
LDAP Interrogation Operations and the usage of ldapsearch Command-Line Utility Assignment 5

M.M. Nafees Mohamed [IT09077744]
M.N.M. Althaf [IT09061354]

LDAP Search Operation


The LDAP search operation retrieves from the directory the entries that match criteria supplied by the client, and returns them, together with the attributes the client asked for, in a well-defined format. A search request carries eight parameters.

1. Base object: the DN of the entry in the DIT (Directory Information Tree) at which the search starts.
2. Search scope: which part of the tree at or below the base is examined. There are three scopes.
   a. Sub (subtree): the base entry and everything beneath it.
   b. One-level: only the immediate children of the base entry, not the base entry itself.
   c. Base: only the base entry itself.
3. Alias dereferencing option, which has four values.
   a. neverDerefAliases: aliases are not dereferenced, neither when locating the base object nor when examining the entries beneath it.
   b. derefInSearching: aliases are dereferenced among the entries beneath the base object, but not when locating the base object.
   c. derefFindingBaseObject: aliases are dereferenced when locating the base object, but not among the entries beneath it.
   d. derefAlways: aliases are dereferenced both when locating the base object and when searching beneath it.
4. Size limit: the maximum number of entries the client is willing to receive. When it is reached the server stops the search and returns the entries found so far with a sizeLimitExceeded result (0 means no client-side limit, although the server may enforce its own).
5. Time limit: the maximum number of seconds the server may spend on the search. When it is exceeded the server stops the search and returns the entries found so far with a timeLimitExceeded result; the connection itself stays open.
6. Attributes-only flag (attrsOnly, called typesOnly in RFC 4511): if true, the server returns only the attribute names of each entry, without values; if false, it returns names and values.
7. Search filter: which entries qualify to be returned.
8. List of attributes to return: which attributes of each matching entry are included in the result. An empty list means all user attributes.

LDAP Search Filters


Several filter types let the client narrow the result set.

a. Equality filter: matches entries whose attribute has the given value, compared with the attribute's equality matching rule (for most string attributes this comparison ignores case). Ex: (sn=smith) matches entries whose sn is smith.

b. Substring filter: (sn=smith*) matches sn values that begin with smith, for example Smith, Smithers and Smithsonian. The asterisk may appear at the start, in the middle or at the end of the value, and more than once, e.g. (sn=*son*).

c. Approximate filter: (sn~=jensen) matches values that sound like Jensen. The approximate-match algorithm is not standardised and differs between servers.

d. Greater-than-or-equal and less-than-or-equal filters: LDAP filters provide only >= and <=; there is no strict > or <. Ex: (sn<=Smith) returns entries whose sn sorts at or before Smith under the attribute's ordering rule, and (sn>=Smith) those that sort at or after it. An attribute with no ordering matching rule cannot be used here; such a filter is Undefined and matches nothing.

e. Presence filter: matches any entry that has at least one value of the attribute, whatever the value is. Ex: (emailAddresses=*) returns every entry that has an emailAddresses attribute.

f. Extensible matching: supported only by LDAPv3. It lets the client choose the matching rule, so that a value can be compared with a rule other than the attribute's default (for example a rule for another language or collation). The syntax is

   attr [":dn"] [":" matchingrule] ":=" value

   attr is the attribute to match; :dn means the match is also applied to the attributes that make up the entry's distinguished name, in addition to the entry's own attributes; matchingrule names, by OID or by name, the rule to use. If no matching rule is given, the attribute's equality rule is used, and value is the assertion value. Either attr or matchingrule may be omitted, but not both. Ex: (sn:dn:2.4.6.9:=Althaf Nafees), where 2.4.6.9 stands for a matching-rule OID; by name, (cn:caseExactMatch:=Althaf Nafees) compares cn case-sensitively.

g. Negation: returns every entry except those matched by the enclosed filter. The exclamation mark does the job, and the enclosed filter must itself be parenthesised. Ex: (!(sn=Altafnfs)) returns all entries whose sn is not Altafnfs (including entries that have no sn at all).

h. Combining filter terms: the AND operator & and the OR operator | have the same meaning as in logic. They are written in prefix form, take any number of operands, and may be nested. Ex: (&(sn=Althafnfs)(objectClass=person)) returns entries with object class person and sn exactly Althafnfs; (|(cn=Barbara Jensen)(cn=Babs Jensen)) returns entries with either cn value.
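To make the scope and filter semantics above concrete, here is an added example (not code from the original assignment) that models an LDAP search in memory: a parser for the filter forms listed above (extensible matching excepted), scope checking against a constructed directory, and the attribute-list projection. The directory entries, DNs and values are all constructed for illustration, and ~= is approximated as case-insensitive equality since the real rule is server-specific. The escape_filter_value helper is the RFC 4515 escaping a practitioner needs whenever a filter is built from untrusted input; the usage note shows why.

```python
"""In-memory model of an LDAP search: scope, RFC 4515 filters, attribute list.

Added example for this page, not code from the original assignment. The
directory is constructed; the filter parser covers equality, substring,
presence, >=, <=, ~= (approximated as case-insensitive equality), !, & and |,
but not extensible matching."""
import re

# Constructed directory: DN -> attributes; every attribute is multi-valued.
DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["top", "domain"], "dc": ["example"]},
    "ou=People,dc=example,dc=com": {"objectClass": ["top", "organizationalUnit"], "ou": ["People"]},
    "uid=bjensen,ou=People,dc=example,dc=com": {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": ["Barbara Jensen", "Babs Jensen"], "sn": ["Jensen"], "uid": ["bjensen"],
        "mail": ["bjensen@example.com"], "roomNumber": ["0209"]},
    "uid=ssmith,ou=People,dc=example,dc=com": {
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
        "cn": ["Sam Smithers"], "sn": ["Smithers"], "uid": ["ssmith"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter: without it,
    input such as '*)(uid=*' changes the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def in_scope(dn, base, scope):
    """base: only the base entry; one: its immediate children; sub: the base and
    everything beneath it (plain case-insensitive DN strings, no escaped commas)."""
    dn, base = dn.lower(), base.lower()
    below = dn.endswith("," + base)
    if scope == "base":
        return dn == base
    if scope == "one":   # exactly one RDN above the base: no comma left in the prefix
        return below and "," not in dn[: -len(base) - 1]
    return dn == base or below    # "sub"

_ITEM = re.compile(r"^([A-Za-z][\w.;-]*)(~=|>=|<=|=)(.*)$", re.S)

def parse_filter(text):
    """Parse a filter string into a tuple tree, e.g. ('&', [('=', 'sn', 'Jensen'), ...])."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError("trailing text after filter: %r" % rest)
    return node

def _parse(s):
    if not s.startswith("("):
        raise ValueError("filter must start with '(': %r" % s)
    if s[1] in "&|":                      # (&(f1)(f2)...) / (|(f1)(f2)...)
        rest, kids = s[2:], []
        while rest.startswith("("):
            kid, rest = _parse(rest)
            kids.append(kid)
        node = (s[1], kids)
    elif s[1] == "!":                     # (!(f))
        kid, rest = _parse(s[2:])
        node = ("!", kid)
    else:                                 # simple item; a literal ')' in a value is escaped as \29
        end = s.index(")")
        m = _ITEM.match(s[1:end])
        if not m:
            raise ValueError("bad filter item: %r" % s[:end + 1])
        attr, op, val = m.groups()
        kind = "present" if op == "=" and val == "*" else "substr" if op == "=" and "*" in val else op
        return (kind, attr, val), s[end + 1:]
    if not rest.startswith(")"):
        raise ValueError("missing ')' in %r" % s)
    return node, rest[1:]

def _values(entry, attr):
    """Attribute names are case-insensitive in LDAP; values are lowered for matching."""
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return [v.lower() for v in vals]
    return []

def matches(entry, node):
    kind = node[0]
    if kind == "&":
        return all(matches(entry, k) for k in node[1])
    if kind == "|":
        return any(matches(entry, k) for k in node[1])
    if kind == "!":
        return not matches(entry, node[1])
    values = _values(entry, node[1])
    if kind == "present":
        return bool(values)
    if kind == "substr":   # split on '*' before unescaping so an escaped \2a stays a literal '*'
        pieces = [re.escape(_unescape(p).lower()) for p in node[2].split("*")]
        return any(re.match("^" + ".*".join(pieces) + "$", v, re.S) for v in values)
    target = _unescape(node[2]).lower()
    if kind in ("=", "~="):
        return target in values
    if kind == ">=":
        return any(v >= target for v in values)
    return any(v <= target for v in values)     # "<="

def search(base, scope, filter_text, attrs=None, directory=DIRECTORY):
    """Return {dn: attributes} for in-scope entries matching the filter, projected
    onto the requested attribute names (None means all attributes)."""
    node = parse_filter(filter_text)
    wanted = None if attrs is None else {a.lower() for a in attrs}
    return {dn: {k: v for k, v in entry.items() if wanted is None or k.lower() in wanted}
            for dn, entry in directory.items() if in_scope(dn, base, scope) and matches(entry, node)}
```

With this model, search("dc=example,dc=com", "one", "(objectClass=*)") returns only the ou=People entry, while scope sub returns all four and scope base only the root. The escaping matters: substituting the raw string *)(uid=* into "(&(uid=%s)(mail=*))" turns it into three presence filters and returns bjensen, whereas escape_filter_value turns the same input into a literal that matches nothing. The same code also covers the compare operation described later: a search with the entry's DN as base, scope base and filter (attr=value) returns one entry or none, where a compare would return compareTrue or compareFalse.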

LDAP Compare Operation


The compare operation checks whether a specific entry holds a specific attribute value. The client sends the server a DN, an attribute name and an assertion value. The server answers compareTrue if the entry has that value for that attribute and compareFalse if it does not; if the entry does not exist it answers noSuchObject, and some servers answer noSuchAttribute when the attribute is absent altogether. Compare can therefore only answer a yes/no question about one attribute of one entry, while the search operation offers many ways to retrieve the desired values. A search can answer the same question: use the entry's DN as the search base, a base scope and the filter (attribute=value). The difference lies in how a miss is reported. The search simply returns zero entries, whereas compare returns an explicit result code to the client. Compare is also the right tool when the client is not allowed, or does not need, to read the attribute value itself: it learns only whether its assertion matched, never the stored value.

LDAP Command-Line Utilities


The ldapsearch utility searches a directory server from the command line. The search parameters are given as options and arguments, and the results are printed in LDIF format. The following example uses the options of the Netscape/Sun Directory Server ldapsearch; OpenLDAP's ldapsearch of the same name takes its server as a URI with -H and assigns different meanings to some option letters, so check the man page of the implementation in use.

    ldapsearch -h ldap.example.com -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)"
    version: 1
    dn: uid=bjensen, ou=People, dc=example,dc=com
    cn: Barbara Jensen
    cn: Babs Jensen
    sn: Jensen
    givenName: Barbara
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    ou: Product Development
    ou: People
    l: Cupertino
    uid: bjensen
    mail: bjensen@example.com
    telephoneNumber: +1 408 555 1862
    facsimileTelephoneNumber: +1 408 555 1992
    roomNumber: 0209

Looking at the command line: -h ldap.example.com names the host on which the server runs, -s sub sets the search scope to subtree, -b "dc=example,dc=com" sets the search base, and "(cn=Barbara Jensen)" is the filter, so every entry under the base whose cn matches is returned. The search base and the filter must be enclosed in quotation marks; otherwise the shell splits them on spaces and interprets the parentheses, and the utility receives corrupted arguments. The version: 1 line is the LDIF version header that precedes the entries. To retrieve a single known entry, do what was described for the search operation above: give the entry's DN as the search base and use a base scope, e.g. -b "uid=bjensen,ou=People,dc=example,dc=com" -s base.

Authentication is another important point. Binding as a user is the preferable way to obtain fuller access to the directory, because an anonymous (unbound) client is usually allowed to see only a limited subset of the data. Simple authentication is requested with the -D option for the bind DN and the -w option for the bind password. Ex: modify the command above as follows.

    ldapsearch -h localhost -D "uid=bjensen,ou=people,dc=example,dc=com" -w hifalutin -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)"

Two cautions apply. A password given with -w is recorded in the shell history and is visible in the process list to other users on the host, so prefer the form that prompts for it or reads it from a protected file (OpenLDAP's ldapsearch prompts with -W and reads a file with -y). And a simple bind transmits the password in clear text, so it should be combined with the SSL/TLS options described next.

By default the server returns every user attribute of each entry it finds. To retrieve only some attributes, list their names after the filter at the end of the command line. Ex:

    ldapsearch -h localhost -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)" mail roomNumber
    version: 1
    dn: uid=bjensen, ou=People, dc=example,dc=com
    mail: bjensen@example.com
    roomNumber: 0209

Here the mail and roomNumber attributes are appended, so only those two attributes are returned.

Another point to consider is using SSL to search the directory. To encrypt the data between ldapsearch and the server, use the -Z and -P options: -Z enables SSL, and -P gives the path to the certificate database that ldapsearch uses to verify the server's certificate. The -W option supplies the password for the SSL key database and -N the name of the client certificate; both are needed only when the client authenticates with a certificate. Ex:

    ldapsearch -h localhost -Z -P /home/bjensen/.netscape/cert7.db -W "mycertdbpassword" -N "My Certificate" -s sub -b "dc=example,dc=com" "(cn=Barbara Jensen)"

Note that these option letters belong to the Netscape/Sun Directory Server ldapsearch. In OpenLDAP's ldapsearch, -Z requests StartTLS on the plain LDAP port (-ZZ makes it mandatory), -P selects the protocol version, -W prompts for the bind password, simple authentication must be requested explicitly with -x, and an SSL connection is requested by giving the server as -H ldaps://host.
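The LDIF that ldapsearch prints is easy to consume from a script, but a naive line splitter gets two things wrong: values that the server base64-encodes (written as attr:: value) and long values that are folded onto a continuation line starting with a single space. The following added example (not part of the original assignment) parses ldapsearch output into Python records; the embedded LDIF is constructed to mirror the bjensen entry above, with a folded telephoneNumber line and a base64 description added so that both cases are exercised.

```python
"""Parse the LDIF printed by ldapsearch into (dn, attributes) records.

Added example for this page, not code from the original assignment. The LDIF
text below is constructed: it mirrors the entry shown on the page and adds a
folded line and a base64-encoded value, both of which ldapsearch can emit."""
import base64

SAMPLE_LDIF = """version: 1
dn: uid=bjensen, ou=People, dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
sn: Jensen
objectClass: top
objectClass: person
ou: Product Development
ou: People
l: Cupertino
uid: bjensen
mail: bjensen@example.com
description:: QmFicw==
telephoneNumber: +1 408 555
  1862
roomNumber: 0209

dn: uid=ssmith, ou=People, dc=example,dc=com
sn: Smithers
uid: ssmith
"""

def unfold(text):
    """Join LDIF continuation lines (leading space) back onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) records. The version line and
    comments are skipped; 'attr:: value' is base64-decoded; entries are
    separated by blank lines, and multi-valued attributes keep server order."""
    records, dn, attrs = [], None, {}
    for line in unfold(text):
        if not line.strip():
            if dn is not None:
                records.append((dn, attrs))
                dn, attrs = None, {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # base64 form: attr:: <base64>
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    if dn is not None:                      # last record, if the output lacks a trailing blank line
        records.append((dn, attrs))
    return records
```

Running parse_ldif(SAMPLE_LDIF) yields two records; the first has both cn values in order, the telephoneNumber reassembled as +1 408 555 1862, and the description decoded from base64. Feeding a real ldapsearch run into it (for example via subprocess.run with the password passed through -y rather than -w) needs no changes.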
