Openldap usage

From wikinotes

Commandline Usage

NOTE:

ldap commands are extremely verbose; you may want to create your own shortcut commands and aliases to save yourself time and typing.

NOTE:

By default, long LDAP lines are folded at 78 characters (the continuation line starts with a single space), which makes the output hard to read. You can work around this by piping the output through perl, which re-joins the folded lines:

ldapsearch -H ldap://localhost -x -s base -b "cn=subschema" objectclasses \
   | perl -p00e 's/\r?\n //g'

Useful Aliases

I find myself using these constantly while creating entries in my ldap server.

ldaplocal-search

function ldaplocal-search() {
    # ldap-search on localhost; each entry's folded lines are re-joined so
    # every attribute uses only a single line.
    # "$@" (not $*) keeps quoted arguments such as filters intact.
    ldapsearch -H ldap://localhost -x "$@" | perl -p00e 's/\r?\n //g'
}
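As an added example (not from the original page), the same LDIF unfolding done in POSIX awk instead of perl, run over a constructed folded ldapsearch record so it can be checked without a server; `ldif_unfold` and the sample data are names assumed here.

```shell
# ldif_unfold: re-join LDIF lines that the server folded at 78 characters.
# A continuation line starts with exactly one space; that space is dropped
# and the rest is appended to the previous logical line (CRLF tolerated).
# awk equivalent of the page's  perl -p00e 's/\r?\n //g'
ldif_unfold() {
  awk '
    /^ / { sub(/\r$/, "", buf); buf = buf substr($0, 2); next }
    started { print buf }
    { buf = $0; started = 1 }
    END { if (started) print buf }
  '
}

# Constructed sample of what ldapsearch prints when a value is folded.
SAMPLE_FOLDED=$(cat <<'EOF'
dn: cn=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: alice
description: this value is long enough that the server has wrapped it at 78 c
 haracters, so it arrives as two physical lines with a leading space
sn: example
EOF
)

# The same record as it should read after unfolding.
EXPECTED_UNFOLDED=$(cat <<'EOF'
dn: cn=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
cn: alice
description: this value is long enough that the server has wrapped it at 78 characters, so it arrives as two physical lines with a leading space
sn: example
EOF
)

# unfold_sample: returns 0 when ldif_unfold reproduces the expected record.
unfold_sample() {
  [ "$(printf '%s\n' "$SAMPLE_FOLDED" | ldif_unfold)" = "$EXPECTED_UNFOLDED" ]
}

# Against a live server the alias becomes:
#   ldapsearch -H ldap://localhost -x "$@" | ldif_unfold
unfold_sample && printf '%s\n' "$SAMPLE_FOLDED" | ldif_unfold
```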

ldaplocal-list

function ldaplocal-list() {
    case $1 in
        ""|-h|--help)
            echo
            echo "    Connects to a ldap server running on the localhost, "
            echo "    and lists structure information about your ldap server "
            echo "    (formatted to be more user-readable)"
            echo
            echo "         ldaplocal-list   -h --help   # show this help-menu"
            echo
            echo "         ldaplocal-list   attrs       # list all attributes that can be used in objects"
            echo "                          attributes"
            echo "                          attributetypes"
            echo
            echo "         ldaplocal-list   cls         # list all objectclasses that can be used in ldap-entries"
            echo "                          objs "
            echo "                          objectclasses"
            echo "                          objectClasses"
            echo
            echo
            echo "   ( You may want to pipe its results to less so you can  )"
            echo "   ( interactively search, scroll, and read results       )"
            echo
            echo "         ldaplocal-list  attrs | less -Ri "
            echo
            ;;

        cls|objs|objectclasses|objectClasses)
            # ldap-search on localhost, will list all available object-classes
            # with a single line per-flag
            ldapsearch -H ldap://localhost -x           \
                -s base -b "cn=subschema" objectclasses \
                | perl -p00e 's/\r?\n //g'                                     `# one line per object`                   \
                | sed -r "s/( [A-Z][ A-Z]* [^']| [A-Z][ A-Z]* '[^']+')/\n&/g"  `# each object-flag printed on own line`  \
                | sed    "s/objectClasses:/\n&/g"                              `# each object separated by a blank line` \
                | grep --color=always -E "NAME .+'|$"                      `# colourize name`
            ;;

        attrs|attributes|attributetypes)
            # ldap-search on localhost, will list all available attributes
            # with a single line per-flag
            ldapsearch -H ldap://localhost -x               \
                -s base -b "cn=subschema" attributetypes    \
                | perl -p00e 's/\r?\n //g'                                     `# one line per object`                   \
                | sed -r "s/( [A-Z][ A-Z]* [^']| [A-Z][ A-Z]* '[^']+')/\n&/g"  `# each object-flag printed on own line`  \
                | sed    "s/attributeTypes:/\n&/g"                             `# each object separated by a blank line` \
                | grep --color=always -E "NAME .+'|$"                      `# colourize name`
            ;;
    esac
}

slapcat

I'm still a little fuzzy on the differences between slapcat and ldapsearch, except that slapcat seems to return EVERYTHING (objects, attributes, suffixes, ...). ldapsearch is designed to be used on a specific suffix.

suffix

# -b restricts results to a specific suffix
sudo slapcat -b cn=config

filter

# -a  allows you to apply a 'filter' (just like ldapsearch)
sudo slapcat -b cn=config -a cn=config

# -a  displays only configuration in the file with
#     dn: cn=config              ## pidfile, argsfile, ...
#     OR
#     dn: cn=olcDatabase={1}mdb  ## admin-user, password, the root suffix
sudo slapcat -b cn=config -a "(|(cn=config)(cn=olcDatabase={1}mdb))"

example

# list all suffixes, administrator users, and the configuration entries they
# are configured under (every database is an olcDatabaseConfig entry below cn=config).
sudo slapcat -b cn=config -a '(objectClass=olcDatabaseConfig)' \
    | grep --color -E '(dn:|olc(Suffix:|Root.*:))'

ldapsearch

ldapsearch is the next most important commandline tool for you to learn, because you will not be able to check if your command succeeded until you know how to search for the results.

ldapsearch   [flags]   [filter]   [list of attrs]

skip authentication

ldapsearch -x     # use simple (non-SASL) authentication; with no -D/-w given this is an anonymous bind

authenticate as LDAP user

# !note! if you are looking for the suffix's administrator,
# use    'sudo slapcat -b cn=config | grep olcRootDN'

# -D/-w only apply to simple binds, so -x is needed as well.
# Prefer -W (prompt for the password) over -w: a password given with -w
# ends up in your shell history and is visible in the process list.
ldapsearch -x -D 'cn=admin,dc=example,dc=com' -w mypassword   # authenticates as 'admin', using pass: 'mypassword'

search base

# -b allows you to specify a 'search base'.
#    this can be the 'dn' of any object
#    and simply defines the starting point of the search.
ldapsearch -x  -b 'cn=group,dc=example,dc=com'

depth

# -s determines how deeply you would like
#    to search under your 'search base'.
#
#    'base'      search the target object only
#    'one'       search one level beneath the target
#    'sub'       search the target and everything under it (the default)
#    'children'  search everything under the target, but not the target itself
#                (needs a server that supports the subordinate-subtree scope extension)
ldapsearch -x -s {base|one|sub|children}

filters

# The first argument immediately following
# the last flag is the 'filter'.
# it uses a vaguely lisp-like language to
# perform matches.
ldapsearch -x  '(|(objectclass=person)(objectclass=organization))'


(objectclass=*)                                       # any objectclass
(|(objectclass=person)(objectclass=organization))     # if objectclass is 'person' or 'organization'
(&(objectclass=person)(objectclass=organization))     # if objectclass is BOTH 'person' and 'organization'
(!(objectclass=person))                               # if objectclass is NOT 'person'
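Because the filter is just a string, a value that comes from a variable or user input must be escaped as RFC 4515 requires before it is spliced in, otherwise characters like `(`, `)` and `*` in the value change the meaning of the filter. The following added example (not from the original page) does that in shell with sed; `ldap_filter_escape` and `person_by_cn_filter` are names assumed here.

```shell
# ldap_filter_escape: escape a value for use inside an LDAP search filter.
# RFC 4515 requires  \ * ( )  (and NUL, which a shell string cannot hold)
# to be written as \5c \2a \28 \29.  The backslash is handled first so the
# escapes produced by the later substitutions are not escaped again.
ldap_filter_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'  \
                           -e 's/)/\\29/g'
}

# person_by_cn_filter: build the page's style of filter around an escaped value.
person_by_cn_filter() {
  printf '(&(objectclass=person)(cn=%s))' "$(ldap_filter_escape "$1")"
}

# Constructed value carrying filter metacharacters that occur in real names:
# without escaping the parentheses and asterisk would be parsed as filter syntax.
raw_value='Smith (Sales) *'
printf 'escaped value:  %s\n' "$(ldap_filter_escape "$raw_value")"
printf 'full filter:    %s\n' "$(person_by_cn_filter "$raw_value")"

# With a live server:
#   ldapsearch -H ldap://localhost -x "$(person_by_cn_filter "$raw_value")" cn sn
```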

list of attributes

ldapsearch -x '(objectclass=*)'  sn cn                # lists only the attributes 'sn' and 'cn'
                                                      # (if they exist) on all of the returned objects
                                                      # (quote the filter: bare parentheses are shell syntax)


ldapmodify

ldapmodify can create, delete, rename, move, or change attributes of anything in your database.

The behaviour of ldapmodify is determined by the changetype: line that follows the dn: of your target object.

add attributes

dn: cn=my,dc=object,dc=com
changetype: modify
add:  my_attribute_type
my_attribute_type: desired_value

change attributes (ALL of type)

dn: cn=my,dc=object,dc=com
changetype: modify
replace:  my_attr_type
my_attr_type: desired_value

change single target attribute

dn: cn=my,dc=object,dc=com
changetype: modify
delete: my_attr_type
my_attr_type:  current_value
-
add: my_attr_type
my_attr_type: desired_value

deleting attribute values

dn: cn=my,dc=object,dc=com
changetype: modify
delete: my_attr_type
my_attr_type:  value_to_delete
# remember, some attributes can be assigned multiple times on an object!
# naming the value removes just that value; a bare 'delete: my_attr_type'
# with no value line removes every value of the attribute.
# (LDIF comments must be on their own line starting with '#'.)


LDAP over STARTTLS

ldaps:// is apparently deprecated. I need to learn how to do this securely.

Changing Records

#### changes.ldif
# (LDIF allows comments only on their own lines, and a blank line ends the
#  record, so the whole change must be written without gaps.)
# target of the object we are modifying
dn: cn=userA,dc=example_1,dc=com
# operation: modify an RDN (and, with newsuperior, move the entry)
changetype: modrdn
# the new RDN value
newrdn: uid=userB
# 1 = remove the old RDN value (cn=userA) from the entry, 0 = keep it as an attribute
deleteoldrdn: 1
# the new parent of the item we are moving
newsuperior: dc=example_2,dc=com

ldapmodify -H ldap://localhost -x \
    -D 'cn=admin,dc=example,dc=com'  `# user credentials to authenticate with` \
    -W                               `# prompt for the password` \
    -f  changes.ldif