User Tools

Site Tools



Count Persons (objects derived from 'person')

ldapsearch [-h hostname] -D "cn=root" -w '?' -b "o=/usr/local,c=de" -s sub 'objectclass=person' dn | grep -c =
  • -w '?' will prompt for a password (without echo)1)
  • -s scope search scope (base, one, or sub)
  • dn is a dummy output attribute (distinguished name is printed in any case)

Courtesy of Oliver D. 2010/05/04 15:04

Read cn=config

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no '(objectclass=*)' \
| sed -e '/^olcAccess: /s/ by /\n  by /gi' -e '/olcSyncrepl/s/ \([a-zA-Z0-9_-]\+\)=/\n  \1=/gi' \
| less -S


ldapsearch -Y EXTERNAL -H ldapi:/// (objectclass=*) dn \
| sed -ne 's/^dn: [a-zA-Z0-9_]\+=[^,]\+,\(.*\)$/\1/gp'\
| sort -u

Use OpenLDAP and phpldapadmin on Ubuntu 14.04



apt-get install slapd phpldapadmin ldap-auth-config

Configure phpldapadmin

  • Disable
    in /etc/phpldapadmin/config.php to get automatically the base DN you configured on your LDAP server
  • Before creating a Posix Account you have to create a Posix Group (Thanks)
  • To get rid of the error “Error trying to get a non-existant value (appearance,password_hash)” replace password_hash by password_hash_custom in line 2469 of /usr/share/phpldapadmin/lib/TemplateRender.php (Thanks)
  • Uncomment und edit the line
    in /etc/phpldapadmin/config.php to get a numerical uid range different from the one selected by local useradd.
  • When creating Posix groups, the gid is preset and fixed by phpldapadmin, but you can modify it afterwards in the editor.
  • The ldap adminstrator account is of the object class organizationalRole with auxilary class simpleSecurityObject. Maybe this can be used for simple accounts to authenticate against ldap itself with cn=… as well?

Configure OpenLDAP Logging

It should be done by ldapmodify, but as ldapsearch did not work2), I modified /etc/ldap/slapd.d/cn=config.ldif

olcLogLevel: ACL stats stats2 shell

to confirm that did use the right accounts, DNs and credentials.3)

Enable ldapi access with apparmor

If you get the error ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) when using authentication options -Y External -H ldapi:/// this might be due to slapd's apparmor profile. Run

aa-complain slapd

and try again to verify. If this helps, add the following lines to /etc/apparmor.d/local/usr.sbin.slapd:

/run/slapd/ldapi rw,

In any case, make sure to re-enforce with

aa-enforce slapd
/etc/init.d/slapd stop
/etc/init.d/slapd start

Only leave it in complain mode (on your own responsibility), if you know what you're doing


Set password for cn=config

To configure OpenLDAP you need to access it by ldapmodify and Bind DN cn=config4) , which does not have a known password by default. To set it, create an ldif file

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: <PW in Clear>

and load it as root with5)

ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>

NOTE: :!: This will leave the password in cleartext in the config files. To avoid this, use the cli-tool slappasswd to create a SSHA hash of the password. The output of the tool can be pasted directly into the ldif file. Create the hash:

 ~ $ slappasswd
New password: 
Re-enter new password: 
 ~ $ 

and paste it into the ldif file:

dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcRootPW
olcRootPW: {SSHA}Dine679cmHIezcn<Kwae0asdfSSrdgJx

Afterwards you cann access the config by

ldapsearch -x -D cn=config -w <PW in Clear> -b cn=config

(Finally found here)

Of course you can skip setting the password and using external SASL authorization for ldapsearh by running:

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=*)'

as root.

Enable "memberOf"


su - 
ldapadd -Y EXTERNAL -H ldapi:/// -f enableMemberOf.ldif


dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleLoad: memberof


su - 
ldapadd -Y EXTERNAL -H ldapi:/// -f configureMemberOf.ldif


dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

:!: I assume this depends on where your LDAP tree data is stored - this example assumes it to be in olcDatabase={1}hdb,cn=config. You can list all database objects with their respective suffix by calling

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' dn olcSuffix

as root.


Write olcAccess.ldif in "human readable" format from actual config

ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L '(objectclass=*)' \
| sed -e '/^dn: /{s/^\(.*\)$/\n\1\nchangetype: modify\nreplace: olcAccess/;h;d};/^olcAccess/{s/ by /\n  by /gi;H;s/^.*$//;x;s/^\nolcAccess/olcAccess/g;p;d};d'


ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config -o ldif-wrap=no -L '(objectclass=*)' | ./olcAcces.sed
#!/bin/sed -f
/^dn: /{
s/^\(.*\)$/\n\1\nchangetype: modify\nreplace: olcAccess/
s/ by /\n  by /gi

Read olcAccess and convert it into "human readable" format


Configure nsswitch

Add ldap to list of methods in /etc/nsswitch.con behind passwd and groups

passwd:         compat ldap
group:          compat ldap

Configure PAM

add to common-session

session required

Override Home Directory settings

 apt-get install libpam-ldapd libnss-ldapd

This will remove libpam-ldap and libnss-ldap but install nslcd which is capable of overwriting values from LDAP entries more flexible. I.e. to have all users their home directories in /local/home instead of the LDAP entries value homeDirectory, add this line to /etc/nslcd.conf:

map passwd homeDirectory "/local/home/$uid"

(Found here)

Self Service Password on Ubuntu 14.10

dpkg -i self-service-password_0.9-1_all.deb
apt-get install php5-mcrypt''
php5enmod mcrypt
  • Edit Apache configuration:
Alias /passwd /usr/share/self-service-password/
  • Edit /usr/share/self-service-password/conf/config.ini.php
    • (ldap_url)
    • ldap_binddn
    • ldap_bindpw
    • ldap_base
    • hash
    • mail_from
    • (notify_on_change)
    • (debug)
/etc/init.d/apache2 stop
/etc/init.d/apache2 start

Change Loglevel of OpenLDAP

Simply change attribute olcLogLevel of the object cn=config by phpLDAPAdmin or ldapmodify using the credentials for the OLC6) access, by default cn=config and value of attribute olcRootPW of object olcDatabase={0}config,cn=config, e.g.

ldapmodify -Y EXTERNAL -H ldapi:/// -f config.ldif


dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: stats stats2 shell


dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: none

Adding indexes

Find out what is the right suffix for your tree by either of the following lines7):

ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix
ldapsearch -D cn=config -W          -b "cn=config" '(olcSuffix=*)' olcDbIndex olcSuffix

This will also show you the indices already existing. Now create a file in LDIF format, using the database found out in the previous step for the dn:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: uid eq
add: olcDbIndex
olcDbIndex: cn eq

Apply it with either of the following commands8):

ldapmodify -Y EXTERNAL -H ldapi:/// -f add_indices.ldif
ldapmodify -D cn=config -W          -f add_indices.ldif

References & Credits

true for IBM LDAP installations, when using OpenLDAP utilities, use -W instead
see "Set password for cn=config" below for how to get it working
See Change Loglevel of OpenLDAP for a more elaborate explanation on how to change log levels
unless olcRootDN was modified in olcDatabase={0}config,cn=config
In case of errors, see above
on-line configuration
7) , 8)
The first one works only by the local root account, the second one will require a password
docs/tips_n_tricks/ldap.html.txt · Last modified: 27.02.2024 23:32 CET by peter

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki