Using command line ldap tools
If you are using the command-line ldapsearch utility, the most basic format of the command line is as follows:
ldapsearch -h ldapserver -D userFQDN -w password -b base filter
For ldapserver you can use the DNS name or the IP address of the LDAP server you want to use. The userFQDN will be the fully qualified domain name of your user account (like cn=myname,ou=people,o=myorg). For the password, if you use -W instead of -w, most implementations will prompt you for the password after you hit enter on the command. With -w you need to put the password on the command line, where it can end up in your shell history and the process list. The base is ideally the point farthest down in the tree that gets you closest to the objects you want to find. The filter is the LDAP search filter that asks specifically for what you want. The closer the base is to the objects you want to find, the faster the search will return results, the less load you will put on the LDAP server, and the fewer extra objects you will return if your filter is not specific enough.
We will go over filters a lot more in a minute. There are two other switches that we should cover right away before talking about filters. The first, the -x switch, is sometimes needed if you are doing a clear text connection to the server. Sometimes the ldapsearch implementation will not do the clear text bind without the -x switch. The other is -LLL, which gives you much cleaner output without all sorts of comments and extra line items in the results.
So let’s talk about search filters. The search filter is the way you select exactly the record or records you want to find. The basic format of an LDAP search filter is the name of the attribute you are searching and the value you want to find in that attribute. So if you are looking for a last name of Grossman, you would search on sn, which stands for surname and is the attribute for last name. You would use sn=grossman to find the person. Note that I did not use a capital letter for the first letter. That was to show that LDAP filters are case insensitive. LDAP does not understand case. But the return will be in whatever case it was stored in, so the return will probably be Grossman and not grossman.
The search string that we gave above will return all the attributes for that user. If you only wanted to return some attributes then you can list them at the end of the command line. So let’s say you wanted first, last, and full name. You would then do the following.
ldapsearch -h server -D userFQDN -w pass -b base sn=grossman sn fullname givenname
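When the value in a filter such as sn=grossman comes from a variable or from user input, characters that have special meaning in a filter have to be escaped so the value is matched literally. The following is an added example, not part of the original page: the function names are hypothetical, the escaping follows RFC 4515, and the server, bind DN and base are the page's own placeholders.

```shell
#!/bin/sh
# Added example: build an ldapsearch filter safely from an untrusted value.
# Function names are hypothetical; server/DN/base values are placeholders.

# Escape the characters that are special inside an LDAP filter value
# (RFC 4515): backslash, asterisk and both parentheses.
# Backslash is handled first so the escapes added later are not re-escaped.
# (A NUL byte would be \00, but a shell string cannot contain one.)
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# Build an equality filter such as (sn=grossman).
# $1 = attribute name (fixed by the script), $2 = raw value to match.
ldap_eq_filter() {
    printf '(%s=%s)' "$1" "$(ldap_escape "$2")"
}

# Print, without running it, the search from the page with the escaped
# filter. -W prompts for the password instead of taking it with -w, and
# the filter is quoted so the shell does not expand * or ( ) itself.
# $1 = server, $2 = bind DN, $3 = base, $4 = raw surname
print_search() {
    printf 'ldapsearch -x -LLL -h %s -D "%s" -W -b "%s" "%s" sn fullname givenname\n' \
        "$1" "$2" "$3" "$(ldap_eq_filter sn "$4")"
}

# Constructed sample input: a surname containing filter metacharacters.
print_search ldapserver 'cn=myname,ou=people,o=myorg' \
    'ou=people,o=myorg' 'Gross*man (test)'
```

Without the escaping, the asterisk in the sample value would act as a wildcard and the parentheses would change the structure of the filter.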
Copyright © 2016