Symas OpenLDAP Knowledge Base

Operations

Bind

Anonymous Bind

LDAP requires that clients identify themselves so that the server can determine the level of access to grant their requests. This works through an LDAP mechanism called "binding", which is simply the act of associating your request with a known security entity. There are three separate types of authentication that LDAP understands. The most generic type a client can use is an "anonymous" bind, which is essentially the absence of authentication. LDAP servers can categorize certain operations as accessible to anyone (typically, by default, the public-facing DIT is configured as read-only for anonymous users). If you are using an anonymous bind, those operations will be available to you.

The OpenLDAP tools assume SASL authentication (we’ll discuss this momentarily) by default, so to allow an anonymous bind, we must give the -x argument. Combined with the server specification, this will look something like this:

ldapsearch -H ldap://server_domain_or_IP -x

Simple Bind

Uses a DN and a password

The DN and the password may be omitted, resulting in an anonymous session

SASL Authentication

SASL stands for Simple Authentication and Security Layer. It is a framework for hooking authentication methods up to protocols, providing a flexible authentication system that is not tied to a specific implementation. You can check the Wikipedia page to learn about the various mechanisms available.

Your LDAP server will probably only support a subset of the possible SASL mechanisms. To find out which mechanisms it allows, you can type:

ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms

Attributes Search

sudo /opt/symas/bin/ldapsearch -H ldap://crwth.ext.symas.com:10389 -x -b dc=symas,dc=com desired_attribute

Here -H takes the server URI (ldap://crwth.ext.symas.com:10389 in this example), -x selects a simple bind (anonymous when no DN is given), -b takes the search base DN (dc=symas,dc=com in this example), and the names of the attributes you want returned follow the base.

To authenticate with credentials, add -D cn=Username,dc=domain,dc=com -w secret. Use -W instead of -w to be prompted for the password, so that it does not appear on the command line where other users can read it from the process list.