Tuesday, November 22, 2011

LDAP Tool of the Day - getrootDSE

I'm an LDAP guy.  I'm not even sure what that means, but I am one.  I spend a lot of my work time looking at LDAPs.  For the purists, I look at directories.  LDAP is just an interface to the directory.  If I look at the protocol with Wireshark, does that mean I am looking at LDAPs, 'cause I do that too.  Can you really look at a directory?  I've never been to our data centers.  Where was I?

There are a lot of great tools for working with LDAP, but there is always room for one more, right?  A common task for me is looking at the contents of the Root DSE and verifying the SSL certificate being used, if SSL is used.

For those not familiar with the root DSE, it is an entry offered by all LDAP servers.  Its DN is null or empty, depending on how you interpret the RFCs.  It almost always accepts unauthenticated connections and lists information about the contents and capabilities of the LDAP server.  It will usually list the supported LDAP controls, the authentication types offered, and often the naming contexts it holds.  Different vendors list different data, and it is this data that I am often interested in.

Here are a few typical entries:
Active Directory Domain Controller 

currentTime: 20111123000138.0Z
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=example,DC=org
dsServiceName: CN=NTDS Settings,CN=mydomcontr08,CN=Servers,CN=Food,CN=Sites,CN=Co
namingContexts: DC=example,DC=org
namingContexts: CN=Configuration,DC=example,DC=org
namingContexts: CN=Schema,CN=Configuration,DC=example,DC=org
defaultNamingContext: DC=example,DC=org
schemaNamingContext: CN=Schema,CN=Configuration,DC=example,DC=org
configurationNamingContext: CN=Configuration,DC=example,DC=org
rootDomainNamingContext: DC=example,DC=org
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.801
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 1.2.840.113556.1.4.528
supportedControl: 1.2.840.113556.1.4.417
supportedControl: 1.2.840.113556.1.4.619
supportedControl: 1.2.840.113556.1.4.841
supportedControl: 1.2.840.113556.1.4.529
supportedControl: 1.2.840.113556.1.4.805
supportedControl: 1.2.840.113556.1.4.521
supportedControl: 1.2.840.113556.1.4.970
supportedControl: 1.2.840.113556.1.4.1338
supportedControl: 1.2.840.113556.1.4.474
supportedControl: 1.2.840.113556.1.4.1339
supportedControl: 1.2.840.113556.1.4.1340
supportedControl: 1.2.840.113556.1.4.1413
supportedControl: 2.16.840.1.113730.3.4.9
supportedControl: 2.16.840.1.113730.3.4.10
supportedControl: 1.2.840.113556.1.4.1504
supportedControl: 1.2.840.113556.1.4.1852
supportedControl: 1.2.840.113556.1.4.802
supportedControl: 1.2.840.113556.1.4.1907
supportedControl: 1.2.840.113556.1.4.1948
supportedControl: 1.2.840.113556.1.4.1974
supportedControl: 1.2.840.113556.1.4.1341
supportedControl: 1.2.840.113556.1.4.2026
supportedLDAPVersion: 3
supportedLDAPVersion: 2
supportedLDAPPolicies: MaxPoolThreads
supportedLDAPPolicies: MaxDatagramRecv
supportedLDAPPolicies: MaxReceiveBuffer
supportedLDAPPolicies: InitRecvTimeout
supportedLDAPPolicies: MaxConnections
supportedLDAPPolicies: MaxConnIdleTime
supportedLDAPPolicies: MaxPageSize
supportedLDAPPolicies: MaxQueryDuration
supportedLDAPPolicies: MaxTempTableSize
supportedLDAPPolicies: MaxResultSetSize
supportedLDAPPolicies: MaxNotificationPerConn
supportedLDAPPolicies: MaxValRange
highestCommittedUSN: 124867805
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
dnsHostName: mydomcontr08.example.ORG
ldapServiceName: example.ORG:mydomcontr08$@example.ORG
serverName: CN=mydomcontr08,CN=Servers,CN=Food,CN=Sites,CN=Configuration,DC=examp
supportedCapabilities: 1.2.840.113556.1.4.800
supportedCapabilities: 1.2.840.113556.1.4.1670
supportedCapabilities: 1.2.840.113556.1.4.1791
supportedCapabilities: 1.2.840.113556.1.4.1935
isSynchronized: TRUE
isGlobalCatalogReady: TRUE
domainFunctionality: 2
forestFunctionality: 2
domainControllerFunctionality: 3

Oracle Virtual Directory
namingContexts: ou=Groups,dc=example,dc=com
namingContexts: ou=admins,dc=example,dc=com
namingContexts: ou=employees,dc=example,dc=com
namingContexts: ou=IDMUsers,dc=idm.example,dc=com
namingContexts: ou=partners,dc=example,dc=com
namingContexts: OU=portal users,dc=example,dc=com
namingContexts: dc=example,dc=com
namingContexts: ou=OIDUsers,dc=idm.example,dc=com
objectClass: top
subschemaSubEntry: cn=schema
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: CRAM-MD5
supportedLDAPVersion: 2
supportedLDAPVersion: 3

Oracle Internet Directory
supportedsaslmechanisms: DIGEST-MD5
supportedldapversion: 2
supportedldapversion: 3
supportedextension: 2.16.840.1.113894.1.9.1
supportedcontrol: 2.16.840.1.113730.3.4.2
supportedcontrol: 2.16.840.1.113894.1.8.1
supportedcontrol: 2.16.840.1.113894.1.8.2
supportedcontrol: 2.16.840.1.113894.1.8.3
supportedcontrol: 2.16.840.1.113894.1.8.4
supportedcontrol: 2.16.840.1.113894.1.8.5
supportedcontrol: 2.16.840.1.113894.1.8.6
supportedcontrol: 2.16.840.1.113894.1.8.7
supportedcontrol: 1.2.840.113556.1.4.473
supportedcontrol: 1.2.840.113556.1.4.319
supportedcontrol: 2.16.840.1.113894.1.8.14
supportedcontrol: 2.16.840.1.113894.1.8.16
supportedcontrol: 2.16.840.1.113894.1.8.23
supportedcontrol: 2.16.840.1.113894.1.8.29
subschemasubentry: cn=subschemasubentry
subregistrysubentry: cn=subregistrysubentry
subconfigsubentry: cn=subconfigsubentry
pwdpolicysubentry: cn=default,cn=pwdPolicies,cn=Common,cn=Products,cn=OracleCont
orclupgradeinprogress: FALSE
orcltimelimit: 3600
orclstatsperiodicity: 60
orclstatslevel: 0
orclstatsflag: 0
orclsizelimit: 100000
orclsimplemodchglogattributes: uniquemember
orclsimplemodchglogattributes: member
orclsimplemodchglogattributes: orcluserapplnprovstatus
orclsimplemodchglogattributes: orcluserapplnprovstatusdesc
orclsimplemodchglogattributes: orcluserprovfailurecount
orclservermode: rw
orclreplicaid: prdoidx401_poid1
orclreplagreements: cn=replication configuration
orcloptcontainsquery: 0
orclnormdn:: IA==
orclmaxtcpidleconntime: 120
orclmatchdnenabled: 0
orcllegacyoidsyncagent: cn=odisrv+orclhostname=prdoidx001,cn=Registered Instance
 s,cn=Directory Integration Platform,cn=Products,cn=OracleContext
orcllegacyoidsyncagent: cn=odisrv+orclhostname=prdoidx401,cn=Registered Instance
 s,cn=Directory Integration Platform,cn=Products,cn=OracleContext
orcllegacyoidsyncagent: cn=odisrv+orclhostname=prdoidx002,cn=Registered Instance
 s,cn=Directory Integration Platform,cn=Products,cn=OracleContext
orcllegacyoidsyncagent: cn=odisrv+orclhostname=prdoidx402,cn=Registered Instance
 s,cn=Directory Integration Platform,cn=Products,cn=OracleContext
orcleventlevel: 0
orclentrylevelaci: access to entry by * (browse, noadd, nodelete)
orclentrylevelaci: access to attr=(orclaci,orclguname,orclgupassword,orclprname,
 orclprpassword,orclcryptoscheme,orclsuname,orclsupassword) by * (none)
orclentrylevelaci: access to attr=(*) by * (search, read, nowrite, nocompare)
orclentrylevelaci: access to attr=(*) AppendToAll by group="cn=directoryadmingro
 up,cn=oracle internet directory" (search,read,write,compare)
orclentrylevelaci: access to entry AppendToAll by group="cn=directoryadmingroup,
 cn=oracle internet directory" (browse,add,delete)
orclentrylevelaci: access to attr=(orclstatsflag, orclstatsperiodicity,orclevent
 level) by dn="cn=emd admin,cn=oracle internet directory" (search,read,write,com
 pare) by * (search,read)
orclenablegroupcache: 1
orclecachemaxsize: 10000000
orclecachemaxentries: 25000
orclecacheenabled: 1
orcldirectoryversion: OID
orcldiprepository: FALSE
orcldebugop: 511
orcldebugflag: 0
orclcatalogentrydn: cn=catalogs
orclauditlevel: 0
orclanonymousbindsflag: 1
matchingrules: distinguishedNameMatch
matchingrules: caseIgnoreMatch
matchingrules: caseExactMatch
matchingrules: numericStringMatch
matchingrules: telephoneNumberMatch
changestatus: cn=changestatus
changelog: cn=changelog
authpassword;oid: {SASL/MD5}sHex432oGONWYembe52eKA==
authpassword;oid: {SASL/MD5-DN}UpdstrkdNdL5mxyQ8wFP5iQ==
authpassword;oid: {SASL/MD5-U}m0/awjpasdf346gaKaIHs9UQ==

One can get all of this via the command line with ldapsearch.  For Windows, I use the OpenDS version.

>ldapsearch -h host.name.org  -p 389 -w "" -b "" -s base  objectclass=*

I often forget the command, and if you need SSL, then you need to add -Z -X.  Really, the -X is something I'd complain about in most contexts, as it accepts any SSL cert.  In this case, I mean to investigate the cert as well.

This gets me the LDAP info, but then I'd need to use openssl to get the SSL and cert info.

>openssl s_client -connect ovd.internal.example.com:636
This gives me the connection info:

Loading 'screen' into random state - done
depth=3 CN = Example USA Root CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate chain
 0 s:/C=US/ST=Washington/L=Bothell/O=Example USA, Inc./OU=Internal Systems/CN=ovd.internal.Example.com
   i:/DC=org/DC=Example/CN=Example USA Issuer CA 02
 1 s:/DC=org/DC=Example/CN=Example USA Issuer CA 02
   i:/CN=Example USA Intermediate CA 01
 2 s:/CN=Example USA Intermediate CA 01
   i:/CN=Example USA Root CA
 3 s:/CN=Example USA Root CA
   i:/CN=Example USA Root CA
Server certificate
subject=/C=US/ST=Washington/L=Bothell/O=Example USA, Inc./OU=Internal Systems/CN=ovd.internal.Example.com
issuer=/DC=org/DC=Example/CN=Example USA Issuer CA 02
No client certificate CA names sent
SSL handshake has read 6038 bytes and written 368 bytes
New, TLSv1/SSLv3, Cipher is EDH-RSA-DES-CBC3-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
    Protocol  : TLSv1
    Cipher    : EDH-RSA-DES-CBC3-SHA
    Session-ID: 4ECC3B5303F3EAB7AFDD9452D7671A08CA4E345DF07F7FF3A76A3B9C62B2DA10
    Master-Key: B074BCE20BBF51B4EF420994309A4CC3DD85DB48F9CB6C5305F984A936FD6B659588C942B63FBC0228EF570D7E05777F
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1322007377
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)

Lastly, I have to cut and paste the certificate into a file and use openssl to read it.
>openssl asn1parse -in "cert.pem"

    0:d=0  hl=4 l=1557 cons: SEQUENCE
    4:d=1  hl=4 l=1277 cons: SEQUENCE
    8:d=2  hl=2 l=   3 cons: cont [ 0 ]
   10:d=3  hl=2 l=   1 prim: INTEGER       :02
   13:d=2  hl=2 l=  10 prim: INTEGER       :377AD6B200010005AAED
   25:d=2  hl=2 l=  13 cons: SEQUENCE
   27:d=3  hl=2 l=   9 prim: OBJECT        :sha1WithRSAEncryption
   38:d=3  hl=2 l=   0 prim: NULL
   40:d=2  hl=2 l=  82 cons: SEQUENCE
   42:d=3  hl=2 l=  19 cons: SET
   44:d=4  hl=2 l=  17 cons: SEQUENCE
   46:d=5  hl=2 l=  10 prim: OBJECT        :domainComponent
   58:d=5  hl=2 l=   3 prim: IA5STRING     :org
   63:d=3  hl=2 l=  23 cons: SET
   65:d=4  hl=2 l=  21 cons: SEQUENCE
   67:d=5  hl=2 l=  10 prim: OBJECT        :domainComponent
   79:d=5  hl=2 l=   7 prim: IA5STRING     :gsm1900
   88:d=3  hl=2 l=  34 cons: SET
   90:d=4  hl=2 l=  32 cons: SEQUENCE
   92:d=5  hl=2 l=   3 prim: OBJECT        :commonName
   97:d=5  hl=2 l=  25 prim: PRINTABLESTRING   :Example USA Issuer CA 02
  124:d=2  hl=2 l=  30 cons: SEQUENCE
  126:d=3  hl=2 l=  13 prim: UTCTIME       :110130015629Z
  141:d=3  hl=2 l=  13 prim: UTCTIME       :120130015629Z
  156:d=2  hl=3 l= 144 cons: SEQUENCE
  159:d=3  hl=2 l=  11 cons: SET
  161:d=4  hl=2 l=   9 cons: SEQUENCE
  163:d=5  hl=2 l=   3 prim: OBJECT        :countryName
  168:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
  172:d=3  hl=2 l=  19 cons: SET
  174:d=4  hl=2 l=  17 cons: SEQUENCE
  176:d=5  hl=2 l=   3 prim: OBJECT        :stateOrProvinceName
  181:d=5  hl=2 l=  10 prim: PRINTABLESTRING   :Washington
  193:d=3  hl=2 l=  16 cons: SET
  195:d=4  hl=2 l=  14 cons: SEQUENCE
  197:d=5  hl=2 l=   3 prim: OBJECT        :localityName
  202:d=5  hl=2 l=   7 prim: PRINTABLESTRING   :Bothell
  211:d=3  hl=2 l=  27 cons: SET
  213:d=4  hl=2 l=  25 cons: SEQUENCE
  215:d=5  hl=2 l=   3 prim: OBJECT        :organizationName
  220:d=5  hl=2 l=  18 prim: PRINTABLESTRING   :Example USA, Inc.
  240:d=3  hl=2 l=  25 cons: SET
  242:d=4  hl=2 l=  23 cons: SEQUENCE
  244:d=5  hl=2 l=   3 prim: OBJECT        :organizationalUnitName
  249:d=5  hl=2 l=  16 prim: PRINTABLESTRING   :Internal Systems
  267:d=3  hl=2 l=  34 cons: SET
  269:d=4  hl=2 l=  32 cons: SEQUENCE
  271:d=5  hl=2 l=   3 prim: OBJECT        :commonName
  276:d=5  hl=2 l=  25 prim: PRINTABLESTRING   :ovd.internal.Example.com
  303:d=2  hl=3 l= 159 cons: SEQUENCE
  306:d=3  hl=2 l=  13 cons: SEQUENCE
  308:d=4  hl=2 l=   9 prim: OBJECT        :rsaEncryption
  319:d=4  hl=2 l=   0 prim: NULL
  321:d=3  hl=3 l= 141 prim: BIT STRING
  465:d=2  hl=4 l= 816 cons: cont [ 3 ]
  469:d=3  hl=4 l= 812 cons: SEQUENCE
  473:d=4  hl=2 l=  29 cons: SEQUENCE
  475:d=5  hl=2 l=   3 prim: OBJECT        :X509v3 Subject Key Identifier
  480:d=5  hl=2 l=  22 prim: OCTET STRING      [HEX DUMP]:0414D5FBEBB564FC0855035A02C36F05D3BE6AB6D990
  504:d=4  hl=2 l=  31 cons: SEQUENCE
  506:d=5  hl=2 l=   3 prim: OBJECT        :X509v3 Authority Key Identifier
  511:d=5  hl=2 l=  24 prim: OCTET STRING      [HEX DUMP]:30168014688A27CD6281B170FAC4A241E1F84927278B3A00
  537:d=4  hl=4 l= 305 cons: SEQUENCE
  541:d=5  hl=2 l=   3 prim: OBJECT        :X509v3 CRL Distribution Points
  546:d=5  hl=4 l= 296 prim: OCTET STRING      [HEX DUMP]:  
  846:d=4  hl=4 l= 294 cons: SEQUENCE
  850:d=5  hl=2 l=   8 prim: OBJECT        :Authority Information Access
  860:d=5  hl=4 l= 280 prim: OCTET STRING      [HEX DUMP]:
 1144:d=4  hl=2 l=  12 cons: SEQUENCE
 1146:d=5  hl=2 l=   3 prim: OBJECT        :X509v3 Basic Constraints
 1151:d=5  hl=2 l=   1 prim: BOOLEAN       :255
 1154:d=5  hl=2 l=   2 prim: OCTET STRING      [HEX DUMP]:3000
 1158:d=4  hl=2 l=  11 cons: SEQUENCE
 1160:d=5  hl=2 l=   3 prim: OBJECT        :X509v3 Key Usage
 1165:d=5  hl=2 l=   4 prim: OCTET STRING      [HEX DUMP]:030205A0
 1171:d=4  hl=2 l=  62 cons: SEQUENCE
 1173:d=5  hl=2 l=   9 prim: OBJECT        :
 1184:d=5  hl=2 l=  49 prim: OCTET STRING      [HEX DUMP]:302F06272B0601040182371508AFAB1B85DD9D4F82E999398785C52C83F1EE
 1235:d=4  hl=2 l=  19 cons: SEQUENCE
 1237:d=5  hl=2 l=   3 prim: OBJECT        :X509v3 Extended Key Usage
 1242:d=5  hl=2 l=  12 prim: OCTET STRING      [HEX DUMP]:300A06082B06010505070301
 1256:d=4  hl=2 l=  27 cons: SEQUENCE
 1258:d=5  hl=2 l=   9 prim: OBJECT        :
 1269:d=5  hl=2 l=  14 prim: OCTET STRING      [HEX DUMP]:300C300A06082B06010505070301
 1285:d=1  hl=2 l=  13 cons: SEQUENCE
 1287:d=2  hl=2 l=   9 prim: OBJECT        :sha1WithRSAEncryption
 1298:d=2  hl=2 l=   0 prim: NULL
 1300:d=1  hl=4 l= 257 prim: BIT STRING

I can get 98% of what I need in one command with my new tool:

>getrootdse myORG.org 636 ssl

Performing a RootDSE search ...
supportedSASLMechanisms   is GSSAPI
supportedSASLMechanisms   is GSS-SPNEGO
supportedSASLMechanisms   is EXTERNAL
supportedSASLMechanisms   is DIGEST-MD5
defaultNamingContext   is DC=myORG,DC=org
domainControllerFunctionality   is 3
ldapServiceName   is myORG.org:myDomcontr01$@myORG.ORG
supportedLDAPVersion   is 3
supportedLDAPVersion   is 2
dsServiceName   is CN=NTDS Settings,CN=myDomcontr01,CN=Servers,CN=myORG-West,CN=Sites,CN=Configurati
subschemaSubentry   is CN=Aggregate,CN=Schema,CN=Configuration,DC=myORG,DC=org
supportedLDAPPolicies   is MaxPoolThreads
supportedLDAPPolicies   is MaxDatagramRecv
supportedLDAPPolicies   is MaxReceiveBuffer
supportedLDAPPolicies   is InitRecvTimeout
supportedLDAPPolicies   is MaxConnections
supportedLDAPPolicies   is MaxConnIdleTime
supportedLDAPPolicies   is MaxPageSize
supportedLDAPPolicies   is MaxQueryDuration
supportedLDAPPolicies   is MaxTempTableSize
supportedLDAPPolicies   is MaxResultSetSize
supportedLDAPPolicies   is MaxNotificationPerConn
supportedLDAPPolicies   is MaxValRange
isSynchronized   is TRUE
dnsHostName   is myDomcontr01.myORG.org
supportedControl   is 1.2.840.113556.1.4.319
supportedControl   is 1.2.840.113556.1.4.801
supportedControl   is 1.2.840.113556.1.4.473
supportedControl   is 1.2.840.113556.1.4.528
supportedControl   is 1.2.840.113556.1.4.417
supportedControl   is 1.2.840.113556.1.4.619
supportedControl   is 1.2.840.113556.1.4.841
supportedControl   is 1.2.840.113556.1.4.529
supportedControl   is 1.2.840.113556.1.4.805
supportedControl   is 1.2.840.113556.1.4.521
supportedControl   is 1.2.840.113556.1.4.970
supportedControl   is 1.2.840.113556.1.4.1338
supportedControl   is 1.2.840.113556.1.4.474
supportedControl   is 1.2.840.113556.1.4.1339
supportedControl   is 1.2.840.113556.1.4.1340
supportedControl   is 1.2.840.113556.1.4.1413
supportedControl   is 2.16.840.1.113730.3.4.9
supportedControl   is 2.16.840.1.113730.3.4.10
supportedControl   is 1.2.840.113556.1.4.1504
supportedControl   is 1.2.840.113556.1.4.1852
supportedControl   is 1.2.840.113556.1.4.802
supportedControl   is 1.2.840.113556.1.4.1907
supportedControl   is 1.2.840.113556.1.4.1948
supportedControl   is 1.2.840.113556.1.4.1974
supportedControl   is 1.2.840.113556.1.4.1341
supportedControl   is 1.2.840.113556.1.4.2026
isGlobalCatalogReady   is TRUE
forestFunctionality   is 2
supportedCapabilities   is 1.2.840.113556.1.4.800
supportedCapabilities   is 1.2.840.113556.1.4.1670
supportedCapabilities   is 1.2.840.113556.1.4.1791
supportedCapabilities   is 1.2.840.113556.1.4.1935
highestCommittedUSN   is 376377966
rootDomainNamingContext   is DC=myORG,DC=org
schemaNamingContext   is CN=Schema,CN=Configuration,DC=myORG,DC=org
namingContexts   is DC=myORG,DC=org
namingContexts   is CN=Configuration,DC=myORG,DC=org
namingContexts   is CN=Schema,CN=Configuration,DC=myORG,DC=org
configurationNamingContext   is CN=Configuration,DC=myORG,DC=org
serverName   is CN=myDomcontr01,CN=Servers,CN=myORG-West,CN=Sites,CN=Configuration,DC=myORG,DC=org

currentTime   is 20111123004547.0Z
domainFunctionality   is 2

RootDSE search completed.

SSL for encryption is enabled
SSL information:
    cipher strength: 128
    exchange strength: 1024
    protocol: Tls1Client
    hash strength: 160
    algorithm: Aes128
    KeyExAlgo: 41984

The certificate did NOT validate correctly
The cert information is:
  Subject: CN=myDomcontr01.myORG.org
 Issuer: CN=myORG USA Issuer CA 06 v1, DC=myORG, DC=org
 Expires: 8/21/2012 6:46:46 AM
 Hash: 6D8F0501B7881A0DCCC84E1DCF4E1DF0646A4479
 Public Key: 30818902818100C9D8ADE08D8CC893934C95AFF45DCFAB317B83CD0A93D659B181B8AB476D49954F94E2EE148C9A095C86592DCA458
 Serial: 1BC1C68D000000005EC9
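As an added illustration of how a tool like this fits together (this is not the post's own getrootdse source, which is linked below), here is a System.DirectoryServices.Protocols program that does the same root DSE search, takes the same `host port [ssl]` arguments, and reports the SSL session and certificate from the verification callback; the assumed class and method names are mine.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;

// Added example, not the post's getrootdse source.  Usage: GetRootDse <host> <port> [ssl]
class GetRootDse
{
    // Filled in by the certificate callback so the result can be reported after the bind.
    static X509Certificate2 serverCert;
    static bool certValidated;

    static bool ReportCert(LdapConnection conn, X509Certificate cert)
    {
        serverCert = new X509Certificate2(cert);
        certValidated = serverCert.Verify();   // chain and validity check; the hostname is NOT checked here
        // Diagnostic tool: accept the session regardless so it can be reported on.
        // A normal client must return certValidated here instead of true.
        return true;
    }

    static void Main(string[] args)
    {
        string host = args[0];
        int port = int.Parse(args[1]);
        bool ssl = args.Length > 2 && args[2].ToLower() == "ssl";

        LdapConnection conn = new LdapConnection(new LdapDirectoryIdentifier(host, port));
        conn.AuthType = AuthType.Anonymous;          // the root DSE is readable without credentials
        conn.SessionOptions.ProtocolVersion = 3;
        if (ssl)
        {
            conn.SessionOptions.SecureSocketLayer = true;   // LDAPS, e.g. port 636
            conn.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ReportCert);
        }
        conn.Bind();

        // The root DSE: base DN "", scope base, filter (objectClass=*), all attributes.
        SearchRequest req = new SearchRequest("", "(objectClass=*)", SearchScope.Base, null);
        SearchResponse resp = (SearchResponse)conn.SendRequest(req);
        Console.WriteLine("Performing a RootDSE search ...");
        foreach (SearchResultEntry entry in resp.Entries)
            foreach (DirectoryAttribute attr in entry.Attributes.Values)
                foreach (object val in attr.GetValues(typeof(string)))
                    Console.WriteLine("{0}   is {1}", attr.Name, val);

        if (ssl)
        {
            SecurityPackageContextConnectionInformation s = conn.SessionOptions.SslInformation;
            Console.WriteLine("SSL: {0} {1} bit, exchange {2} bit, {3}, hash {4} {5} bit",
                s.AlgorithmIdentifier, s.CipherStrength, s.ExchangeStrength, s.Protocol, s.Hash, s.HashStrength);
            Console.WriteLine("The certificate did {0}validate correctly", certValidated ? "" : "NOT ");
            Console.WriteLine("  Subject: {0}\n  Issuer: {1}\n  Expires: {2}\n  Hash: {3}\n  Serial: {4}",
                serverCert.Subject, serverCert.Issuer, serverCert.NotAfter, serverCert.Thumbprint, serverCert.SerialNumber);
        }
        conn.Dispose();
    }
}
```

Verify() builds the chain against the local certificate store, which is why a corporate-CA chain like the one above reports as not validating on a machine that does not trust that root; it does not compare the subject to the host name you connected to.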

Here's the C# code

the .NET 2.0 assembly.

