LDAP in the Solaris Operating Environment[c] Deploying Secure Directory Services

Examples of LDAP Enabled snoop In Action

In the following examples, the protocol exchange between an LDAP client and an LDAP directory server for common LDAP operations is examined. The first example (LDAP search) includes three snoop options. These are:

  • Non-verbose

  • Verbose summary ( -V )

  • Verbose ( -v )

For the other LDAP operations, only the verbose mode is shown.

LDAP Search Request Example

The following is a simple search for an entry with the uid equal to lruble with a search based of dc=example , dc=com . The output shows the matching entry that is returned to the client.

# ldapsearch -h veda.example.com -b "dc=example,dc=com" uid=lruble uid=LRuble,ou=People,dc=example,dc=com mail=lruble@example.com uid=LRuble givenName=Lucy objectClass=top objectClass=person objectclass=inetorgperson sn=Ruble cn=Lucy Ruble #

Non-verbose LDAP snoop Result

The following is the output of snoop when run without specifying the verbose mode when the previous LDAP search was performed.

# snoop ldap vipivot Using device /dev/hme (promiscuous mode) vipivot -> veda LDAP C port=32829 vipivot -> veda LDAP C port=32829 Search Request neverDerefAliases veda -> vipivot LDAP R port=32829 veda -> vipivot LDAP R port=32829 Search ResEntry veda -> vipivot LDAP R port=32829 Search ResDone Success vipivot -> veda LDAP C port=32829 vipivot -> veda LDAP C port=32829 vipivot -> veda LDAP C port=32829 Unbind Request vipivot -> veda LDAP C port=32829 veda -> vipivot LDAP R port=32829 . . .

Only the LDAP operation name and result code is displayed as shown in bold. The port number shown is the TCP port, not the LDAP port.

Verbose Summary Mode LDAP Search snoop Result

The following is an abbreviated output when the same search is performed with snoop in the verbose summary mode.

# snoop -V ldap vipivot Using device /dev/hme (promiscuous mode) ________________________________ vipivot -> veda ETHER Type=0800 (IP), size = 62 bytes vipivot -> veda IP D=129.148.181.130 S=129.148.181.142 LEN=48, ID=11313 vipivot -> veda TCP D=389 S=32849 Syn Seq=2825400714 Len=0 Win=49640 Options=<mss 1460,nop,nop,sackOK> vipivot -> veda LDAP C port=32849 ... vipivot -> veda LDAP C port=32849 Search Request neverDerefAliases . . .

Verbose LDAP Search snoop Result

The following is the output of a verbose snoop when the same LDAP search is performed. Because of the length of this example, and to show you the different output in specific sections, the snoop trace is divided into several parts .

Part 1 - Ethernet and TCP/IP Packet Information

# snoop -v ldap vipivot Using device /dev/hme (promiscuous mode) ETHER: ----- Ether Header ----- ETHER: ETHER: Packet 1 arrived at 14:22:19.03 ETHER: Packet size = 62 bytes ETHER: Destination = 8:0:20:8a:e5:71, Sun ETHER: Source = 8:0:20:ab:be:31, Sun ETHER: Ethertype = 0800 (IP) .... IP: ----- IP Header ----- IP: Version = 4 IP: Header length = 20 bytes IP: Protocol = 6 (TCP) IP: Header checksum = 9c4b IP: Source address = 129.148.181.142, vipivot IP: Destination address = 129.148.181.130, veda IP: No options ... TCP: ----- TCP Header ----- TCP: TCP: Source port = 32834 TCP: Destination port = 389 (LDAP) TCP: Sequence number = 3301917698 TCP: Acknowledgement number = 0 TCP: Data offset = 28 bytes

Part 2 - LDAP Search Request

LDAP: ----- Lightweight Directory Access Protocol Header ----- LDAP: *[LDAPMessage] LDAP: [Message ID] LDAP: Operation *[APPL 3: Search Request ] LDAP: [Base Object] LDAP: dc=example,dc=com LDAP: [Scope] LDAP: wholeSubtree LDAP: [DerefAliases] LDAP: neverDerefAliases LDAP: [SizeLimit] LDAP: [TimeLimit] LDAP: [TypesOnly] LDAP: Equality Match *[3] LDAP: [Attr Descr] LDAP: uid LDAP: [Value] LDAP: lruble LDAP: *[Sequence]

Part 3 - LDAP Search Results

LDAP: ----- Lightweight Directory Access Protocol Header ----- LDAP: *[LDAPMessage] LDAP: [Message ID] LDAP: Operation *[APPL 4: Search ResEntry ] LDAP: [Object Name] LDAP: uid=LRuble,ou=People,dc=example, LDAP: dc=com LDAP: *[Partial Attributes] LDAP: *[Attribute] LDAP: [Type] LDAP: mail LDAP: *[Vals] LDAP: [Value] LDAP: lruble@example.com LDAP: *[Attribute] LDAP: [Type] LDAP: uid LDAP: *[Vals] LDAP: [Value] LDAP: LRuble LDAP: *[Attribute] LDAP: [Type] LDAP: givenName LDAP: *[Vals] LDAP: [Value] LDAP: Lucy

Part 4 - LDAP Search Results ( continued )

LDAP: *[Attribute] LDAP: [Type] LDAP: objectClass LDAP: *[Vals] LDAP: [Value] LDAP: top LDAP: [Value] LDAP: person LDAP: [Value] LDAP: organizationalPerson LDAP: [Value] LDAP: inetorgperson LDAP: *[Attribute] LDAP: [Type] LDAP: sn LDAP: *[Vals] LDAP: [Value] LDAP: Ruble LDAP: *[Attribute] LDAP: [Type] LDAP: cn LDAP: *[Vals] LDAP: [Value] LDAP: Lucy Ruble

Verbose LDAP Add Operation

The following example shows what a verbose snoop of an LDAP add operation would look like.

First, the command that is run:

# ldapadd -h veda -D "cn=directory manager" -w dirmanager dn: uid=truble,ou=people,dc=example,dc=com objectclass: person objectclass: inetorgperson uid: truble cn: Chris Ruble sn: Ruble adding new entry uid=truble,ou=people,dc=example,dc=com ^D

Next, the snoop trace shows the BIND request and response:

LDAP: ----- Lightweight Directory Access Protocol Header ----- LDAP: *[LDAPMessage] LDAP: [Message ID] LDAP: Operation *[APPL 0: Bind Request ] LDAP: [Version] LDAP: [Object Name] LDAP: cn=directory manager LDAP: Authentication: Simple [0] LDAP: dirmanager ... LDAP: ----- Lightweight Directory Access Protocol Header ----- LDAP: *[LDAPMessage] LDAP: [Message ID] LDAP: Operation *[APPL 1: Bind Response ] LDAP: [Result Code] LDAP: Success LDAP: [Matched DN] LDAP: [Error Message]

Then, the actual LDAP operation is performed followed by the unbind operation:

LDAP: ----- Lightweight Directory Access Protocol Header ----- LDAP: *[LDAPMessage] LDAP: [Message ID] LDAP: Operation *[APPL 8: Add Request ] LDAP: [Entry] LDAP: uid=truble,ou=people,dc=example, LDAP: dc=com LDAP: *[Attributes] LDAP: *[Attribute] LDAP: [Type] LDAP: objectclass LDAP: *[Vals] LDAP: [Value] LDAP: person LDAP: [Value] LDAP: inetorgperson LDAP: *[Attribute] LDAP: [Type] LDAP: uid LDAP: *[Vals] LDAP: [Value] LDAP: truble LDAP: *[Attribute] LDAP: [Type] LDAP: cn LDAP: *[Vals] LDAP: [Value] LDAP: Chris Ruble LDAP: *[Attribute] LDAP: [Type] LDAP: sn LDAP: *[Vals] LDAP: [Value] LDAP: Ruble

LDAP: Operation *[APPL 9: Add Response ] LDAP: [Result Code] LDAP: Success LDAP: [Matched DN] ... LDAP: *[LDAPMessage] LDAP: [Message ID] LDAP: Operation [APPL 2: Unbind Request ]

Verbose snoop Trace of an LDAP Delete Operation

The following command is issued:

# ldapdelete -h veda -D "cn=Directory Manager" -w dirmanager "uid= truble,ou=people,dc=example,dc=com"

The following is the corresponding snoop output:

LDAP: ----- Lightweight Directory Access Protocol Header ----- LDAP: *[LDAPMessage] LDAP: [Message ID] LDAP: Operation *[APPL 0: Bind Request ] LDAP: [Version] LDAP: [Object Name] LDAP: cn=directory manager LDAP: Authentication: Simple [0] LDAP: dirmanager ... LDAP: ----- Lightweight Directory Access Protocol Header ----- LDAP: *[LDAPMessage] LDAP: [Message ID] LDAP: Operation *[APPL 1: Bind Response ] LDAP: [Result Code] LDAP: Success LDAP: [Matched DN] ... LDAP: ----- Lightweight Directory Access Protocol Header ----- LDAP: *[LDAPMessage] LDAP: [Message ID] LDAP: Operation [APPL 10: Del Request ] LDAP: uid=truble,ou=people,dc=example,d LDAP: c=com LDAP: LDAP: ----- Lightweight Directory Access Protocol Header ----- LDAP: *[LDAPMessage] LDAP: [Message ID] LDAP: Operation *[APPL 11: Del Response ] LDAP: [Result Code] LDAP: Success LDAP: [Matched DN] LDAP: [Error Message] LDAP: ... LDAP: *[LDAPMessage] LDAP: [Message ID] LDAP: Operation [APPL 2: Unbind Request ]

Категории