 

LDAP

Group Searching

$ ldapsearch -W -D uid=pam,ou=ldapusers,dc=example,dc=com -b 'dc=example,dc=com' -H ldapi:/// '(&(objectClass=posixGroup)(cn=mygroupname))'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(objectClass=posixGroup)(cn=mygroupname))
# requesting: ALL
#

# mygroupname, groups, example.com
dn: cn=mygroupname,ou=groups,dc=example,dc=com
cn: mygroupname
gidNumber: 2001
objectClass: top
objectClass: posixGroup
memberUid: gbrown
memberUid: dperez


# search result
search: 2
result: 0 Success

 

 

User Searching

 

 

$ ldapsearch -W -D uid=pam,ou=ldapusers,dc=example,dc=com -b 'ou=People,dc=example,dc=com' -H ldapi:/// '(&(objectClass=posixAccount)(uid=someuser))'
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=example,dc=com> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=someuser))
# requesting: ALL
#

# someuser, people, example.com
dn: uid=someuser,ou=people,dc=example,dc=com
cn: Some User - Engineering
description: Some User from Engineering
sn: Some User - Engineering
gidNumber: 100
homeDirectory: /home/someuser
loginShell: /bin/bash
uid: someuser
uidNumber: 55599
pwdAttribute: 2.5.4.35
pwdLockout: FALSE
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: ldapPublicKey
objectClass: pwdPolicy
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqx5xi4HZ1mhDsUv5XgpqZE2mu
 CL60aGqw4KFRuHm4ShV5OnVt/9e0t3fRNojrCSzirHu9WA6wElW+tHSSSJebPDGw7TkZHKZ/Zt4F9
 P0LPQtdJLdzVxAtjCV3HUMZm5yQJC/+FtNwd2dYBW9JqbAIEogDck2qU7b9Q3MI1eMkMJMaCQWT2i
 tnJtdJyz someuser@example.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

 

 

Configuration lookup

This will often need to be run as root, and it will prompt for the rootDN password. It also outputs the schema definitions for every object class, and the dump includes sensitive values (the olcRootPW hash and the cleartext credentials in olcSyncrepl), so treat the output accordingly rather than pasting it into tickets or chat.

 

 

 

$ ldapsearch -v -W -b cn=config -H ldapi:///
# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap/dc=example,dc=com
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword   by self write   by anonymous auth   by d
 n.base="cn=root,dc=example,dc=com" write   by * none
olcAccess: {1}to *   by self write   by dn.children="ou=ldapusers,dc=example,
 dc=com" read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=root,dc=example,dc=com
olcRootPW: {SSHA}/lksdajfkloia9254787q8921SQ!Adf
olcSyncUseSubentry: FALSE
olcSyncrepl: {0}rid=0 provider=ldap://anldap.server.com bindmethod=s
 imple binddn="cn=root,dc=example,dc=com" credentials=someuser searchbase="dc
 =example,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWrite
 Object)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" 
 syncdata=accesslog
olcUpdateRef: ldap://someref.server.com
olcMonitoring: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: entryUUID eq
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0

# search result
search: 3
result: 0 Success

# numResponses: 22
# numEntries: 21

 


To search for a particular object (section) of the config

 

 

sudo ldapsearch -v -W -b "cn=config" "olcDatabase={2}bdb"  -H ldapi:///
ldap_initialize( ldapi:///??base )
Enter LDAP Password: 
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
filter: olcDatabase={2}bdb
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcDatabase={2}bdb
# requesting: ALL
#

# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap/dc=example,dc=com
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword   by self write   by anonymous auth   by d
 n.base="cn=root,dc=example,dc=com" write   by * none
olcAccess: {1}to *   by self write   by dn.children="ou=ldapusers,dc=example,
 dc=com" read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=root,dc=example,dc=com
olcRootPW: {SSHA}daklfjoij43ef34s-034knadsfafd
olcSyncUseSubentry: FALSE
olcSyncrepl: {0}rid=0 provider=ldap://aprov.server.com bindmethod=s
 imple binddn="cn=root,dc=example,dc=com" credentials=username searchbase="dc
 =example,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWrite
 Object)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" 
 syncdata=accesslog
olcUpdateRef: ldap://aref.server.com
olcMonitoring: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: entryUUID eq
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

 

 

 

Modifying Entries

 

 

Create a file containing the change (examples below), then run ldapmodify against it.

Deleting

 

dn: uid=someuser,ou=people,dc=example,dc=com
delete: pwdMaxAge


Replacing

 

 

dn: cn=config
replace: olcLogLevel
olcLogLevel: stats2 parse sync
#olcLogLevel: any

 

 

Run the update

 

ldapmodify -v -f /path/to/createdfile -W -D <DN of user with write perms> -H ldapi:///

 

 

Aliasing

Making life simpler on the command line.

Set credentials (note that `-w secret` puts the password on the command line, where it is visible in the process list and shell history; `-W`, as used in the examples above, prompts for it instead):

$ export LCREDS="-D cn=root -w secret"

Set the LDAP server URL:

$ export LURL=ldaps://10.10.10.10

Then, alias the ldap commands as follows (LDAPTLS_REQCERT=allow makes the client proceed even when the server presents a bad or missing certificate, so only use these aliases where the connection itself is trusted):

$ alias lsearch='LDAPTLS_REQCERT=allow ldapsearch -x -LLL $LCREDS -H $LURL'
$ alias ladd='LDAPTLS_REQCERT=allow ldapadd -x $LCREDS -H $LURL'
$ alias lmodify='LDAPTLS_REQCERT=allow ldapmodify -x $LCREDS -H $LURL'
$ alias ldelete='LDAPTLS_REQCERT=allow ldapdelete -x $LCREDS -H $LURL'