Browse LDAP
This tutorial shows you how to use Apache Directory Studio to browse LDAP. Only system administrators have access to the credentials needed for part of this tutorial. It also assumes you already have SSH access to Tardis set up.
Getting the software
First, you'll need to grab Apache Directory Studio from the Apache Directory website. It's available for Linux, Windows and macOS, so don't worry. This tutorial uses macOS Sierra, but the steps are much the same on other platforms.
macOS tip: if you have Homebrew, just run this command: brew install apache-directory-studio
Once you've got that installed (if you're a macOS user, you may run across this issue), run the software.
Finding the main interface
Right now you should be presented with the below welcome screen.
Hit the close button next to the Welcome tab (highlighted above) to get access to the main interface.
Adding a connection
Go to File -> New, and then pick the LDAP Connection wizard. It is filed under LDAP Browser.
Choosing LDAP Connection brings up the screen below:
Setting the Network Parameters
Set the name to Tardis localhost:1389. You may be wondering, why are we writing localhost? Isn't the LDAP server on Tardis?
Yes, the LDAP server is on Tardis, but it sits behind the firewall. We'll use SSH local port forwarding through the Tardis SSH host to reach the LDAP VM on the Tardis network. Run this command to start the port forward:
ssh -NL 1389:ldap:389 ssh.tardis.ed.ac.uk
- -N: Do not execute a remote command. This is what you want when you only need the port forward and not a shell on the machine.
- -L 1389:ldap:389: Listen on port 1389 of localhost; every connection made to it is carried over the SSH session and opened by ssh.tardis.ed.ac.uk to port 389 on the host called ldap (that name is resolved on the SSH server's side, not on your machine). Only the leg from your machine to the SSH host is encrypted by SSH; the leg from there to ldap:389 is plain LDAP on the Tardis network, which is exactly why that port stays behind the firewall.
We use 1389 locally instead of 389 because ports below 1024 are privileged: binding one needs root (sudo), and there is no reason to run ssh as root just for this.
Once you run the command, you may be prompted for a password, depending on how your SSH access is set up. You'll then see the welcome message, and then nothing: the session just sits there holding the tunnel open. This is good; leave that terminal running. If instead ssh prints an "Address already in use" warning, something else is already listening on 1389 and ssh will by default carry on without the forward; stop it and pick another port above 1024.
On the wizard, for the Hostname, type in localhost. For the Port, type in 1389. This is what your screen should look like:
Leave the other options as default, and press Next.
Get the LDAP password
There are two ways to get the password and binddn.
Way 1: Get Password From LDAP Server
- SSH to the LDAP server:
ssh root@jellybaby
- Start reading the LDAP config file:
less /etc/ldap/slapd.conf
- Scroll down to the bottom (use page down / arrow keys).
- Find the line
rootpw "XXXXXXXXXXX"
to get the password, and rootdn for the DN.
Two caveats. rootdn is the directory superuser and bypasses slapd's access control entirely, so anything you change in Directory Studio while bound as it takes effect immediately; prefer the account from Way 2 for day-to-day browsing. And rootpw may be stored as a hash (a value beginning with {SSHA} or similar) rather than in the clear, in which case this way gives you nothing usable and you need Way 2.
Way 2: Get Password From Shell Server
This works if you already have root access on the shell server.
We'll be grabbing these details from the LDAP config file on Fez. Open up SSH and read the /etc/tardis/ldap.conf file. You will need root privileges to do this, so use sudo cat /etc/tardis/ldap.conf.
The file is made of key/value pairs grouped into categories. It should look a little bit like this:
[server]
...
binddn=some=stuff,exists=here
bindpw=and,the,secure,password,here
...
[server] is the server category, binddn has the value some=stuff,exists=here, and bindpw has the value and,the,secure,password,here. The ellipsis just represents that there may be other key/value pairs in the file. Note that the DN itself contains = and , characters: copy everything after the first = sign on the binddn line, not just up to the next one.
Authentication
This screen asks for the details for Simple Authentication. In the wizard, fill in the Bind DN or user field with the binddn value, and the password field with the bindpw value. Click Check Authentication and make sure it succeeds. Simple authentication sends the password as plain text on the LDAP connection, which is acceptable here only because that connection runs inside the SSH tunnel.
Press Finish, and you should be in!
Connecting again
All of that was just a one-time setup. In the future, when you start Apache Directory Studio, you just need to run
ssh -NL 1389:ldap:389 ssh.tardis.ed.ac.uk
and then select the connection in the bottom-left hand side of the main window.
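Here is the whole repeat procedure as a script: it starts the port forward from the Network Parameters section, pulls binddn and bindpw out of a file with the layout described under Way 2, and checks the bind with ldapsearch before you open Directory Studio. This is an added example, not part of the original page or a Tardis tool. It assumes the OpenLDAP client tools (ldapsearch) are installed on your machine, that the config file uses the INI-style key=value layout shown above with no spaces around =, and it uses the page's hostnames. The sample config it can write is constructed here for trying the parser; the real file is /etc/tardis/ldap.conf on Fez.

```shell
#!/bin/sh
# Added example, not Tardis tooling: set up the SSH port forward from this page,
# read binddn/bindpw from an ldap.conf-style file, and verify the bind with
# ldapsearch before opening Apache Directory Studio.
# Assumptions: ldapsearch (OpenLDAP client tools) is installed locally; the
# config file is INI-style key=value with no spaces around '='; hostnames are
# the ones used on this page.

LOCAL_PORT=1389
BASTION=ssh.tardis.ed.ac.uk
REMOTE=ldap:389

# Unprivileged ports are 1024-65535; below that, binding needs root, which is
# why the page forwards 1389 rather than 389.
check_local_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Start the forward in the background. -f backgrounds ssh only after
# authentication and the listener are set up; ExitOnForwardFailure makes ssh
# exit non-zero instead of quietly running with no forward when the local
# port is already taken (the default is to carry on without it).
start_tunnel() {
    check_local_port "$LOCAL_PORT" || { echo "bad local port: $LOCAL_PORT" >&2; return 1; }
    ssh -f -N -o ExitOnForwardFailure=yes -L "$LOCAL_PORT:$REMOTE" "$BASTION"
}

# Read one key from the [server] section of an INI-style file. Only the first
# match inside [server] is returned; the same key under another section is
# ignored. The value is everything after the first '=', so DNs containing
# '=' and ',' (as on this page) come through intact.
ldap_conf_get() {  # usage: ldap_conf_get FILE KEY
    awk -v key="$2" '
        /^\[/ { insection = ($0 == "[server]"); next }
        insection && index($0, key "=") == 1 { print substr($0, length(key) + 2); exit }
    ' "$1"
}

# Simple bind against the forwarded port, reading the rootDSE naming contexts.
# The password goes through a 0600 temp file and -y rather than -w, so it
# never shows up in `ps` output or shell history. printf '%s' writes no
# trailing newline: ldapsearch -y uses the file contents verbatim, and a
# newline would become part of the password.
check_bind() {  # usage: check_bind CONF
    binddn=$(ldap_conf_get "$1" binddn)
    passfile=$(mktemp) || return 1
    chmod 600 "$passfile"
    printf '%s' "$(ldap_conf_get "$1" bindpw)" > "$passfile"
    ldapsearch -x -H "ldap://localhost:$LOCAL_PORT" -D "$binddn" -y "$passfile" \
        -s base -b '' namingContexts
    status=$?
    rm -f "$passfile"
    return $status
}

# Constructed sample in the layout the page shows, for trying the parser
# without root on Fez; the real file is /etc/tardis/ldap.conf.
write_sample_conf() {  # usage: write_sample_conf FILE
    cat > "$1" <<'EOF'
[server]
host=ldap
binddn=some=stuff,exists=here
bindpw=and,the,secure,password,here
EOF
}

# Only run the live check when explicitly asked, e.g.
#   LDAP_CHECK=1 sh ldap_check.sh ~/.tardis-ldap.conf
if [ "${LDAP_CHECK:-0}" = 1 ]; then
    start_tunnel && check_bind "${1:-/etc/tardis/ldap.conf}"
fi
```

Because the real ldap.conf is root-only on Fez and the tunnel runs from your own machine, the practical way to use this is to copy just the binddn= and bindpw= lines under a [server] header into a file on your machine with mode 0600 and run LDAP_CHECK=1 sh ldap_check.sh that_file. Passing the password via -y rather than -w matters: anything on a command line is visible to every user on the box through ps and ends up in your shell history.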
Tips & Tricks
- Clear groups cache using sudo nscd --invalidate=group