosted on Solaris. The client is CentOS. OpenLDAP/NSLCD/SSH authentication via LDAP work fine, but I am not able to use the ldapsearch commands to debug LDAP issues.
[root@tst-01 ~]# ldapsearch
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
[root@tst-01 ~]# cat /etc/openldap/ldap.conf
TLS_CACERTDIR /etc/openldap/cacerts
URI ldap://ldap1.tst.domain.tld ldap://ldap2.tst.domain.tld
BASE dc=tst,dc=domain,dc=tld
[root@tst-01 ~]# ls -al /etc/openldap/cacerts
total 12
drwxr-xr-x. 2 root root 4096 Jun 6 10:31 .
drwxr-xr-x. 3 root root 4096 Jun 10 10:12 ..
-rw-r--r--. 1 root root 895 Jun 6 10:01 cacert.pem
lrwxrwxrwx. 1 root root 10 Jun 6 10:31 cf848aa4.0 -> cacert.pem
[root@tst-01 ~]#
I have tried authentication with a certificate via ldapsearch giving /etc/openldap/cacerts/cacert.pem as a parameter, but it didn't accept this certificate for authentication.
Solution 1:
You may wish to turn off SASL and use simple authentication with the "-x" option. For example, a search to find a particular user:
ldapsearch -x -D "uid=search-user,ou=People,dc=example,dc=com" \
-W -H ldap://ldap.example.com -b "ou=People,dc=example,dc=com" \
-s sub 'uid=test-user'
This will find "test-user" by:
- -D - Use bind user "search-user"
- -W - Prompt for password
- -H - URL of LDAP server. Non-SSL in this case; use "ldaps://" for SSL
- -b - The search base
- -s - Search scope - i.e. base for the base of the tree, one for one level down and sub for recursively searching down the tree (can take a while)
- Finally the search filter as a non-option argument. In this case we will search for the uid of "test-user"
Solution 2:
It seems that I asked the same question at: https://stackoverflow.com/questions/27571558/how-was-authentication-built-on-ldap
See http://thecarlhall.wordpress.com/2011/01/04/ldap-authentication-authorization-dissected-and-digested/ :
- Get a connection to the LDAP server.
- Bind as the application user.
- Search for the DN (distinguished name) of the user to be authenticated.
- Bind as user to be authenticated using DN from step 3.
That may be summarized as (experiment on the command line):
$ ldapsearch -x -h ldap.company.com -s sub -b 'dc=europe,dc=com' "uid=XYZ"
....
dn: uid=XYZ,dc=sales,dc=europe,dc=com
...
$ ldapsearch -W -h ldap.company.com -D 'uid=XYZ,dc=sales,dc=europe,dc=com' \
-s sub -b 'dc=europe,dc=com' "uid=XYZ"
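To show the search-then-bind procedure end to end, here is an added Python example (not from the linked post, the answer, or OpenLDAP): it parses the LDIF that step 3's ldapsearch prints, including folded continuation lines and base64 ("::") values, extracts the single matching DN, and builds the argv for the step 4 bind. The sample LDIF is constructed, and the host and base names are placeholders.

```python
import base64

# Constructed step-3 output; the folded memberOf and base64 (::) description are test cases.
SAMPLE_LDIF = """\
# filter: uid=XYZ

# XYZ, sales, europe.com
dn: uid=XYZ,dc=sales,dc=europe,dc=com
uid: XYZ
description:: U2FsZXMgdGVhbSwgRXVyb3Bl
memberOf: cn=sales-staff,ou=Groups,dc=europe,d
 c=com

# search result
search: 2
result: 0 Success
"""

def parse_ldif(text):
    """ldapsearch LDIF -> list of {attr: [values]}; handles '#' comments,
    folded lines (leading space) and base64 ('attr:: ...') values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # continuation of previous line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:                # trailing "" flushes last entry
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):           # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name.strip(), []).append(value.strip())
    return entries

def find_user_dn(ldif_text, uid):
    """DN of the single entry whose uid matches, else None (absent or ambiguous)."""
    dns = [e["dn"][0] for e in parse_ldif(ldif_text)
           if "dn" in e and uid in e.get("uid", [])]
    return dns[0] if len(dns) == 1 else None

def bind_as_user_argv(host, base, user_dn, uid):
    """Step 4 argv: -x simple bind as the found DN; -W prompts, keeping the password out of argv/history."""
    return ["ldapsearch", "-x", "-W", "-h", host, "-D", user_dn,
            "-s", "sub", "-b", base, "uid=" + uid]
```

The step 4 command adds "-x" to the answer's second ldapsearch, since without it the client attempts a SASL bind, which is exactly the "no mechanism available" failure the question shows.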
Solution 3:
Note: if you don't know your full bind DN, you can also just use your normal username or email with -U.
ldapsearch -v -h contoso.com -U [email protected] -w 'MY_PASSWORD' -b 'DC=contoso,DC=com' '(objectClass=computer)'
Solution 4:
We're using FreeIPA/IDM and I was able to authenticate against this using the following:
$ ldapsearch -h idm-01a.somednsdom.com \
-D 'uid=<my username>,cn=users,cn=accounts,dc=somedcdom,dc=com' \
-o ldif-wrap=no \
-b 'cn=accounts,dc=somedcdom,dc=com' \
-W uid=<my username>
Explanation
- This will return all the details around uid=<my username>
- uid=<my username> is the filter (RFC 4515 compliant LDAP search filter), i.e. the query to perform
- -o ldif-wrap=no disables wrapping of results
- -W forces ldapsearch to query for the password for the bind distinguished name uid=<my username>,cn=users,cn=accounts,dc=somedcdom,dc=com
- When prompted for the password for this user the prompt will look like this:
Enter LDAP Password:
For reference, from the ldapsearch manpage & CLI help:
-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.
-b searchbase
Use searchbase as the starting point for the search instead of the
default.
-W Prompt for simple authentication. This is used instead of specifying
the password on the command line.
-o <opt>[=<optparam] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif-wrap=<width> (in columns, or "no" for no wrapping)
Full Example
$ ldapsearch -h idm-01a.somednsdom.com \
-D 'uid=joeuser,cn=users,cn=accounts,dc=somedcdom,dc=com' \
-o ldif-wrap=no \
-b 'cn=accounts,dc=somedcdom,dc=com' \
-W uid=joeuser
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=somedcdom,dc=com> with scope subtree
# filter: uid=joeuser
# requesting: ALL
#
# joeuser, users, accounts, somedcdom.com
dn: uid=joeuser,cn=users,cn=accounts,dc=somedcdom,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: cn=sysadmin,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: ipaUniqueID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXXX,cn=sudorules,cn=sudo,dc=somedcdom,dc=com
memberOf: cn=eng-systems,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: ipaUniqueID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXXX,cn=hbac,dc=somedcdom,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: ipaUniqueID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXXX,cn=sudorules,cn=sudo,dc=somedcdom,dc=com
memberOf: cn=User Administrator,cn=roles,cn=accounts,dc=somedcdom,dc=com
memberOf: cn=User Administrators,cn=privileges,cn=pbac,dc=somedcdom,dc=com
memberOf: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=somedcdom,dc=com
...
...
krbLoginFailedCount: 0
krbLastFailedAuth: 20190320223946Z
loginShell: /bin/bash
krbExtraData:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
krbPasswordExpiration: 20190829144625Z
krbLastPwdChange: 20190302144625Z
krbLastAdminUnlock: 20190111080021Z
ipaSshPubKey: ssh-rsa A....XXXXXXXXXXXX...jelByox0PM5Q== [email protected]
mepManagedEntry: cn=joeuser,cn=groups,cn=accounts,dc=somedcdom,dc=com
displayName: Joe User
uid: joeuser
krbCanonicalName: [email protected]
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
initials: JU
gecos: Joe User
sn: Mingolelli
homeDirectory: /home/joeuser
mail: [email protected]
krbPrincipalName: [email protected]
givenName: Joe
cn: Joe User
ipaUniqueID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
uidNumber: 900000000
gidNumber: 900000000
krbPwdPolicyReference: cn=admins,cn=SOMEDCDOM.COM,cn=kerberos,dc=somedcdom,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1