Ldap
16 cards — 🟢 3 easy | 🟡 4 medium | 🔴 3 hard
🟢 Easy (3)
1. What is a Distinguished Name (DN) in LDAP, and what is an example?
A DN is the full path to an entry in the LDAP directory tree, read from the entry up to the root. Example: uid=alice,ou=People,dc=example,dc=com. It uniquely identifies every entry in the directory.
Remember: LDAP = Lightweight Directory Access Protocol. Ports: 389 (plain), 636 (TLS).
Fun fact: Simplified from X.500 — hence "Lightweight."
2. What are the two most common LDAP operations, and what does each do?
BIND authenticates a client to the directory (verifies credentials). SEARCH queries entries based on filters and scope (the most common operation). Other operations include ADD, MODIFY, DELETE, and COMPARE.
Remember: LDAP = Lightweight Directory Access Protocol. Ports: 389 (plain), 636 (TLS).
Fun fact: Simplified from X.500 — hence "Lightweight."
3. What does /etc/nsswitch.conf control, and what does "passwd: files sss" mean?
NSS (Name Service Switch) controls the order in which the system looks up users, groups, and hosts. "passwd: files sss" means look up users first in /etc/passwd (local files), then ask SSSD (which queries LDAP/AD). The order determines fallback behavior.
Remember: LDAP = directory service for user/group management. Used by AD, OpenLDAP, FreeIPA.
🟡 Medium (4)
1. What are the four PAM control flags, and why does their order matter?
required (must pass, but checking continues), requisite (must pass, stops immediately on failure), sufficient (if it passes, the remaining modules are skipped), optional (only matters if it is the only module in the stack). Order matters because a misplaced "sufficient" can bypass all subsequent security checks.
Remember: LDAP = directory service for user/group management. Used by AD, OpenLDAP, FreeIPA.
2. What is SSSD, and what key problem does its caching feature solve?
SSSD (System Security Services Daemon) connects Linux to LDAP/AD/FreeIPA for authentication and identity. Its caching feature allows users to log in even when the LDAP server is unreachable — if the cache is warm with previously authenticated credentials, offline login succeeds.
Remember: LDAP = directory service for user/group management. Used by AD, OpenLDAP, FreeIPA.
3. How does LDAP filter syntax work, and how do you combine conditions with AND, OR, and NOT?
LDAP filters use prefix notation with parentheses. Simple: (uid=alice). AND: (&(objectClass=posixAccount)(uidNumber>=1000)). OR: (|(uid=alice)(uid=bob)). NOT: (!(loginShell=/bin/false)). Filters can be nested and combined for complex queries.
Example: `ldapsearch -x -b 'dc=example,dc=com' '(uid=jdoe)'` — `-x` = simple authentication.
4. How does Kerberos provide single sign-on without sending passwords to services?
The user authenticates once to the KDC (Key Distribution Center) and receives a TGT (Ticket Granting Ticket). When accessing a service, the TGT is presented to the KDC to get a Service Ticket. The Service Ticket is presented to the service for access. The user's password is never sent to the service.
Remember: LDAP = directory service for user/group management. Used by AD, OpenLDAP, FreeIPA.
🔴 Hard (3)
1. Describe the full Linux authentication chain from user password entry to LDAP verification.
The user types a password, which goes to PAM (Pluggable Authentication Modules, configured in /etc/pam.d/). PAM consults NSS (/etc/nsswitch.conf) for name resolution. NSS routes to SSSD (configured in /etc/sssd/sssd.conf, which must be mode 0600). SSSD queries the backend LDAP/AD/FreeIPA server. Each layer can fail independently, and knowing the chain is key to debugging login failures.
Remember: LDAP = directory service for user/group management. Used by AD, OpenLDAP, FreeIPA.
2. What does FreeIPA bundle together, and how does it compare to Active Directory?
FreeIPA bundles LDAP (389 Directory Server), Kerberos, DNS, and a web UI into a single identity management platform. It is the open-source answer to Active Directory, providing centralized authentication, authorization, host enrollment, sudo rule management, and SSH key distribution — all managed through a single CLI (ipa commands) or web interface.
Remember: LDAP = directory service for user/group management. Used by AD, OpenLDAP, FreeIPA.
3. How do you join a Linux machine directly to Active Directory using realmd, and what does the process configure?
Run "realm discover ad.example.com", then "realm join ad.example.com -U admin". This auto-configures SSSD for AD identity and authentication, Kerberos (/etc/krb5.conf), PAM, and NSS. Verify with "realm list" and test with "id aduser@ad.example.com". Set "use_fully_qualified_names = false" in sssd.conf if you want short usernames.
Remember: LDAP = directory service for user/group management. Used by AD, OpenLDAP, FreeIPA.