1. Overview
Clients usually provide authentication information to an LDAP server. Based on that, the LDAP server then figures out how much access to give the client.
In this tutorial, we’ll see how to perform LDAP authentication from the command line in Linux. Also, we’ll look at different authentication methods that apply here.
We’re using an Ubuntu 20.04 system. Also, we’ve already set up the OpenLDAP server, an LDAP implementation. Our base distinguished name (DN) is dc=example, dc=com. The admin user for this entry is cn=admin,dc=example,dc=com. The password for this user is the one chosen while setting up the slapd (stand-alone LDAP daemon) package.
2. Authentication Using ldapsearch Command
We can use the ldapsearch command to perform LDAP authentication. In essence, we can use three different authentication schemes:
- anonymous bind
- simple plaintext-based authentication
- Simple Authentication and Security Layer (SASL)
Notably, SASL is a more complex approach.
Let’s see each one of them.
2.1. Using Anonymous Bind
Anonymous bind is the most basic method of client authentication. It’s used when there’s no need for authentication, i.e., for certain public areas of the LDAP directory. In such cases, a user requires no identity or password for the given operations against the LDAP server.
Let’s process a search against our server using the ldapsearch command. Basically, the ldapsearch command looks for the entries in the LDAP database and returns the results.
Now, let’s use the -x option with the ldapsearch command for an anonymous bind:
$ ldapsearch -x -LLL -H ldap:/// -b dc=example,dc=com dndn: dc=example,dc=com dn: cn=admin,dc=example,d... dn: ou=People,dc=example... ...
Since we’ve not given any Bind DN using the -D option, no password is needed. Consequently, we have an anonymous bind.
2.2. Using Simple Bind
In simple authentication or simple bind, the DN of the account entry verifies that account for authentication. Along with that, it uses a password to confirm who we are.
Here’s the syntax for a simple bind or plain text authentication command:
$ ldapsearch -x -H ldap://ldap-server-hostname_or_IP -D "cn=username,ou=users,dc=example,dc=com" -W -b "dc=example,dc=com"We can put the values in the above expression as per our requirements:
- ldap-server-hostname – LDAP server’s hostname or IP address
- -D – user we want to authenticate with
- -b – DN of the search base
Now, let’s see this command in action by trying to authenticate our admin user:
$ ldapsearch -x -D "cn=admin,dc=example,dc=com" -W -H ldap://192.168.62.163 -b "ou=People,dc=example,dc=com"
...
id: baeldung
cn: Baeldung Linux
displayName: Baeldung Linux
uidNumber: 10000
gidNumber: 5000
loginShell: /bin/bash
...Importantly, the -x option means we use simple authentication. The -W option asks for the password of the user at runtime.
Since we’re working at the local server end, we can avoid using the LDAP server’s hostname or IP address. Thus, we can simply use the ldap:/// notation in this context.
2.3. Using SASL
SASL allows LDAP to work with any accepted authentication method between the LDAP client and server:
$ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b "dc=example,dc=com" dn
dn: dc=example,dc=com
dn: cn=admin,dc=example,dc=com
dn: ou=People,dc=example,dc=com
dn: ou=Groups,dc=example,dc=com
...Since we’re working on a local server, we can again leave out the server domain name or IP address. However, the ldapi scheme needs a local connection.
The -Q option enables the SASL quiet mode, while the -LLL option just formats the output style. In addition, the -Y option sets the SASL mechanism for authentication, EXTERNAL in this example.
3. Authentication Using ldapwhoami Command
Another way to perform LDAP authentication from the command line in Linux is via the ldapwhoami command. Basically, it has pretty much the same command structure as the ldapsearch command. Also, we can again use anonymous bind, simple bind, and SASL authentication here.
3.1. Using Anonymous Bind
First, let’s see how we can use ldapwhoami command with anonymous bind:
$ ldapwhoami -x -H ldap:///
anonymousAgain, the -x option indicates an anonymous bind. Further, providing no bind DN via the -D option confirms it as such.
3.2. Using Simple Bind
Let’s use ldapwhoami to authenticate our admin user using simple bind:
$ ldapwhoami -x -H ldap:/// -D "cn=admin,dc=example,dc=com" -W
Enter LDAP Password:
dn:cn=admin,dc=example,dc=comOn successful authentication, we see the DN of the user as the output. Otherwise, we see an error message.
Notably, the options in the above command are the same as the ones used in the ldapsearch case.
3.3. Using SASL Authentication
SASL authentication can also work in a similar way to simple bind with ldapwhoami. Again, in this case, we’re dealing with a local server. Thus, we don’t need to put in the server’s IP here:
$ ldapwhoami -Y EXTERNAL -H ldapi:/// -Q
dn:gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=authFor successful authentication, we’ll get the uid and gid of the connecting user along with the suffix cn=peercred,cn=external,cn=auth.
4. Conclusion
In this article, we’ve seen how to perform LDAP authentication from the command line. Overall, clients connecting to LDAP servers should be authorized through an authentication mechanism. An anonymous authentication performs an LDAP request without first doing a bind. In such a case, a client sees a limited view of the LDAP directory.
In simple authentication, the client’s password is sent in clear text along with the DN of the client (user). This makes it easy for an attacker to acquire the password from the network. It’s therefore a security problem. Thus, best practices dictate always using simple authentication over SSL/TLS.
With SASL, applications should find the best way to communicate and authenticate with each other. SASL lets us authenticate LDAP with more than just simple passwords and SSL.