ldap interview questions
Top ldap frequently asked interview questions
I know this is more like a serverfault question than a stackoverflow question, but since serverfault isn't up yet, here I go:
I'm supposed to move an application from one redhat server to another, and without very good knowledge of the internal workings of the application, how would I move the OpenLDAP database from the one machine to the other, with schemas and all.
What files would I need to copy over? I believe the setup is pretty standard.
Source: (StackOverflow)
Is it possible to create an LDAP query which will return (or check for) users in a nested group? e.g. UserA is a member of GroupA, and GroupA is a member of GroupB. I want a query on GroupB to return that UserA is a member. LDAP only. The server is Active Directory.
Source: (StackOverflow)
I want to write an LDAP query which tests whether a user (sAMAccountName) is a member of a particular group. Is it possible to do that so that I get either 0 or 1 result records?
I guess I can get all groups for the user and test each one for a match but I was wondering if I could pack it into one LDAP expression.
Any ideas?
Thanks
Source: (StackOverflow)
I would like to know how to setup an SVN repository with LDAP authentication.
I do not want to use Apache DAV though.
Source: (StackOverflow)
I'm looking for a way to authenticate users through LDAP with PHP (with Active Directory being the provider). Ideally, it should be able to run on IIS 7 (adLDAP does it on Apache). Anyone had done anything similar, with success?
- Edit: I'd prefer a library/class with code that's ready to go... It'd be silly to invent the wheel when someone has already done so.
Source: (StackOverflow)
I know that LDAP is used to provide some information and to help facilitate authorization.
But what are the other usages of LDAP?
Source: (StackOverflow)
I have a search query in LDAP like this. What exactly does this query mean?
("CN=Dev-India,OU=Distribution Groups,DC=gp,DC=gl,DC=google,DC=com");
Source: (StackOverflow)
When I run the following command:
sudo pip install python-ldap
I get this error:
In file included from Modules/LDAPObject.c:9:
Modules/errors.h:8: fatal error: lber.h: No such file or directory
Any ideas how to fix this?
Source: (StackOverflow)
I have an Active-Directory structure where User objects reside in OU for example, IT, Technical, HR, Accounts etc.. I want to write a PHP script that authenticates the user with AD and depending on their Group to provide the aproperiate web services.
ldap_search() requires base DN.
I tried to search with
ldap_search($ldap, "dc=country,dc=company,dc=co,dc=uk", "(samaccountname=$username)", array("memberof"));
but PHP gives "Operation Error". If instead i specify the OU
ldap_search($ldap, "ou=sales,dc=country,dc=company,dc=co,dc=uk", "(samaccountname=jake)", array("memberof"));
then the search is ok.
Is there a wildcard I can use?
On a side note, should user objects be in OU at all? Because I am the noob who moved them inside in the first place!
EDIT:
With credits to JPBlanc for guiding me in the right direction and http://blog.redbranch.net/?p=76
The solution is to add 2 lines between connect and bind.
ldap_connect(..)
ldap_set_option ($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind(..)
Thanks =)
EDIT 2 - Fullcode:
<?php
namespace ldap;
abstract class AuthStatus
{
const FAIL = "Authentication failed";
const OK = "Authentication OK";
const SERVER_FAIL = "Unable to connect to LDAP server";
const ANONYMOUS = "Anonymous log on";
}
// The LDAP server
class LDAP
{
private $server = "127.0.0.1";
private $domain = "localhost";
private $admin = "admin";
private $password = "";
public function __construct($server, $domain, $admin = "", $password = "")
{
$this->server = $server;
$this->domain = $domain;
$this->admin = $admin;
$this->password = $password;
}
// Authenticate the against server the domain\username and password combination.
public function authenticate($user)
{
$user->auth_status = AuthStatus::FAIL;
$ldap = ldap_connect($this->server) or $user->auth_status = AuthStatus::SERVER_FAIL;
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapbind = ldap_bind($ldap, $user->username."@".$this->domain, $user->password);
if($ldapbind)
{
if(empty($user->password))
{
$user->auth_status = AuthStatus::ANONYMOUS;
}
else
{
$result = $user->auth_status = AuthStatus::OK;
$this->_get_user_info($ldap, $user);
}
}
else
{
$result = $user->auth_status = AuthStatus::FAIL;
}
ldap_close($ldap);
}
// Get an array of users or return false on error
public function get_users()
{
if(!($ldap = ldap_connect($this->server))) return false;
ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapbind = ldap_bind($ldap, $this->admin."@".$this->domain, $this->password);
$dc = explode(".", $this->domain);
$base_dn = "";
foreach($dc as $_dc) $base_dn .= "dc=".$_dc.",";
$base_dn = substr($base_dn, 0, -1);
$sr=ldap_search($ldap, $base_dn, "(&(objectClass=user)(objectCategory=person)(|(mail=*)(telephonenumber=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))", array("cn", "dn", "memberof", "mail", "telephonenumber", "othertelephone", "mobile", "ipphone", "department", "title"));
$info = ldap_get_entries($ldap, $sr);
for($i = 0; $i < $info["count"]; $i++)
{
$users[$i]["name"] = $info[$i]["cn"][0];
$users[$i]["mail"] = $info[$i]["mail"][0];
$users[$i]["mobile"] = $info[$i]["mobile"][0];
$users[$i]["skype"] = $info[$i]["ipphone"][0];
$users[$i]["telephone"] = $info[$i]["telephonenumber"][0];
$users[$i]["department"] = $info[$i]["department"][0];
$users[$i]["title"] = $info[$i]["title"][0];
for($t = 0; $t < $info[$i]["othertelephone"]["count"]; $t++)
$users[$i]["othertelephone"][$t] = $info[$i]["othertelephone"][$t];
// set to empty array
if(!is_array($users[$i]["othertelephone"])) $users[$i]["othertelephone"] = Array();
}
return $users;
}
private function _get_user_info($ldap, $user)
{
$dc = explode(".", $this->domain);
$base_dn = "";
foreach($dc as $_dc) $base_dn .= "dc=".$_dc.",";
$base_dn = substr($base_dn, 0, -1);
$sr=ldap_search($ldap, $base_dn, "(&(objectClass=user)(objectCategory=person)(samaccountname=".$user->username."))", array("cn", "dn", "memberof", "mail", "telephonenumber", "othertelephone", "mobile", "ipphone", "department", "title"));
$info = ldap_get_entries($ldap, $sr);
$user->groups = Array();
for($i = 0; $i < $info[0]["memberof"]["count"]; $i++)
array_push($user->groups, $info[0]["memberof"][$i]);
$user->name = $info[0]["cn"][0];
$user->dn = $info[0]["dn"];
$user->mail = $info[0]["mail"][0];
$user->telephone = $info[0]["telephonenumber"][0];
$user->mobile = $info[0]["mobile"][0];
$user->skype = $info[0]["ipphone"][0];
$user->department = $info[0]["department"][0];
$user->title = $info[0]["title"][0];
for($t = 0; $t < $info[$i]["othertelephone"]["count"]; $t++)
$user->other_telephone[$t] = $info[$i]["othertelephone"][$t];
if(!is_array($user->other_telephone[$t])) $user->other_telephone[$t] = Array();
}
}
class User
{
var $auth_status = AuthStatus::FAIL;
var $username = "Anonymous";
var $password = "";
var $groups = Array();
var $dn = "";
var $name = "";
var $mail = "";
var $telephone = "";
var $other_telephone = Array();
var $mobile = "";
var $skype = "";
var $department = "";
var $title = "";
public function __construct($username, $password)
{
$this->auth_status = AuthStatus::FAIL;
$this->username = $username;
$this->password = $password;
}
public function get_auth_status()
{
return $this->auth_status;
}
}
?>
Usage:
$ldap = new ldap\LDAP("192.168.1.123", "company.com", "admin", "mypassword");
$users = $ldap->get_users();
Source: (StackOverflow)
Should I spend time implementing LDAP for authentication in my web application(php)? Is it a 'dead' technology?
If it is what are the alternatives? and, if its not, what are good resources i can use? (books, tutorials)
Source: (StackOverflow)
I wanted the SSL Certificate of my LDAP Server which is Novell eDirectory. I have used openssl to connect to ldap to view the certificate
openssl s_client -connect 192.168.1.225:636
it is just printing the certificate how can i save this to some certificate format file?
Thanks and regards,
Sunny.
Source: (StackOverflow)
How do I authenticate against AD using Python + LDAP. I'm currently using the python-ldap library and all it is producing is tears.
I can't even bind to perform a simple query:
import sys
import ldap
Server = "ldap://my-ldap-server"
DN, Secret, un = sys.argv[1:4]
Base = "dc=mydomain,dc=co,dc=uk"
Scope = ldap.SCOPE_SUBTREE
Filter = "(&(objectClass=user)(sAMAccountName="+un+"))"
Attrs = ["displayName"]
l = ldap.initialize(Server)
l.protocol_version = 3
print l.simple_bind_s(DN, Secret)
r = l.search(Base, Scope, Filter, Attrs)
Type,user = l.result(r,60)
Name,Attrs = user[0]
if hasattr(Attrs, 'has_key') and Attrs.has_key('displayName'):
displayName = Attrs['displayName'][0]
print displayName
sys.exit()
Running this with myusername@mydomain.co.uk password username
gives me one of two errors:
Invalid Credentials
- When I mistype or intentionally use wrong credentials it fails to authenticate.
ldap.INVALID_CREDENTIALS: {'info': '80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 52e, vece', 'desc': 'Invalid credentials'}
Or
ldap.OPERATIONS_ERROR: {'info': '00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece', 'desc': 'Operations error'}
What am I missing out to bind properly?
I am getting the same errors on fedora and windows.
Source: (StackOverflow)
I've been in touch with LDAP in many projects I've been involved in but, the truth be told, I don't really understand it. I thought it was just a person directory but after I discovered that it can contain any objects in a hierarchical structure.
I installed openldap in my box and I found many tutorials regarding just the installation.
What is LDAP? What are the scenarios where LDAP is the right choice? What are the LDAP concepts I should know for working with it? What are the advantages of LDAP? Is it used just because old applications used it? Is there a good doc anywhere on internet explaining all this questions?
UPDATE:
Complementing the answers I found this link which contains a quick start guide for LDAP newbie like me.
Source: (StackOverflow)
I have a simple task of authenticating against Active Directory using Java. Just verifying credentials and nothing else. Let's say my domain is "fun.xyz.tld", OU path is unknown, and username/password is testu/testp.
I know there's a few Java libraries out there that simplify this task, but I wasn't successful at implementing them. Most examples that I've found addressed LDAP in general, not specifically Active Directory. Issuing LDAP request means sending an OU path in it, which I don't have. Also, the application that issues LDAP request should be already bound to Active Directory in order to access it... Insecure, since the credentials would have to be stored someplace discoverable. I would like a test bind with test credentials, if possible - this would mean that account is valid.
Last, if possible, is there a way to make such authentication mechanism encrypted? I know that AD uses Kerberos, but not sure if Java's LDAP methods do.
Does anyone has an example of working code? Thanks.
Source: (StackOverflow)