LDAP (Lightweight Directory Access Protocol)

The default LDAP port is 389 and 636 over SSL.


Entry is a container for attribute-value pairs. Every Entry has a unique DN (Distiguished Name) and one or more objectclasses. An objectclass is a packaging of one or more attributes. Attribute is a word to describe a basic piece of information about an Entry or object. For examples, attribute cn which is a short name for ‘common name’; sn which is short name for ‘surname’; o which is short name for ‘organization’; etc. Attributes and objectclasses are contained in schema files. Schema files are physical containers that stores attributes and objectclasses. Directory Information Tree (DIT) is the base LDAP data structure. It is an Information database arranged like branches in a tree.

The root DSE is a special entry that provides information about the contents and capabilities of the server.


An objectclass is a packaging of attributes. Before we can use attributes to describe our Entry these have to be packaged. It defines where and how to use attributes. An objectClass can be STRUCTURAL, AUXILLARY, or ABSTRACT.

LDAP Data Interchange Format (LDIF)

The LDIF is a standard plain text data interchange format for representing LDAP directory content and update requests. LDIF files are used for the following:

  • To populate the DIT structure.
  • To import entries.
  • To restore entries.
  • To archive a DIT.
  • To edit entries.

To add new entries stored in LDIF file execute the following command:

$ ldapadd -x -D "cn=admin,dc=example,dc=com" -w password123 -f example.ldif

Common erors

White space at the end of the line:

ldap_add: Invalid syntax (21)
        additional info: objectClass: value #0 invalid per syntax

Every line in LDIF file must end with new line symbol. Comments are ignored so a space before the comment at the end of the line is also an error. E.g.:

"dn: dc=example,dc=com #This is syntax error!!!"

Common attributes

  • CN - common name.
  • DC - domain component.
  • OU - organizational unit.
  • DN - distinguished name.

Querying server

On Debian systems there’s ldap-utils package which contains a number of tools to communicate with LDAP server. There’s also a nice GUI tool called Apache Directory Studio. It runs on Windows, Linux and Mac OS X.


OpenLDAP is an open source implementation of LDAP protocol. On Debian:

$ sudo apt-get install slapd

It’s configs are located in /etc/ldap/slapd.d/.


By default OpenLDAP logs to syslog facility local4. We can forward those log to specific file, simply add followin lines to /etc/rsyslog.conf:

local4.* /var/log/openldap.log

By default OpenLDAP log level is stats (connections/operations/results). Usually, this is not enough to understand what is going on. To change the log level apply such LDIF file:

dn: cn=config
changetype: modify
replace: olcLogLevel
olcLogLevel: -1

Use lpadd to execute the LDIF file:

$ lpdadd -D "cn=admin,cn=config" -W -f update_log_level.ldif


olc prefix from olcLogLevel attribute stands for on-line configuration.

If you are prompted with error that you have no credentials see the section on how to configure access for config DIT.

Gain access to cn=config

  1. Generated MD5 password hash.

  2. Create update_config_password.ldif:

    dn: cn=config
    changetype: modify
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootDN
    olcRootDN: cn=admin,cn=config
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    add: olcRootPW
    olcRootPW: {MD5}your password here
    dn: olcDatabase={0}config,cn=config
    changetype: modify
    delete: olcAccess
  3. ldapadd -f update_config_password.ldif


[2]Why use LDAP?: https://www.centos.org/docs/5/html/5.2/Deployment_Guide/s1-ldap-adv.html
[3]Intro to OpenLDAP: https://sites.google.com/site/openldaptutorial/Home/openldap—beginners