LDAP and LDIFs

From ClueWiki

LDAP stands for Lightweight Directory Access Protocol. It is essentially a database protocol, but for a special kind of database called a directory: entries in the database are hierarchical, so there is a structure to them. The name of a single object in the database is called a Distinguished Name, or DN. A DN is composed of the object's own name and the layers above it. For example, the DN of the object representing my user in the Cluenet LDAP database is uid=crispy,ou=people,dc=cluenet,dc=org. The uid (User ID) is crispy, the ou (Organizational Unit) is people (it actually holds user accounts, but the standard name is "people"), and dc stands for "Domain Component". dc=cluenet,dc=org is the suffix for all DNs in the Cluenet directory.

The command that you use to get data from an LDAP directory is called ldapsearch. You can look at the manual page for ldapsearch for all the exact options. Try this command, for example:

ldapsearch -x -H ldap://ldap.cluenet.org/ -b dc=cluenet,dc=org

That command should dump all public database data. Here's what the options mean:

  • The -x option specifies that the command should use simple authentication. LDAP supports multiple types of authentication; simple authentication is a plain check of a username (called the bind DN) and its associated password. If no bind DN is specified, the connection is anonymous.
  • The -H option specifies the server to connect to. In this case, ldap://ldap.cluenet.org/ tells it to connect to the host ldap.cluenet.org with the normal LDAP protocol. In addition to ldap://, you can also use ldaps:// in some cases, which encrypts the connection. On Cluenet servers, the -H option shouldn't need to be specified, because it will be the system default.
  • The -b option specifies the search base. In this case, the base is dc=cluenet,dc=org. This should also be the system default on Cluenet servers.

You can also use the ldapsearch command to search for specific entries. The man page for ldapsearch will give you the exact way to do this. To search for a specific thing, just add the search string to the ldapsearch command. For example, to see public information for my username, this command will work:

ldapsearch -x -H ldap://ldap.cluenet.org/ -b dc=cluenet,dc=org uid=crispy

Note that without specifically authenticating, you will only see public information. To bind with a specific DN, use the -D option. You will also have to specify a password. The -W option causes it to ask for a password. For example, to see all available information for your username, use this command:

ldapsearch -x -W -D uid=USERNAME,ou=people,dc=cluenet,dc=org -H ldap://ldap.cluenet.org/ -b dc=cluenet,dc=org uid=USERNAME

Remember that the -H and -b options should be system defaults on Cluenet systems.

On Cluenet, the current system of authentication (although it may soon change) is to try to bind to the LDAP server with the username's associated DN and the supplied password. If it can successfully bind with that username and password, then the user is authenticated. Account data is also stored in LDAP. If you look at the output of the above commands, you'll see that data is specified in data pairs. The first part of the pair is called the attribute, and the second is the value. Like:

attribute: value

For some types of attributes, multiple instances of the same attribute may be specified.

Some of the attributes which you may notice in the output of the above commands are:

  • dn - This is the distinguished name of the entry.
  • uid - This is the username of the user.
  • uidNumber - This is the numeric user ID of the user.
  • gidNumber - This is the numeric group ID of the group to which the user belongs.
  • homeDirectory - This is the user's home directory.
  • userPassword - This is the user's encrypted password.
  • gecos - This is the user's gecos, or real name.
  • loginShell - This is the user's default shell.

There are also other fields which are common and you can find in the LDAP documentation. The fields beginning with clue* are custom Cluenet fields. For a bit more detail about the attributes, see Cluenet LDAP Attributes.

One other very important attribute is the objectClass attribute. Each objectClass that a user belongs to allows the user to have certain other attributes. Which attributes belong to which objectClasses can be found in the LDAP documentation. A user can belong to multiple objectClasses, and all Cluenet users belong to several.

The output format of the ldapsearch command is called LDIF (LDAP Data Interchange Format). Reading the data is fairly obvious; just two things to be aware of: two colons (::) after an attribute name mean that the value is base64-encoded, and a line that starts with a space is a continuation of the previous line.

The LDIF format can also be used for modifying the database. The command to modify the database is ldapmodify. The exact specifications for the LDIF format used to modify entries are in the manual page for ldapmodify. Most of the options to ldapmodify are the same as those to ldapsearch. By default, ldapmodify takes the LDIF data on standard input, but the -f option can be used to specify another file.

The manual page for ldapmodify also has an examples section showing the LDIF format for modifying entries. It should be pretty self-explanatory. You can use the ldapmodify command to change many of the attributes of your Cluenet account, but be careful not to change something that would prevent you from logging in.
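As an added example (not code from the original page or from Cluenet), a small Python parser for the LDIF details described above: folded lines, "::" base64 values and multi-valued attributes. It runs over a constructed ldapsearch result entry and a constructed ldapmodify record; the uid, numbers and shells in the sample are made up.

```python
import base64

# Constructed sample (not real Cluenet data): one ldapsearch result entry followed by an
# ldapmodify record. It has a multi-valued attribute, a "::" base64 value and a folded line.
SAMPLE_LDIF = """\
dn: uid=example,ou=people,dc=cluenet,dc=org
objectClass: posixAccount
objectClass: inetOrgPerson
uid: example
uidNumber: 10001
loginShell: /bin/bash
gecos:: RXhhbXBsZSBVc2Vy
description: this value is folded across two
  physical lines

dn: uid=example,ou=people,dc=cluenet,dc=org
changetype: modify
replace: loginShell
loginShell: /bin/zsh
-
"""

def unfold(text):
    """Join continuation lines (a line starting with one space) onto the line before."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # the first space is the fold marker, not data
        else:
            lines.append(raw)
    return lines

def parse_ldif(text):
    """Return one dict per record, mapping each attribute to the list of its values."""
    records, current = [], {}
    for line in unfold(text):
        if line == "":                          # a blank line ends the record
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#") or line == "-":  # comments; "-" separates modify ops
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: <base64>" per the LDIF spec
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        records.append(current)
    return records
```

Feeding real ldapsearch output to parse_ldif shows every objectClass and every value of a repeated attribute as a list, which is the shape you need before deciding what an ldapmodify record should replace.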
