Browse LDAP

From Tardis

This tutorial shows you how to use Apache Directory Studio to browse LDAP. Only system administrators will have access to the credentials required to get through a part of this tutorial. This tutorial also assumes you have SSH all set up.

Getting the software

First, you'll need to grab Apache Directory Studio from the Apache Directory website. It's available for Linux, Windows, and macOS, so don't worry. This tutorial uses macOS Sierra, but it should be fairly straightforward on other platforms.

macOS tip: if you have Homebrew, just run this command: brew install apache-directory-studio

Once you've got that installed (if you're a macOS user, you may run across this issue), run the software.

Finding the main interface

Right now you should be presented with the below welcome screen.

LDAP Welcome Screen

Hit the close button next to the Welcome tab (highlighted above) to get access to the main interface.

LDAP Main Interface

Adding a connection

Go to File -> New, and then navigate to the LDAP Connection wizard. It should be filed under LDAP Browser.

Select LDAP Wizard

Navigating to LDAP Connection will bring us to the below screen:

New LDAP Connection

Setting the Network Parameters

Set the name to Tardis localhost:1389. You may be wondering, why are we writing localhost? Isn't the LDAP server on Tardis?

Yes, the LDAP server is on Tardis, but it is behind the firewall. We'll be using SSH port forwarding to get a connection through to the LDAP VM on the Tardis network. Run this command to start SSH port forwarding.

ssh -NL 1389:ldap:389

  • -N: This means we do not want to execute a remote command. This is useful when all we want is the port forwarding, since we don't also need a shell on the machine.
  • -L 1389:ldap:389: This means that every connection to port 1389 on localhost is carried over the SSH session and delivered to port 389 on the host named ldap, as that name resolves from the remote side (i.e. inside the Tardis network).

The reason we use 1389 locally instead of 389 is that binding a port below 1024 requires root privileges, so 389 would need sudo.

Once you run the command, depending on how you have things set up, you will be prompted for a password. You'll then receive the welcome message, and then nothing further will happen. This is good: the session stays open and keeps the tunnel alive until you close it.

On the wizard, for the Hostname, type in localhost. For the Port, type in 1389. This is what your screen should look like:

New LDAP Connection Filled

Leave the other options as default, and press Next.

Get the LDAP password

There are two ways to get the password and binddn.

Way 1: Get Password From LDAP Server

  1. SSH to the LDAP server: ssh root@jellybaby
  2. Start reading the LDAP config file: less /etc/ldap/slapd.conf
  3. Scroll down to the bottom (use page down / arrow keys)
  4. Find rootpw "XXXXXXXXXXX" to get the password, and rootdn for the dn

Way 2: Get Password From Shell Server

This works if you already have root access on the shell server.

We'll be grabbing these details from the LDAP config file on Fez. SSH to Fez and read the /etc/tardis/ldap.conf file. You will need root privileges to do this, so use sudo cat.

The file is made up of categories (section headers) containing key/value pairs. It should look a little bit like this:

  • [server] is the server category
  • binddn has the value some=stuff,exists=here
  • bindpw has the value and,the,secure,password,here
  • ...

The ellipsis just represents that there may be other key/value pairs in the file.
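As an added example (not code from the Tardis wiki), the script below reads the binddn and bindpw out of a file laid out like the one above and also reports whether that file is readable by anyone other than its owner, which is the reason the tutorial needs sudo to read it. It assumes INI syntax with "key = value" lines, and the sample contents are constructed, not a real Tardis configuration.

```python
import configparser
import os
import stat
import tempfile

# Constructed sample mirroring the layout described for /etc/tardis/ldap.conf.
# The "key = value" INI syntax is an assumption; the real file may differ.
SAMPLE_CONF = """\
[server]
binddn = cn=admin,dc=example,dc=org
bindpw = and,the,secure,password,here
"""

def parse_ldap_conf(text):
    """Return binddn and bindpw from the [server] section.

    configparser splits a line only on its first '=' so a DN such as
    cn=admin,dc=example,dc=org keeps its embedded '='; interpolation is
    off so a '%' in the password is not treated as a template.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    if not cp.has_section("server"):
        raise ValueError("no [server] section")
    server = cp["server"]
    missing = [k for k in ("binddn", "bindpw") if k not in server]
    if missing:
        raise ValueError("missing keys in [server]: " + ", ".join(missing))
    return {"binddn": server["binddn"], "bindpw": server["bindpw"]}

def insecure_mode_problems(path):
    """List the ways the file holding bindpw is readable beyond its owner.
    (This is why the tutorial needs sudo cat: a group- or world-readable
    bind password file hands the credential to every local user.)"""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    problems = []
    if mode & stat.S_IRGRP:
        problems.append("group-readable")
    if mode & stat.S_IROTH:
        problems.append("world-readable")
    return problems

def write_sample(mode=0o600):
    """Write SAMPLE_CONF to a temp file with the given mode; return its path."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_CONF)
    os.chmod(path, mode)
    return path
```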

This screen requires us to provide the details for Simple Authentication. On the wizard, fill in the Bind DN or user field with the binddn value, and fill the password field with the bindpw value. Hit Check Authentication and make sure everything works fine.

LDAP Authentication

Press Finish, and you should be in!

Browsing LDAP

Connecting again

All of that was just a one-time setup. In the future, when you start Apache Directory Studio, you just need to run ssh -NL 1389:ldap:389 again (the tunnel is not kept between sessions), and then select the connection in the bottom-left hand side of the main window.

LDAP Connecting Again

Tips & Tricks

  • Clear groups cache using sudo nscd --invalidate=group