LDAP How To
How to install Apache Directory Studio as an Eclipse Plug-in
- Open eclipse-java-ganymede-SR2-win32.zip
- Extract to "C:\Program Files\". The archive contains an eclipse subfolder.
- Open the C:\Program Files\eclipse folder and drag eclipse.exe to the Windows Start button -> All Programs to create a shortcut for Eclipse.
Install Apache Directory Studio plug-in
- Start Eclipse
- Accept the default workspace location, check "Do not ask again" and click OK.
- In Eclipse, click Help->Software updates…->Available software tab->Add site…
- Enter http://directory.apache.org/studio/update/1.x/
- Click ok. Then in the previous window expand the http://directory.apache.org/studio/update/1.x/ item by clicking the + button. Wait for it to populate and select the LDAP Browser, the LDIF editor, RCP and the Schema Editor. Click install …
- On the installation window, click Next, then select accept license, Finish.
- On the certificate prompt, mark the Apache Directory Server certificate as trusted and click OK
- Restart Eclipse when prompted
Open the ADS Perspective
- In Eclipse, click Window, Open Perspective, Other…, select LDAP, click OK
- Now you are ready to start creating connections in the bottom left pane. You can close the Welcome pane on the very right.
How to change LDAP contents with ldapmodify
How to add an attribute to an existing LDAP class, or to modify or delete an attribute of an existing LDAP class. First you need to clear the existing values of the attribute from every entry that has it. Search for those entries, returning only the attribute in question:
ldapsearch -h server -D "cn=root" -w pass -b "" -s sub "(ewldapprtl-accessstates=*)" ewldapprtl-accessstates > output.txt
Parse the output into an ldapmodify input file (input.txt) with one modify/delete record per DN, which removes the attribute values:
dn: erglobalid=7706150570390296643,ou=0,ou=accounts,erglobalid=00000000000000000000,ou=FBL,dc=com
changetype: modify
delete: ewldapprtl-accessstates
ldapmodify -h server -D "cn=root" -w pass -i input.txt
You can then modify the attribute or delete it from the class, and afterwards from the attribute list (if needed). Then you could repopulate the LDAP with the old attribute values if needed.
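One way to do the "parse it out" step, as an added example that is not from the original notes: a Python script that reads the ldapsearch output above, unfolds LDIF continuation lines, decodes base64 ("dn::") DNs, and writes the ldapmodify input. The DNs in the embedded sample are constructed placeholders, not real directory data.

```python
import base64

# Constructed sample of what `ldapsearch ... "(ewldapprtl-accessstates=*)" ewldapprtl-accessstates`
# writes to output.txt. Note the folded first DN (continuation line starts with a space),
# the escaped comma in the second, and the base64 ("dn:: ") non-ASCII DN in the third.
SAMPLE_OUTPUT = """\
dn: erglobalid=1234567890123456789,ou=0,ou=accounts,erglobalid=000000000000000
 00000,ou=FBL,dc=com
ewldapprtl-accessstates: active

dn: cn=Doe\\, Jane,ou=people,dc=example,dc=com
ewldapprtl-accessstates: locked
ewldapprtl-accessstates: expired

dn:: Y249TcO8bGxlcixvdT1wZW9wbGUsZGM9ZXhhbXBsZSxkYz1jb20=
ewldapprtl-accessstates: active
"""


def parse_dns(ldif_text):
    """Return the DN of every entry in ldapsearch LDIF output."""
    # Unfold: LDIF wraps long lines by starting the continuation with one space.
    unfolded = ldif_text.replace("\n ", "")
    dns = []
    for line in unfolded.splitlines():
        if line.startswith("dn:: "):           # base64-encoded DN (non-ASCII or unsafe chars)
            dns.append(base64.b64decode(line[5:]).decode("utf-8"))
        elif line.startswith("dn: "):
            dns.append(line[4:])
    return dns


def build_delete_ldif(dns, attribute):
    """Build ldapmodify input that deletes every value of `attribute` from each DN."""
    records = []
    for dn in dns:
        # Plain "dn:" is only valid for safe ASCII; anything else goes back out as base64.
        if dn.isascii() and not dn.startswith((" ", ":", "<")):
            dn_line = "dn: " + dn
        else:
            dn_line = "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")
        records.append("\n".join([dn_line, "changetype: modify", "delete: " + attribute, "-"]))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Redirect this to input.txt and feed it to: ldapmodify -h server -D "cn=root" -w pass -i input.txt
    print(build_delete_ldif(parse_dns(SAMPLE_OUTPUT), "ewldapprtl-accessstates"), end="")
```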
How to create a user with a comma in the name (e.g. lastname comma firstname)
Escape it with a single backslash, like this: "lastname\, firstname". The same goes for other special characters listed in the Internet Engineering Task Force (IETF) Requests for Comments (RFCs) "2253 Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names" and "2254 The String Representation of LDAP Search Filters".
How to perform an LDAP search using SSL
An example for the ldapsearch bundled with IDS. Make sure you have a kdb containing the LDAP server's signer certificate in its trusted list:
ldapsearch -h localhost -K "e:\client.kdb" -P kdbpwd -U"cn=root" -w pwd -p 636 -Z -b "dc=com" -s sub cn=masha*
How to retrieve user passwords from one-way encoded LDAP
There is no reversing of a one-way hash. Do brute-force cracking or add a program that will capture them in the middle when people log on to the website.
How to test LDAP Access
ldapsearch -D "cn=user" -w password -b "" -s base "objectclass=*"
How to use ldapsearch command to check if ldap is working
For cygwin/openldap ldapsearch:
ldapsearch -x -D cn=root -w password -h hostname -b "" -s base "objectclass=*"
For the IBM Directory Server client:
ldapsearch -D cn=root -w password -b "" -s base "objectclass=*"