# Use Authing's LDAP user directory

Authing supports viewing, modifying, adding and deleting user information using the LDAP protocol. This page contains some basic information and tutorials.

# Basic information

| Information | Value |
| --- | --- |
| Hostname | ldap.authing.cn |
| Port | 1389 |
| LDAP Distinguished Name (BindDN) | ou=users, o=YOUR_USERPOOL_ID, dc=authing, dc=cn |
| Base DN | ou=users, o=YOUR_USERPOOL_ID, dc=authing, dc=cn |

The BindDN is used together with the secret to authenticate, while the BaseDN defines the point in the directory tree from which operations start.

    dc=authing,dc=cn                 - Authing
    └── o=YOUR_USERPOOL_ID           - user pool
        └── ou=users                 - users (commonly used as BindDN and BaseDN)
            ├── uid=USER_ID          - user
            └── o=develop            - self-defined organization
                └── uid=USER_ID      - members of the organization

# Authentication method

Access to the Authing LDAP server requires the Authing application key (secret). The authentication command is as follows.

Bind with the BindDN and the user pool secret, then search from the user pool; the returned results include both user data and organization data.

    $ ldapsearch -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        -LLL \
        -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn"

If the key (secret) is incorrect, the following information will be returned:

    ldap_bind: Invalid credentials (49)
        matched DN: ou=users, o=YOUR_USERPOOL_ID, dc=authing, dc=cn
        additional info: InvalidCredentialsError

Searching from the user pool returns both user data and organization data. `-LLL` restricts the output to the matching entries themselves; without it, ldapsearch also prints the number of entries in the result and some information about the request.

    $ ldapsearch -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        -LLL \
        -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn"

# Search Filter

Search with a filter from the user pool; the returned results include user data and organization data.

# Equality

This search finds all entries under the user pool that have a `gender` attribute whose value is `U`. Because organizations do not have this attribute and only users do, the result contains the users whose gender is `U`.

    $ ldapsearch -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        -LLL \
        -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -s sub '(gender=U)'

# Not equal

Similar to equality, this search finds all entries under the user pool whose `cn` (user name) attribute is not `hahhaha`. Because organizations do not have this attribute and only users do, the result contains the users whose user name is not `hahhaha`.

    $ ldapsearch -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        -LLL \
        -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -s sub '(!(cn=hahhaha))'

# Greater than or equal to

Similar to the two searches above, this search finds all entries under the user pool whose `loginsCount` attribute is greater than or equal to 50. Because organizations do not have this attribute and only users do, the result contains the users whose number of logins is greater than or equal to 50.

    $ ldapsearch -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        -LLL \
        -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -s sub '(loginsCount>=50)'

# Less than or equal to

This search finds all entries under the user pool whose `loginsCount` attribute is less than or equal to 50. Because organizations do not have this attribute and only users do, the result contains the users whose number of logins is less than or equal to 50.

    $ ldapsearch -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        -LLL \
        -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -s sub '(loginsCount<=50)'
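
The four filters above are usually built from values supplied by an application, not typed by hand. The following added example (not Authing code) builds them in Python and escapes the value as RFC 4515 requires, so a string such as `*)(uid=*` cannot change the meaning of the filter; the `ldapsearch_argv` helper and its use of `-y` to read the secret from a file instead of `-w` are assumptions of this example.

```python
import re

# Added example (not Authing code): build the filters used on this page from
# untrusted input. Values are escaped per RFC 4515 so a user-supplied string
# such as "*)(uid=*" cannot change the meaning of the filter.

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
_TEMPLATES = {
    "=": "({a}={v})",       # Equality
    "!=": "(!({a}={v}))",   # Not equal
    ">=": "({a}>={v})",     # Greater than or equal to
    "<=": "({a}<={v})",     # Less than or equal to
}


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(attribute: str, op: str, value: str) -> str:
    """Return one search filter, e.g. build_filter("gender", "=", "U")."""
    if not _ATTR_RE.fullmatch(attribute):
        raise ValueError(f"invalid attribute name: {attribute!r}")
    if op not in _TEMPLATES:
        raise ValueError(f"unsupported operator: {op!r}")
    return _TEMPLATES[op].format(a=attribute, v=escape_filter_value(value))


def and_filters(*filters: str) -> str:
    """Combine already-built filters with LDAP's prefix AND."""
    return "(&" + "".join(filters) + ")"


def ldapsearch_argv(userpool_id: str, secret_file: str, search_filter: str,
                    attributes=()) -> list:
    """argv for this page's ldapsearch command, as a list so no shell parses it.
    Assumption: the secret is read from a file with -y instead of being passed
    with -w, so it does not appear in the process list or shell history."""
    base_dn = f"ou=users,o={userpool_id},dc=authing,dc=cn"
    return ["ldapsearch", "-H", "ldap://ldap.authing.cn:1389", "-x", "-D", base_dn,
            "-y", secret_file, "-LLL", "-b", base_dn, "-s", "sub", search_filter,
            *attributes]
```

Pass the returned list to `subprocess.run` without `shell=True`; the filter and attribute names reach ldapsearch as single arguments regardless of their content.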

# Search mode

    dc=authing,dc=cn                 - Authing
    └── o=YOUR_USERPOOL_ID           - user pool
        └── ou=users                 - users (commonly used as BindDN and BaseDN)
            ├── uid=USER_ID          - user
            └── o=develop            - self-defined organization
                └── uid=USER_ID      - members of the organization

# Base mode (find only the basedn information)

As shown in the tree above, base mode finds and returns only the basedn entry, that is, the node information of the user pool.

    dn: ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
    ...attribute related information...

    $ ldapsearch -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -s base

# One mode (find only the child nodes under the basedn)

As shown in the tree above, one mode searches the basedn and the direct child nodes of the basedn and returns their information.

    dn: ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
    ...attribute related information...

    dn: uid=USER1_ID,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
    ...attribute related information...

    dn: o=develop,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
    ...attribute related information...

    $ ldapsearch -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -s one

# Sub mode (find all nodes under the basedn)

As shown in the tree above, sub mode searches the basedn and every node below it, at any depth, and returns their information.

    dn: ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
    ...attribute related information...

    dn: uid=USER1_ID,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
    ...attribute related information...

    dn: o=develop,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
    ...attribute related information...

    dn: uid=USER2_ID,o=develop,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
    ...attribute related information...

    $ ldapsearch -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -s sub

# Return result filtering (only return the specified attributes)

If you have used SQL, this function is similar to choosing the columns of a `select`. Without attribute filtering, the result may look like this:

    dn: ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
    cn: testcn
    username: testusername
    uid: user1
    ...more attributes...

When the requested attributes are listed after the filter (here `dn` and `uid`), only those are returned:

    dn: ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
    uid: user1

    $ ldapsearch -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        -b "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -s sub dn uid

# Add

Create a file named `user.ldif` with the following content:

    dn: cn=username,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
    objectClass: users
    cn: username

Then execute the following command. This operation adds a new user to the user pool:

    $ ldapadd -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        -f ./user.ldif

# Modify

Create a file named `modify.ldif` with the following content:

    dn: cn=username,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn
    changetype: modify
    replace: mail
    mail: test@example.com

Then execute the following command.

This operation looks up the user in the user pool by the `dn` given in `modify.ldif`. If the entry is found, the operation named by `changetype` is applied to it, using the attribute and values listed after `changetype`:

    $ ldapmodify -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        -f ./modify.ldif
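
Applications usually generate `modify.ldif` rather than write it by hand. The following added example (not Authing code) produces the file above from Python and follows RFC 2849's encoding rule, which the hand-written sample does not need to show: a value that starts with a space, `:` or `<`, or that contains non-ASCII or control characters, is base64-encoded and written with `::` so `ldapmodify` does not misparse it. The `-` separator after each change is the RFC 2849 form and is accepted by ldapmodify.

```python
import base64

# Added example (not Authing code): generate a modify.ldif for ldapmodify.
# RFC 2849 requires values that are not "SAFE-STRING" to be base64-encoded
# and written as "attr:: <base64>" instead of "attr: <value>".

_ALLOWED_OPS = ("replace", "add", "delete")


def _is_safe(value: str) -> bool:
    """True if the value may be written in plain form (RFC 2849 SAFE-STRING)."""
    if value == "":
        return True
    if value[0] in " :<":          # SAFE-INIT-CHAR excludes space, colon, '<'
        return False
    return all(0x20 <= ord(ch) < 0x7F for ch in value)  # printable ASCII only


def ldif_line(attr: str, value: str) -> str:
    """One attribute line, base64-encoding the value when it is not safe."""
    if _is_safe(value):
        return f"{attr}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{attr}:: {encoded}"


def modify_ldif(dn: str, changes) -> str:
    """Build a changetype: modify record.

    changes is a list of (op, attribute, values) tuples, where op is one of
    replace / add / delete and values is a list of strings (empty for a
    delete that removes the whole attribute)."""
    lines = [ldif_line("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        if op not in _ALLOWED_OPS:
            raise ValueError(f"unsupported modify operation: {op!r}")
        lines.append(f"{op}: {attr}")
        lines.extend(ldif_line(attr, v) for v in values)
        lines.append("-")  # RFC 2849 terminates each modification with "-"
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample matching the modify.ldif shown on this page.
    print(modify_ldif("cn=username,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn",
                      [("replace", "mail", ["test@example.com"])]), end="")
```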

# Delete

This operation finds the user in the user pool by the given DN and, if the entry is found, deletes it. This is a sensitive operation.

    $ ldapdelete -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        "cn=username,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn"

# Other

# compare

This operation checks whether the entry at the given DN in the LDAP directory tree carries the specified attribute value. If it does, it returns true; otherwise it returns false.

    $ ldapcompare -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        "uid=uid,o=oid,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        "gender:U"

# modifyDN

modifyDN is used to change the RDN of an entry in the LDAP server. It takes the entry's current DN and the new RDN as input, for example `"cn=oldUserName,o=Org_ID,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn"` and `"cn=newUserName"`. Because most of the DN components of both users and the organization structure are ID-derived values, changing `cn=oldUserName` is in practice equivalent to changing the user name.

    $ ldapmodrdn -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET" \
        "cn=oldUserName,o=Org_ID,ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        "cn=newUserName"

# whoami

It is used to verify the identity with which you are bound to the LDAP server. If you enter the correct bind DN and password, the bound identity is returned; otherwise the `ldap_bind: Invalid credentials (49)` error is shown. This is usually caused by a wrong password, so check the password and the bind DN. Returned information: test@example.com

    $ ldapwhoami -H ldap://ldap.authing.cn:1389 \
        -x -D "ou=users,o=YOUR_USERPOOL_ID,dc=authing,dc=cn" \
        -w "USERPOOL_SECRET"