REBA - OpenLDAP tools

The OpenLDAP tools are the supported method to manage requests via REBA on non-Windows systems. The ldapsearch tool can be used to review pending requests and results. The ldapmodify tool can be used to submit requests or cancel pending requests. The ldapmodify tool accepts information from either standard input or via an LDIF file but only the LDIF file method is supported by the Active Directory team. The ldapsearch and ldapmodify tools support authentication either using a simple bind or using Kerberos via SASL. The latter is the preferred method and utilized throughout the documentation below. See the notes section at the end for details about authentication via simple bind.

Prerequisites

  1. The system must be on UT Net or connected to the UT VPN service.

    • This is required to support Kerberos authentication

  2. The system must have the OpenLDAP tools and Kerberos client tools installed.

    • The OpenLDAP tools and Kerberos client tools are pre-installed on macOS systems

    • The OpenLDAP tools and Kerberos client tools can be installed on RedHat systems by running the following command:

      yum install openldap-clients krb5-workstation

    • The OpenLDAP tools and Kerberos client tools can be installed on Ubuntu systems by running the following command (the Ubuntu package is named ldap-utils):

      apt-get install ldap-utils krb5-user

Authenticate to Active Directory

  1. Start a command line shell

  2. Modify then run the following command to retrieve a Kerberos ticket:

    # replace 'example-abc123' with your department administrator account
    kinit example-abc123@AUSTIN.UTEXAS.EDU

Review requests

  1. Complete the steps in the authenticate to Active Directory section above.

  2. Modify then run the following command to review the pending request: 

Review results

  1. Complete the steps in the authenticate to Active Directory section above.

  2. Modify then run the following command to review the results: 

Create a request

  1. Determine the required properties for the request from one of the following pages:

  2. Modify the contents of the following code block to define the request: 

  3. Save the results of the previous step to a local LDIF file.

Submit a request

  1. Complete the steps in the authenticate to Active Directory section above.

  2. Modify then run the following command to submit the delegation request: 


  3. Verify the pending request by completing the steps in the review requests section above.

  4. Wait until five minutes after the next hour.

  5. Review the results of the request by completing the steps in the review results section above.

Notes

Simple bind authentication

Both ldapsearch and ldapmodify support authentication using a simple bind. To perform the commands in the steps above and authenticate with a simple bind, modify the commands as follows:

  1. Replace ldap://austin.utexas.edu with ldaps://directory.austin.utexas.edu

  2. Replace -Q with -D "example-abc123@AUSTIN.UTEXAS.EDU" -W where example-abc123 is your department administrator username
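The following helper is an added example and is not part of the REBA documentation: it builds the authentication options for ldapsearch or ldapmodify in either mode described above, and refuses a simple bind unless the URI is ldaps://, since a simple bind sends the password to the server. The function name reba_ldap_opts, the REBA_LDAP_URI override and the -Y GSSAPI mechanism flag are this example's own assumptions; the page's actual search and modify commands are not reproduced.

```shell
# Build the authentication options for ldapsearch/ldapmodify against REBA.
# Usage (placeholders in angle brackets are not from the page):
#   ldapsearch $(reba_ldap_opts kerberos example-abc123) -b <BASE_DN> <FILTER>
#   ldapmodify $(reba_ldap_opts simple example-abc123) -f request.ldif
reba_ldap_opts() {
  mode="$1"      # "kerberos" (SASL/GSSAPI after kinit) or "simple" (simple bind)
  account="$2"   # department administrator account, e.g. example-abc123
  case "$mode" in
    kerberos)
      # Uses the ticket obtained with kinit; -Q is SASL quiet mode (no prompts).
      uri="${REBA_LDAP_URI:-ldap://austin.utexas.edu}"   # assumed override variable
      printf '%s' "-H $uri -Y GSSAPI -Q"
      ;;
    simple)
      # A simple bind transmits the password, so only allow it over LDAPS (TLS).
      # -W prompts for the password instead of exposing it on the command line.
      uri="${REBA_LDAP_URI:-ldaps://directory.austin.utexas.edu}"
      case "$uri" in
        ldaps://*) ;;
        *) echo "refusing simple bind over non-TLS URI: $uri" >&2; return 1 ;;
      esac
      printf '%s' "-H $uri -D $account@AUSTIN.UTEXAS.EDU -W"
      ;;
    *)
      echo "unknown auth mode: $mode (use kerberos or simple)" >&2
      return 1
      ;;
  esac
}
```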