In this article, we will consider one of the main LDAP utilities - ldapsearch. It's a shell-accessible interface that opens a connection to the specified LDAP server using the specified distinguished name and password and locates entries base on a specific search filter, parameters and options.
Before you start, please make sure you have installed and successfully configured LDAP server. If you do not have LDAP installed, please refer to simple installation guide (please skip Mirror-mode configuration part).
1) Query Ldap server and extract information
Below three commands will query and extract all entries from LDAP server
ldapsearch -x -h master.example.com -p 389-x stands for simple authentication (without SASL)
-h specifies hostname
-p used for port (that can be 636 in case of LDAP over SSL)ldapsearch -x -h master.example.com -D "cn=manager,dc=example,dc=com" -W-D defines bind Distinguish name. In other words, your authentication user from slapd.conf file
-W will prompt for bind password (the one you've typed after slappasswd command)ldapsearch -x -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd"-w will use the password provided in the command lineSo, all three commands will give the same output:
# example.com
dn: dc=example,dc=com
dc: corp
o: corp
objectclass: dcObject
objectclass: organization
# department, example.com
dn: ou=department,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: hadoop
# groups, department, example.com
dn: ou=groups,ou=department,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups
# system_admin, groups, department, example.com
dn: cn=system_admin,ou=groups,ou=department,dc=example,dc=com
cn: system_admin
gidnumber: 502
memberuid: admin1
memberuid: admin2
objectclass: posixGroup
objectclass: top
# users, department, example.com
dn: ou=users,ou=department,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users
# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com
cn: admin1
gidnumber: 502
givenname: Admin1
homedirectory: /home/users/admin1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin1
uid: admin1
uidnumber: 5001
userpassword: password
# admin2, users, department, example.com
dn: uid=admin2,ou=users,ou=department,dc=example,dc=com
cn: admin2
gidnumber: 502
givenname: Admin2
homedirectory: /home/users/admin2
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin2
uid: admin2
uidnumber: 5002
userpassword: password2) Query SSL / TLS
In order to use LDAP Uniform Resource Identifier (URI), you need to user -H flag that specifies a URI to use to connect to the server and port in the following format: ldap[s]://hostname[:port]
ldapsearch -x -H ldap://master.example.com
ldapsearch -x -H ldaps://master.example.com
The port is optional, it will use default LDAP of 389 or LDAPS port of 636 if the port is not given. The output will be all your LDAP database.
3) Search Specific Base DN and Scope
Now, we will try to search for specific base distinguish name and scope.
ldapsearch -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd" -b "ou=users,ou=department,dc=example,dc=com" -s base-b defines base distinguish name for search. In other words, it defines starting point for the search
-s scope of your search. That can be base object (base), one-level (one), subtree (sub) or children search (children)The output of the command above will be the base distinguish name of ou=users,ou=department,dc=example,dc=com scope.
# users, department, example.com
dn: ou=users,ou=department,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: usersIn case of the same base dn and subtree scope search you will get everything (all subtrees) that goes under the ou=users,ou=department,dc=example,dc=com tree. In our case, you will get both entries for admins:
ldapsearch -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd" -b "ou=users,ou=department,dc=example,dc=com" -s sub# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com
cn: admin1
gidnumber: 502
givenname: Admin1
homedirectory: /home/users/admin1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin1
uid: admin1
uidnumber: 5001
userpassword: password
# admin2, users, department, example.com
dn: uid=admin2,ou=users,ou=department,dc=example,dc=com
cn: admin2
gidnumber: 502
givenname: Admin2
homedirectory: /home/users/admin2
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin2
uid: admin2
uidnumber: 5002
userpassword: password4) Read operation using file
Moving forward, we will use ldapsearch utility together with a file. Please create a file with following content:
vi fileadmin1Now, you need to run the command:
ldapsearch -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd" -b "ou=users,ou=department,dc=example,dc=com" -s sub -f file.txt "(uid=%s)"-f read operations from 'file'. This is usually used for multiple filters. If the file contains multiple filters, the file should be structured with one filter per linePlease note, that it will give the same output as:
ldapsearch -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd" -b "uid=admin1,ou=users,ou=department,dc=example,dc=com"# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com
cn: admin1
gidnumber: 502
givenname: Admin1
homedirectory: /home/users/admin1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin1
uid: admin1
uidnumber: 5001
userpassword: password5) Sort Result of Query
In this topic, we will consider main input and output options. To start with, we will sort the results of our query by attribute 'uidnumber'
ldapsearch -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd" -b "ou=users,ou=department,dc=example,dc=com" -S uidnumber# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com
cn: admin1
gidnumber: 502
givenname: Admin1
homedirectory: /home/users/admin1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin1
uid: admin1
uidnumber: 5001
userpassword: password
# admin2, users, department, example.com
dn: uid=admin2,ou=users,ou=department,dc=example,dc=com
cn: admin2
gidnumber: 502
givenname: Admin2
homedirectory: /home/users/admin2
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin2
uid: admin2
uidnumber: 5002
userpassword: passwordAs we see, -S flag sorts the result by defined attribute. Since in our case we have only 2 entries, the output was sorted by uidnumber = 5001 and 5002.
6) Limits, user-friendly and Non-character output
In the next example, we will specify the maximum number of entries to return in response to a search request (-z flag), then we will include User-Friendly name form of the Distinguish Name in the output (-u flag) and the jpegPhoto and audio values will be retrieved and written to temporary files (-t "()" jpegPhoto audio). Unfortunately, in our example, we don't have such attributes, but If you had those, you would get the following output:
ldapsearch -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd" -b "ou=users,ou=department,dc=example,dc=com" -z 2 -u -t "(uid=admin*)" jpegPhoto audio# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com
ufn: admin1, users, department, example.com
audio:< file:///tmp/ldapsearch-audio-a1
jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a1
# admin2, users, department, example.com
dn: uid=admin2,ou=users,ou=department,dc=example,dc=com
ufn: admin2, users, department, example.com
audio:< file:///tmp/ldapsearch-audio-a2
jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a2-t flag is useful for dealing with values containing non-character data such as photo or audio. It will generate a temporary file output, each attribute of each entry will be written to a separate file in the system's temporary directory, usually it is /tmp/.
7) Persistent search
A persistent search leave the search operation open after the command outputs are returned. This allows the entries returned in the search to remain in cache and updates to be transmitted and included as they occur. This remains open until the client closes the connection with ctrl-c key.
ldapsearch -x -C ps:changeType[:changesOnly[:entryChangeControls]]# example.com
dn: dc=example,dc=com
# department, example.com
dn: ou=department,dc=example,dc=com
# groups, department, example.com
dn: ou=groups,ou=department,dc=example,dc=com
# system_admin, groups, department, example.com
dn: cn=system_admin,ou=groups,ou=department,dc=example,dc=com
# users, department, example.com
dn: ou=users,ou=department,dc=example,dc=com
# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com
# admin2, users, department, example.com
dn: uid=admin2,ou=users,ou=department,dc=example,dc=com-C flag will run the search as a persistent search. ps:changeType specifies which type of changes to entries allow the entry to be returned (add/delete/modify/moddn/all). changesOnly sets whether to return all existing entries which match the search filter or return modified entries. By default, it will return modified entries. entryChangeControls sets whether to send entry change controls, additional information about the modification made to the entry. If the value set to 0, then only the entry is returned, if set to 1, then a line is added to the entry as it is returned to the search that lists the changeType performed on the entry. Default value is 1.
8) Virtual List View
In next example, we will try to extract only a portion of results with -G flag. So-called, virtual list view always requires -S and -x flags to specify sorting order. entriesBefore:entriesAfter:value - specify the search target as the first entry in the results for which the sort attribute is > or = to the given value. Since we do not have much entries in our LDAP, we will consider an example. For instance,
ldapsearch -x -S uidnumber -G 2:3:admin1Would give us 6 entries in uidnumber order. 2 entries before admin1, the entry equal to or following admin1, and the 3 subsequent entries.
Test an LDAP connection
You can bind to your LDAP directory server by running this ldapsearch command from the client/server. I run this command from my client machine to my LDAP server and save the details in a text file.
root@ldapclient:~# ldapsearch -x -b " dc=ldap01,dc=linoxide,dc=com" >> all.txt
root@ldapclient:~# cat all.txt
# extended LDIF
#
# LDAPv3
# base < dc=ldap01,dc=linoxide,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# ldap01.linoxide.com
dn: dc=ldap01,dc=linoxide,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: VIP
dc: ldap01
# admin, ldap01.linoxide.com
dn: cn=admin,dc=ldap01,dc=linoxide,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2We can even use this command to return all entries in our preferred directory service using filters as below.
root@ldapclient:~# ldapsearch -x -b " dc=ldap01,dc=linoxide,dc=com" -s sub "objectclass=*"
# extended LDIF
#
# LDAPv3
# base < dc=ldap01,dc=linoxide,dc=com> with scope subtree
# filter: objectclass=*
# requesting: ALL
#
# ldap01.linoxide.com
dn: dc=ldap01,dc=linoxide,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: VIP
dc: ldap01
# admin, ldap01.linoxide.com
dn: cn=admin,dc=ldap01,dc=linoxide,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2Conclusion
In this article, we have used ldapsearch utility options for querying LDAP database. This tool tends to be very foreign to users when they first encounter them. However, with the mentioned command you can completely direct your search to return the exact data that you require.
re TLS, any idea how to specify the key store ? there is a -O switch that says SASL security properties. I can't find anywhere how to specify this properly, because I get "unable to get local issuer certificate"