Questions tagged [ldap]

Lightweight Directory Access Protocol (LDAP) for reading and editing directories over an IP network

The Lightweight Directory Access Protocol is an application protocol for reading and editing directories that follow the Directory Information Model over an IP network using unsecured TCP/IP, TLS or SSL. LDAP is a binary protocol described in terms of ASN.1 and transmitted using ASN.1 Basic Encoding Rules (BER).

A directory is a hierarchical collection of records known as a Directory Information Base, or when visualized, as a Directory Information Tree. The directory model should be visualized as an upside-down tree, much like a UNIX file-system. The root of the Directory Information Tree is known as the prefix or namingContext. The namingContext, supported versions of the protocol, supported features and supported controls (operation semantics modifiers) and other information can be discovered by querying the root DSE, though the information might be protected by access controls.

Clients (Directory User Agents) issue requests to the directory server (Directory System Agent), and the directory server returns a response indicating the success or failure of the search, add, modify, delete, moddn (rename) or extended operation; a successful search response also carries the matching entries from the Directory Information Tree. Controls might be used to alter the semantics of a request, for example, a sort control might be included with a search request to sort the returned entries (known as a server-side sort). Without the sort control in the search request, entries returned from search operations are not ordered and must not be ordered. Clients must not expect that entries are ordered in any way.

Modern directory servers support a high-speed replication mechanism which is not defined by the standard, though there have been some attempts at defining a replication standard. Therefore, replication and the protocol used for replication is vendor-specific. If data must be synchronized between directory servers from different vendors, a synchronization device must be used.

Most modern programming languages have an LDAP SDK, including Java, PHP, Perl, C/C++, and others. Directory Server software usually comes equipped with a set of command line tools such as ldapsearch, ldapmodify, and others.

Directory Information Trees accessed by the LDAP protocol are used in authentication and authorization applications, configuration storage, profile storage, public-key infrastructure and other applications requiring:

  • speed of access
  • a small, light-weight protocol
  • a simple programming model
  • easily configured replication, redundancy, and failover

Questions that are specific to Active Directory should not be tagged with the LDAP tag unless the question is specifically related to the protocol or the Directory Information Model. Active Directory provides an LDAP interface, but that interface does not fully implement the LDAP standard and deviates from it in important ways. Therefore, there are questions that can be answered specifically for Active Directory that are not applicable to standards-compliant LDAP servers, and vice versa. Correctly tagging a question will result in a higher probability of an accurate, timely response.

2653 questions
120 votes, 8 answers

How can I figure out my LDAP connection string?

We're on a corporate network that's running Active Directory and we'd like to test out some LDAP stuff (Active Directory membership provider, actually) and so far, none of us can figure out what our LDAP connection string is. Does anyone know how we…
Allen (1,443)

72 votes, 4 answers

SSH key authentication using LDAP

In short: Would like a way to do SSH key authentication via LDAP. Problem: We use LDAP (slapd) for directory services and we've recently moved to using our own AMI for building instances. The reason the AMI bit is important is that, ideally, we…
c4urself (5,270)

66 votes, 3 answers

How to test an LDAP connection from a client

How to check the LDAP connection from a client to a server. I'm working on the LDAP authentication and this client desktop needs to authenticate via an LDAP server. I can SSH to the LDAP server using an LDAP user, but when in the desktop login prompt, I can't…
FELDAP (909)

53 votes, 7 answers

How can I find the LDAP server in the DNS on Windows?

For Linux, this command should return the DNS record for the LDAP server: host -t srv _ldap._tcp.DOMAINNAME (found at Authenticating from Java (Linux) to Active Directory using LDAP WITHOUT servername). How could I get the same on the Windows command…
mjn (933)

51 votes, 4 answers

How do I authenticate with LDAP via the command line?

The LDAP server is hosted on Solaris. The client is CentOS. OpenLDAP/NSLCD/SSH authentication via LDAP work fine, but I am not able to use the ldapsearch commands to debug LDAP issues. [root@tst-01 ~]# ldapsearch SASL/EXTERNAL authentication…
ujjain (3,963)

35 votes, 2 answers

How to get ldapsearch on Scientific Linux?

How do I get the ldapsearch on Scientific Linux? I am trying to find the ldapsearch client for Scientific Linux but cannot find how to install the client in order to do LDAP queries.
techsjs2012 (525)

35 votes, 2 answers

How do I configure LDAP on Centos 6 for user authentication in the most secure and correct way?

During the last couple of days I have been using a lot of F-words while browsing the Internet for good documentation about how to set up an LDAP server. So far I have found none, but plenty that are less than good but better than bad. So I had to do it…
Arlukin (1,203)

34 votes, 2 answers

In LDAP, what exactly IS a bind DN?

I've written various pieces of code that connect to LDAP servers and run queries, but it's always been voodoo to me. One thing I don't really understand is the concept of a bind DN. Here's an example using the ldapsearch command-line tool available…
dirtside (1,481)

32 votes, 5 answers

Common wisdom about Active Directory authentication for Linux Servers?

What is the common wisdom in 2014 about Active Directory authentication/integration for Linux servers and modern Windows Server operating systems (CentOS/RHEL-focused)? Over the years since my first attempts with integration in 2004, it seems like…
ewwhite (194,921)

29 votes, 5 answers

How to use Google Apps as an OD/AD/LDAP Provider

I see tons of solutions for allowing Google Apps to use external AD and LDAP services for login. However, I already have a ton of users set up in Google Apps, and I'm trying to go the other way around. That is, I'd like to allow users to log…
pixelcort (391)

27 votes, 18 answers

Are there any good and lightweight LDAP querying tools?

As developers we sometimes need to query LDAP. Do you know useful tools for this task? Edit: I don't mean in code, I mean a utility/tool (command-line or GUI, mostly GUI) just to look at/confirm data, or if possible to alter it...
spinodal (373)

26 votes, 2 answers

Understand PAM and NSS

In the last few days I have set up some Linux systems with LDAP authentication and everything works fine, but there's still something I can't really understand regarding NSS and PAM, even after a lot of research. Citing: NSS allows administrators to…
ColOfAbRiX (980)

26 votes, 5 answers

ldapsearch password file format

How am I supposed to pass a password to ldapsearch using the -y option? If I write the password in the password file in plain text, I get this error: ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr:…
Paolo Tedesco (1,206)

23 votes, 4 answers

Easiest way to set up LDAP for dev testing

I'm a developer for a product that integrates with LDAP for authentication. I need to set up a directory that I can test against. I'm not an expert with LDAP. To help ease the learning curve it'd be useful to have a real-world example directory. Are…
chroder (634)

21 votes, 4 answers

How to authenticate users in nested groups in Apache LDAP?

I've got working LDAP authentication with the following setup: AuthName "whatever" AuthType Basic AuthBasicProvider ldap AuthLDAPUrl …
mark (1,516)