Need a friend to help you in the war against seemingly complex LDAP configuration tasks? Let me introduce you to a handy dandy tool called ldapsearch.
Next to an LDAP browser (they cheat, by the way, but I’ll talk more about this later), ldapsearch is your friend when it comes to configuring Splunk, or any other LDAP-capable app for that matter, to authenticate against LDAP. It lets you test your configuration purely from the command line and then implement it once you know it’s working.
The most important things you’ll need to know about your LDAP server are its hostname or IP address, the LDAP port number and the base DN. If you don’t know any of these, ldapsearch can’t help you there — it does not perform magic. If you’re guessing the LDAP port number, your first guess should be 389, which is the default port for LDAP. (Second guess would be 636, the default LDAPS port. However, that would be treading into SSL waters and I’d like to keep it simple here.) Not knowing any of the required items usually means you should contact your IT/OPS department or someone who manages the LDAP or AD infrastructure at your organization.
STEP 1: Assuming you know the LDAP hostname (or IP), port and base DN, let’s find out if you have access to ldapsearch. Most *nix systems, including OS X, ship with ldapsearch, so it’s a matter of launching the terminal and typing:
$ which ldapsearch
/usr/bin/ldapsearch
If you haven’t got ldapsearch, go online, find a copy and download it. Stay away from the LDAP browsers (GUI) if possible. I mentioned earlier that LDAP browsers, at least the ones I’ve seen, particularly the ones that run on Windows, cheat. They do things like follow LDAP referrals (which is just silly).
STEP 2: Run ldapsearch and pray that the LDAP server you’re connecting to allows anonymous bind. If your LDAP server allows anonymous bind, you can bind to it without providing a bind account and password!
$ ldapsearch -h ldaphostname -p 389 -x -b "dc=splunkers,dc=com"
All of the above options are necessary to perform a simple, anonymous bind to the LDAP server:
-h hostname
-p port number
-x tells ldapsearch to use simple authentication instead of SASL (yes, you need this even for an anonymous bind)
-b base DN
If your organization is relaxed about LDAP access, it should just work. You’ll get human-readable output in LDIF format that you can pipe to a file for review. If your organization is not so relaxed (most responsible ones are NOT), you may need to provide a bind account and password:
-D "uid=tina,ou=People,dc=splunkers,dc=com"
-W will prompt you for your password
Example:
$ ldapsearch -h ldaphostname -p 389 -x -D "uid=tina,ou=People,dc=splunkers,dc=com" -b "dc=splunkers,dc=com" -W
Enter LDAP Password:
Here’s what sample user and group entries look like:
# tina, People, splunkers.com
dn: uid=tina,ou=People,dc=splunkers,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: tina
givenName: Tiny
sn: Ina
cn: Tiny Ina
userPassword::
# TechSupport, Groups, splunkers.com
dn: cn=TechSupport,ou=Groups,dc=splunkers,dc=com
cn: Technical Support
objectClass: top
objectClass: groupOfNames
ou: Groups
member: uid=tina,ou=People,dc=splunkers,dc=com
NOTE: It is possible that LDAP returns no entries even when a proper bind DN, password and base DN are provided. LDAP can be configured to prevent listing of entries starting at the root base, e.g. “dc=splunkers,dc=com”. In this case, you’ll have to provide a more specific base DN, for example:
-b "ou=People,dc=splunkers,dc=com"
or
-b "ou=Groups,dc=splunkers,dc=com"
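As an added example that is not part of the original post, here is a small POSIX shell script that turns the steps above into reusable checks: it counts the entries in ldapsearch’s LDIF output, pulls the member DNs out of a group entry (values you’ll need when you configure Splunk later), and walks a list of base DNs from the root downwards to find the first one that actually returns entries, which is exactly the situation in the NOTE. The host, port, bind DN and the sample LDIF are constructed to match the post’s examples, not real data.

```shell
#!/bin/sh
# Added example, not code from the original post. Host, port, bind DN and the
# sample LDIF are constructed from the post's examples (assumptions, not real data).
LDAP_HOST="ldaphostname"; LDAP_PORT="389"
BIND_DN="uid=tina,ou=People,dc=splunkers,dc=com"

# Count entries in LDIF on stdin; every entry begins with a "dn:" line.
count_entries() { grep -c '^dn: ' || true; }

# Print the member DNs of the group with cn=$1 from LDIF on stdin. Entries are
# blank-line separated; "# ..." comment lines never match the patterns below.
group_members() {
    awk -v want="dn: cn=$1," '
        /^$/                    { in_group = 0; next }
        /^dn: /                 { in_group = (substr($0, 1, length(want)) == want); next }
        in_group && /^member: / { print substr($0, 9) }'
}

# The NOTE case: the root base DN may return nothing even with a valid bind.
# $1 names a function that takes a base DN and writes LDIF to stdout; the rest
# are base DNs to try, most general first. Prints the first one with entries.
first_base_with_entries() {
    runner="$1"; shift
    for base in "$@"; do
        if [ "$("$runner" "$base" | count_entries)" -gt 0 ]; then
            printf '%s\n' "$base"; return 0
        fi
    done
    return 1
}

# Real runner: shells out to ldapsearch with the authenticated bind (-W prompts).
ldap_runner() { ldapsearch -h "$LDAP_HOST" -p "$LDAP_PORT" -x -D "$BIND_DN" -W -b "$1"; }

# Constructed sample: a server that refuses to list from the root base DN
# but answers for ou=People and ou=Groups.
SAMPLE_LDIF='# tina, People, splunkers.com
dn: uid=tina,ou=People,dc=splunkers,dc=com
uid: tina
cn: Tiny Ina

# TechSupport, Groups, splunkers.com
dn: cn=TechSupport,ou=Groups,dc=splunkers,dc=com
member: uid=tina,ou=People,dc=splunkers,dc=com'
sample_runner() { case "$1" in ou=*) printf '%s\n' "$SAMPLE_LDIF" ;; esac; }
```

Against a live server, swap `sample_runner` for `ldap_runner` in the call to `first_base_with_entries`, then pipe the working search into `group_members` to see which users a group carries.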
Stay tuned for my blog post on how to use this information to configure Splunk to authenticate against LDAP.