Openldap usage
Latest revision as of 15:54, 2 July 2022
Commandline Usage
NOTE:
ldap commands are extremely verbose; you might want to create your own shortcut commands and aliases to save yourself time and typing.
NOTE:
By default, ldapsearch folds long LDIF lines at 76 characters (each continuation line begins with a single space), which makes the output hard to read. You can re-join the lines by piping through perl, or pass -o ldif-wrap=no to ldapsearch (OpenLDAP 2.4 and later) to disable the folding at the source.
<syntaxhighlight lang="bash">
ldapsearch -H ldap://localhost -x -s base -b "cn=subschema" objectclasses \
    | perl -p00e 's/\r?\n //g'
</syntaxhighlight>
Useful Aliases
I find myself using these constantly while creating entries in my ldap server.
ldaplocal-search
<syntaxhighlight lang="bash">
function ldaplocal-search() {
    # ldap-search on localhost, entries will each use only a single line.
    # "$@" (not $*) passes a filter that contains spaces through as one argument.
    ldapsearch -H ldap://localhost -x "$@" | perl -p00e 's/\r?\n //g'
}
</syntaxhighlight>
ldaplocal-list
<syntaxhighlight lang="bash">
function ldaplocal-list() {
    case $1 in
        ""|-h|--help)
            echo
            echo "  Connects to a ldap server running on the localhost,"
            echo "  and lists structure information about your ldap server"
            echo "  (formatted to be more user-readable)"
            echo
            echo "  ldaplocal-list -h --help      # show this help-menu"
            echo
            echo "  ldaplocal-list attrs          # list all attributes that can be used in objects"
            echo "                 attributes"
            echo "                 attributetypes"
            echo
            echo "  ldaplocal-list cls            # list all objectclasses that can be used in ldap-entries"
            echo "                 objs"
            echo "                 objectclasses"
            echo "                 objectClasses"
            echo
            echo
            echo "  ( You may want to pipe its results to less so you can )"
            echo "  ( interactively search, scroll, and read results      )"
            echo
            echo "  ldaplocal-list attrs | less -Ri"
            echo
            ;;
        cls|objs|objectclasses|objectClasses)
            # ldap-search on localhost, will list all available object-classes
            # with a single line per-flag
            ldapsearch -H ldap://localhost -x \
                -s base -b "cn=subschema" objectclasses \
                | perl -p00e 's/\r?\n //g'                                   `# one line per object` \
                | sed -r "s/( [A-Z][ A-Z]* [^']| [A-Z][ A-Z]* '[^']+')/\n&/g"  `# each object-flag printed on own line` \
                | sed "s/objectClasses:/\n&/g"                               `# each object separated by a blank line` \
                | grep --color=always -E "NAME .+'|$"                        `# colourize name`
            ;;
        attrs|attributes|attributetypes)
            # ldap-search on localhost, will list all available attributes
            # with a single line per-flag
            ldapsearch -H ldap://localhost -x \
                -s base -b "cn=subschema" attributetypes \
                | perl -p00e 's/\r?\n //g'                                   `# one line per object` \
                | sed -r "s/( [A-Z][ A-Z]* [^']| [A-Z][ A-Z]* '[^']+')/\n&/g"  `# each object-flag printed on own line` \
                | sed "s/attributeTypes:/\n&/g"                              `# each object separated by a blank line` \
                | grep --color=always -E "NAME .+'|$"                        `# colourize name`
            ;;
    esac
}
</syntaxhighlight>
slapcat
slapcat and ldapsearch differ in where they read from, not only in how much they return. slapcat is a slapd tool: it opens the database files directly (which is why it needs root, or at least read access to the database and to slapd.d), dumps every entry of the selected database as LDIF, and bypasses the server's ACLs entirely, so its output contains olcRootPW and userPassword values that an LDAP client would never be shown; treat that output as a secret. Its -b option selects a database by suffix (cn=config for the configuration database). ldapsearch is an LDAP client: it goes through a running slapd, is subject to the ACLs, and searches below the base DN you give it with -b. Check slapcat(8) for your backend before dumping a live server: back-mdb allows slapcat while slapd is running, other backends require slapd to be stopped.
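As an added example (not part of the original page), the shell functions below post-process the LDIF that slapcat -b cn=config emits: ldif_unfold joins folded continuation lines (the same job as the perl one-liner above), and ldap_db_summary prints each database entry's suffix and root DN while reporting only the {scheme} prefix of olcRootPW, never the hash, so a root password stored without a hashing scheme stands out without the secret being copied into a terminal log. The sample LDIF and the {SSHA} placeholder are constructed for the example; on a real server run it as sudo slapcat -b cn=config | ldap_db_summary.

```sh
#!/bin/sh
# Added example, not from the original page.

# ldif_unfold: join LDIF continuation lines. A line that starts with a single
# space continues the previous logical line (same effect as perl -p00e 's/\r?\n //g').
ldif_unfold() {
    awk '
        { sub(/\r$/, "") }                          # tolerate CRLF output
        /^ / { printf "%s", substr($0, 2); next }   # continuation: append without the leading space
        NR > 1 { print "" }                         # terminate the previous logical line
        { printf "%s", $0 }
        END { if (NR > 0) print "" }
    '
}

# ldap_db_summary: read "slapcat -b cn=config" output on stdin and print, for
# every entry of objectClass olcDatabaseConfig, its dn, olcSuffix and olcRootDN.
# olcRootPW is never printed; only its {scheme} prefix is reported.
ldap_db_summary() {
    ldif_unfold | awk '
        function flush() {
            if (dn != "" && is_db) {
                printf "%s\n", dn
                if (suffix != "") printf "  suffix: %s\n", suffix
                if (rootdn != "") printf "  rootdn: %s\n", rootdn
                if (haspw)        printf "  rootpw: %s\n", scheme
            }
            dn = ""; suffix = ""; rootdn = ""; scheme = ""; is_db = 0; haspw = 0
        }
        /^dn: /                            { flush(); dn = substr($0, 5) }
        /^objectClass: olcDatabaseConfig$/ { is_db = 1 }
        /^olcSuffix: /                     { suffix = substr($0, 12) }
        /^olcRootDN: /                     { rootdn = substr($0, 12) }
        /^olcRootPW:: /                    { haspw = 1; scheme = "(base64 value, scheme not inspected)" }
        /^olcRootPW: / {
            haspw = 1
            val = substr($0, 12)
            if (substr(val, 1, 1) == "{" && index(val, "}") > 1)
                scheme = substr(val, 1, index(val, "}"))
            else
                scheme = "cleartext (no {scheme} prefix)"
        }
        /^$/ { flush() }
        END  { flush() }
    '
}

# Constructed sample of "sudo slapcat -b cn=config" output (not captured from a
# real server). olcRootDN is folded across two lines to exercise ldif_unfold and
# the {SSHA} value is a placeholder, not a real hash.
sample_config_ldif() {
    cat <<'EOF'
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config
olcRootPW: secret

dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=c
 om
olcRootPW: {SSHA}PLACEHOLDERPLACEHOLDERPLACEHOLDER
EOF
}

sample_config_ldif | ldap_db_summary
```

The {0}config entry in the sample shows the case worth catching: an olcRootPW with no {scheme} prefix is stored in the clear in slapd.d, so anyone who can read that directory has the configuration root password.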
suffix
<syntaxhighlight lang="bash">
# -b restricts results to a specific suffix
sudo slapcat -b cn=config
</syntaxhighlight>
filter
<syntaxhighlight lang="bash">
# -a allows you to apply a 'filter' (just like ldapsearch)
sudo slapcat -b cn=config -a '(cn=config)'
# the filter below displays only the entries with
#   dn: cn=config                      ## pidfile, argsfile, ...
# OR
#   dn: olcDatabase={1}mdb,cn=config   ## admin-user, password, the root suffix
# (the database entry's RDN attribute is olcDatabase, not cn, so match on that)
sudo slapcat -b cn=config -a '(|(cn=config)(olcDatabase={1}mdb))'
</syntaxhighlight>
example
<syntaxhighlight lang="bash">
# list all suffixes, administrator users, and the configuration entries they
# are configured under. -b takes a suffix, not a pattern, so select the
# database entries with a filter rather than a wildcard.
sudo slapcat -b cn=config -a '(objectClass=olcDatabaseConfig)' \
    | grep --color -E '^(dn:|olc(Suffix|RootDN):)'
# matching 'olcRoot.*:' instead would also print the olcRootPW hashes
</syntaxhighlight>
ldapsearch
ldapsearch is the next most important commandline tool for you to learn, because you will not be able to check if your command succeeded until you know how to search for the results.
<syntaxhighlight lang="bash">
ldapsearch [flags] [filter] [list of attrs]
</syntaxhighlight>
skip authentication
<syntaxhighlight lang="bash">
# -x selects simple authentication instead of SASL; with no -D/-w this is an
# anonymous bind. With no -H the server comes from ldap.conf (localhost if unset).
ldapsearch -x
</syntaxhighlight>
authenticate as LDAP user
<syntaxhighlight lang="bash">
# !note! if you are looking for the suffix's administrator,
# use 'sudo slapcat -b cn=config | grep olcRootDN'
# -D is the bind DN and -W prompts for the password. '-w mypassword' also works,
# but it leaves the password in your shell history and in 'ps' output visible
# to every user; '-y passwordfile' reads it from a file instead.
ldapsearch -x -D 'cn=admin,dc=example,dc=com' -W   # authenticates as 'admin', prompting for the password
</syntaxhighlight>
search base
<syntaxhighlight lang="bash">
# -b allows you to specify a 'search base'.
# this can be the 'dn' of any object
# and simply defines the starting point of the search.
ldapsearch -x -b 'cn=group,dc=example,dc=com'
</syntaxhighlight>
depth
<syntaxhighlight lang="bash">
# -s determines how deeply you would like
# to search under your 'search base'.
#
#   'base'      search the target object only
#   'one'       search one level beneath the target (not the target itself)
#   'sub'       search the target and everything under it (the default)
#   'children'  everything under the target, excluding the target itself
#               (an OpenLDAP extension; other servers may reject it)
ldapsearch -x -s {base|one|sub|children}
</syntaxhighlight>
filters
<syntaxhighlight lang="bash">
# The first argument immediately following
# the last flag is the 'filter'.
# It uses the RFC 4515 prefix notation (vaguely lisp-like)
# to perform matches. Quote it: '(', ')' and '*' are shell metacharacters.
ldapsearch -x '(|(objectclass=person)(objectclass=organization))'

(objectclass=*)                                    # any objectclass
(|(objectclass=person)(objectclass=organization))  # if objectclass is 'person' or 'organization'
(&(objectclass=person)(objectclass=organization))  # if objectclass is BOTH 'person' and 'organization'
(!(objectclass=person))                            # if objectclass is NOT 'person'
</syntaxhighlight>
list of attributes
<syntaxhighlight lang="bash">
ldapsearch -x '(objectclass=*)' sn cn   # lists only the attributes 'sn' and 'cn'
                                         # (if they exist) on all of the returned objects
</syntaxhighlight>
See Also:
- https://technet.microsoft.com/en-us/library/cc978015.aspx (surprisingly helpful, LDAP-specific Microsoft documentation for Active Directory)
- https://www.centos.org/docs/5/html/CDS/ag/8.0/Finding_Directory_Entries-Using_ldapsearch.html
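The filters section above builds filters from literal strings. As an added example (not part of the original page), the functions below build a filter from untrusted input the way an application in front of the directory must: RFC 4515 requires backslash, *, ( and ) (and NUL) inside an assertion value to be written as \5c, \2a, \28, \29 (and \00), and without that escaping a username such as *)(uid=* rewrites the filter's logic. The attacker string and the attribute names are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original page: building search filters from
# untrusted input without LDAP injection.

# ldap_filter_escape VALUE
# Rewrites \ * ( ) as \5c \2a \28 \29 (RFC 4515). NUL cannot occur in a shell
# argument, so \00 is not needed here. Backslash is handled first so the
# escapes that are added are not escaped a second time.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# ldap_filter_eq ATTR VALUE  ->  (ATTR=VALUE) with VALUE escaped
ldap_filter_eq() {
    printf '(%s=%s)' "$1" "$(ldap_filter_escape "$2")"
}

# ldap_filter_and FILTER...  ->  (&FILTER1FILTER2...)
ldap_filter_and() {
    printf '(&'
    printf '%s' "$@"
    printf ')'
}

# Constructed attacker input: a "username" that closes the (uid=...) term and
# opens a new one, so pasted into a filter string unescaped it turns a
# one-user lookup into a match on every person.
evil_user='*)(uid=*'

unsafe_filter="(&(objectClass=person)(uid=$evil_user))"
safe_filter=$(ldap_filter_and '(objectClass=person)' "$(ldap_filter_eq uid "$evil_user")")

printf 'unsafe: %s\n' "$unsafe_filter"   # (&(objectClass=person)(uid=*)(uid=*))
printf 'safe:   %s\n' "$safe_filter"     # (&(objectClass=person)(uid=\2a\29\28uid=\2a))

# The escaped filter is what goes to ldapsearch, quoted so the shell leaves the
# parentheses and the star alone:
#   ldapsearch -x -b dc=example,dc=com "$safe_filter" uid cn
```

The escaped version asks the server for a uid literally equal to *)(uid=*, which matches nothing, while the unescaped version matches every person entry.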
ldapmodify
ldapmodify can create, delete, rename, move, or change attributes of anything in your database.
The behaviour of ldapmodify is determined by the changetype: listed under the dn: of your target object.
add attributes
<syntaxhighlight lang="bash">
dn: cn=my,dc=object,dc=com
changetype: modify
add: my_attribute_type
my_attribute_type: desired_value
</syntaxhighlight>
change attributes (ALL of type)
<syntaxhighlight lang="bash">
dn: cn=my,dc=object,dc=com
changetype: modify
replace: my_attr_type
my_attr_type: desired_value
</syntaxhighlight>
change single target attribute
<syntaxhighlight lang="bash">
dn: cn=my,dc=object,dc=com
changetype: modify
delete: my_attr_type
my_attr_type: current_value
-
add: my_attr_type
my_attr_type: desired_value
</syntaxhighlight>
deleting attribute values
<syntaxhighlight lang="bash">
# remember, some attributes can be assigned multiple times on an object!
# (LDIF comments must start at the beginning of a line; anything after a
#  value on the same line is taken as part of the value)
dn: cn=my,dc=object,dc=com
changetype: modify
delete: my_attr_type
my_attr_type: value_to_delete
</syntaxhighlight>
See Also:
- https://docs.oracle.com/cd/E19528-01/819-0995/6n3cq3apv/index.html
- https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-make-changes-to-an-openldap-system
LDAP over STARTTLS
ldaps:// (TLS from the first byte, normally on port 636) is often described as deprecated because it was never standardised by the IETF; the LDAPv3 RFCs (RFC 4511, RFC 4513) specify the StartTLS operation on the normal port instead. OpenLDAP's slapd and client tools support both, and both protect the bind credentials equally well. What decides whether the connection is secure is not the transport but two settings: the client must verify the server certificate (TLS_REQCERT demand with a TLS_CACERT it trusts, and -ZZ so that ldapsearch fails instead of continuing in the clear when StartTLS is refused), and the server should reject simple binds on connections without TLS (olcSecurity: simple_bind=128 in cn=config).
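An added example (not from the original page) of the client-side settings that make either transport safe, with the weak setting shown next to the corrected one. The CA file path and the host name are placeholders; the ldap.conf location differs between distributions.

```conf
# /etc/ldap/ldap.conf (Debian/Ubuntu; /etc/openldap/ldap.conf on Red Hat)

# WEAK: accepts any certificate, or none at all, so a machine in the path can
# present its own certificate and read the bind password.
#TLS_REQCERT never

# Corrected: verify the server certificate against a CA you trust.
# 'demand' is the OpenLDAP default; set it explicitly so an 'allow' or 'never'
# left in a packaged config is not silently inherited.
TLS_CACERT  /etc/ssl/certs/example-ca.pem
TLS_REQCERT demand
URI         ldap://ldap.example.com

# Client side: -Z requests StartTLS; -ZZ refuses to continue if it fails.
#   ldapsearch -ZZ -x -D 'cn=admin,dc=example,dc=com' -W -b dc=example,dc=com '(objectClass=*)'
# The same certificate verification applies to ldaps://, where TLS is set up
# before any LDAP message is sent:
#   ldapsearch -H ldaps://ldap.example.com -x -D 'cn=admin,dc=example,dc=com' -W -b dc=example,dc=com
# Server side (cn=config), so clients cannot fall back to an unencrypted bind:
#   olcSecurity: simple_bind=128
```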
Changing Records
<syntaxhighlight lang="bash">
#### changes.ldif
# LDIF comments must be on their own line; text after a value is part of the value.
# target of the object we are modifying
dn: cn=userA,dc=example_1,dc=com
# operation: modify an RDN (rename and/or move)
changetype: modrdn
# the new RDN value
newrdn: uid=userB
# mandatory for modrdn: 1 removes the old RDN value (cn: userA) from the entry,
# 0 keeps it. If cn is a MUST attribute of the entry's objectClass and userA is
# its only value, use 0 or the rename fails with an objectClass violation.
deleteoldrdn: 1
# the new parent of the item we are moving
newsuperior: dc=example_2,dc=com
</syntaxhighlight>
<syntaxhighlight lang="bash">
ldapmodify -x \
    -D 'cn=admin,dc=example,dc=com' `# user credentials to authenticate with` \
    -W                              `# prompt for the password` \
    -f changes.ldif
</syntaxhighlight>