LDAP - Lightweight Directory Access Protocol
=================================================

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is LDAP?**

   LDAP is a protocol used to access and manage directory services over a network. A directory service is a specialized database optimized for reading, searching, and browsing rather than for frequent updates.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Why is LDAP useful?**

   * Centralizes user information: one place to manage users, groups, and permissions
   * Supports authentication: used by login systems (e.g., corporate logins)
   * Is scalable: works well for small to very large organizations
   * Is standardized: supported by many systems (Windows, Linux, macOS, etc.)

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How does it work?**

   * The client connects to the LDAP server
   * Authentication: the client may bind (log in) using credentials
   * Search or query: the client sends a query
   * The LDAP server responds with the requested information
   * The client disconnects (unbinds) when done

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Where is LDAP used?**

   * Enterprise networks (e.g., Microsoft Active Directory)
   * Email systems (e.g., Microsoft Exchange, Zimbra)
   * Single Sign-On (SSO) systems
   * Web applications for user authentication

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **Why is LDAP an Application Layer (OSI Layer 7) protocol?**

   * Provides network services directly to end-user applications
   * Runs on top of TCP/IP (typically port 389 for LDAP, 636 for LDAPS)
   * Defines how data is structured and exchanged, not how it is transported
.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is a directory in LDAP?**

   A directory is a hierarchical database that stores structured information, typically about users, groups, devices, and services.

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is LDAP used for?**

   * Centralized authentication (e.g., login credentials)
   * Storing user/group information
   * Directory lookups (email, phone, etc.)
   * Integration with apps (Active Directory, OpenLDAP)

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What are common LDAP operations?**

   * **Bind**: Authenticate a user
   * **Search**: Query for entries
   * **Compare**: Check an attribute value
   * **Add / Modify / Delete**: Manage entries

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What's the difference between LDAP and LDAPS?**

   * **LDAP**: Transmits data in plaintext (insecure)
   * **LDAPS**: Uses SSL/TLS encryption for secure communication

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **How can we secure an LDAP server?**

   * Use LDAPS (TLS/SSL)
   * Disable anonymous bind (if not needed)
   * Implement access control rules
   * Regularly audit logs

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What is the working flow of LDAP?**

   * **User Requests Access**: A user tries to log in to an app/service (e.g., email, web app)
   * **App Sends Credentials to LDAP Server**
   * **LDAP Server Searches for User's DN**
   * **LDAP Verifies Password**
   * **App Receives Response** (success/failure)
   * **App Grants or Denies Access** (may check group membership too)

.. panels::
   :container: container pb-4
   :column: col-lg-12 p-2
   :card: shadow

   **What are the real-time applications of LDAP?**

   * User Authentication and Single Sign-On (SSO)
   * Centralized User Management
   * Integration with Active Directory
   * Application Authorization
   * Email Systems
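The panels above describe the client/server exchange (connect, bind, search, unbind), the working flow of an application login (bind, look up the user's DN, verify the password), and the fact that plain LDAP on port 389 carries everything in cleartext. The following is an added example, not code from the original page or from OpenLDAP: a small Python encoder and decoder for the LDAPv3 BER messages defined in RFC 4511. The DN ``cn=admin,dc=nodomain``, the password ``adminpassword`` and the user ``john``/``test123`` are the constructed values the setup steps on this page use; everything else (the helper names, the message sequence in ``login_exchange``) is an assumption made for the example. ``decode_bind`` recovers the same fields Wireshark's ``ldap`` dissector or ``tcpdump -X`` would show, which is why the bind credentials must be protected with LDAPS (or StartTLS) rather than sent over plain port 389.

```python
"""Minimal BER encoder/decoder for the LDAPv3 messages (RFC 4511) that the
client commands on this page send to TCP port 389. Added example, not code
from the page or from OpenLDAP; DN, password and filter values are
constructed to match the page's ldapwhoami/ldapsearch commands."""
from typing import Dict, List, Optional

SEQ, INT, ENUM, BOOL, OCTETS = 0x30, 0x02, 0x0A, 0x01, 0x04
APP_BIND_REQ, APP_UNBIND_REQ, APP_SEARCH_REQ = 0x60, 0x42, 0x63     # [APPLICATION 0/2/3]
CTX_SIMPLE_AUTH, CTX_FILTER_PRESENT, CTX_FILTER_EQ = 0x80, 0x87, 0xA3  # [0], [7], [3]


def ber_len(n: int) -> bytes:
    """BER length: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + ber_len(len(content)) + content


def ber_int(n: int, tag: int = INT) -> bytes:
    """Non-negative INTEGER/ENUMERATED in minimal two's-complement form."""
    return tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def octets(s: str, tag: int = OCTETS) -> bytes:
    return tlv(tag, s.encode())


def ldap_message(msg_id: int, protocol_op: bytes) -> bytes:
    """LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp CHOICE {...} }"""
    return tlv(SEQ, ber_int(msg_id) + protocol_op)


def bind_request(msg_id: int, dn: str, password: str) -> bytes:
    """Simple bind: version 3, the DN, and the password as a bare OCTET STRING."""
    op = ber_int(3) + octets(dn) + octets(password, CTX_SIMPLE_AUTH)
    return ldap_message(msg_id, tlv(APP_BIND_REQ, op))


def search_request(msg_id: int, base: str, attr: str, value: Optional[str] = None) -> bytes:
    """Subtree search for (attr=value), or the presence filter (attr=*) when value is None."""
    flt = octets(attr, CTX_FILTER_PRESENT) if value is None else \
        tlv(CTX_FILTER_EQ, octets(attr) + octets(value))
    op = (octets(base)
          + ber_int(2, ENUM) + ber_int(0, ENUM)      # scope wholeSubtree, neverDerefAliases
          + ber_int(0) + ber_int(0)                  # no size / time limit
          + tlv(BOOL, b"\x00")                       # typesOnly = FALSE
          + flt + tlv(SEQ, b""))                     # empty attribute list = all user attributes
    return ldap_message(msg_id, tlv(APP_SEARCH_REQ, op))


def unbind_request(msg_id: int) -> bytes:
    """UnbindRequest is [APPLICATION 2] NULL; ldap-utils send it after each command."""
    return ldap_message(msg_id, tlv(APP_UNBIND_REQ, b""))


def login_exchange(user: str, user_password: str) -> List[bytes]:
    """Client side of the page's working flow (assumed sequence): the application
    binds with its own account, searches for the user's DN, binds as that DN to
    verify the password, then unbinds."""
    return [bind_request(1, "cn=admin,dc=nodomain", "adminpassword"),
            search_request(2, "dc=nodomain", "uid", user),
            bind_request(3, f"uid={user},dc=nodomain", user_password),
            unbind_request(4)]


def read_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV at buf[pos]; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_bind(packet: bytes) -> Dict[str, object]:
    """What a dissector (Wireshark's 'ldap' filter, tcpdump -X) recovers from a
    simple BindRequest on port 389: the credentials are in the clear."""
    tag, body, _ = read_tlv(packet)
    if tag != SEQ:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    if op_tag != APP_BIND_REQ:
        raise ValueError("not a BindRequest")
    _, version, pos = read_tlv(op)
    _, name, pos = read_tlv(op, pos)
    auth_tag, cred, _ = read_tlv(op, pos)
    return {"messageID": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode(),
            "authentication": "simple" if auth_tag == CTX_SIMPLE_AUTH else "sasl",
            "credentials": cred.decode(errors="replace")}


if __name__ == "__main__":
    for pkt in login_exchange("john", "test123"):
        print(pkt.hex(" "))
    print(decode_bind(login_exchange("john", "test123")[2]))
```

Running the block prints the four client messages as hex, in the order a capture on port 389 would show them, and then the decoded third message with ``uid=john,dc=nodomain`` and ``test123`` readable as plain bytes; the ``BindResponse``/``SearchResultEntry`` messages the server returns are not modelled here.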
Topics in this section:

* :ref:`Learnings in this section <LDAP_step1>`
* :ref:`Terminology <LDAP_step2>`
* :ref:`Version Info <LDAP_step3>`
* :ref:`LDAP Version & RFC Details <LDAP_step5>`
* :ref:`LDAP Basic Setup on Ubuntu using IPv4 <LDAP_step18>`
* :ref:`LDAP Basic Setup on Ubuntu using IPv6 <LDAP_step19>`
* :ref:`LDAP Protocol Packet Details <LDAP_step6>`
* :ref:`LDAP Usecases <LDAP_step7>`
* :ref:`LDAP Basic Features <LDAP_step8>`
* :ref:`LDAP Feature : Hierarchical Structure <LDAP_step9>`
* :ref:`LDAP Feature : Standard Protocol <LDAP_step10>`
* :ref:`LDAP Feature : Centralized Authentication <LDAP_step11>`
* :ref:`LDAP Feature : Scalability <LDAP_step12>`
* :ref:`LDAP Feature : Flexible Schema <LDAP_step13>`
* :ref:`LDAP Feature : Access Control <LDAP_step14>`
* :ref:`LDAP Feature : Replication <LDAP_step15>`
* :ref:`LDAP Feature : Search Capabilities <LDAP_step16>`
* :ref:`Reference links <LDAP_step17>`

.. _LDAP_step1:

.. tab-set::

   .. tab-item:: Learnings in this section

      * In this section, you are going to learn

.. _LDAP_step2:

.. tab-set::

   .. tab-item:: Terminology

      * Terminology

.. _LDAP_step3:

.. tab-set::

   .. tab-item:: Version Info

      * Version Info

.. _LDAP_step5:

.. tab-set::

   .. tab-item:: LDAP Version & RFC Details

      .. csv-table::
         :file: ./LDAP/LDAP_RFC.csv
         :widths: 10,10,10,30
         :header-rows: 1

.. _LDAP_step18:

.. tab-set::

   .. tab-item:: LDAP Basic Setup on Ubuntu using IPv4

      **LDAP Basic Test Case**

      * To set up and validate an **LDAP (Lightweight Directory Access Protocol)** environment over **IPv4** using two Ubuntu virtual machines, where one acts as the **LDAP server** and the other as the **LDAP client**, and to verify directory operations through packet captures (tcpdump/Wireshark).

      * Step-1: Network Setup

        * On **VM1 (Server)**:

          .. code-block:: shell

             test:~$ sudo ip addr add 192.168.2.1/24 dev enp0s8   # replace enp0s8 with your interface name
             test:~$ ip a
             test:~$ ping 192.168.2.10                            # ping the VM2 (client) address

        * On **VM2 (Client)**:

          .. code-block:: shell

             test:~$ sudo ip addr add 192.168.2.10/24 dev enp0s8
             test:~$ ip a
             test:~$ ping 192.168.2.1

      * Step-2: Install Services

        * On **VM1 (Server)**:
          .. code-block:: shell

             test:~$ sudo apt update
             test:~$ sudo apt install -y slapd ldap-utils

        * During setup:

          * Set the admin password (example: ``yourname``)
          * Set the domain: ``dc=nodomain`` (or ``dc=example,dc=com``)

        * On **VM2 (Client)**:

          .. code-block:: shell

             test:~$ sudo apt update
             test:~$ sudo apt install -y ldap-utils

      * Step-3: Verify Connection

        * On **VM2 (Client)**:

          .. code-block:: shell

             test:~$ nc -vz 192.168.2.1 389   # IP of the server

        * Expected: connection established.

      * Step-4: Check LDAP Suffix

        * On **VM1 (Server)**:

          .. code-block:: shell

             test:~$ sudo slapcat | grep dn:

        * Example output::

             dn: dc=nodomain
             dn: cn=admin,dc=nodomain

      * Step-5: Capture Packets with tcpdump

        * On **VM1 (Server)** (options go before the capture filter):

          .. code-block:: shell

             test:~$ sudo tcpdump -i enp0s8 -vv -X tcp port 389

      * Step-6: Run LDAP Commands

        * On **VM2 (Client)**:

        * BindRequest / BindResponse:

          .. code-block:: shell

             test:~$ ldapwhoami -x -H ldap://192.168.2.1 -D "cn=admin,dc=nodomain" -w adminpassword

        * SearchRequest / SearchResult:

          .. code-block:: shell

             test:~$ ldapsearch -x -H ldap://192.168.2.1 -b "dc=nodomain"

        * AddRequest / AddResponse:

          .. code-block:: shell

             test:~$ sudo nano add.ldif

          Example ``add.ldif``:

          .. code-block:: text

             dn: uid=john,dc=nodomain
             objectClass: inetOrgPerson
             cn: John Doe
             sn: Doe
             uid: john
             userPassword: test123

          .. code-block:: shell

             test:~$ ldapadd -x -H ldap://192.168.2.1 -D "cn=admin,dc=nodomain" -w adminpassword -f add.ldif   # replace adminpassword with the admin password set during slapd setup

        * ModifyRequest / ModifyResponse:

          .. code-block:: shell

             test:~$ sudo nano modify.ldif

          Example ``modify.ldif``:

          .. code-block:: text

             dn: uid=john,dc=nodomain
             changetype: modify
             replace: description
             description: Updated entry

          .. code-block:: shell

             test:~$ ldapmodify -x -H ldap://192.168.2.1 -D "cn=admin,dc=nodomain" -w adminpassword -f modify.ldif

        * DelRequest / DelResponse:

          .. code-block:: shell

             test:~$ ldapdelete -x -H ldap://192.168.2.1 -D "cn=admin,dc=nodomain" -w adminpassword "uid=john,dc=nodomain"

        * UnbindRequest:

          * Sent automatically after each command.

      * Step-7: Capture Packets with Wireshark

        * Start Wireshark on **VM1 (Server)** or your host.
        * Select the correct interface (e.g., ``enp0s8``).
        * Apply a display filter (either of the following):

          .. code-block:: text

             tcp.port == 389
             ldap

        * Run the LDAP commands from **VM2 (Client)**.
        * Observe these packets in Wireshark:

          * BindRequest / BindResponse
          * SearchRequest / SearchResult
          * AddRequest / AddResponse
          * ModifyRequest / ModifyResponse
          * DelRequest / DelResponse
          * UnbindRequest

      * Step-8: Wireshark Capture.

        :download:`Download wireshark capture `

.. _LDAP_step19:

.. tab-set::

   .. tab-item:: LDAP Basic Setup on Ubuntu using IPv6

      **LDAP Basic Test Case**

      * To set up and validate an **LDAP (Lightweight Directory Access Protocol)** environment over **IPv6** using two Ubuntu virtual machines, where one acts as the **LDAP server** and the other as the **LDAP client**, and to verify directory operations through packet captures (tcpdump/Wireshark).

      * Step-1: Network Setup

        * On **VM1 (Server)**:

          .. code-block:: shell

             test:~$ sudo ip addr add 2001:db8:1::1/64 dev enp0s8   # replace enp0s8 with your interface name
             test:~$ ip a
             test:~$ ping 2001:db8:1::2                             # ping the VM2 (client) address

        * On **VM2 (Client)** (the client gets its own address, ``::2``):

          .. code-block:: shell

             test:~$ sudo ip addr add 2001:db8:1::2/64 dev enp0s8
             test:~$ ip a
             test:~$ ping 2001:db8:1::1

      * Step-2: Install Services

        * On **VM1 (Server)**:
          .. code-block:: shell

             test:~$ sudo apt update
             test:~$ sudo apt install -y slapd ldap-utils

        * During setup:

          * Set the admin password (example: ``yourname``)
          * Set the domain: ``dc=nodomain`` (or ``dc=example,dc=com``)

        * On **VM2 (Client)**:

          .. code-block:: shell

             test:~$ sudo apt update
             test:~$ sudo apt install -y ldap-utils

      * Step-3: Verify Connection

        * On **VM2 (Client)**:

          .. code-block:: shell

             test:~$ nc -vz 2001:db8:1::1 389   # IPv6 address of the server

        * Expected: connection established.

      * Step-4: Check LDAP Suffix

        * On **VM1 (Server)**:

          .. code-block:: shell

             test:~$ sudo slapcat | grep dn:

        * Example output::

             dn: dc=nodomain
             dn: cn=admin,dc=nodomain

      * Step-5: Capture Packets with tcpdump

        * On **VM1 (Server)** (options go before the capture filter):

          .. code-block:: shell

             test:~$ sudo tcpdump -i enp0s8 -vv -X tcp port 389

      * Step-6: Run LDAP Commands

        * On **VM2 (Client)** (an IPv6 literal in an LDAP URL must be enclosed in square brackets):

        * BindRequest / BindResponse:

          .. code-block:: shell

             test:~$ ldapwhoami -x -H "ldap://[2001:db8:1::1]" -D "cn=admin,dc=nodomain" -w adminpassword

        * SearchRequest / SearchResult:

          .. code-block:: shell

             test:~$ ldapsearch -x -H "ldap://[2001:db8:1::1]" -b "dc=nodomain"

        * AddRequest / AddResponse:

          .. code-block:: shell

             test:~$ sudo nano add.ldif

          Example ``add.ldif``:

          .. code-block:: text

             dn: uid=john,dc=nodomain
             objectClass: inetOrgPerson
             cn: John Doe
             sn: Doe
             uid: john
             userPassword: test123

          .. code-block:: shell

             test:~$ ldapadd -x -H "ldap://[2001:db8:1::1]" -D "cn=admin,dc=nodomain" -w adminpassword -f add.ldif   # replace adminpassword with the admin password set during slapd setup

        * ModifyRequest / ModifyResponse:

          .. code-block:: shell

             test:~$ sudo nano modify.ldif

          Example ``modify.ldif``:

          .. code-block:: text

             dn: uid=john,dc=nodomain
             changetype: modify
             replace: description
             description: Updated entry

          .. code-block:: shell

             test:~$ ldapmodify -x -H "ldap://[2001:db8:1::1]" -D "cn=admin,dc=nodomain" -w adminpassword -f modify.ldif

        * DelRequest / DelResponse:

          .. code-block:: shell

             test:~$ ldapdelete -x -H "ldap://[2001:db8:1::1]" -D "cn=admin,dc=nodomain" -w adminpassword "uid=john,dc=nodomain"

        * UnbindRequest:

          * Sent automatically after each command.

      * Step-7: Capture Packets with Wireshark

        * Start Wireshark on **VM1 (Server)** or your host.
        * Select the correct interface (e.g., ``enp0s8``).
        * Apply a display filter (either of the following):

          .. code-block:: text

             tcp.port == 389
             ldap

        * Run the LDAP commands from **VM2 (Client)**.
        * Observe these packets in Wireshark:

          * BindRequest / BindResponse
          * SearchRequest / SearchResult
          * AddRequest / AddResponse
          * ModifyRequest / ModifyResponse
          * DelRequest / DelResponse
          * UnbindRequest

      * Step-8: Wireshark Capture.

        :download:`Download wireshark capture `

.. _LDAP_step6:

.. tab-set::

   .. tab-item:: LDAP Protocol Packet Details

      **LDAP BIND REQUEST Packet**

      .. csv-table::
         :file: ./LDAP/LDAP_Bind_Request_Packet.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **LDAP BIND RESPONSE Packet**

      .. csv-table::
         :file: ./LDAP/LDAP_Bind_Response_PAcket.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **LDAP SEARCH REQUEST Packet**

      .. csv-table::
         :file: ./LDAP/LDAP_Search_Request_Packet.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **LDAP SEARCH ENTRY RESPONSE Packet**

      .. csv-table::
         :file: ./LDAP/LDAP_Search_Entry_Response_Packet.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **LDAP SEARCH DONE RESPONSE Packet**

      .. csv-table::
         :file: ./LDAP/LDAP_Search_Done_Response_Packet.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **LDAP MODIFY REQUEST Packet**

      .. csv-table::
         :file: ./LDAP/LDAP_Modify_Request_Packet.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **LDAP MODIFY RESPONSE Packet**

      .. csv-table::
         :file: ./LDAP/LDAP_Modify_Response_Packet.csv
         :widths: 10,20,30,10
         :header-rows: 1

      **LDAP UNBIND REQUEST Packet**

      .. csv-table::
         :file: ./LDAP/LDAP_Unbind_Request_Packet.csv
         :widths: 10,20,30,10
         :header-rows: 1

.. _LDAP_step7:

.. tab-set::

   .. tab-item:: LDAP Usecases

      .. csv-table::
         :file: ./LDAP/LDAP_Use_Cases.csv
         :widths: 10,20,30
         :header-rows: 1

.. _LDAP_step8:

.. tab-set::

   .. tab-item:: LDAP Basic Features

      .. csv-table::
         :file: ./LDAP/LDAP_Features.csv
         :widths: 10,10,30
         :header-rows: 1

.. _LDAP_step9:

.. tab-set::

   .. tab-item:: LDAP Feature : Hierarchical Structure

      **Hierarchical Structure - Testcases**
      .. csv-table::
         :file: ./LDAP/LDAP_Feature1_Hirerarchical_structure_Test_Cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _LDAP_step10:

.. tab-set::

   .. tab-item:: LDAP Feature : Standard Protocol

      **Standard Protocol - Testcases**

      .. csv-table::
         :file: ./LDAP/LDAP_Feature2_standard_protocol_Test_Cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _LDAP_step11:

.. tab-set::

   .. tab-item:: LDAP Feature : Centralized Authentication

      **Centralized Authentication - Testcases**

      .. csv-table::
         :file: ./LDAP/LDAP_Feature3_Centralized_Authentication_Test_Cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _LDAP_step12:

.. tab-set::

   .. tab-item:: LDAP Feature : Scalability

      **Scalability - Testcases**

      .. csv-table::
         :file: ./LDAP/LDAP_Feature4_Scalability_Test_Cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _LDAP_step13:

.. tab-set::

   .. tab-item:: LDAP Feature : Flexible Schema

      **Flexible Schema - Testcases**

      .. csv-table::
         :file: ./LDAP/LDAP_Feature5_Flexible_schema_Test_Cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _LDAP_step14:

.. tab-set::

   .. tab-item:: LDAP Feature : Access Control

      **Access Control - Testcases**

      .. csv-table::
         :file: ./LDAP/LDAP_Feature6_Access_control_Test_Cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _LDAP_step15:

.. tab-set::

   .. tab-item:: LDAP Feature : Replication

      **Replication - Testcases**

      .. csv-table::
         :file: ./LDAP/LDAP_Feature7_Replication_Test_Cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _LDAP_step16:

.. tab-set::

   .. tab-item:: LDAP Feature : Search Capabilities

      **Search Capabilities - Testcases**

      .. csv-table::
         :file: ./LDAP/LDAP_Feature8_Search_Capabilities_Test_Cases.csv
         :widths: 10,10,30,20
         :header-rows: 1

.. _LDAP_step17:

.. tab-set::

   .. tab-item:: Reference links

      * Reference links
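Step 6 of the IPv4 and IPv6 setups above feeds ``ldapadd``/``ldapmodify`` an LDIF file, and the "How can we secure an LDAP server?" panel lists the hardening points (LDAPS, no anonymous bind, access control). The following is an added example, not code from the original page or from OpenLDAP: a small Python parser for the LDIF subset those files use (folded lines, ``::`` base64 values, ``changetype: modify`` with ``-``-separated operations), followed by two defender-side checks over the parsed records. The ``add.ldif``/``modify.ldif`` text is constructed from the page's examples (with ``cn`` given base64-encoded to exercise the ``::`` form); the ``cn=config`` fragments are a hypothetical ``slapcat -n 0`` style export, where the ``olcDisallows``, ``olcRequires``, ``olcSecurity`` and ``olcTLSCertificateFile`` attribute names are OpenLDAP's but the values and the certificate path are assumptions made for the example.

```python
"""LDIF parser (RFC 2849 subset) plus two checks over the parsed records.
Added example, not code from the page or from OpenLDAP."""
import base64
from typing import Dict, List

# Constructed from the page's Step-6 files (cn base64-encoded to show '::').
ADD_LDIF = """\
dn: uid=john,dc=nodomain
objectClass: inetOrgPerson
cn:: Sm9obiBEb2U=
sn: Doe
uid: john
userPassword: test123
"""
MODIFY_LDIF = """\
dn: uid=john,dc=nodomain
changetype: modify
replace: description
description: Updated entry
"""
# Hypothetical cn=config exports, weak vs. hardened. Attribute names are
# OpenLDAP olc* attributes; the values and the certificate path are assumptions.
WEAK_CONFIG = "dn: cn=config\nobjectClass: olcGlobal\ncn: config\n"
HARDENED_CONFIG = WEAK_CONFIG + """\
olcDisallows: bind_anon
olcRequires: authc
olcSecurity: ssf=128
olcTLSCertificateFile: /etc/ldap/server.crt
"""


def _unfold(text: str) -> List[str]:
    """Join folded continuation lines (leading space); drop comments and version."""
    out: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        elif not raw.startswith(("#", "version:")):
            out.append(raw)
    return out


def _attr(line: str):
    """Split 'name: value' or 'name:: base64value'; URL values (':<') are rejected."""
    name, sep, rest = line.partition(":")
    if not sep or rest.startswith("<"):
        raise ValueError(f"unsupported LDIF line: {line!r}")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip()).decode()
    return name, rest.strip()


def _record(lines: List[str]) -> Dict:
    name, dn = _attr(lines[0])
    if name != "dn":
        raise ValueError("LDIF record must start with dn:")
    rec, body = {"dn": dn, "changetype": "add"}, lines[1:]
    if body and body[0].startswith("changetype:"):
        rec["changetype"], body = _attr(body[0])[1], body[1:]
    if rec["changetype"] != "modify":          # add record: plain attribute lines
        attrs: Dict[str, List[str]] = {}
        for n, v in map(_attr, body):
            attrs.setdefault(n, []).append(v)
        rec["attributes"] = attrs
        return rec
    changes, cur = [], None                    # modify record: operations separated by "-"
    for line in body:
        if line == "-":
            cur = None
            continue
        n, v = _attr(line)
        if cur is None:
            if n not in ("add", "delete", "replace"):
                raise ValueError(f"bad modify operation {n!r}")
            cur = {"op": n, "attr": v, "values": []}
            changes.append(cur)
        else:
            cur["values"].append(v)
    rec["changes"] = changes
    return rec


def parse_ldif(text: str) -> List[Dict]:
    """Parse every record of an LDIF document (records are separated by blank lines)."""
    records, cur = [], []
    for line in _unfold(text) + [""]:
        if line.strip():
            cur.append(line)
        elif cur:
            records.append(_record(cur))
            cur = []
    return records


def cleartext_passwords(records: List[Dict]) -> List[str]:
    """DNs whose userPassword is not a {SCHEME}hash: slapd stores the value as
    supplied, so such entries keep the password in cleartext unless hashing is enforced."""
    return [r["dn"] for r in records
            for pw in r.get("attributes", {}).get("userPassword", []) if not pw.startswith("{")]


REQUIRED = [("olcDisallows", "bind_anon"), ("olcRequires", "authc"),
            ("olcSecurity", "ssf="), ("olcTLSCertificateFile", "")]


def config_findings(config: Dict) -> List[str]:
    """Hardening settings from the page's checklist that a cn=config record lacks."""
    attrs = config.get("attributes", {})
    return [f"{a} missing {v!r}" for a, v in REQUIRED if not any(v in x for x in attrs.get(a, []))]
```

``parse_ldif(ADD_LDIF)`` yields one add record whose ``userPassword`` is flagged by ``cleartext_passwords`` (hash it with ``slappasswd`` before loading real users), ``parse_ldif(MODIFY_LDIF)`` yields a modify record with a single ``replace`` operation, and ``config_findings`` returns four findings for ``WEAK_CONFIG`` and none for ``HARDENED_CONFIG``.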