%%
Last Updated:
- [[2021-02-09]]
%%
LDAP stands for Lightweight Directory Access Protocol and is a protocol used to query and modify entries in a directory (a hierarchical database). LDAP requests are structured differently from HTTP requests.
LDAP is commonly implemented over [[SSL]].
## LDAP request structure
### Thread bind
- Establishes a connection to the directory server; this can be over secure LDAP or plain LDAP.
#### Request
```text
Servername: oi2nftsecovdext-vip.oes.esptest.aurtest.national.com.au
Port: 7501
Username: uid=OSSSERVICEACCOUNT,ou=service accounts,ou=application admin,ou=user,ou=nab
Password: password
```
#### Response
```xml
<ldapanswer><operation><opertype>bind</opertype>
<baseobj/>
<binddn>uid=OSSSERVICEACCOUNT,ou=service accounts,ou=application admin,ou=user,ou=nab</binddn>
<connectionTO/>
</operation>
<responsecode>0</responsecode>
<responsemessage>Success</responsemessage>
</ldapanswer>
```
### Actions
- e.g. search
#### Request
```text
Search base: ou=user,ou=nab
Search Filter: (nagactualaccessid=${p_Users})
//where ${p_Users} is a file parameter in JMeter which contains user accounts.//
```
#### Response
```xml
<ldapanswer><operation><opertype>search</opertype>
<searchfilter>([email protected]_UBANK)</searchfilter>
<baseobj/>
<searchbase>ou=user,ou=nab</searchbase>
<scope>2</scope>
<countlimit>1</countlimit>
<timelimit>0</timelimit>
<searchresults><searchresult><dn>uid=27840,ou=web channel,ou=ubank,ou=user,ou=nab</dn>
<returnedattr>3</returnedattr>
<attributes><cn>100000266369, 27840</cn>
<nagSMSAuthNPhoneNumber>61403824308</nagSMSAuthNPhoneNumber>
<nagcgid>100000266369</nagcgid>
</attributes>
</searchresult>
</searchresults>
</operation>
<responsecode>0</responsecode>
<responsemessage>Success</responsemessage>
</ldapanswer>
```
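
The search step above substitutes a value from a parameter file straight into the filter, so a `*`, `(` or `)` in that file changes what the filter matches. The following is an added example, not part of the original notes: it escapes the value per RFC 4515 before building the filter, then parses an `<ldapanswer>` document and checks the result code, the filter the sampler echoed back, and the entry count. The function names are hypothetical, the sample XML is constructed with placeholder values, and the response is assumed to be well-formed XML as shown above.

```python
import xml.etree.ElementTree as ET

# RFC 4515: characters that must be written as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def build_filter(attr, value):
    """Build (attr=value) with the value escaped so it cannot alter the filter."""
    return "(%s=%s)" % (attr, "".join(_ESCAPES.get(c, c) for c in value))

def parse_ldapanswer(xml_text):
    """Turn an <ldapanswer> document into a plain dict."""
    root = ET.fromstring(xml_text)
    op = root.find("operation")
    entries = []
    for sr in op.iterfind("searchresults/searchresult"):
        attrs = {a.tag: a.text for a in sr.find("attributes")}
        entries.append({"dn": sr.findtext("dn"), "attrs": attrs})
    return {
        "opertype": op.findtext("opertype"),
        "filter": op.findtext("searchfilter"),
        "code": int(root.findtext("responsecode")),
        "message": root.findtext("responsemessage"),
        "entries": entries,
    }

def check_search(xml_text, expected_filter):
    """Return a list of problems; an empty list means the sample passed."""
    ans = parse_ldapanswer(xml_text)
    problems = []
    if ans["opertype"] != "search":
        problems.append("unexpected opertype %r" % ans["opertype"])
    if ans["code"] != 0:
        problems.append("LDAP result %d (%s)" % (ans["code"], ans["message"]))
    if ans["filter"] != expected_filter:
        problems.append("server was sent filter %r" % ans["filter"])
    if len(ans["entries"]) != 1:
        problems.append("expected 1 entry, got %d" % len(ans["entries"]))
    return problems

# Constructed sample modelled on the response above; all values are placeholders.
SAMPLE = """<ldapanswer><operation><opertype>search</opertype>
<searchfilter>(nagactualaccessid=user1)</searchfilter>
<searchresults><searchresult><dn>uid=1,ou=user,ou=example</dn>
<attributes><cn>user1</cn></attributes>
</searchresult></searchresults>
</operation>
<responsecode>0</responsecode>
<responsemessage>Success</responsemessage>
</ldapanswer>"""
```
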
### Thread unbind
#### Response
```xml
<ldapanswer><operation><opertype>unbind</opertype>
<baseobj/>
<binddn/>
</operation>
<responsecode>0</responsecode>
<responsemessage>Success</responsemessage>
</ldapanswer>
```
## Usage
At [[National Australia Bank]], capacity testing of the [[Oracle Security Stack]] required load to be injected from two sources: one external, simulating users logging in to the UBank Customer Portal, and one internal, going from UBank to the OVD ([[Oracle Virtual Directory]] and [[Oracle Internet Directory]]) to verify whether the users had permission to do various things (e.g. view transaction history, transfer funds, etc.).
## Useful tools for testing LDAP
- [[WireShark]]
    - Like [[Fiddler]], but for ALL requests, not just HTTP. Shows the exact requests that the client makes and the exact server response. Useful for determining whether or not JMeter has the appropriate permissions or configurations to actually send the LDAP request, as well as determining the reason that the connection is being reset.
- [[JExplorer]]
    - An LDAP administration tool written in Java
    - Allows importing of security certificates
    - Sends LDAP requests manually and views the structure of the directory being accessed.
- [[Softerra LDAP Administrator]] (2014.1)
    - Like JExplorer, but not in Java.
- [[LdapAdmin]]
    - Like [[Softerra LDAP Administrator]]