For network guys configuring LDAP Authentication on the Cisco APIC Controller, it can be useful to query an LDAP server when configuring or troubleshooting LDAP Authentication. This page shows how ldapsearch(1) can be used to query a directory for information.
Basic Terms
- LDAP – Lightweight Directory Access Protocol.
- LDAP Schema – organization of information stored in an LDAP server. The two most common schemas are defined in RFC2307 and RFC2307bis.
- Distinguished Name (DN) – a string representing an object’s entire path to the root of the LDAP namespace.
- Relative Distinguished Name (RDN) – a component of a DN.
- Common Name (CN) – an object’s attribute type that specifies the identifies of an object. This can reference an object or a container of objects. Users and groups are common uses of CN, as are hosts and devices.
- Organizational Unit (OU) – a component within an LDAP schema to identify a delegation of authority within an LDAP namespace. Eg, a Directory Administrator might create “ou=BizUnit03” to delegate control of user accounts to a local Support Team for that Business Unit without granting access to the entire directory.
If you do not have access to a directory server in your test environment, consider FreeIPA or OpenLDAP in your lab using a CentOS virtual machine.
Assumptions:
- domain is coastlab.local
- LDAP server is running at 10.18.188.184
- Bind DN is “uid=admin,cn=users,cn=accounts,dc=coastlab,dc=local“
- Bind DN Password is Password1
Query the LDAP server running at 10.18.188.184 anonymously:
ldapsearch -x -h 10.18.188.184-x indicates simple authentication, even with anonymous queries.
-h references the host we wish to query.
Query with a Bind DN using assumptions above:
ldapsearch -x -h 10.18.188.184 -D "uid=admin,cn=users,cn=accounts,dc=coastlab,dc=local" -w Password1-D references the Bind DN of an account with permissions to query the directory. Usually a system account with non-expiring password for applications, or a user DN with appropriate a permissions
-w references the password for the
Note: FreeIPA permits anonymous queries by default, but does not show all attributes of objects unless authenticated.
Same, but prompt for password instead:
ldapsearch -x -h 10.18.188.184 -D "uid=admin,cn=users,cn=accounts,dc=coastlab,dc=local" -WFind a uid that equals “ldapy”:
ldapsearch -x -h 10.18.188.184 -D "uid=admin,cn=users,cn=accounts,dc=coastlab,dc=local" -W "uid=ldapy"Find “uid=ldapy” within the container (Base DN) “cn=accounts,dc=coastlab,dc=local”:
ldapsearch -x -h 10.18.188.184 -D "uid=admin,cn=users,cn=accounts,dc=coastlab,dc=local" -W -b "dc=coastlab,dc=local" -b cn=accounts,dc=coastlab,dc=local "uid=ldapy"