1
00:00:00,000 --> 00:00:18,160
Hey everyone and welcome back. So in the previous nugget we had talked about LDAP at a high

2
00:00:18,160 --> 00:00:23,440
level overview. Now what we want to do is to dig in and actually begin using some basic

3
00:00:23,440 --> 00:00:27,920
configurations that we have to be aware of for the purposes of the examination.

4
00:00:28,640 --> 00:00:35,840
Now the main daemon that LDAP is going to use here is something called slapd which I always

5
00:00:35,840 --> 00:00:42,320
thought was a really strange name for a daemon but the reality is it stands for the standalone

6
00:00:42,320 --> 00:00:47,840
LDAP daemon. So check this out we want to actually install this so what I will say is

7
00:00:47,840 --> 00:00:55,520
sudo apt install slapd and I'll type in my password I'll say yes hit enter. Now it's going to ask me

8
00:00:55,520 --> 00:01:01,359
for the password for the admin of the LDAP directory so I'm just going to have a password of

9
00:01:01,359 --> 00:01:07,120
let's just maybe say hello okay and I'll confirm it by saying hello and the installation should

10
00:01:07,120 --> 00:01:13,280
continue now. So the next thing I'm going to install is something called ldap-utils so sudo apt install

11
00:01:13,280 --> 00:01:20,719
ldap-utils, hit enter. Okay perfect now remember we talked about how we would have

12
00:01:20,719 --> 00:01:27,519
some type of domain name like ipv0 right now I actually want to configure such a thing so I will

13
00:01:27,519 --> 00:01:36,079
say sudo dpkg-reconfigure and I want to reconfigure slapd so if I hit enter it's going to ask me

14
00:01:36,079 --> 00:01:41,439
do I want to omit the LDAP server configuration I will say no so I will say the domain name is

15
00:01:41,439 --> 00:01:49,840
ipv0.com the organization can be ipv0 the admin password I will just say hello and I'll confirm

16
00:01:49,920 --> 00:01:56,560
as hello I'll just choose the mdb back end and I want the database to be removed I will just say

17
00:01:56,560 --> 00:02:01,600
no and move the old database I will just say yes perfect so let me just clear my screen.

18
00:02:01,600 --> 00:02:08,080
Now straight away we're going to have some very basic configurations within our LDAP directory

19
00:02:08,080 --> 00:02:13,680
the way we can read those configurations is we can use a particular command this is a command

20
00:02:13,680 --> 00:02:19,439
called slapcat think about it like using the regular cat command we can read a file but we're

21
00:02:19,520 --> 00:02:26,000
going to read the slapd information okay so slapcat hit enter we can see here since I've

22
00:02:26,000 --> 00:02:33,599
changed my name notice the dc is ipv0.com remember just like we talked about we've got our com dc at

23
00:02:33,599 --> 00:02:42,639
the top and then within ipv0 which was derived from the domain name ipv0.com remember we split that up

24
00:02:42,639 --> 00:02:48,319
put this to the top take this one here put it within notice we also have an additional entry below

25
00:02:48,400 --> 00:02:53,919
here okay so we can see the dn here this is the distinguished name so the distinguished name

26
00:02:53,919 --> 00:03:02,560
will uniquely identify this object and this is going to be the admin of ipv0.com now this cn here

27
00:03:02,560 --> 00:03:07,759
this is the common name again this is more of the alphabet soup that you encounter when dealing with

28
00:03:07,759 --> 00:03:15,359
LDAP, dn's, ou's, cn's, sn's, all this stuff but don't get too worried about that just now the cn here

29
00:03:15,360 --> 00:03:20,720
is just an attribute of this particular object which in this case here just identifies the name

30
00:03:20,720 --> 00:03:25,440
of the admin just simply in this case admin now you're going to see that we have according to the

31
00:03:25,440 --> 00:03:31,440
schema all of these different types of object classes i.e. what type of object is this we can see here

32
00:03:31,440 --> 00:03:37,600
this is an organizational role being that this is the administrator of our LDAP server now when we

33
00:03:37,600 --> 00:03:43,920
actually want to modify the entries within our LDAP server which we see here from the slapcat

34
00:03:43,919 --> 00:03:49,759
command we want to be sending this information in this type of structure now this type of structure

35
00:03:49,759 --> 00:03:54,879
can be quite intimidating because there is a lot of information and the reality is for the purposes

36
00:03:54,879 --> 00:03:59,679
of the examination you don't have to have all of this memorized not even close we just want to

37
00:03:59,679 --> 00:04:04,959
understand the very basics of how this is laid out and the general rules that play here so all of

38
00:04:04,959 --> 00:04:12,719
this stuff here is conforming to the schema we talked about now if we happen to go and go into our

39
00:04:12,719 --> 00:04:19,360
etc directory and I go into ldap, if I do an ls we can see here we have this directory called schema

40
00:04:19,360 --> 00:04:25,680
if I go in here and do an ls we can see all of these different files, we can see schema files which

41
00:04:25,680 --> 00:04:34,240
will tell us the schema and we can also see the ldif files, now the ldif files these are the LDAP

42
00:04:34,240 --> 00:04:41,279
Data Interchange Format files, basically these are the files which happen to be structured in the

43
00:04:41,279 --> 00:04:48,479
correct way with the right values according to the particular schema set out as defined and these

44
00:04:48,479 --> 00:04:54,879
files are what we can use to create a new object within the LDAP database so let's have a look at

45
00:04:54,879 --> 00:05:03,279
say for example core.schema, if I say sudo vim core.schema and hit enter, if you happen to

46
00:05:03,279 --> 00:05:08,239
scroll down throughout this file you're going to see a ton of information so what I will do is I will

47
00:05:08,560 --> 00:05:14,720
forward slash within vim so I can do some searching and I will search for organization, now we can see

48
00:05:14,720 --> 00:05:19,199
this part right here, I'm going to stop this so look at this right here, this is the schema defined

49
00:05:19,199 --> 00:05:25,759
for this particular object class called organization, now we see this keyword here saying MUST, this means

50
00:05:25,759 --> 00:05:34,000
that we must supply this attribute when creating an organization in an ldif file, so we see the MUST

51
00:05:34,000 --> 00:05:39,360
is o, so we would have to say o equals and then in this case here the name of the organization we

52
00:05:39,360 --> 00:05:45,519
want to be creating, notice below we have this option called MAY, this would be an optional

53
00:05:45,519 --> 00:05:51,199
attribute so we could also add in things like the post office box the postal code the telephone

54
00:05:51,199 --> 00:05:56,720
number all of this additional information we want to supply when creating an organization within the

55
00:05:56,720 --> 00:06:03,360
LDAP directory but again this is all optional the only thing we must supply is this o value

56
00:06:03,360 --> 00:06:08,240
denoting the actual organization and if we scroll on down a little bit we can see another one called

57
00:06:08,240 --> 00:06:14,720
organizational unit so this is an ou, notice here when we create an organizational unit we must

58
00:06:14,720 --> 00:06:21,600
provide the attribute ou, however we can also if we so wish add in all of these additional values

59
00:06:21,600 --> 00:06:27,439
very very similar to what we saw before and again if we move on down to the person class we can see

60
00:06:28,079 --> 00:06:35,279
MUST we've got to provide the sn and the cn, the sn is the surname of the person so that could be

61
00:06:35,279 --> 00:06:41,839
McGovern in my case and the cn would be my common name which is John, so if you want to create a person

62
00:06:41,839 --> 00:06:48,319
you would have to provide these values in order to work but again we do have the option within the

63
00:06:48,319 --> 00:06:55,040
payload to add in a user password or a telephone number or a description if we so choose now again

64
00:06:55,040 --> 00:07:00,800
there are tons of these object classes LDAP can be very very complex we don't have to worry about

65
00:07:00,800 --> 00:07:05,520
all of that just now just understand that we're looking at the schema and what we want to do is

66
00:07:05,520 --> 00:07:10,800
to take this type of information that we can see here and build a little template say for example

67
00:07:10,800 --> 00:07:15,840
if we wanted to add an organizational unit we would know the type of things that we could supply

68
00:07:15,840 --> 00:07:23,200
and the type of things we must supply within our ldif file that we will send to the server okay now

69
00:07:23,199 --> 00:07:28,479
one thing I just want to point out is that historically all of this information would be

70
00:07:28,479 --> 00:07:36,399
called in using include statements in a file within the etc directory called slapd.conf

71
00:07:36,399 --> 00:07:42,639
that is how these schemas are ultimately read in now in more modern implementations you tend to

72
00:07:42,639 --> 00:07:48,800
find that we're not going to have just one file, instead we're going to have within our etc ldap

73
00:07:48,800 --> 00:07:56,560
directory we will have a slapd.d directory and within this directory like we see so often with

74
00:07:56,560 --> 00:08:02,080
Linux we have multiple files which ultimately call in this type of information that we're seeing right

75
00:08:02,080 --> 00:08:08,000
here so just be aware of that difference but for now what I will do is we'll just escape out, if I go

76
00:08:08,000 --> 00:08:15,120
back and I do an ls, if I go into my root user account and I go into the slapd.d directory we can

77
00:08:15,120 --> 00:08:21,600
see we have cn=config, if we go into cn=config and do an ls this is the more modern way in which your

78
00:08:21,600 --> 00:08:26,160
LDAP configurations are going to be managed via all of the information within here so we're not

79
00:08:26,160 --> 00:08:32,799
just using that global and singular slapd.conf configuration file anymore now what I want to

80
00:08:32,799 --> 00:08:38,159
show you is if I just go back a few directories and I'll change back to ipv0, clear the screen

81
00:08:38,159 --> 00:08:45,519
what I want to do is I want to start my slapd service, so sudo service slapd start, this is

82
00:08:45,519 --> 00:08:51,919
going to start the server and if I arrow up and do status to check the status as we can see this

83
00:08:51,919 --> 00:08:58,879
is active and running so let's try to add to the LDAP database then, so what I'll do is I will create

84
00:08:58,879 --> 00:09:05,279
a little file and I'll just call that whatever I so wish, let's just say myldap.ldif okay so I'll

85
00:09:05,279 --> 00:09:10,399
just say the dn which will be the distinguished name and what I will do is I will create an

86
00:09:10,399 --> 00:09:18,879
organization just called let's maybe say myorg, so dn equals and I will specify that the o is equal to

87
00:09:18,879 --> 00:09:27,199
myorg comma and then the dc, can you remember what this is, it's going to be ipv0 and then a comma and

88
00:09:27,199 --> 00:09:35,199
then the outer container will be com and again all I'm doing here is following the schema that I saw

89
00:09:35,280 --> 00:09:39,759
within those schema files and using it as a template, so now what I'll say is the object class

90
00:09:39,759 --> 00:09:45,600
this is going to be an organization remember we can add a description as an optional attribute

91
00:09:45,600 --> 00:09:53,520
I'll just say this is a test org and one thing that we must add if you recall by looking at the

92
00:09:53,520 --> 00:09:59,600
schema for an organization is you must have this o value now the o value is just going to be quite

93
00:09:59,600 --> 00:10:07,519
simply myorg okay so if I save this file and I escape I can now cat it, here we have here

94
00:10:07,519 --> 00:10:12,960
this is going to be the little file which I can use to send these new configurations over to my

95
00:10:12,960 --> 00:10:19,200
LDAP server okay so now what I want to do is I want to add something to the LDAP directory so the

96
00:10:19,200 --> 00:10:25,040
command I can use here is ldapadd and I'm going to say dash x and in fact before I do that let me

97
00:10:25,120 --> 00:10:31,039
just quickly refresh and show you the slapcat output, that is all we have right now, one thing I

98
00:10:31,039 --> 00:10:35,839
want you to note is that within the next command I'm going to have to show, I'm going to have to

99
00:10:35,839 --> 00:10:43,199
specify the distinguished name of the LDAP administrator so that we can actually authenticate

100
00:10:43,199 --> 00:10:48,879
this request and here is the distinguished name right here for that administrator so I'm going to

101
00:10:48,960 --> 00:10:55,120
say sudo ldapadd and I'm going to say dash x, this is for simple authentication, and then I'm going to

102
00:10:55,120 --> 00:11:00,320
do dash D for the distinguished name and the distinguished name for the administrator as we

103
00:11:00,320 --> 00:11:11,120
can see here is cn=admin,dc=ipv0,dc=com, now what I want to do is to say dash

104
00:11:11,120 --> 00:11:17,360
capital W which means that when I send off this request I'm going to have to, or rather I'm going

105
00:11:17,360 --> 00:11:23,759
to be prompted for my password which I'll then have to enter, next I will say dash f to specify the

106
00:11:23,759 --> 00:11:30,800
file that I want to send for this configuration which in my case is called myldap.ldif, so if I

107
00:11:30,800 --> 00:11:36,480
happen to hit enter I'll actually have to spell my command correctly, I don't know why I misspelled

108
00:11:36,480 --> 00:11:42,960
that, that should be two d's of course, silly me, try again, I have to enter the LDAP password, I believe

109
00:11:42,960 --> 00:11:49,120
that was hello I had for the administrator account and it appears I have an invalid format, let me just

110
00:11:49,120 --> 00:11:55,440
check my ldif file, I'll say sudo nano myldap and I can see it straight away here, I've got dn equals

111
00:11:55,440 --> 00:12:01,040
that should be a colon, silly me, apologies about that, let's save this with the changes and I'll try

112
00:12:01,040 --> 00:12:06,960
the command again, I will say hello and hit enter and as we can see here we're adding a new entry to

113
00:12:06,960 --> 00:12:13,759
the LDAP directory so if I now say sudo slapcat notice here at the very bottom we actually have

114
00:12:13,759 --> 00:12:21,519
a new entry here, now if I wanted to delete this entry what I could say is sudo ldapdelete, that

115
00:12:21,519 --> 00:12:27,040
would be the command here and what I want to do here is to specify the distinguished name of the

116
00:12:27,040 --> 00:12:32,400
object I want to delete, now let me just delete this one which I just created so this is the dn here

117
00:12:32,399 --> 00:12:38,480
which will uniquely identify this object so I'll paste this in and then I will say dash x for

118
00:12:38,480 --> 00:12:44,000
simple authentication and once again dash D and the same information for my authentication for

119
00:12:44,000 --> 00:12:52,159
the admin, admin ipv0, and do dash W to prompt me for my password, enter the LDAP password, I'll say

120
00:12:52,159 --> 00:12:59,600
hello hit enter and now if I say sudo slapcat suddenly that entry has been deleted so for

121
00:12:59,600 --> 00:13:05,040
the different objects that we want to create or delete or modify we just keep following the type

122
00:13:05,040 --> 00:13:11,200
of schema that we saw within those files so what I could do is arrow up and I will re-add the

123
00:13:11,200 --> 00:13:18,560
myorg, so it's now back in, now one thing to note here is that I am adding and deleting files on my own

124
00:13:18,560 --> 00:13:24,639
server, now I could be on a completely different machine sending queries remotely to my LDAP server

125
00:13:24,639 --> 00:13:30,960
just by specifying the server domain name or the server ip address within the command so what I

126
00:13:30,960 --> 00:13:39,759
could actually do here is I could see my ip address 192.168.0.44 and within my ldapdelete command

127
00:13:39,759 --> 00:13:45,919
I could actually say dash h and then give the ip address of the server, if I just type in my ip

128
00:13:45,919 --> 00:13:53,439
address right here and hit enter, type in my LDAP password of hello, notice if I do my sudo slapcat

129
00:13:53,440 --> 00:14:00,080
we should have successfully deleted the myorg entry which we have so notice that we don't have

130
00:14:00,080 --> 00:14:05,520
to be working on the server itself we can send the commands remotely to the server so long as we

131
00:14:05,520 --> 00:14:10,240
can actually authenticate with the server and prove we are say for example the administrator here who

132
00:14:10,240 --> 00:14:17,440
has the rights to do something like an ldapdelete of the LDAP directory, now one thing we want to know

133
00:14:17,440 --> 00:14:24,080
is again if I happen to, let me just add this org back in again, say hello, we do know we have the sudo

134
00:14:24,080 --> 00:14:30,160
slapcat command which is going to show us all the information within the directory if we want to be a

135
00:14:30,160 --> 00:14:35,680
little bit more targeted if the directory happens to be very large we can actually say sudo

136
00:14:35,680 --> 00:14:42,000
ldapsearch, do dash x and then we can do dash b and then specify the search term we want to look for

137
00:14:42,000 --> 00:14:49,200
so I could actually be pretty generic and just say give me everything within dc=ipv0,dc=com

138
00:14:49,200 --> 00:14:56,399
and hit enter and we will get all the information within ipv0.com but again by providing the full

139
00:14:56,399 --> 00:15:00,960
distinguished name for a particular object we could drill in, say for example I could say o

140
00:15:00,960 --> 00:15:06,799
equals myorg and comma here, this will be more specific yet again, if I hit enter notice here

141
00:15:06,799 --> 00:15:13,759
from the outputs of this command the output is much less it's just relating to this particular

142
00:15:13,759 --> 00:15:18,639
object right here so we have a whole bunch of commands that we can use with respect to LDAP

143
00:15:18,639 --> 00:15:25,679
we can have commands to search LDAP, delete objects, add objects, even modify objects and

144
00:15:25,679 --> 00:15:31,599
we can also change and set particular passwords using the ldappasswd command so let me quickly

145
00:15:31,600 --> 00:15:37,680
show you what I will do is I will create one more file, I will say myuser.ldif, in fact I should

146
00:15:37,680 --> 00:15:42,800
say sudo nano and I'm just going to follow the schema for this particular object, I will say the

147
00:15:42,800 --> 00:15:50,399
uid is equal to johnmcg and the organization johnmcg will be in will be myorg, that will be in

148
00:15:50,399 --> 00:15:59,040
the dc of ipv0 and com, I will say object class is inetOrgPerson, the cn this is going to be

149
00:15:59,039 --> 00:16:05,759
John which is the common name, the surname is going to be McGovern, the uid will just be johnmcg

150
00:16:05,759 --> 00:16:12,159
okay so let me save this, I'll escape out, I'll use my ldapadd command, this time I'll point it to the

151
00:16:12,159 --> 00:16:19,439
myuser.ldif file, hit enter, I will say hello and we can see here we're adding a new entry to our

152
00:16:19,439 --> 00:16:25,759
directory so I can say again sudo slapcat, at the very bottom we have this object right here, notice

153
00:16:25,759 --> 00:16:30,799
we actually don't have a password for this particular user, I could control this by using the

154
00:16:30,799 --> 00:16:37,919
command I just said, ldappasswd, do dash x for simple authentication and again cn is going to be the

155
00:16:37,919 --> 00:16:45,600
admin of ipv0.com, I'm going to say dash capital S so that the system prompts me to type in a new

156
00:16:45,600 --> 00:16:51,360
password that is the password for the account here that i'm going to be changing the password for

157
00:16:51,360 --> 00:16:57,039
and I also want to say dash W to prompt me for the admin password of the LDAP server so that we

158
00:16:57,039 --> 00:17:01,919
can authenticate this request of a change, and now what I will do is provide the distinguished name

159
00:17:01,919 --> 00:17:10,160
of the object I want to target so uid is equal to johnmcg, o is equal to myorg, dc is equal to ipv0

160
00:17:10,160 --> 00:17:16,720
and dc equal to com, so if I hit enter it's going to ask me for the new password, this is the new

161
00:17:16,799 --> 00:17:23,360
password for the johnmcg account so I'll just have the password as john1 and I'll type it in

162
00:17:23,360 --> 00:17:30,880
again, john1, and now I have to enter the admin LDAP password to authorize this request so that's

163
00:17:30,880 --> 00:17:38,640
going to be hello and hit enter and now if I do my sudo slapcat once again notice here with this

164
00:17:38,640 --> 00:17:45,680
object we now have a user password which has been held in cryptographically hashed form again notice

165
00:17:45,680 --> 00:17:51,680
we can actually control this by using the ldappasswd command which we see right here so there

166
00:17:51,680 --> 00:17:57,200
really is a lot of moving parts within LDAP, it can be very confusing with so much of this lettering,

167
00:17:57,200 --> 00:18:04,080
dn's, cn's, sn's, uids, ou's, but honestly we do not have to drown in all the available knowledge

168
00:18:04,080 --> 00:18:09,440
within LDAP, there just are some core components that we want to understand which we have outlined

169
00:18:09,440 --> 00:18:15,200
within this skill, understand we have particular commands such as ldappasswd, ldapdelete,

170
00:18:15,279 --> 00:18:21,920
ldapadd, if we want to add files we will use our LDAP configuration file and that is going to have

171
00:18:21,920 --> 00:18:28,319
to conform to a particular schema set out for a particular object with some attributes being

172
00:18:28,319 --> 00:18:35,120
mandatory that we must specify and some attributes which are optional which we may specify okay so

173
00:18:35,120 --> 00:18:39,680
that is us for the basics of LDAP configuration, I hope this has been informative for you and I'd

174
00:18:39,680 --> 00:18:44,480
like to thank you for viewing
