The purpose of this guide is to convey a basic understanding of how to manipulate data that is stored within an LDAP server. It does not speak to setting up the server, configuring the LDAP service itself, or securing the LDAP server. For information on these topics, see this article.
A hell of a lot of entirely new acronyms are going to be introduced and then used throughout this article. It is critical you learn them, as LDAP possess an extensive and unique vocabulary. LDAP itself will become a lot less confusing the more you readily recognize and understand its associated acronyms. Scroll to the bottom of this article for an LDAP glossary.
There are three command-line tools that we will use to manipulate LDAP data. They are:
- ldapsearch: A read-only tool that allows the querying of existing LDAP records for all or specific fields.
- ldapadd: The tool for adding a wholly new LDAP record (a collection of fields, belonging to a single distinguishing name, or DN).
- ldapmodify: Permits the modifying of an existing LDAP record through adding, replacing, or deleting one or more fields within a DN.
The basic structure within LDAP can be visualized as a series of nested "folders", each containing other "folders" or "files" (attributes). Unlike UNIX, which uses a / as both the path separator and point of origin, LDAP uses special record types and commas as path separators, and assumes you are using your domain's TLD as the point of origin.
For example, let us assume that the user John Doe is to be placed within the users "bucket", and that your FQDN is example.com:
Written in LDAP query nomenclature, the above is:
uid=johndoe,cn=users,dc=example,dc=com
uid stands for, as you might imagine, User ID. cn stands for Common Name (ou, or Organizational Unit, is often used in its place here.) Last but not least, dc stands for Domain Component. The whole string, which points to a specific LDAP record, is called a Distinguished Name, or dn.
Alternatively, assuming the same user appears within the Relative Distinguished Name, or RDN, of ou=employees,dc=example,dc=com, then the DN now looks like this:
Written in standard form, the above is:
uid=johndoe,ou=employees,dc=example,dc=com
This means that we can now positively identify one specific LDAP entry within the LDAP Directory Information Tree, or DIT (also called the naming-context.) Now, to make this useful, we can add individual fields, or attributes, to this DN that provide information about the user.
For example, let us now specify John Doe's email address and office telephone number. First, we will add the attribute mail which will contain his email address:
This means that the DN uid=johndoe,ou=employees,dc=example,dc=com now has an attribute, mail, which contains the data john@example.com.
Let's add his office phone number:
Now the DN uid=johndoe,ou=employees,dc=example,dc=com contains two attributes, mail and telephoneNumber.
You might now be wondering what attributes are available to a given DN, or is it entirely free-form? The answer is that the attribute names, and the kind of data each can contain, are specified by the schema you use for the DN. An in-depth discussion of schemata would fill an article twice the size of this one, and is beyond the scope of this particular article; but suffice to say, available schemata are defined on the LDAP server itself, and the most common one for use with address book-like LDAP implementations is called inetOrgPerson. The rest of this article assumes that the inetOrgPerson schema is configured and in use on your LDAP server.
Let us now return to the aforementioned command-line tools, and take a look at ldapsearch.
First, before we can simply query an LDAP server for data, we must authenticate ourselves. LDAP supports three levels of permissions:
- Bind
- Read
- Write
Bind simply allows us to connect to the LDAP server, usually for purposes of then authenticating with a username and password. Once authenticated, we are then allowed to read or write DNs based on how the server is configured. The most common default configuration is to allow everyone ("anonymous") to bind, and after authentication, to permit read for all DNs, and only write for our own DN ("self").
Thus, to use any of the LDAP command-line tools, we must pass certain authentication information when we invoke the command. For example:
$ ldapsearch -h "ldap.example.com" -D "uid=johndoe,ou=users,dc=example,dc=com" -W
The -h parameter specifies the hostname of the LDAP server. -D is the bind DN, that is, the DN with which we are binding (authenticating) to the server. -W prompts for the password; you can also specify the password on the command-line with -w "password".
So far all that has done is invoke the LDAP search command and authenticate to the server. We now need to specify something known as the search base, or RDN. This will limit our search to a specific portion of the Directory Information Tree, or DIT, so that our search is both fast and accurate:
$ ldapsearch -h "ldap.example.com" -D "uid=johndoe,ou=users,dc=example,dc=com" -W -b "ou=users,dc=example,dc=com"
This means that our search will be performed only again DNs contained within the RDN of ou=users,dc=example,dc=com. How deep the search goes within that RDN is governed by something called search scope, the default for which is subtree, which is fine for our purposes here.
Last but not least, we must now specify what it is for which we are looking. If we skip this step, the ldapsearch command will return the entire contents of the RDN, which is (probably) not very useful and may be extremely large. Let us look specifically for the user "Jane Doe", except we don't know exactly what her User ID is. Let's assume it probably starts with jane:
$ ldapsearch -h "ldap.example.com" -D "uid=johndoe,ou=users,dc=example,dc=com" -W -b "ou=users,dc=example,dc=com" "uid=jane*"
But what if it is jdoe?
$ ldapsearch -h "ldap.example.com" -D "uid=johndoe,ou=users,dc=example,dc=com" -W -b "ou=users,dc=example,dc=com" "uid=j*"
Or if we have no idea where within the UID string "jane" might appear:
$ ldapsearch -h "ldap.example.com" -D "uid=johndoe,ou=users,dc=example,dc=com" -W -b "ou=users,dc=example,dc=com" "uid=*jane*"
As you can see from the above examples, the wildcard * works exactly as you might expect.
Let us now refine our search further to just see Jane's email address:
$ ldapsearch -h "ldap.example.com" -D "uid=johndoe,ou=users,dc=example,dc=com" -W -b "ou=users,dc=example,dc=com" "uid=jane*" mail
That will return only the attribute mail from the DN uid=janedoe,ou=users,dc=example,dc=com.
The data returned by the ldapsearch command is in LDAP Data Interchange Format, or LDIF. This is the same format used when adding and change data within LDAP, as we will now see.
To add a new record (usually, a DN and associated attributes) to a DIT, we will first need to create a text file that is formatted in LDIF.
Let's add a new user, "Joe Smith", to the DN ou=users,dc=example,dc=com, and specify both his email address and telephone number. Here's the LDIF, which we'll assume has been saved to a file named new_user.ldif:
dn: uid=joesmith,ou=users,dc=example,dc=com objectClass: inetOrgPerson uid: joesmith mail: joe@example.com telephoneNumber: (123) 555-2121
Note that first we specify the DN for all of the subsequent attributes; this tells LDAP where to put this new record. Next, we tell LDAP what schema we are using for this DN. We then specify the attributes.
To import this LDIF data into LDAP we use the ldapadd command. It uses many of the parameters we've previously seen from ldapsearch, as we must bind to the LDAP server before we can write to it; however, we do not need to specify a search base:
$ ldapadd -h "ldap.example.com" -D "uid=johndoe,ou=users,dc=example,dc=com" -W -f new_user.ldif
The -f parameter specifies the file to read the LDIF entry from. You can specify more than one LDIF entry in a single file simply by separating each entry with an empty line.
While ldapadd is useful for inserting new data into LDAP, it cannot be used to overwrite existing data. To add a new attribute to a DN, delete an existing attribute from a DN, or to modify an existing attribute, you need to use the ldapmodify command.
Like the ldapadd command, the ldapmodify command reads LDIF from a file and applies the changes on the LDAP server.
Let's update Joe's email address. Here is the LDIF, which we will save to a file named update_email.ldif:
dn: uid=joesmith,ou=users,dc=example,dc=com changetype: modify replace: mail mail: joe_smith@example.com
This will update the attribute mail with the new value joe_smith@example.com. To import this change into LDAP, run the ldapmodify command:
$ ldapmodify -h "ldap.example.com" -D "uid=johndoe,ou=users,dc=example,dc=com" -W -f update_email.ldif
The LDIF for modifying existing DNs can specify more than a single change at a time by separating them with a line containing a single hyphen; for example, to change both Joe's email and his telephone number at the same time:
dn: uid=joesmith,ou=users,dc=example,dc=com changetype: modify replace: mail mail: joe_smith@example.com - replace: telephoneNumber telephoneNumber: (555) 555-1234
You can also change more than one DN at a time, by separating the DNs and their associated attribute changes with an empty line:
dn: uid=joesmith,ou=users,dc=example,dc=com changetype: modify replace: mail mail: joe_smith@example.com dn: uid=janedoe,ou=users,dc=example,dc=com changetype: modify replace: mail mail: jane_doe@example.com
When modifying (or adding) multiple records from a single LDIF file, the default behavior is to abort upon the first error. It may be useful to continue despite an error, however; to do this, pass the -c parameter to the ldapadd or ldapmodify command.
If SASL is broken on your LDAP server for some reason, you can instruct any of the ldap* commands to use simple authentication instead. Simply pass the -x parameter to the command.
If your LDAP server requires TLS before it will do more than let you bind to it, pass the -Z parameter to the command. To force TLS to be used (always a good idea assuming your LDAP server supports TLS) add a second Z like this: -ZZ.
| anonymous | A session is described as anonymous if neither a DN nor a password (credentials) is supplied when initiating the session (sending the bind). LDAP defines a state called unauthorized in which a DN is supplied with the bind but no password. The net effect of such a bind in OpenLDAP is to create an anonymous session. | |
| ASN.1 | The ITU-T's Abstract Syntax Notation One (X.208/X.680 series). A language for describing and encoding rules for data representation. ASN.1 is used to encode protocol data units (PDUs a.k.a messages, blocks or frames) using a variety of encoding systems including BER (Basic Encoding Rules X.690), CER (Canonical Encoding Rules), DER (Distinguished Encoding Rules), XER (XML Encoding Rules) and PER (Packed Encoding Rules X.691). In the case of LDAP only the simpler BER is used rather than the terrifyingly complicated PER. ASN.1 OIDs described. | |
| Attribute | The data in an entry is contained in attribute-value pairs. Each attribute has a name (and sometimes a short form of the name) and belongs to an objectClass. The attributes characteristics are fully described by an ASN.1 definition. One or more objectClasses may be included in a Schema. Depending on the ASN.1 definition of the attribute there can be one (SINGLE-VALUE) or more that one (default) attribute-value pair of the same named attribute in an entry. One (or more) attribute(s), the naming attribute or RDN, will always uniquely identify an entry. | |
| authenticated | A session is described as authenticated if a user DN and secret is supplied when initiating the session (sending the bind). | |
| AVA | Attribute Value Assertion. | |
| Base | The base entry (a.k.a root and suffix) is one of many terms commonly used to describe the topmost entry in a DIT or naming-context. The term base seems to be used because the search scope base in a LDAP URL or other search typically uses this value. The Root DSE is the highest level in an LDAP enabled directory. | |
| BER | Basic Encoding Rules an ITU-T binary format (defined in X.690) for formating ASN.1 fields for transmission within a protocol. In a number of cases, notably search filters, LDAP uses strings rather than binary (BER) encodings. | |
| bind | When connection is made to an LDAP server the first operation of the sequence is called a bind. The bind operation sends the dn of the entry that will be used for authentication and the password to be used. In the case of an anonymous bind both values will be NULL. | |
| Chaining | When a Referral ObjectClass is encountered by an LDAP server during a search operation it may be returned as a Referral to the requesting client or the Server may be configured to follow the referral using a process known as chaining through use of the overlay chain directive. By default OpenLDAP returns referrals but may be configured to implement chaining with consequent performance overheads. | |
| Client | Client a.k.a LDAP Client describes a piece of software that provides access to an LDAP sever. Most standard web browsers (MSIE and Gecko) provide limited LDAP client capabilities using LDAP URLs. LDAP browsers and web interfaces are both very common examples of LDAP clients. | |
| Component Matching | Component Matching (RFC 3687) provides both an alternative (but longer) search filter syntax for simple attributes and a method by which components (parts or instances) of compound attributes may be extracted and searched. | |
| contextCSN | The Change Sequence Number (CSN) of the context (the highest entryCSN used in the context or synchronization search scope). CSNs (both entryCSN and contextCSN) are extensively used in OpenLDAP syncrepl style replication operations. The contextCSN is included in the SyncCookie. CSNs appear to be only defined in an expired RFC draft draft-chu-ldap-csn-xx.txt and for version 2.4 in this FAQ to consist of a timestamp - including microseconds, an operation-within-second counter (6 octets), a 3 octet replica id (as defined by ServerID) and a 6 octet count-within-modify operation. | |
| consumer | Describes a server which uses (consumes) a service which is supplied by a provider server. An example of a consumer is an RFC 4533 Sync Client used in replication. | |
| CSN | The Change Sequence Number (CSN) used OpenLDAP to identify changes in a replicated configuration. CSNs appear to be only defined in an expired RFC draft draft-chu-ldap-csn-xx.txt and for version 2.4 in this FAQ to consist of a timestamp - including microseconds, an operation-within-second counter (6 octets), a 3 octet replica id (as defined by ServerID) and a 6 octet count-within-modify operation. | |
| DAP | Directory Access Protocol. X.500 term for an OSI based network protocol that enables access to a DSA and which implies the directory data model. | |
| DIT | The Directory Information Tree (a.k.a the naming-context. The DIT is the hierarchy of objects that make up the local directory structure. More than one DIT may be supported by an LDAP server. The Root DSE will provide this information. | |
| DN | The Distinguished Name. A DN is comprised of a series of RDNs that uniquely describe the naming attributes on the path UP the DIT from the required entry to the directory root. A DN is written LEFT to RIGHT and looks something like this: DN: uid=bill,ou=people,dc=example,dc=com | |
| DSA | Directory System Agent. X.500 term for any DAP or LDAP enabled directory service e.g. an LDAP server. | |
| DSE | DSA Specific Entry (DSE). A control entry in a local directory server. | |
| entry | The name given to a stored object in a LDAP enabled directory. Each entry has one parent entry (object) and zero or more child entries (objects). The data content of an entry consist of one or more attributes one (or more) of which is (are) used as the naming attribute (more correctly the RDN) to uniquely identify this object in the DIT. | |
| entryCSN | The Change Sequence Number (CSN) of the entry. CSNs (both entryCSN and contextCSN) are extensively used in OpenLDAP syncrepl style replication operations. CSNs appear to be only defined in an expired RFC draft draft-chu-ldap-csn-xx.txt and for version 2.4 in this FAQ to consist of a timestamp - including microseconds, an operation-within-second counter (6 octets), a 3 octet replica id (as defined by ServerID) and a 6 octet count-within-modify operation. | |
| entryUUID | An attribute containing the Universally Unique ID (UUID) of a DIT entry. Servers are now mandated to create an entryUUID attribute when adding new entries to any DIT. The UUID is defined in RFC 4122 and the LDAP implementation and syntax of entryUUID in RFC 4530. The RFC defines both the entryUUID syntax together with uuidMatch and uuidOrderingMatch matching rules. | |
| EQUALITY | EQUALITY defines the comparison rule of an attribute when used in a search filter which contains NO wildcards both contents and length must be exactly the same. When wildcards are used this is called a substring and the SUBSTR rule is used. | |
| filter | An LDAP search is carried out by defining a base DN, a scope and a search filter. | |
| LDAP | Lightweight Directory Access Protocol. IETF term for an TCP/IP based network protocol that enables access to a DSA. Some reduced functionality from X.500 DAP specification. | |
| LDIF | LDAP Data Interchange Format. IETF term for a textual format for loading (importing) and saving (exporting) entries into a LDAP enables directory. LDIF is defined by RFC 2849. | |
| matchingRule | The method by which an attribute is compared in a search operation. A matchingRule is an ASN.1 definition which contains an OID (usually) a name e.g. caseIgnoreMatch (OID = 2.5.13.2) and the data type it operates on e.g. DirectoryString. | |
| name space | Term used to describe all DNs that lie in (or are contained within or bounded by) a given DIT i.e. if the DIT root is dc=example,dc=com then cn=people,dc=example,dc=com is said to lie in the name space but ou=people,dc=example,dc=net does not - it lies in the dc=example,dc=net name space. | |
| naming attribute | One attribute, the naming attribute (a.k.a RDN) is used to uniquely identify each entry in the DIT. | |
| naming context | a.k.a namingContext or DIT defines a unique name space starting from (and including) the root DN. | |
| objectClass | Object Classes are collections of attributes. They define:
Each objectclass is uniquely identified by an OID. |
|
| OID | An Object Identifier (OID) is a dot-separated valued e.g. 2.5.6.2 (OID of country objectclass) that uniquely defines an object and who is responsible for its definition. | |
| Operational | Operational Objects are used by the LDAP server to provide informational about the server or to control how the server behaves. They live under the Root DSE) and can be interrogated to yield the secrets of the known universe. | |
| ORDERING | ORDERING defines the comparison rule of an attribute when used in a search filter which contains >= or<= operators. | |
| Organizational Unit | organizationalUnit (ou) defines an arbitrary organisational unit and can be used at multiple levels in the hierarchy. Its value will typically be relevant in the context in which it is used. Thus in the context of defining an ITU format root name (ou,c format) it will likely be the name of the company or organization (or even organization), in the context of a lower level in the hierarchy it may be 'people' or or 'manufacturing' or 'usa' or 'usa-manufacturing' or anything else that makes sense and requires the attributes defined by the object. | |
| Ports | LDAP uses the TCP/IP protocol and connects to port 389 (ldap) for non-SSL access and 636 when using SSL (ldaps). | |
| primary | primary name is the first name that appears in an attributetype definition. The primary name MUST be used when indexing an attribute using the index directive in slapd.conf. Example: attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) SUP name ) In this example cn is the primary name of this attribute. | |
| provider | Describes a server which provides a service which is consumed (or used) by one or more other server or clients. An example of a provider is an RFC 4533 Sync Server used in replication. The more cynical would suggest that provider = master, consumer = slave, the more nuanced will spend hours describing the difference. | |
| RDN | The Relative Distinguished Name (frequently but incorrectly written as Relatively Distinguished Name). The name given to an attribute(s) that is unique at its level in the hierarchy. RDNs may be single valued or multi-valued in which case two or more attributes are combined using '+' (plus) to create the RDN e.g. cn+uid. The term RDN is only meaningful when used as part of a DN to uniquely describe the attributes on the path UP the DIT from a selected entry (or search start location) to the directory root (or more correctly the Root DSE). | |
| referral | A referral is where the LDAP server returns to an LDAP Client the name of (typically a LDAP URL) another LDAP server which may, or does, contain the requested information. Configuring Referrals. LDAP Servers may be configured to automatically follow referrals using a process known as chaining. | |
| root | The root entry (a.k.a base, suffix) is one of many terms used to describe the topmost entry in a DIT. The Root DSE is a kinda super root. | |
| rootdn | The rootdn is a confusingly named directive in the slapd.conf file which defines the DN of the superuser for each DIT which can bypass normal directory access rules. The rootdn does not need to appear in the directory, or even be related, in any way, to the DIT structure. | |
| Root DSE | Conceptually the topmost entry in a LDAP hierarchy - think of it as a super root and normally invisible i.e. not accessed in normal operations. Sometimes confused with root or base or suffix. DSE stands for DSA Specific Entry and DSA in turn stands for Directory System Agent (any directory enabled service providing DAP or LDAP access). Information about the rootDSE may be obtained in OpenLDAP by querying the OpenLDAP rootDSE classobject or to ant LDAP server (including OpenLDAP) by issuing an anonynmous bind with an empty base DN ("") and will provide information about protocol versions supported, services supported and the naming-context(s) or DIT(s) supported. | |
| scope | Used in two senses:
|
|
| Schema | A package of attributes and object classes that are sometimes (nominally) related. The schema(s) in which the object classes and attributes that the application will use (reference) are packaged are identified to the LDAP server so that it can read and parse all that wonderful ASN.1 stuff. In OpenLDAP this done using the slapd.conf file. | |
| search | An LDAP search is carried out by defining a base DN, a scope and a search filter. | |
| session | A session occurs between a LDAP client and a server when the client sends a bind command. A session may be either anonymous or authenticated. | |
| slapd | slapd is one of two daemons that run the OpenLDAP service (the other being slurpd). slapd provides the local LDAP service and is configured using the slapd.conf file. | |
| slapd.conf | slapd.conf is a static configuration file used by slapd and, where configured, slurpd. OpenLDAP version 2.2+ introduced an alternative, run-time configuration capability (slapd (cn=config). | |
| slurpd | slurpd is one of two daemons that run the OpenLDAP service (the other being slapd). slurpd provides the LDAP replication service if required and is configured using the slapd.conf and ldap.conf files. slurpd style replication was obsoleted in OpenLDAP version 2.4+ and replaced with syncreply style replication. | |
| subordinate | OpenLDAP documentation uses the term subordinate database (DIT) to define a DIT which is referenced in a referral object. Since referral objects delegate the search for the remaining part of the DN to the referred DIT they may be viewed as a hierarchy and the referred DIT as subordinate in that hierarchy. Unfortunately OpenLDAP also uses the term superior whose definition is much more dubious. | |
| SUBSTR | SUBSTR defines the comparison rule of an attribute when used in a search filter which contains wildcards. When the whole string is used the EQUALITY rule is used. | |
| substring | substring refers to any string values used in a search filter which contains wildcards. The form of the comparison e.g. case sensitive or case insensitive is defined by the SUBSTR rule in the attribute definition. | |
| subtype | LDAPv3 defines a number of subtypes at this time two have been defined binary (in RFC 2251) and lang (in RFC 2596). subtypes may be used when referencing an attribute and qualify e.g. cn;lang-en-us=smith would perform a search using US English. The subtype does not affect the encoding since UTF-8 (used for cn) allows for all language types. lang subtypes are case insensitive. | |
| suffix | suffix (a.k.a root, base) is one of many terms used to describe the topmost entry in a DIT. The term is typically used because this entry is usually defined in the suffix parameter in a OpenLDAP's slapd.conf file. The Root DSE is a kinda super root. | |
| superior | OpenLDAP documentation uses the term superior database (DIT) to define a DIT from which another DIT is referenced in a referral object. Since referral objects delegate the search for the remaining part of the DN to the referred DIT they may be viewed as a hierarchy and the DIT which contains the referral is superior to the referred DIT. A DIT which is the destination of a referral is known as subordinate. | |
| supportedExtension | The LDAP specifications (RFCs) allow for optional capabilities and extensions. If an LDAP server supports a particular extension its OID will be published in the rootDSE. RFC3674 defines the attribute supportedFeatures in the rootDSE which will yield a list of supported features and extensions. | |
| SyncCookie | A cookie sent by a provider to a consumer during sysncrepl style replication. | |
| syncrepl | A method of Replication based on the LDAP Content Synchronization protocol (RFC 4533) and released in OpenLDAP version 2.2. From OpenLDAP version 2.4 all other replication methods are obsoleted. Named from the syncrepl configuration directive. | |
| types | types (a.k.a. data types) is commonly used to refer to the ASN.1 SYNTAX of an attribute. | |
| unauthorized | A session is described as unauthorized if a DN is supplied without a password (credentials) when initiating the session (sending a bind). The net effect of such a bind in OpenLDAP (it must be explicitly permitted with a allow bind_anon_dn) is to create an anonymous session. | |
