Useful Commands when Using OpenLDAP

Created On 09/25/18 19:25 PM - Last Modified 07/19/22 23:11 PM


Resolution


This article provides some useful commands and tips for working with OpenLDAP when configuring a PAN firewall to use OpenLDAP for authentication and user identification.

To check the setup of an existing OpenLDAP server, run the following command in a Unix/Linux/Mac terminal.

This returns the configuration and the objects in the OpenLDAP database.

If the OpenLDAP server is remote, use the -h option to specify the server IP.

  • ldapsearch -x -b 'dc=paloaltonetworks,dc=com' '(objectclass=*)'
  • ldapsearch -x -b 'dc=paloaltonetworks,dc=com' '(objectclass=*)' -h 10.1.2.3

The output will be similar to the following. It contains the objects to use when setting up the LDAP server profile, the authentication profile and group mapping.

dn: dc=mycompany,dc=com
dc: mycompany
objectClass: dcObject
objectClass: organization
o: My Company

dn: ou=people,dc=mycompany,dc=com
ou: people
objectClass: organizationalUnit

dn: ou=groups,dc=mycompany,dc=com
ou: groups
objectClass: organizationalUnit

dn: cn=Manager,ou=people,dc=mycompany,dc=com
objectclass: organizationalRole
cn: Manager

dn: cn=John Doe,ou=people,dc=mycompany,dc=com
objectclass: inetOrgPerson
cn: John Doe
sn: Doe
uid: johndoe
userpassword: password
ou: people

dn: cn=Jane Doe,ou=people,dc=mycompany,dc=com
objectclass: inetOrgPerson
cn: Jane Doe
sn: Doe
uid: janedoe
userpassword: password
ou: people

dn: cn=marketing,ou=groups,dc=mycompany,dc=com
objectclass: groupOfNames
cn: marketing
member: cn=John Doe,ou=people,dc=mycompany,dc=com
member: cn=Jane Doe,ou=people,dc=mycompany,dc=com

The output of the above ldapsearch command can also be edited (cut away the extraneous header and trailer at the start and the end, not shown here) and saved as an LDIF file (e.g. mycompany.ldif).

To test against a replica of the customer's OpenLDAP server, load this LDIF file into a test OpenLDAP server. Note that the exported passwords are hashed and not viewable, but you can edit them in the LDIF file to a value you know, such as "admin".

  • Stop the OpenLDAP server and remove/backup existing data
  • /usr/local/bin/ldapadd -x -D "cn=manager,dc=mycompany,dc=com" -W -f /home/root/mycompany.ldif
  • Start the OpenLDAP server
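Before loading an edited export back into a test server, it is worth checking the LDIF offline: ldapadd rejects an entry whose RDN value (for example cn=marketing) is not also present as a value of that attribute in the entry, and an export that has been hand-edited to contain cleartext userPassword values should be treated as sensitive. The following script is an added example, not part of this article or of OpenLDAP: it parses LDIF text (including folded and base64 values, which ldapsearch emits), reports naming mismatches, flags userPassword values without a {SCHEME} prefix, and derives the base DN, user and group object classes and group member attribute that the LDAP server profile and group mapping ask for. The sample LDIF is constructed in the shape of the output above, with one deliberate naming mismatch; the function and key names are this script's own.

```python
import base64
import re
from collections import defaultdict

# Constructed sample in the shape of the ldapsearch output above (not a real
# export). The group entry deliberately has cn: mycompany under dn cn=marketing
# so the naming check has something to report.
SAMPLE_LDIF = """\
dn: dc=mycompany,dc=com
dc: mycompany
objectClass: dcObject
objectClass: organization
o: My Company

dn: ou=people,dc=mycompany,dc=com
ou: people
objectClass: organizationalUnit

dn: cn=John Doe,ou=people,dc=mycompany,dc=com
objectclass: inetOrgPerson
cn: John Doe
sn: Doe
uid: johndoe
userpassword: password

dn: cn=Jane Doe,ou=people,dc=mycompany,dc=com
objectclass: inetOrgPerson
cn: Jane Doe
sn: Doe
uid: janedoe
userpassword: {SSHA}c29tZS1oYXNoLXZhbHVlLWhlcmU=

dn: cn=marketing,ou=groups,dc=mycompany,dc=com
objectclass: groupOfNames
cn: mycompany
member: cn=John Doe,ou=people,dc=mycompany,dc=com
member: cn=Jane Doe,ou=people,dc=mycompany,dc=com
"""

# Attributes that OpenLDAP group object classes use to list their members.
GROUP_MEMBER_ATTRS = ("member", "uniquemember", "memberuid")


def parse_ldif(text):
    """Parse LDIF into a list of (dn, attrs). Attribute names are lower-cased,
    values kept as lists; folded lines (leading space) are joined and '::'
    base64 values are decoded."""
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            current = (value, defaultdict(list))
        elif current is not None:
            current[1][name].append(value)
    if current is not None:
        entries.append(current)
    return entries


def rdn_problems(entries):
    """Entries whose RDN value is missing from the naming attribute; ldapadd
    refuses these with a naming violation."""
    problems = []
    for dn, attrs in entries:
        rdn = dn.split(",", 1)[0]
        attr, _, value = rdn.partition("=")
        if value not in attrs.get(attr.lower(), []):
            problems.append((dn, f"RDN {rdn} not present as an attribute value"))
    return problems


def cleartext_passwords(entries):
    """DNs whose userPassword lacks a {SCHEME} prefix, i.e. is stored cleartext."""
    return [dn for dn, attrs in entries
            for pw in attrs.get("userpassword", [])
            if not re.match(r"^\{[A-Za-z0-9-]+\}", pw)]


def profile_hints(entries):
    """Values to carry into the LDAP server profile and group mapping."""
    hints = {"base_dn": None, "user_objectclass": set(),
             "group_objectclass": set(), "group_member_attr": set()}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "dcobject" in classes and (hints["base_dn"] is None
                                      or dn.count(",") < hints["base_dn"].count(",")):
            hints["base_dn"] = dn  # shallowest dcObject is the suffix
        if "uid" in attrs or "userpassword" in attrs:
            hints["user_objectclass"] |= classes
        present = [a for a in GROUP_MEMBER_ATTRS if a in attrs]
        if present:
            hints["group_objectclass"] |= classes
            hints["group_member_attr"].update(present)
    return hints


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for dn, msg in rdn_problems(ents):
        print("naming problem:", dn, "-", msg)
    for dn in cleartext_passwords(ents):
        print("cleartext userPassword:", dn)
    print(profile_hints(ents))
```

Run it against a real export by reading the file into parse_ldif instead of SAMPLE_LDIF; fix every reported naming problem before the ldapadd step, and rehash or remove any cleartext password before the LDIF leaves the test machine.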

owner: ttan


