In this article, we will consider one of the main LDAP utilities: ldapsearch. It is a shell-accessible interface that opens a connection to the specified LDAP server using the given distinguished name and password and locates entries based on a search filter, parameters and options.
Before you start, please make sure you have installed and successfully configured an LDAP server. If you do not have LDAP installed, please refer to the simple installation guide (skip the Mirror-mode configuration part).
1) Query LDAP server and extract information
The three commands below will query the LDAP server and extract all entries:
ldapsearch -x -h master.example.com -p 389
-x stands for simple authentication (without SASL)
-h specifies the hostname
-p specifies the port (636 in the case of LDAP over SSL)
ldapsearch -x -h master.example.com -D "cn=manager,dc=example,dc=com" -W
-D defines the bind Distinguished Name, in other words your authentication user from the slapd.conf file
-W prompts for the bind password (the one you typed after the slappasswd command)
ldapsearch -x -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd"
-w uses the password provided on the command line
So, all three commands will give the same output:
# example.com
dn: dc=example,dc=com
dc: corp
o: corp
objectclass: dcObject
objectclass: organization

# department, example.com
dn: ou=department,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: hadoop

# groups, department, example.com
dn: ou=groups,ou=department,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: groups

# system_admin, groups, department, example.com
dn: cn=system_admin,ou=groups,ou=department,dc=example,dc=com
cn: system_admin
gidnumber: 502
memberuid: admin1
memberuid: admin2
objectclass: posixGroup
objectclass: top

# users, department, example.com
dn: ou=users,ou=department,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users

# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com
cn: admin1
gidnumber: 502
givenname: Admin1
homedirectory: /home/users/admin1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin1
uid: admin1
uidnumber: 5001
userpassword: password

# admin2, users, department, example.com
dn: uid=admin2,ou=users,ou=department,dc=example,dc=com
cn: admin2
gidnumber: 502
givenname: Admin2
homedirectory: /home/users/admin2
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin2
uid: admin2
uidnumber: 5002
userpassword: password
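Notice that the first command binds anonymously (-x with no -D) and the output still contains every entry's userpassword value. Whether that attribute should be readable by the bind you used is something to verify against the server's access rules. The following is an added example, not code from the article: a small Python reader that groups ldapsearch's LDIF output into entries, reports which entries returned userPassword (and whether the value is a hashed {SCHEME} value or cleartext), and sorts entries by an attribute on the client side the way -S does later in this article. SAMPLE_LDIF is constructed to mirror the example.com directory above; parse_ldif, audit_userpassword and sort_entries are hypothetical helper names.

```python
"""Parse ldapsearch LDIF output and audit which entries returned userPassword.

Added example, not from the article. Reads the flat output of ldapsearch,
groups it into entries, flags userPassword exposure and sorts by attribute.
"""
import base64
import re

# Constructed sample: three of the article's entries. The admin2 value is
# written with "::" (base64) the way ldapsearch prints values that are not
# safe ASCII; here it decodes to a labelled, not-real {SSHA} hash.
SAMPLE_LDIF = """\
# example.com
dn: dc=example,dc=com
dc: corp
o: corp
objectclass: dcObject
objectclass: organization

# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com
cn: admin1
gidnumber: 502
homedirectory: /home/users/admin1
objectclass: inetOrgPerson
objectclass: posixAccount
uid: admin1
uidnumber: 5001
userpassword: password

# admin2, users, department, example.com
dn: uid=admin2,ou=users,ou=department,dc=example,dc=com
cn: admin2
uid: admin2
uidnumber: 5002
userpassword:: e1NTSEF9bm90LWEtcmVhbC1oYXNo
"""

# attribute name, then one of "::" (base64), ":<" (URL reference) or ":" (plain)
ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(::|:<|:)\s*(.*)$")


def parse_ldif(text):
    """Return a list of {"dn": str, "attrs": {name_lower: [values]}} entries."""
    # Unfold continuation lines: a line starting with one space continues the
    # previous line (LDIF folds long values this way).
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)

    entries, current = [], None
    for line in lines:
        if line.startswith("#"):
            continue                      # ldapsearch's own comment lines
        if not line.strip():
            if current is not None:       # blank line ends an entry
                entries.append(current)
                current = None
            continue
        m = ATTR_LINE.match(line)
        if not m:
            continue                      # tolerate stray text such as pasted prompts
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        # for ":<" the value is a file:// URL produced by -t; keep it as text
        if attr == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def audit_userpassword(entries):
    """List (dn, scheme) for every entry whose userPassword came back.

    A value starting with {SCHEME} is a stored hash; anything else is the
    cleartext password itself. Either way, if the bind used for the search
    can read this attribute, the server's access rules deserve a review.
    """
    findings = []
    for e in entries:
        for v in e["attrs"].get("userpassword", []):
            m = re.match(r"\{([A-Za-z0-9-]+)\}", v)
            findings.append((e["dn"], m.group(1).upper() if m else "CLEARTEXT"))
    return findings


def sort_entries(entries, attr):
    """Client-side sort on the first value of `attr`, like ldapsearch -S."""
    return sorted(entries, key=lambda e: e["attrs"].get(attr.lower(), [""])[0])


if __name__ == "__main__":
    for dn, scheme in audit_userpassword(parse_ldif(SAMPLE_LDIF)):
        print(f"{scheme:10} {dn}")
```

Pipe saved output into it (for example `ldapsearch -x -h master.example.com > all.ldif` and then read that file into parse_ldif) and compare the findings for an anonymous bind against the same search run as the manager DN; any userPassword that appears in the anonymous run is exposed to everyone who can reach the port.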
2) Query SSL / TLS
In order to use an LDAP Uniform Resource Identifier (URI), you need to use the -H flag, which specifies the URI of the server and port in the following format: ldap[s]://hostname[:port]
ldapsearch -x -H ldap://master.example.com
ldapsearch -x -H ldaps://master.example.com
The port is optional; the default LDAP port 389 or LDAPS port 636 is used if none is given. The output will be your whole LDAP database.
3) Search Specific Base DN and Scope
Now, we will search with a specific base distinguished name and scope.
ldapsearch -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd" -b "ou=users,ou=department,dc=example,dc=com" -s base
-b defines the base distinguished name for the search, in other words the starting point of the search
-s sets the scope of the search: base object (base), one level (one), subtree (sub) or children (children)
With scope base, the output of the command above is only the base entry ou=users,ou=department,dc=example,dc=com itself:
# users, department, example.com
dn: ou=users,ou=department,dc=example,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users
With the same base DN and a subtree scope you get everything (all subtrees) under the ou=users,ou=department,dc=example,dc=com tree. In our case, that is both admin entries:
ldapsearch -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd" -b "ou=users,ou=department,dc=example,dc=com" -s sub
# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com
cn: admin1
gidnumber: 502
givenname: Admin1
homedirectory: /home/users/admin1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin1
uid: admin1
uidnumber: 5001
userpassword: password

# admin2, users, department, example.com
dn: uid=admin2,ou=users,ou=department,dc=example,dc=com
cn: admin2
gidnumber: 502
givenname: Admin2
homedirectory: /home/users/admin2
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin2
uid: admin2
uidnumber: 5002
userpassword: password
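To make the four scope values concrete, here is an added example (not code from the article) that models which entries a given -b base and -s scope select, run over a list of DNs constructed from the example.com tree above. Real servers compare normalized DNs according to the attribute syntax; this helper only lowercases and trims whitespace around each RDN, which is enough for the plain DNs used here. split_dn, in_scope and search are hypothetical helper names.

```python
"""Model ldapsearch's -b/-s selection over a list of DNs (added example)."""

# Constructed from the article's example.com directory.
DIRECTORY = [
    "dc=example,dc=com",
    "ou=department,dc=example,dc=com",
    "ou=groups,ou=department,dc=example,dc=com",
    "cn=system_admin,ou=groups,ou=department,dc=example,dc=com",
    "ou=users,ou=department,dc=example,dc=com",
    "uid=admin1,ou=users,ou=department,dc=example,dc=com",
    "uid=admin2,ou=users,ou=department,dc=example,dc=com",
]


def split_dn(dn):
    """Split a DN into normalized RDN strings, honouring backslash-escaped commas."""
    if not dn.strip():
        return []                     # empty DN = root of the naming context
    rdns, buf, i = [], "", 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf += dn[i:i + 2]        # keep escape pairs such as "\," intact
            i += 2
            continue
        if c == ",":
            rdns.append(buf.strip().lower())
            buf = ""
        else:
            buf += c
        i += 1
    rdns.append(buf.strip().lower())
    return rdns


def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is selected by a search with this base and scope."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False                  # not under the base at all
    depth = len(entry) - len(base)    # 0 = the base entry itself
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    if scope == "children":           # everything below the base, but not the base
        return depth >= 1
    raise ValueError(f"unknown scope {scope!r}")


def search(dns, base_dn, scope):
    """Return the DNs a search with -b base_dn -s scope would visit."""
    return [dn for dn in dns if in_scope(dn, base_dn, scope)]


if __name__ == "__main__":
    base = "ou=users,ou=department,dc=example,dc=com"
    for scope in ("base", "one", "sub", "children"):
        print(scope, search(DIRECTORY, base, scope))
```

Running the script shows why the article's base search returned one entry and the sub search returned three (the OU plus both admins); children is the sub result minus the base entry itself.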
4) Read operation using file
Moving forward, we will use the ldapsearch utility together with a file. Please create a file with the following content:
vi file.txt
admin1
Now, run the command:
ldapsearch -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd" -b "ou=users,ou=department,dc=example,dc=com" -s sub -f file.txt "(uid=%s)"
-f reads search input from 'file.txt', one line per search: for each line, ldapsearch runs the filter given on the command line with %s replaced by that line. This is usually used for multiple lookups; structure the file with one value per line.
Please note that it gives the same output as:
ldapsearch -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd" -b "uid=admin1,ou=users,ou=department,dc=example,dc=com"
# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com
cn: admin1
gidnumber: 502
givenname: Admin1
homedirectory: /home/users/admin1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin1
uid: admin1
uidnumber: 5001
userpassword: password
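Because each line of the -f file is pasted verbatim into the %s of the filter template, any value that comes from an untrusted source (a ticket, a CSV export, a web form) must be escaped per RFC 4515 before it is written to the file, otherwise a single line can change the meaning of the filter and widen the lookup. The following is an added example, not code from the article, that builds the file safely; escape_filter_value, render_filter, build_filter_lines and write_filter_file are hypothetical helper names.

```python
"""Build the value file for `ldapsearch -f file.txt "(uid=%s)"` safely.

Added example, not from the article. Escapes RFC 4515 special characters
so each line of the -f file matches exactly one literal value.
"""


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside an assertion value.

    '*' '(' ')' '\\' and NUL become \\XX hex escapes; everything else passes
    through unchanged, so a constructed line such as "*)(objectClass=*"
    becomes a literal string instead of a wildcard filter.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template: str, value: str) -> str:
    """The filter ldapsearch will send for one line of the -f file."""
    return template.replace("%s", escape_filter_value(value))


def build_filter_lines(values):
    """One escaped value per line, ready to be written as file.txt."""
    lines = []
    for v in values:
        v = v.strip()
        if not v or "\n" in v or "\r" in v:
            continue          # blank or multi-line input would become extra searches
        lines.append(escape_filter_value(v))
    return lines


def write_filter_file(path, values):
    """Write the -f file; every line is already escaped."""
    lines = build_filter_lines(values)
    with open(path, "w", encoding="utf-8") as f:
        f.write("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    # Constructed inputs: a normal uid and one containing filter metacharacters.
    for raw in ("admin1", "*)(objectClass=*"):
        print(render_filter("(uid=%s)", raw))
```

Written this way, the second constructed input still produces a single equality match on a uid that literally contains those characters (which no entry has), so the per-user lookup cannot be turned into a directory-wide search by the contents of the file.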
5) Sort Result of Query
In this topic, we will consider the main input and output options. To start with, we will sort the results of our query by the attribute 'uidnumber':
ldapsearch -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd" -b "ou=users,ou=department,dc=example,dc=com" -S uidnumber
# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com
cn: admin1
gidnumber: 502
givenname: Admin1
homedirectory: /home/users/admin1
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin1
uid: admin1
uidnumber: 5001
userpassword: password

# admin2, users, department, example.com
dn: uid=admin2,ou=users,ou=department,dc=example,dc=com
cn: admin2
gidnumber: 502
givenname: Admin2
homedirectory: /home/users/admin2
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Admin2
uid: admin2
uidnumber: 5002
userpassword: password
As we see, the -S flag sorts the result by the given attribute. Since in our case we have only two entries, the output is sorted by uidnumber 5001 and 5002.
6) Limits, user-friendly names and non-character output
In the next example, we will specify the maximum number of entries to return in response to a search request (-z flag), include the User-Friendly Name form of the Distinguished Name in the output (-u flag), and have the jpegPhoto and audio values retrieved and written to temporary files (the -t flag together with the attribute list jpegPhoto audio). Unfortunately, our example has no such attributes, but if you had them, you would get the following output:
ldapsearch -h master.example.com -D "cn=manager,dc=example,dc=com" -w "slappasswd" -b "ou=users,ou=department,dc=example,dc=com" -z 2 -u -t "(uid=admin*)" jpegPhoto audio
# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com
ufn: admin1, users, department, example.com
audio:< file:///tmp/ldapsearch-audio-a1
jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a1

# admin2, users, department, example.com
dn: uid=admin2,ou=users,ou=department,dc=example,dc=com
ufn: admin2, users, department, example.com
audio:< file:///tmp/ldapsearch-audio-a2
jpegPhoto:< file:///tmp/ldapsearch-jpegPhoto-a2
The -t flag is useful for values containing non-character data such as photos or audio. Each such attribute value of each entry is written to a separate file in the system's temporary directory, usually /tmp/, and the output refers to it by URL.
7) Persistent search
A persistent search leaves the search operation open after the initial results are returned. This allows the entries returned by the search to remain in cache and updates to be transmitted and included as they occur. The search stays open until the client closes the connection with Ctrl-C.
ldapsearch -x -C ps:changeType[:changesOnly[:entryChangeControls]]
# example.com
dn: dc=example,dc=com

# department, example.com
dn: ou=department,dc=example,dc=com

# groups, department, example.com
dn: ou=groups,ou=department,dc=example,dc=com

# system_admin, groups, department, example.com
dn: cn=system_admin,ou=groups,ou=department,dc=example,dc=com

# users, department, example.com
dn: ou=users,ou=department,dc=example,dc=com

# admin1, users, department, example.com
dn: uid=admin1,ou=users,ou=department,dc=example,dc=com

# admin2, users, department, example.com
dn: uid=admin2,ou=users,ou=department,dc=example,dc=com
The -C flag runs the search as a persistent search. ps:changeType specifies which types of change to an entry (add/delete/modify/moddn/all) cause the entry to be returned. changesOnly sets whether to return all existing entries that match the search filter or only modified entries; by default, only modified entries are returned. entryChangeControls sets whether to send entry change controls, i.e. additional information about the modification made to the entry: if set to 0, only the entry is returned; if set to 1, a line listing the changeType performed on the entry is added to the entry as it is returned. The default value is 1.
8) Virtual List View
In the next example, we will extract only a portion of the results with the -G flag. The so-called virtual list view always requires the -S and -x flags to specify the sort order. entriesBefore:entriesAfter:value specifies the search target as the first entry in the results whose sort attribute is greater than or equal to the given value. Since we do not have many entries in our LDAP, we will consider a hypothetical example. For instance,
ldapsearch -x -S uidnumber -G 2:3:admin1
would give us 6 entries in uidnumber order: 2 entries before admin1, the entry equal to or following admin1, and the 3 subsequent entries.
Test an LDAP connection
You can bind to your LDAP directory server by running the following ldapsearch command from the client or the server. I run this command from my client machine against my LDAP server and save the details in a text file.
root@ldapclient:~# ldapsearch -x -b " dc=ldap01,dc=linoxide,dc=com" >> all.txt
root@ldapclient:~# cat all.txt
# extended LDIF
#
# LDAPv3
# base < dc=ldap01,dc=linoxide,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ldap01.linoxide.com
dn: dc=ldap01,dc=linoxide,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: VIP
dc: ldap01

# admin, ldap01.linoxide.com
dn: cn=admin,dc=ldap01,dc=linoxide,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
We can also return all entries in the directory with an explicit scope and filter, as below.
root@ldapclient:~# ldapsearch -x -b " dc=ldap01,dc=linoxide,dc=com" -s sub "objectclass=*"
# extended LDIF
#
# LDAPv3
# base < dc=ldap01,dc=linoxide,dc=com> with scope subtree
# filter: objectclass=*
# requesting: ALL
#

# ldap01.linoxide.com
dn: dc=ldap01,dc=linoxide,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: VIP
dc: ldap01

# admin, ldap01.linoxide.com
dn: cn=admin,dc=ldap01,dc=linoxide,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
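When the connection test is scripted (a cron job that saves all.txt, for instance), the useful part of the output is the trailing "# search result" block: it carries the LDAP result code and the entry counts, so a check can tell a successful bind and search from a wrong base DN or a truncated capture without reading the entries. The following is an added example, not code from the article, that reads that block from saved output; SAMPLE_OK is constructed to match the ldap01.linoxide.com output above, SAMPLE_NO_SUCH_OBJECT is a constructed failure case, and search_summary and connection_ok are hypothetical helper names.

```python
"""Check the outcome of an ldapsearch connection test from its extended LDIF.

Added example, not from the article. Reads the "# search result" trailer
and the dn: lines from saved output and decides whether the test passed.
"""
import base64
import re

# Constructed sample matching the article's successful connection test.
SAMPLE_OK = """\
# extended LDIF
#
# LDAPv3
# base <dc=ldap01,dc=linoxide,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ldap01.linoxide.com
dn: dc=ldap01,dc=linoxide,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: VIP
dc: ldap01

# admin, ldap01.linoxide.com
dn: cn=admin,dc=ldap01,dc=linoxide,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2
"""

# Constructed sample: a mistyped base DN returns no entries and result code 32.
SAMPLE_NO_SUCH_OBJECT = """\
# extended LDIF
#
# LDAPv3
# base <dc=typo,dc=linoxide,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
"""

DN_LINE = re.compile(r"^dn(::?)\s*(.*)$")
RESULT_LINE = re.compile(r"^result:\s+(\d+)\s*(.*)$")
COUNT_LINE = re.compile(r"^#\s*(numEntries|numResponses):\s*(\d+)\s*$")


def search_summary(text):
    """Extract result code, diagnostic message, counts and the DNs seen."""
    s = {"result": None, "message": "", "numEntries": None,
         "numResponses": None, "dns": []}
    for line in text.splitlines():
        m = DN_LINE.match(line)
        if m:
            dn = m.group(2)
            if m.group(1) == "::":            # base64-encoded DN
                dn = base64.b64decode(dn).decode("utf-8", "replace")
            s["dns"].append(dn)
            continue
        m = RESULT_LINE.match(line)
        if m:
            s["result"], s["message"] = int(m.group(1)), m.group(2)
            continue
        m = COUNT_LINE.match(line)
        if m:
            s[m.group(1)] = int(m.group(2))
    return s


def connection_ok(text, expect_entries=None):
    """True when the search finished with result 0 and the counts add up.

    numEntries must match the number of dn: lines (otherwise the capture was
    cut short), and, if given, must equal the number of entries you expect
    the directory to hold at that base.
    """
    s = search_summary(text)
    if s["result"] != 0 or s["numEntries"] is None:
        return False
    if s["numEntries"] != len(s["dns"]):
        return False
    return expect_entries is None or s["numEntries"] == expect_entries


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("bad base", SAMPLE_NO_SUCH_OBJECT)):
        s = search_summary(sample)
        print(name, s["result"], s["message"], "entries:", s["numEntries"], connection_ok(sample))
```

A bind failure is different: ldapsearch then reports it on standard error and exits non-zero before any search result block is written, so a wrapper script should check the exit status as well as this summary.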
Conclusion
In this article, we have used the ldapsearch utility's options to query an LDAP database. This tool tends to look very foreign to users when they first encounter it. However, with the commands shown above you can direct your search to return exactly the data you require.
Re TLS, any idea how to specify the key store? There is a -O switch that says SASL security properties. I can't find anywhere how to specify this properly, because I get "unable to get local issuer certificate".