URL: https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/

Copyright © 2021 - devconnected. All rights reserved.
Any material cannot be used without our explicit consent (for online and offline
purposes).


HOW TO SEARCH LDAP USING LDAPSEARCH (WITH EXAMPLES)

by schkn February 2, 2020

If you are working in a medium to large company, you are probably interacting on
a daily basis with LDAP.

Whether this is on a Windows domain controller, or on a Linux OpenLDAP server,
the LDAP protocol is very useful to centralize authentication.

However, as your LDAP directory grows, you might get lost in all the entries
that you may have to manage.

Luckily, there is a command that will help you search for entries in an LDAP
directory tree: ldapsearch.

In this tutorial, we are going to see how you can easily search LDAP using
ldapsearch.

We are also going to review the options provided by the command in order to
perform advanced LDAP searches.

Table of Contents

 * Search LDAP using ldapsearch
   * Search LDAP with admin account
 * Running LDAP Searches with Filters
   * Finding all objects in the directory tree
   * Finding user accounts using ldapsearch
   * AND Operator using ldapsearch
   * OR Operator using ldapsearch
   * Negation Filters using ldapsearch
   * Finding LDAP server configuration using ldapsearch
   * Using Wildcards in LDAP searches
 * Ldapsearch Advanced Options
   * LDAP Extensible Match Filters
     * Supercharging default operators
 * Conclusion


SEARCH LDAP USING LDAPSEARCH

The easiest way to search LDAP is to use ldapsearch with the “-x” option for
simple authentication and specify the search base with “-b”.

If you are not running the search directly on the LDAP server, you will have to
specify the host with the “-H” option.

$ ldapsearch -x -b <search_base> -H <ldap_host>

As an example, let’s say that you have an OpenLDAP server installed and running
on the 192.168.178.29 host of your network.

If your server is accepting anonymous authentication, you will be able to
perform an LDAP search query without binding to the admin account.

$ ldapsearch -x -b "dc=devconnected,dc=com" -H ldap://192.168.178.29



As you can see, if you don’t specify any filters, the LDAP client will assume
that you want to run a search on all object classes of your directory tree.

As a consequence, you will be presented with a lot of information. If you want
to restrict the information presented, we are going to explain LDAP filters in
the next chapter.


SEARCH LDAP WITH ADMIN ACCOUNT

In some cases, you may want to run LDAP queries as the admin account in order to
have additional information presented to you.

To achieve that, you will need to make a bind request using the administrator
account of the LDAP tree.

To search LDAP using the admin account, you have to execute the “ldapsearch”
query with the “-D” option for the bind DN and the “-W” in order to be prompted
for the password.

$ ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W

As an example, let’s say that your administrator account has the following
distinguished name: “cn=admin,dc=devconnected,dc=com”.

In order to perform an LDAP search as this account, you would have to run the
following query

$ ldapsearch -x -b "dc=devconnected,dc=com" -H ldap://192.168.178.29 -D "cn=admin,dc=devconnected,dc=com" -W 

When running an LDAP search as the administrator account, you may be exposed to
users’ encrypted passwords, so make sure the output is neither displayed nor
stored where others can read it.


RUNNING LDAP SEARCHES WITH FILTERS

Running a plain LDAP search query without any filters is likely to be a waste of
time and resources.

Most of the time, you want to run an LDAP search query in order to find specific
objects in your LDAP directory tree.

In order to search for an LDAP entry with filters, you can append your filter at
the end of the ldapsearch command: on the left you specify the object type and
on the right the object value.

Optionally, you can specify the attributes to be returned from the object (the
username, the user password etc.)

$ ldapsearch <previous_options> "<object_type>=<object_value>" <optional_attributes>


FINDING ALL OBJECTS IN THE DIRECTORY TREE

In order to return all objects available in your LDAP tree, you can append the
“objectclass” filter and a wildcard character “*” to specify that you want to
return all objects.

$ ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W "objectclass=*"

When executing this query, you will be presented with all objects and all
attributes available in the tree.


FINDING USER ACCOUNTS USING LDAPSEARCH

For example, let’s say that you want to find all user accounts on the LDAP
directory tree.

By default, user accounts will most likely have the “account” structural object
class, which can be used to narrow down all user accounts.

$ ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W "objectclass=account"

By default, the query will return all attributes available for the given object
class.

As specified in the previous section, you can append optional attributes to your
query if you want to narrow down your search.

For example, if you are interested only in the user CN, UID, and home directory,
you would run the following LDAP search

$ ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W "objectclass=account" cn uid homeDirectory



Awesome, you have successfully performed a LDAP search using filters and
attribute selectors!


AND OPERATOR USING LDAPSEARCH

In order to have multiple filters separated by “AND” operators, you have to
enclose all the conditions between brackets and have a “&” character written at
the beginning of the query.

$ ldapsearch <previous_options> "(&(<condition_1>)(<condition_2>)...)"

For example, let’s say that you want to find all entries that have an
“objectclass” equal to “account” and a “uid” equal to “john”; you would run
the following query

$ ldapsearch <previous_options> "(&(objectclass=account)(uid=john))"


OR OPERATOR USING LDAPSEARCH

In order to have multiple filters separated by “OR” operators, you have to
enclose all the conditions between brackets and have a “|” character written at
the beginning of the query.

$ ldapsearch <previous_options> "(|(<condition_1>)(<condition_2>)...)"

For example, if you want to find all entries having an object class of type
“account” or of type “organizationalRole”, you would run the following query

$ ldapsearch <previous_options> "(|(objectclass=account)(objectclass=organizationalRole))"


NEGATION FILTERS USING LDAPSEARCH

In some cases, you want to negatively match some of the entries in your LDAP
directory tree.

In order to have a negative match filter, you have to enclose your condition in
parentheses and prefix it with a “!” character. The negation applies to a
single filter, which can itself combine several conditions with the AND or OR
operators seen above.

$ ldapsearch <previous_options> "(!(<condition>))"

For example, if you want to match all entries NOT having a “cn” attribute of
value “john”, you would write the following query

$ ldapsearch <previous_options> "(!(cn=john))"
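The AND, OR and NOT filters above compose by nesting, and in practice they are often assembled by a script from values that were not typed by an administrator. The following helpers build such filter strings the way this chapter describes; they are an added example, not code from the original article. The function names are mine; the escaping they apply is the RFC 4515 rule that “\”, “*”, “(”, “)” and NUL inside a value are written as hex escapes, so a value is always compared as text and never read as filter syntax.

```python
"""Compose ldapsearch filters with the AND, OR and NOT operators shown above.
Added example, not code from the original article.  Values are escaped as
RFC 4515 requires so they are always compared as text, never read as
filter syntax."""

# Characters with a special meaning inside a filter and their hex escapes.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_value(value: str) -> str:
    """Escape one assertion value.  Backslash goes first so the escapes this
    function produces are not escaped a second time."""
    out = value.replace("\\", _ESCAPES["\\"])
    for ch, esc in _ESCAPES.items():
        if ch != "\\":
            out = out.replace(ch, esc)
    return out


def eq(attr: str, value: str) -> str:
    """Equality assertion, e.g. eq("uid", "john") -> (uid=john)."""
    return f"({attr}={escape_value(value)})"


def starts_with(attr: str, prefix: str) -> str:
    """Substring assertion with a trailing wildcard, e.g. (uid=jo*).  Only the
    wildcard added here is left unescaped; one inside the prefix is escaped."""
    return f"({attr}={escape_value(prefix)}*)"


def and_(*filters: str) -> str:
    """(&(f1)(f2)...): every filter must match."""
    return "(&" + "".join(filters) + ")"


def or_(*filters: str) -> str:
    """(|(f1)(f2)...): at least one filter must match."""
    return "(|" + "".join(filters) + ")"


def not_(filt: str) -> str:
    """(!(f)): NOT takes exactly one operand; to negate several conditions,
    wrap them in and_() or or_() first."""
    return f"(!{filt})"


def account_filter(uid: str) -> str:
    """The AND example above, built from a uid that may come from user input."""
    return and_(eq("objectclass", "account"), eq("uid", uid))


def ldapsearch_argv(host: str, base: str, bind_dn: str, filt: str, *attrs: str) -> list:
    """Argument vector for the ldapsearch command as used on this page.  -W
    prompts for the bind password, so it never appears in the process list."""
    return ["ldapsearch", "-x", "-H", host, "-b", base, "-D", bind_dn, "-W", filt, *attrs]


if __name__ == "__main__":
    print(account_filter("john"))
    print(not_(or_(eq("objectclass", "account"), eq("objectclass", "organizationalRole"))))
    print(eq("cn", "John (Sales)"))   # parentheses in the name become \28 and \29
```

A common name such as “John (Sales)” shows why the escaping matters: without it the parentheses would be parsed as filter structure rather than as part of the value.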


FINDING LDAP SERVER CONFIGURATION USING LDAPSEARCH

One advanced usage of the ldapsearch command is to retrieve the configuration of
your LDAP tree.

If you are familiar with OpenLDAP, you know that there is a global configuration
object sitting at the top of your LDAP hierarchy.

In some cases, you may want to see attributes of your LDAP configuration, in
order to modify access control or to modify the root admin password for example.

To search for the LDAP configuration, use the “ldapsearch” command and specify
“cn=config” as the search base for your LDAP tree.

To run this search, you have to use the “-Y” option and specify “EXTERNAL” as
the authentication mechanism.

$ ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 

> Note : this command has to be run on the server directly, not from one of your
> LDAP clients.



By default, this command will return a lot of results as it returns backends,
schemas and modules.

If you want to restrict your search to database configurations, you can specify
the “olcDatabaseConfig” object class with ldapsearch.

$ ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectclass=olcDatabaseConfig)"


USING WILDCARDS IN LDAP SEARCHES

Another powerful way of searching through a list of LDAP entries is to use
wildcard characters such as the asterisk (“*”).

The wildcard character is used much like the asterisk in a regular expression
or shell glob: it matches any attribute value starting or ending with a given
substring.

$ ldapsearch <previous_options> "<object_type>=*<object_value>"

$ ldapsearch <previous_options> "<object_type>=<object_value>*"

As an example, let’s say that you want to find all entries having a “uid”
attribute starting with the letters “jo”.

$ ldapsearch <previous_options> "uid=jo*"




LDAPSEARCH ADVANCED OPTIONS

In this tutorial, you learnt about the basic ldapsearch options, but there are
many others that may be of interest to you.


LDAP EXTENSIBLE MATCH FILTERS

Extensible LDAP match filters are used to supercharge existing operators (for
example the equality operator) by specifying the type of comparison that you
want to perform.

SUPERCHARGING DEFAULT OPERATORS

To supercharge an LDAP operator, you have to use the “:=” syntax.

$ ldapsearch <previous_options> "<object_type>:=<object_value>"

For example, if you want to search for all entries that have a “cn” equal to
“john”, you would run the following command

$ ldapsearch <previous_options> "cn:=john"

# Which is equivalent to

$ ldapsearch <previous_options> "cn=john"

As you probably noticed, running the search on “john” or on “JOHN” returns the
same exact result.

As a consequence, you may want to constrain the results to an exact match on
“john”, making the search case sensitive.

To do so, you can name the matching rule to apply, inserting it between the
attribute and “:=” and separating it with “:” characters.

$ ldapsearch <previous_options> "<object_type>:<op1>:<op2>:=<object_value>"

For example, in order to have a search which is case sensitive, you would run
the following command

$ ldapsearch <previous_options> "cn:caseExactMatch:=john"
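To see how the wildcard filters of the previous section and the extensible match filters of this one are actually evaluated, including the default case-insensitive comparison of “cn” and the effect of “caseExactMatch”, the following small evaluator parses RFC 4515 filters and runs them against an in-memory directory. It is an added example, not code from the original article: the entries are constructed to stand in for a slice of the dc=devconnected,dc=com tree, and only the caseIgnoreMatch and caseExactMatch rules are implemented.

```python
"""Evaluate RFC 4515 search filters against an in-memory directory, so the
wildcard and extensible-match filters above can be tried without a server.
Added example, not code from the original article; the entries are
constructed and stand in for a slice of the dc=devconnected,dc=com tree."""
import re

DIRECTORY = [
    {"dn": "uid=john,ou=people,dc=devconnected,dc=com",
     "objectClass": ["account", "posixAccount"], "uid": ["john"], "cn": ["John"]},
    {"dn": "uid=joe,ou=people,dc=devconnected,dc=com",
     "objectClass": ["account", "posixAccount"], "uid": ["joe"], "cn": ["joe"]},
    {"dn": "uid=alice,ou=people,dc=devconnected,dc=com",
     "objectClass": ["account", "posixAccount"], "uid": ["alice"], "cn": ["alice"]},
    {"dn": "cn=admin,dc=devconnected,dc=com",
     "objectClass": ["organizationalRole"], "cn": ["admin"]},
]

# attribute, optional ":rule", optional ":" before "=", assertion value
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(?::(\w+))?(:?)=(.*)")


def parse(text):
    """Parse a filter into a tree of tuples.  A bare item such as uid=jo*
    (which ldapsearch accepts) is wrapped in parentheses first."""
    if not text.startswith("("):
        text = f"({text})"
    node, pos = _parse_filter(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _parse_filter(s, i):
    """Parse one parenthesised filter starting at s[i]; return (node, next_i)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":                       # (&(f)(g)...) and (|(f)(g)...)
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse_filter(s, i)
            children.append(child)
        node = (op, children)
    elif s[i] == "!":                      # (!(f)): exactly one operand
        child, i = _parse_filter(s, i + 1)
        node = ("!", child)
    else:                                  # attr=value, attr:=value, attr:rule:=value
        end = s.index(")", i)
        m = _ITEM.fullmatch(s[i:end])
        if not m:
            raise ValueError(f"bad assertion {s[i:end]!r}")
        attr, rule, _, value = m.groups()
        node = ("item", attr.lower(), rule, value)
        i = end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1


def _unescape(s):
    """Decode \\XX hex escapes, e.g. \\2a for a literal asterisk."""
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def _value_matches(pattern, actual, case_exact):
    """'*' alone tests presence; '*' inside the value is a substring wildcard."""
    if pattern == "*":
        return True
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    return re.fullmatch(regex, actual, 0 if case_exact else re.IGNORECASE) is not None


def matches(node, entry):
    """True when the entry satisfies the parsed filter."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    # cn, uid and objectClass use caseIgnoreMatch by default, so cn=john also
    # finds "John"; cn:caseExactMatch:=john overrides that for one assertion.
    case_exact = rule is not None and rule.lower() == "caseexactmatch"
    if rule is not None and not case_exact and rule.lower() != "caseignorematch":
        raise ValueError(f"unsupported matching rule {rule!r}")
    values = [v for k, vs in entry.items() if k != "dn" and k.lower() == attr for v in vs]
    return any(_value_matches(value, v, case_exact) for v in values)


def search(filter_text, directory=DIRECTORY):
    """Return the DNs matching the filter, like ldapsearch would list them."""
    node = parse(filter_text)
    return [e["dn"] for e in directory if matches(node, e)]


if __name__ == "__main__":
    for f in ("uid=jo*", "(&(objectclass=account)(uid=john))", "cn:caseExactMatch:=john"):
        print(f, "->", search(f))
```

Running it shows the behaviour described above: “cn=john”, “cn=JOHN” and “cn:=john” all return the entry whose cn is “John”, while “cn:caseExactMatch:=john” returns nothing and only “cn:caseExactMatch:=John” matches. The parser also rejects a NOT filter with more than one operand, which is why several conditions have to be grouped under “&” or “|” before they are negated.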

If you are not familiar with LDAP match filters, here is a list of all the
operators available to you.


CONCLUSION

In this tutorial, you learnt how you can search an LDAP directory tree using the
ldapsearch command.

You have seen the basics of searching basic entries and attributes as well as
building complex matching filters with operators (and, or and negative
operators).

You also learnt that it is possible to supercharge existing operators by using
extensible match options and specifying the custom operator to be used.

If you are interested in Advanced Linux System Administration, we have a
complete section dedicated to it on the website, so make sure to check it out!



