Openldap usage
Commandline Usage
NOTE:
ldap commands are extremely verbose; you might want to create your own shortcut commands and aliases to save yourself time and typing.
NOTE:
By default, ldapsearch folds long output lines at 78 characters (each continuation line starts with a single space), which makes the output extremely difficult to read. You can work around this by piping through perl, which joins the continuation lines back together.

ldapsearch -H ldap://localhost -x -s base -b "cn=subschema" objectclasses \
    | perl -p00e 's/\r?\n //g'

Useful Aliases
I find myself using these constantly while creating entries in my ldap server.
ldaplocal-search
function ldaplocal-search() {
    # ldap-search on localhost, entries will each use only a single line
    ldapsearch -H ldap://localhost -x "$@" | perl -p00e 's/\r?\n //g'
}

ldaplocal-list

function ldaplocal-list() {
    case $1 in
        ""|-h|--help)
            echo
            echo " Connects to a ldap server running on the localhost, "
            echo " and lists structure information about your ldap server "
            echo " (formatted to be more user-readable)"
            echo
            echo " ldaplocal-list -h --help # show this help-menu"
            echo
            echo " ldaplocal-list attrs # list all attributes that can be used in objects"
            echo " attributes"
            echo " attributetypes"
            echo
            echo " ldaplocal-list cls # list all objectclasses that can be used in ldap-entries"
            echo " objs "
            echo " objectclasses"
            echo " objectClasses"
            echo
            echo
            echo " ( You may want to pipe its results to less so you can )"
            echo " ( interactively search, scroll, and read results )"
            echo
            echo " ldaplocal-list attrs | less -Ri "
            echo
            ;;
        cls|objs|objectclasses|objectClasses)
            # ldap-search on localhost, will list all available object-classes
            # with a single line per-flag
            ldapsearch -H ldap://localhost -x \
                -s base -b "cn=subschema" objectclasses \
                | perl -p00e 's/\r?\n //g' `# one line per object` \
                | sed -r "s/( [A-Z][ A-Z]* [^']| [A-Z][ A-Z]* '[^']+')/\n&/g" `# each object-flag printed on own line` \
                | sed "s/objectClasses:/\n&/g" `# each object separated by a blank line` \
                | grep --color=always -E "NAME .+'|$" `# colourize name`
            ;;
        attrs|attributes|attributetypes)
            # ldap-search on localhost, will list all available attributes
            # with a single line per-flag
            ldapsearch -H ldap://localhost -x \
                -s base -b "cn=subschema" attributetypes \
                | perl -p00e 's/\r?\n //g' `# one line per object` \
                | sed -r "s/( [A-Z][ A-Z]* [^']| [A-Z][ A-Z]* '[^']+')/\n&/g" `# each object-flag printed on own line` \
                | sed "s/attributeTypes:/\n&/g" `# each object separated by a blank line` \
                | grep --color=always -E "NAME .+'|$" `# colourize name`
            ;;
    esac
}

slapcat
I'm still a little fuzzy on the differences between slapcat and ldapsearch, except that slapcat seems to return EVERYTHING (objects, attributes, suffixes, ...), while ldapsearch is designed to be used on a specific suffix.
suffix
# -b restricts results to a specific suffix
sudo slapcat -b cn=config

filter

# -a allows you to apply a 'filter' (just like ldapsearch)
sudo slapcat -b cn=config -a cn=config

# -a displays only configuration in the file with
#   dn: cn=config                    ## pidfile, argsfile, ...
# OR
#   dn: olcDatabase={1}mdb,cn=config ## admin-user, password, the root suffix
# (the database entry is named by its olcDatabase attribute, not by cn,
#  so that is the attribute the filter has to match on)
sudo slapcat -b cn=config -a "(|(cn=config)(olcDatabase={1}mdb))"

example
# list all suffixes, administrator users, and the configuration files they
# are configured under.
# (the grep pattern also matches olcRootPW, so the output includes the
#  root password hash: treat it as sensitive)
slapcat -b 'cn=olcDatabase*,cn=config' \
    | grep --color -E '(dn:|olc(Suffix:|Root.*:))'
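As an added example (not code from the original notes): the line-unfolding trick from the NOTE at the top, redone in awk instead of perl, feeding a small audit of the olcDatabase entries that the slapcat example above greps for. The input is a constructed slapcat-style dump, and the unfold_ldif, audit_root_dns and audit_sample names are mine; an olcRootPW stored without a {SCHEME} prefix is reported as CLEARTEXT, which is the thing to look for in a real dump.

```shell
# Constructed sample of what 'slapcat -b cn=config' prints for a config
# database and one mdb database; the olcAccess value is folded at 78 columns.
SAMPLE_CONFIG_LDIF='dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config

dn: olcDatabase={1}mdb,cn=config
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: secret
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * no
 ne
'

# Join LDIF continuation lines (a line that starts with a space continues the
# previous one): the same job as the perl one-liner above, done with awk.
unfold_ldif() {
    awk '/^ /   { printf "%s", substr($0, 2); next }
         NR > 1 { print "" }
                { printf "%s", $0 }
         END    { print "" }'
}

# One line per database: dn, suffix, root DN, and whether olcRootPW is
# stored hashed ({SSHA}... etc.), in cleartext, or not at all.
audit_root_dns() {
    unfold_ldif | awk '
        function val() { return substr($0, index($0, ": ") + 2) }
        function flush() {
            if (dn != "") print dn " suffix=" suffix " rootdn=" rootdn " rootpw=" pw
            dn = ""
        }
        /^dn: /        { flush(); dn = val(); suffix = "-"; rootdn = "-"; pw = "absent"; next }
        /^olcSuffix: / { suffix = val() }
        /^olcRootDN: / { rootdn = val() }
        /^olcRootPW: / { pw = (val() ~ /^[{][A-Z0-9-]+[}]/) ? "hashed" : "CLEARTEXT" }
        END            { flush() }'
}

# Runs the audit over the constructed sample (on a real server: slapcat -b cn=config | audit_root_dns).
audit_sample() {
    printf '%s' "$SAMPLE_CONFIG_LDIF" | audit_root_dns
}

audit_sample
```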
ldapsearch

ldapsearch is the next most important command-line tool for you to learn, because you will not be able to check whether your command succeeded until you know how to search for the results.

ldapsearch [flags] [filter] [list of attrs]

skip authentication
# ldapsearch on localhost, and do not authenticate as a user
# (-x selects simple, non-SASL authentication; with no -D it is an anonymous bind)
ldapsearch -x

authenticate as LDAP user

# !note! if you are looking for the suffix's administrator,
# use 'slapcat -b cn=config | grep olcRootDN'
# (-x is needed for a simple bind with -D; -w puts the password on the command
#  line, where shell history and process listings can see it, while -W prompts
#  for it instead)
ldapsearch -x -D 'cn=admin,dc=example,dc=com' -w mypassword    # authenticates as 'admin', using pass: 'mypassword'

search base
# -b allows you to specify a 'search base'.
# this can be the 'dn' of any object
# and simply defines the starting point of the search.
ldapsearch -x -b 'cn=group,dc=example,dc=com'

depth
# -s determines how deeply you would like
# to search under your 'search base'.
#
# 'base'     search the target object only
# 'one'      search one level beneath the target
# 'sub'      search everything under the item (including the item itself)
# 'children' search everything under the item, but not the item itself
#            (the LDAPv3 subordinate-scope extension; not every server supports it)
ldapsearch -x -s {base|one|sub|children}

filters
# The first argument immediately following
# the last flag is the 'filter'.
# it uses a vaguely lisp-like language to
# perform matches.
ldapsearch -x '(|(objectclass=person)(objectclass=organization))'

(objectclass=*)                                     # any objectclass
(|(objectclass=person)(objectclass=organization))   # if objectclass is 'person' or 'organization'
(&(objectclass=person)(objectclass=organization))   # if objectclass is BOTH 'person' and 'organization'
(!(objectclass=person))                             # if objectclass is NOT 'person'

list of attributes
# lists only the attributes 'sn' and 'cn'
# (if they exist) on all of the returned objects
# (the filter must be quoted, or the shell chokes on the parentheses)
ldapsearch -x '(objectclass=*)' sn cn

See Also:
- https://technet.microsoft.com/en-us/library/cc978015.aspx (surprisingly helpful, and ldap-specific, Microsoft documentation for Active Directory)
- https://www.centos.org/docs/5/html/CDS/ag/8.0/Finding_Directory_Entries-Using_ldapsearch.html
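An added example (not from the original notes) for the filter syntax covered above: the same '(', ')', '*' and '\' that build a filter are also what an untrusted value can smuggle into one, so a filter assembled from user input should have the value escaped per RFC 4515 first. The ldap_filter_escape and person_uid_filter names are mine, and the inputs are constructed.

```shell
# Escape a value for use inside an LDAP search filter (RFC 4515): the
# characters '\', '*', '(' and ')' become \XX hex escapes, so the value is
# matched literally and cannot change the structure of the filter.
# (A NUL byte, which RFC 4515 escapes as \00, cannot be carried in a shell
#  variable anyway.) The backslash is escaped first so that the escapes
# themselves are not re-escaped.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# Build the "person with this uid" filter in the syntax of the section above,
# with the uid taken from an argument we do not trust.
person_uid_filter() {
    printf '(&(objectClass=person)(uid=%s))\n' "$(ldap_filter_escape "$1")"
}

# Constructed inputs: a normal uid, and one carrying filter metacharacters.
# Unescaped, the second one would turn the filter into a presence match on
# every uid; escaped, it is just a uid value that matches nothing.
person_uid_filter 'jdoe'          # (&(objectClass=person)(uid=jdoe))
person_uid_filter 'jdoe)(uid=*'   # (&(objectClass=person)(uid=jdoe\29\28uid=\2a))

# Usage with the tool from this section:
#   ldapsearch -x -b 'dc=example,dc=com' "$(person_uid_filter "$user")" sn cn
```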
ldapmodify
ldapmodify can create, delete, rename, move, or change attributes of anything in your database.
The behaviour of ldapmodify is determined by the changetype: line that follows the dn: of your target object.
add attributes
dn: cn=my,dc=object,dc=com
changetype: modify
add: my_attribute_type
my_attribute_type: desired_value

change attributes (ALL of type)

dn: cn=my,dc=object,dc=com
changetype: modify
replace: my_attr_type
my_attr_type: desired_value

change single target attribute

dn: cn=my,dc=object,dc=com
changetype: modify
delete: my_attr_type
my_attr_type: current_value
-
add: my_attr_type
my_attr_type: desired_value

deleting attribute values

dn: cn=my,dc=object,dc=com
changetype: modify
delete: my_attr_type
my_attr_type: value_to_delete
# remember, some attributes can be assigned multiple times on an object!

See Also:
LDAP over STARTTLS
ldaps:// is apparently deprecated. I need to learn how to do this securely.
Changing Records
#### changes.ldif
# (LDIF comments must sit on their own line; text after a value would
#  become part of that value)
# target of object we are modifying
dn: cn=userA,dc=example_1,dc=com
# operation: modify an RDN
changetype: modrdn
# the new RDN value
newrdn: uid=userB
# required for modrdn: 0 keeps the old RDN value (cn: userA) as an attribute, 1 removes it
deleteoldrdn: 0
# the new parent of the item we are moving
newsuperior: dc=example_2,dc=com

ldapmodify \
    -x -W `# simple bind; prompt for the password rather than passing it with -w` \
    -D 'cn=admin,dc=example,dc=com' `# user credentials to authenticate with` \
    -f changes.ldif