# Use Authing's LDAP user directory
Authing supports viewing, modifying, adding and deleting user information using the LDAP protocol. This page contains some basic information and tutorials.
# Basic information
| Information | Value |
|---|---|
| Hostname | ldap.authing.cn |
| Port | 1389 |
| LDAP Distinguished Name (BindDN) | ou=users, o=YOUR_USERPOOL_ID, dc=authing, dc=cn |
| Base DN | ou=users, o=YOUR_USERPOOL_ID, dc=authing, dc=cn |
The BindDN is used together with the secret to complete authentication, while the BaseDN defines the point in the directory tree from which operations are performed.

```
dc=authing, dc=cn - Authing
└── o=YOUR_USERPOOL_ID - userPool
    └── ou=users - users (commonly used as BindDN and BaseDN)
        ├── uid=USER_ID - user
        └── o=develop - self-defined organization
            └── uid=USER_ID - members under the organization
```
# Authentication method
Access to the Authing LDAP server requires the application key (Secret) of the Authing user pool. The authentication command is as follows: it binds with the BindDN and the secret key of the user pool, searches the user pool, and the returned results include user data and organization data.

```bash
# The OpenLDAP client tools take an LDAP URI (ldap://, ldaps:// or ldapi://) after -H.
$ ldapsearch -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    -LLL \
    -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn"
```

If the key (secret) is incorrect, the following information will be returned:

```
ldap_bind: Invalid credentials (49)
	matched DN: ou=users, o=YOUR_USERPOOL_ID, dc=authing, dc=cn
	additional info: InvalidCredentialsError
```
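Every command on this page passes the user-pool secret with `-w`, which makes it visible in the process list and in shell history. The added Python example below is not part of Authing's documentation or tooling; it shows the alternative the OpenLDAP client tools already support: writing the secret to a file readable only by the current user and passing it with `-y`. It assumes the plain `ldap://` scheme for the host and port given in the table (use `ldaps://` if your deployment requires TLS), the page's placeholder bind DN, and an `AUTHING_USERPOOL_SECRET` environment variable as the source of the secret.

```python
"""Invoke ldapsearch against the Authing LDAP directory without putting the
secret on the command line. Added example; not Authing's own code."""
import os
import stat
import subprocess
import tempfile
from typing import List, Sequence

# Assumed values: host and port come from the page's table, the ldap:// scheme is an
# assumption, and YOUR_USERPOOL_ID is the page's placeholder.
LDAP_URI = "ldap://ldap.authing.cn:1389"
BIND_DN = "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn"


def write_secret_file(secret: str, directory: str = None) -> str:
    """Write the secret to a new file with mode 0600 and return its path.

    ldapsearch -y uses the *complete* file contents as the password, so the
    secret is written without a trailing newline.
    """
    fd, path = tempfile.mkstemp(prefix="ldap-secret-", dir=directory)
    try:
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)  # owner read/write only
        os.write(fd, secret.encode("utf-8"))
    finally:
        os.close(fd)
    return path


def secret_file_is_private(path: str) -> bool:
    """True if the file is a regular file with no group or world permission bits."""
    st = os.stat(path)
    return stat.S_ISREG(st.st_mode) and (st.st_mode & 0o077) == 0


def read_secret_file(path: str) -> str:
    with open(path, "r", encoding="utf-8") as fh:
        return fh.read()


def remove_secret_file(path: str) -> None:
    os.unlink(path)


def ldapsearch_argv(secret_path: str, base_dn: str = BIND_DN, scope: str = "sub",
                    ldap_filter: str = "(objectClass=*)",
                    attrs: Sequence[str] = ()) -> List[str]:
    """Build the ldapsearch argument vector, reading the bind password from secret_path (-y)."""
    argv = ["ldapsearch", "-H", LDAP_URI, "-x", "-D", BIND_DN, "-y", secret_path,
            "-LLL", "-b", base_dn, "-s", scope, ldap_filter]
    argv.extend(attrs)
    return argv


def argv_leaks_secret(argv: Sequence[str], secret: str) -> bool:
    """True if the secret would appear verbatim in the process's command line."""
    return any(secret in arg for arg in argv)


def run_search(secret: str, **kwargs) -> subprocess.CompletedProcess:
    """Run ldapsearch with the secret supplied through a private temporary file."""
    path = write_secret_file(secret)
    try:
        if not secret_file_is_private(path):
            raise PermissionError("secret file %s is readable by others" % path)
        return subprocess.run(ldapsearch_argv(path, **kwargs),
                              capture_output=True, text=True, check=False)
    finally:
        remove_secret_file(path)


if __name__ == "__main__":
    # The secret is taken from the environment here rather than typed into a shell line.
    result = run_search(os.environ["AUTHING_USERPOOL_SECRET"], scope="base")
    print(result.stdout or result.stderr)
```

The same `-y secretfile` option works for `ldapadd`, `ldapmodify`, `ldapdelete`, `ldapcompare`, `ldapmodrdn` and `ldapwhoami` in the sections below; only the argument vector differs.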
# Search
Search based on the user pool; the returned results include user data and organization data. `-LLL` restricts the output to the matching entries themselves, suppressing the comments and summary lines that ldapsearch otherwise prints. Without it, the output also includes the number of entries returned and some information about the request.

```bash
$ ldapsearch -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    -LLL \
    -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn"
```
# Search Filter
Search and filter based on the user pool; the returned results include user data and organization data.
# Equality
This search finds all entries under the user pool that have a `gender` attribute whose value is `U`. Because organizations do not have this attribute and only users do, the result contains only the users whose gender is `U`.

```bash
$ ldapsearch -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    -LLL \
    -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -s sub '(gender=U)'
```
# Inequality
Similar to equality, this search finds all entries under the user pool that have a `cn` (user name) attribute whose value is not `hahhaha`. Because organizations do not have this attribute and only users do, the result contains only the users whose `cn` is not `hahhaha`.

```bash
$ ldapsearch -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    -LLL \
    -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -s sub '(!(cn=hahhaha))'
```
# Greater than or equal to
Similar to the two above, this search finds all entries under the user pool that have a `loginsCount` attribute whose value is greater than or equal to 50. Because organizations do not have this attribute and only users do, the result contains only the users whose login count is greater than or equal to 50.

```bash
$ ldapsearch -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    -LLL \
    -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -s sub '(loginsCount>=50)'
```
# Less than or equal to
This search finds all entries under the user pool that have a `loginsCount` attribute whose value is less than or equal to 50. Because organizations do not have this attribute and only users do, the result contains only the users whose login count is less than or equal to 50.

```bash
$ ldapsearch -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    -LLL \
    -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -s sub '(loginsCount<=50)'
```
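The four filters above are typed by hand. When the value comes from user input (a search box, an API parameter), it must be escaped per RFC 4515 or the input can close the expression and add its own conditions. The added Python example below is not Authing's code; it builds the equality, negation, `>=` and `<=` filters from this section with that escaping, validates attribute names, and goes slightly beyond the page by also composing filters with `&` and `|`. No network access is needed.

```python
"""Build the LDAP search filters used above (equality, negation, >=, <=) with
RFC 4515 escaping so that user-supplied values cannot alter the filter.
Added example; not Authing's own code."""
import re
from typing import Union

# Attribute descriptions: a letter followed by letters, digits or hyphens (RFC 4512 keystring).
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def is_valid_attribute(name: str) -> bool:
    return bool(_ATTR_RE.match(name))


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a filter (RFC 4515 section 3).

    The filter metacharacters * ( ) and backslash, NUL, and every byte of a
    non-ASCII UTF-8 character are written as a backslash plus two hex digits.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in (0x2A, 0x28, 0x29, 0x5C, 0x00) or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def _assertion(attr: str, op: str, value: Union[str, int]) -> str:
    if not is_valid_attribute(attr):
        raise ValueError("invalid attribute description: %r" % attr)
    # Integers (loginsCount) contain no metacharacters; strings are escaped.
    text = str(value) if isinstance(value, int) else escape_filter_value(value)
    return "(%s%s%s)" % (attr, op, text)


def equality(attr: str, value: Union[str, int]) -> str:
    return _assertion(attr, "=", value)


def greater_or_equal(attr: str, value: Union[str, int]) -> str:
    return _assertion(attr, ">=", value)


def less_or_equal(attr: str, value: Union[str, int]) -> str:
    return _assertion(attr, "<=", value)


def not_(filt: str) -> str:
    return "(!%s)" % filt


def and_(*filts: str) -> str:
    return "(&" + "".join(filts) + ")"


def or_(*filts: str) -> str:
    return "(|" + "".join(filts) + ")"


if __name__ == "__main__":
    print(equality("gender", "U"))                # (gender=U)
    print(not_(equality("cn", "hahhaha")))        # (!(cn=hahhaha))
    print(greater_or_equal("loginsCount", 50))    # (loginsCount>=50)
    print(less_or_equal("loginsCount", 50))       # (loginsCount<=50)
    # A constructed hostile value: without escaping it would become (cn=*)(gender=U).
    print(equality("cn", "*)(gender=U"))          # (cn=\2a\29\28gender=U)
```

The escaped form of the hostile value is still a valid filter, but it now matches only a `cn` that literally contains the characters `*)(gender=U`, which is the behaviour a defender wants.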
# Search mode
```
dc=authing, dc=cn - Authing
└── o=YOUR_USERPOOL_ID - userPool
    └── ou=users - users (commonly used as BindDN and BaseDN)
        ├── uid=USER_ID - user
        └── o=develop - self-defined organization
            └── uid=USER_ID - members under the organization
```
# Base mode (find only the BaseDN entry)
As shown in the tree above, base mode finds and returns only the BaseDN entry itself, that is, the `ou=users` node of the user pool:

```
dn: ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn
...attribute related information...
```

```bash
$ ldapsearch -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -s base
```
# One mode (find only the child nodes directly under the BaseDN)
As shown in the tree above, one mode searches the BaseDN and the child nodes directly under it (but not their descendants) and returns the relevant information. In standard LDAP semantics (RFC 4511) a one-level search covers only the immediate children of the base entry; the base entry itself is returned by the base and sub scopes.

```
dn: ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn
...attribute related information...
dn: uid=USER1_ID,ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn
...attribute related information...
dn: o=develop,ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn
...attribute related information...
```

```bash
$ ldapsearch -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -s one
```
# Sub mode (find all nodes under the BaseDN)
As shown in the tree above, sub mode searches the BaseDN and every node beneath it, at any depth, and returns the relevant information:

```
dn: ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn
...attribute related information...
dn: uid=USER1_ID,ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn
...attribute related information...
dn: o=develop,ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn
...attribute related information...
dn: uid=USER2_ID,o=develop,ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn
...attribute related information...
```

```bash
$ ldapsearch -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -s sub
```
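To make the three scopes concrete without a live server, the added Python example below (not Authing's code) implements the RFC 4511 scope rules over the DNs from the tree above: it splits DNs into components (tolerating the optional spaces after commas this page uses and backslash-escaped commas inside values), checks whether an entry lies at or under the base, and selects entries by depth. It implements the standard rule that a one-level search returns the immediate children only, not the base entry itself. The DN list is constructed from the page's placeholders.

```python
"""Simulate LDAP search scopes (base, one, sub) over a list of DNs, following
RFC 4511 section 4.5.1.2. Added example; not Authing's own code."""
from typing import List

# Constructed sample of the tree documented above (placeholder ids as on the page).
SAMPLE_TREE = [
    "dc=authing, dc=cn",
    "o=YOUR_USERPOOL_ID,dc=authing, dc=cn",
    "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn",
    "uid=USER1_ID,ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn",
    "o=develop,ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn",
    "uid=USER2_ID,o=develop,ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn",
]
BASE_DN = "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn"


def dn_components(dn: str) -> List[str]:
    """Split a DN into RDNs, most specific first, ignoring whitespace around the
    separators and the case of attribute types. A backslash-escaped comma inside
    a value (RFC 4514) does not split. Attribute values are compared as written."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    normalised = []
    for rdn in parts:
        attr, _, value = rdn.strip().partition("=")
        normalised.append(attr.strip().lower() + "=" + value.strip())
    return normalised


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Decide whether entry_dn would be returned by a search with this base and scope."""
    entry, base = dn_components(entry_dn), dn_components(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # neither the base nor beneath it
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1  # immediate children only; the base itself is excluded
    if scope == "sub":
        return True        # the base and everything beneath it
    raise ValueError("unknown scope: %r" % scope)


def search(entries: List[str], base_dn: str, scope: str) -> List[str]:
    """Return the DNs from entries that the given base and scope would select."""
    return [dn for dn in entries if in_scope(dn, base_dn, scope)]


if __name__ == "__main__":
    for scope in ("base", "one", "sub"):
        print("-s", scope)
        for dn in search(SAMPLE_TREE, BASE_DN, scope):
            print("  dn:", dn)
```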
# Return result filtering (only return the specified attributes)
If you have used SQL, this function is similar to the column list of `select`. Without attribute filtering, the result may look like this:

```
dn: ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn
cn: testcn
username: testusername
uid: user1
...more properties...
```

With `dn` and `uid` listed at the end of the command, only those attributes are returned:

```
dn: ou=users, o=YOUR_USERPOOL_ID, dc=authing, dc=cn
uid: user1
```

```bash
$ ldapsearch -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -s sub dn uid
```
# Add
Create a `user.ldif` file and copy the following into it:

```ldif
dn: cn=username,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
objectClass: users
cn: username
```

Then execute the following command. This operation adds a new user to the user pool:

```bash
$ ldapadd -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    -f ./user.ldif
```
# Modify
Create a `modify.ldif` file and copy the following into it:

```ldif
dn: cn=username, ou=users, o=YOUR_USERPOOL_ID, dc=authing, dc=cn
changetype: modify
replace: mail
mail: test@example.com
```

Then execute the following command. This operation searches the user pool for the user identified by the `dn` in modify.ldif. If the entry is found, the operation named by `changetype` is applied to it, using the attribute information listed under `changetype`:

```bash
$ ldapmodify -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    -f ./modify.ldif
```
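The two LDIF files above are written by hand. The added Python example below is not Authing's code; it generates the same `add` and `modify` LDIF per RFC 2849 and handles the cases that hand-written LDIF gets wrong: values that are not SAFE-STRINGs (non-ASCII text, a leading space, colon or `<`, embedded line breaks) are written base64-encoded with the `::` separator, and lines longer than 76 characters are folded with a leading-space continuation. The DN and attribute values are the page's placeholders.

```python
"""Generate RFC 2849 LDIF for the add and modify operations shown above.
Added example; not Authing's own code."""
import base64
from typing import Dict, Iterable, Union

_LINE_WIDTH = 76  # RFC 2849: lines SHOULD be wrapped at 76 characters


def _is_safe_string(value: str) -> bool:
    """SAFE-STRING per RFC 2849: ASCII without NUL/CR/LF, not starting with a
    space, colon or '<'. A trailing space is also rejected, conservatively,
    because some parsers strip it."""
    if value == "":
        return True
    if not value.isascii() or any(c in value for c in "\x00\r\n"):
        return False
    if value[0] in " :<" or value[-1] == " ":
        return False
    return True


def _fold(line: str) -> str:
    """Fold a long line; continuation lines start with a single space."""
    if len(line) <= _LINE_WIDTH:
        return line
    pieces = [line[:_LINE_WIDTH]]
    rest = line[_LINE_WIDTH:]
    while rest:
        pieces.append(" " + rest[:_LINE_WIDTH - 1])
        rest = rest[_LINE_WIDTH - 1:]
    return "\n".join(pieces)


def ldif_attr(name: str, value: str) -> str:
    """One attribute line, base64-encoded (name:: ...) when the value is not safe."""
    if _is_safe_string(value):
        return _fold("%s: %s" % (name, value))
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return _fold("%s:: %s" % (name, encoded))


def add_entry_ldif(dn: str, attrs: Dict[str, Union[str, Iterable[str]]]) -> str:
    """LDIF for ldapadd: the DN followed by every attribute value."""
    lines = [ldif_attr("dn", dn)]
    for name, values in attrs.items():
        if isinstance(values, str):
            values = [values]
        for value in values:
            lines.append(ldif_attr(name, value))
    return "\n".join(lines) + "\n"


def modify_replace_ldif(dn: str, changes: Dict[str, str]) -> str:
    """LDIF for ldapmodify replacing each attribute with a single new value.
    Each modification is terminated by a line containing only '-'."""
    lines = [ldif_attr("dn", dn), "changetype: modify"]
    for name, value in changes.items():
        lines.append("replace: " + name)
        lines.append(ldif_attr(name, value))
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    user_dn = "cn=username,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn"
    print(add_entry_ldif(user_dn, {"objectClass": "users", "cn": "username"}))
    print(modify_replace_ldif(user_dn, {"mail": "test@example.com"}))
```

The `-` terminator after each modification is what lets several `replace`, `add` or `delete` changes be listed for one DN in a single `ldapmodify` run.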
# Delete
This operation finds the user in the user pool identified by the DN. If the entry is found, it is deleted. This is a sensitive operation.

```bash
$ ldapdelete -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    "cn=username, ou=users, o=YOUR_USERPOOL_ID, dc=authing, dc=cn"
```
# Other
# Compare
This operation checks whether the entry identified by the DN in the LDAP server's directory tree carries the specified attribute value (given as `attribute:value`). If it does, true is returned; otherwise false.

```bash
$ ldapcompare -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    "uid=uid,o=oid,ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    "gender:U"
```
# modifyDN
modifyDN is used to change the RDN of an entry in the LDAP server. The entry and its new RDN are given as standard entry information, for example `"cn=oldusername, o=Org_ID, ou=users, o=YOUR_USERPOOL_ID, dc=authing, dc=cn" "cn=newusername"`. Because most DN information, whether it is a user's DN or the DNs of the organization structure, is derived from ids, changing `cn=oldusername` is in effect the same as changing the user name.

```bash
$ ldapmodrdn -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET" \
    "cn=oldUserName,o=Org_ID,ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    "cn=newUserName"
```
# whoami
This is used to verify your identity against the LDAP server. If you enter the correct bind DN and password, the identity information is returned. If instead the error `ldap_bind: Invalid credentials (49)` is shown, this is usually caused by a wrong password; check the corresponding password and bind DN. The returned information looks like `test@example.com`.

```bash
$ ldapwhoami -H ldap://ldap.authing.cn:1389 \
    -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing, dc=cn" \
    -w "USERPOOL_SECRET"
```