Group Searching
$ ldapsearch -W -D uid=pam,ou=ldapusers,dc=example,dc=com -b 'dc=example,dc=com' -H ldapi:/// '(&(objectClass=posixGroup)(cn=mygroupname))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (&(objectClass=posixGroup)(cn=mygroupname))
# requesting: ALL
#

# mygroupname, groups, example.com
dn: cn=mygroupname,ou=groups,dc=example,dc=com
cn: mygroupname
gidNumber: 2001
objectClass: top
objectClass: posixGroup
memberUid: gbrown
memberUid: dperez

# search result
search: 2
result: 0 Success
User Searching
$ ldapsearch -W -D uid=pam,ou=ldapusers,dc=example,dc=com -b 'ou=People,dc=example,dc=com' -H ldapi:/// '(&(objectClass=posixAccount)(uid=someuser))'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <ou=People,dc=example,dc=com> with scope subtree
# filter: (&(objectClass=posixAccount)(uid=someuser))
# requesting: ALL
#

# someuser, people, example.com
dn: uid=someuser,ou=people,dc=example,dc=com
cn: Some User - Engineering
description: Some User from Engineering
sn: Some User - Engineering
gidNumber: 100
homeDirectory: /home/someuser
loginShell: /bin/bash
uid: someuser
uidNumber: 55599
pwdAttribute: 2.5.4.35
pwdLockout: FALSE
objectClass: organizationalPerson
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: ldapPublicKey
objectClass: pwdPolicy
sshPublicKey: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCqx5xi4HZ1mhDsUv5XgpqZE2muCL60aGqw4KFRuHm4ShV5OnVt/9e0t3fRNojrCSzirHu9WA6wElW+tHSSSJebPDGw7TkZHKZ/Zt4F9P0LPQtdJLdzVxAtjCV3HUMZm5yQJC/+FtNwd2dYBW9JqbAIEogDck2qU7b9Q3MI1eMkMJMaCQWT2itnJtdJyz someuser@example.com

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
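The two searches above interpolate a group or user name straight into the filter. The following is an added example (not from the original notes) that builds the same posixGroup and posixAccount filters from a name supplied at run time, escaping it per RFC 4515 first so that characters such as `*`, `(` and `)` in the name are matched literally instead of changing the shape of the filter. The bind DN and base DNs are the example values from the notes; `BIND_DN`, `BASE_DN` and `PEOPLE_DN` are assumed override variables.

```shell
#!/bin/sh
# Added example, not part of the original notes. Builds the posixGroup and
# posixAccount filters used above from a run-time name, applying RFC 4515
# escaping so the name can only ever be matched as a literal value.

# ldap_filter_escape STRING -> STRING with RFC 4515 escapes applied.
# The backslash is handled first so later escapes are not double-encoded.
ldap_filter_escape() {
    printf '%s' "$1" | sed \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# group_filter NAME -> filter matching the posixGroup with cn=NAME
group_filter() {
    printf '(&(objectClass=posixGroup)(cn=%s))' "$(ldap_filter_escape "$1")"
}

# user_filter LOGIN -> filter matching the posixAccount with uid=LOGIN
user_filter() {
    printf '(&(objectClass=posixAccount)(uid=%s))' "$(ldap_filter_escape "$1")"
}

# Wrappers mirroring the searches above. BIND_DN, BASE_DN and PEOPLE_DN are
# assumed environment overrides; defaults are the example values from the notes.
# -W prompts for the bind password rather than taking it on the command line.
search_group() {
    ldapsearch -W -D "${BIND_DN:-uid=pam,ou=ldapusers,dc=example,dc=com}" \
        -b "${BASE_DN:-dc=example,dc=com}" -H ldapi:/// "$(group_filter "$1")"
}

search_user() {
    ldapsearch -W -D "${BIND_DN:-uid=pam,ou=ldapusers,dc=example,dc=com}" \
        -b "${PEOPLE_DN:-ou=People,dc=example,dc=com}" -H ldapi:/// "$(user_filter "$1")"
}

# Usage:
#   search_group mygroupname
#   search_user 'some*user'    # looks for that literal uid, not a wildcard match
```

Escaping happens in `sed` rather than in a shell parameter expansion so the functions stay POSIX sh; the NUL byte, which RFC 4515 also escapes, cannot occur in a shell string and is therefore not handled.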
Configuration lookup
This usually needs to be run as root; it prompts for the rootDN password. It also outputs the schema definitions for all object classes.
$ ldapsearch -v -W -b cn=config -H ldapi:///
# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap/dc=example,dc=com
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="cn=root,dc=example,dc=com" write by * none
olcAccess: {1}to * by self write by dn.children="ou=ldapusers,dc=example,dc=com" read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=root,dc=example,dc=com
olcRootPW: {SSHA}/lksdajfkloia9254787q8921SQ!Adf
olcSyncUseSubentry: FALSE
olcSyncrepl: {0}rid=0 provider=ldap://anldap.server.com bindmethod=simple binddn="cn=root,dc=example,dc=com" credentials=someuser searchbase="dc=example,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
olcUpdateRef: ldap://someref.server.com
olcMonitoring: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: entryUUID eq
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0

# search result
search: 3
result: 0 Success

# numResponses: 22
# numEntries: 21
To search for a particular object (section) of the config:
$ sudo ldapsearch -v -W -b "cn=config" "olcDatabase={2}bdb" -H ldapi:///
ldap_initialize( ldapi:///??base )
Enter LDAP Password:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
filter: olcDatabase={2}bdb
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcDatabase={2}bdb
# requesting: ALL
#

# {2}bdb, config
dn: olcDatabase={2}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
olcDatabase: {2}bdb
olcDbDirectory: /var/lib/ldap/dc=example,dc=com
olcSuffix: dc=example,dc=com
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by dn.base="cn=root,dc=example,dc=com" write by * none
olcAccess: {1}to * by self write by dn.children="ou=ldapusers,dc=example,dc=com" read
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=root,dc=example,dc=com
olcRootPW: {SSHA}daklfjoij43ef34s-034knadsfafd
olcSyncUseSubentry: FALSE
olcSyncrepl: {0}rid=0 provider=ldap://aprov.server.com bindmethod=simple binddn="cn=root,dc=example,dc=com" credentials=username searchbase="dc=example,dc=com" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" schemachecking=on type=refreshAndPersist retry="60 +" syncdata=accesslog
olcUpdateRef: ldap://aref.server.com
olcMonitoring: TRUE
olcDbCacheSize: 1000
olcDbCheckpoint: 1024 15
olcDbNoSync: FALSE
olcDbDirtyRead: FALSE
olcDbIDLcacheSize: 0
olcDbIndex: entryUUID eq
olcDbLinearIndex: FALSE
olcDbMode: 0600
olcDbSearchStack: 16
olcDbShmKey: 0
olcDbCacheFree: 1
olcDbDNcacheSize: 0

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1
Modifying Entries
Create a file containing the change. For example:
Deleting
dn: uid=someuser,ou=people,dc=example,dc=com
delete: pwdMaxAge
Replacing
dn: cn=config
replace: olcLogLevel
olcLogLevel: stats2 parse sync
#olcLogLevel: any
Run the update
ldapmodify -v -f /path/to/createdfile -W -D <DN of user with write perms> -H ldapi:///
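The same two changes can be produced from the shell instead of a hand-edited file, which makes them easy to review before they are applied. The following is an added example, not part of the original notes: it emits each change as a full RFC 2849 modify record (explicit `changetype: modify` and a `-` terminator; ldapmodify also accepts the shorter form above) and base64-encodes values that LDIF does not allow verbatim. `apply_ldif` is an assumed wrapper around the ldapmodify invocation above.

```shell
#!/bin/sh
# Added example, not part of the original notes. Generates ldapmodify input
# for the delete and replace operations shown above.

# needs_base64 VALUE -> succeeds if VALUE cannot appear verbatim in LDIF
# (leading space, ':' or '<', embedded newline, or any byte outside printable
# ASCII; RFC 2849 requires the "attr:: base64" form for these)
needs_base64() {
    nl='
'
    case $1 in
        ' '*|:*|'<'*|*"$nl"*) return 0 ;;
    esac
    printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# ldif_attr ATTR VALUE -> one "attr: value" (or "attr:: base64") line
ldif_attr() {
    if needs_base64 "$2"; then
        printf '%s:: %s\n' "$1" "$(printf '%s' "$2" | base64 | tr -d '\n')"
    else
        printf '%s: %s\n' "$1" "$2"
    fi
}

# ldif_delete DN ATTR -> record removing every value of ATTR from DN
ldif_delete() {
    ldif_attr dn "$1"
    printf 'changetype: modify\ndelete: %s\n-\n' "$2"
}

# ldif_replace DN ATTR VALUE... -> record setting ATTR to exactly VALUE...
ldif_replace() {
    dn=$1; attr=$2; shift 2
    ldif_attr dn "$dn"
    printf 'changetype: modify\nreplace: %s\n' "$attr"
    for v in "$@"; do
        ldif_attr "$attr" "$v"
    done
    printf '%s\n' -
}

# apply_ldif BIND_DN -> feeds the LDIF on stdin to ldapmodify over ldapi://,
# prompting for the bind password (-W) instead of passing it as an argument.
# Assumed wrapper; adjust the URI and options to match the notes above.
apply_ldif() {
    ldapmodify -v -W -D "$1" -H ldapi:///
}

# Usage (mirrors the two changes above):
#   ldif_delete 'uid=someuser,ou=people,dc=example,dc=com' pwdMaxAge \
#       | apply_ldif 'cn=root,dc=example,dc=com'
#   ldif_replace cn=config olcLogLevel 'stats2 parse sync' \
#       | apply_ldif 'cn=root,dc=example,dc=com'
```

Piping the generated record through `cat` first (or saving it to a file and passing that with `-f`, as in the command above) gives a chance to inspect exactly what will be sent before ldapmodify touches the directory.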
Aliasing
Making life simpler on the command line.
Set credentials:
$ export LCREDS="-D cn=root -w secret"
Set the LDAP server URL:
$ export LURL=ldaps://10.10.10.10
Then, alias the ldap commands as follows:
$ alias lsearch='LDAPTLS_REQCERT=allow ldapsearch -x -LLL $LCREDS -H $LURL'
$ alias ladd='LDAPTLS_REQCERT=allow ldapadd -x $LCREDS -H $LURL'
$ alias lmodify='LDAPTLS_REQCERT=allow ldapmodify -x $LCREDS -H $LURL'
$ alias ldelete='LDAPTLS_REQCERT=allow ldapdelete -x $LCREDS -H $LURL'
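The aliases above keep the bind password in an exported variable and pass it with `-w`, so it is visible in `ps` output and inherited by every child process, and `LDAPTLS_REQCERT=allow` tells the client to accept a bad or missing server certificate. The following is an added example, not from the original notes, of the same four shortcuts as shell functions that read the password from a file with `-y` (a real ldapsearch/ldapmodify option), refuse to run if that file is readable by group or others, and verify the server certificate with `LDAPTLS_REQCERT=demand`. `LDAP_PASSFILE`, `LDAP_BINDDN` and `LURL` are assumed environment variables.

```shell
#!/bin/sh
# Added example, not part of the original notes. Wrappers equivalent to the
# lsearch/ladd/lmodify/ldelete aliases above, with the bind password read from
# a protected file and TLS certificate verification enabled.

# passfile_ok FILE -> succeeds only if FILE is a regular file that group and
# others can neither read nor write (mode 0600 or stricter)
passfile_ok() {
    [ -f "$1" ] || return 1
    # find prints the path only when one of the unwanted permission bits is set
    [ -z "$(find "$1" \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) -print)" ]
}

# check_creds -> refuses to run any LDAP command unless the password file is protected
check_creds() {
    passfile_ok "${LDAP_PASSFILE:?set LDAP_PASSFILE to a mode-0600 file holding the bind password}" \
        || { printf 'refusing: %s must be a regular file with mode 0600\n' "$LDAP_PASSFILE" >&2; return 1; }
}

# Same options as the aliases above, minus -w; -y reads the password from the file.
lsearch() { check_creds && LDAPTLS_REQCERT=demand ldapsearch -x -LLL -D "$LDAP_BINDDN" -y "$LDAP_PASSFILE" -H "$LURL" "$@"; }
ladd()    { check_creds && LDAPTLS_REQCERT=demand ldapadd    -x -D "$LDAP_BINDDN" -y "$LDAP_PASSFILE" -H "$LURL" "$@"; }
lmodify() { check_creds && LDAPTLS_REQCERT=demand ldapmodify -x -D "$LDAP_BINDDN" -y "$LDAP_PASSFILE" -H "$LURL" "$@"; }
ldelete() { check_creds && LDAPTLS_REQCERT=demand ldapdelete -x -D "$LDAP_BINDDN" -y "$LDAP_PASSFILE" -H "$LURL" "$@"; }

# Usage:
#   export LDAP_BINDDN='cn=root,dc=example,dc=com' LURL='ldaps://10.10.10.10'
#   export LDAP_PASSFILE="$HOME/.ldap-bind-pw"
#   # -y uses the complete file contents as the password, so write it without
#   # a trailing newline and lock the file down:
#   #   printf '%s' 'secret' > "$LDAP_PASSFILE" && chmod 600 "$LDAP_PASSFILE"
#   lsearch -b 'dc=example,dc=com' '(objectClass=posixGroup)'
```

With `demand`, a connection to a server whose certificate is not issued by a CA in the client's trust store (see `TLS_CACERT` in ldap.conf) fails instead of silently proceeding, which is the behaviour wanted when the bind DN is the directory's rootDN.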