OpenLDAP noopsrch overlay and control

Installation

apt-get install openldap-ltb-contrib-overlays

(or whatever package manager / OS you use)

Configuration

Add these directives to /usr/local/openldap/etc/openldap/slapd.conf 1:

include         /usr/local/openldap/etc/openldap/schema/core.schema
include         /usr/local/openldap/etc/openldap/schema/cosine.schema
include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema

modulepath      /usr/local/openldap/libexec/openldap
moduleload noopsrch.so

Restart OpenLDAP:

systemctl restart slapd

Then populate some entries:

vim base.ldif

dn: dc=my-domain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: my-domain
dc: my-domain

dn: ou=users,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=my-domain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: uid=test1,ou=users,dc=my-domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: test1
sn: test1
uid: test1
userPassword: secret

dn: uid=test2,ou=users,dc=my-domain,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: test2
sn: test2
uid: test2
userPassword: secret

Finally, add these entries into OpenLDAP:

ldapadd -H 'ldap://localhost:389' -D 'cn=Manager,dc=my-domain,dc=com' -w secret -f base.ldif

Usage

Search for all entries:

ldapsearch -x -H 'ldap://localhost:389' -D 'cn=Manager,dc=my-domain,dc=com' -w secret -b 'dc=my-domain,dc=com' '(objectClass=*)' -e '!1.3.6.1.4.1.4203.666.5.18'

search: 2
result: 0 Success
control: 1.3.6.1.4.1.4203.666.5.18 false MAkCAQACAQUCAQA=

Search for branch entries :

ldapsearch -x -H 'ldap://localhost:389' -D 'cn=Manager,dc=my-domain,dc=com' -w secret -b 'dc=my-domain,dc=com' '(objectClass=organizationalUnit)' -e '!1.3.6.1.4.1.4203.666.5.18'

search: 2
result: 0 Success
control: 1.3.6.1.4.1.4203.666.5.18 false MAkCAQACAQICAQA=

Some explanations:

• no operation is done,

• instead, the number of operations is displayed, on the “control” line

• how to verify the number of operations ? See below

echo -n 'MAkCAQACAQUCAQA=' | base64 -d | od -x --endian=big
0000000 3009 0201 0002 0105 0201 0000

0x30 ber sequence
0x09 length (9 bytes)

0x02 ber int
0x01 length (1 byte)
0x00 "0" (value of would be search result code)

0x02 ber int
0x01 length (1 byte)
0x05 "5" (number of would be returned entries) --> Ok, there are 5 entries returned

0x02 ber int
0x01 length (1 byte)
0x00 "0" (number of would be returned search refs)

echo -n 'MAkCAQACAQICAQA=' | base64 -d | od -x --endian=big
0000000 3009 0201 0002 0102 0201 0000

0x30 ber sequence
0x09 length (9 bytes)

0x02 ber int
0x01 length (1 byte)
0x00 "0" (value of would be search result code)

0x02 ber int
0x01 length (1 byte)
0x02 "2" (number of would be returned entries) --> Ok, there are 2 organizational entries returned

0x02 ber int
0x01 length (1 byte)
0x00 "0" (number of would be returned search refs)

Footnotes

1

example is given for a slapd.conf configuration. See slapd-config manual for more information about corresponding cn=config configuration