devconnected.com
Open in
urlscan Pro
2606:4700:20::681a:f3e
Public Scan
URL:
https://devconnected.com/how-to-search-ldap-using-ldapsearch-examples/
Submission: On June 24 via manual from US — Scanned from DE
Submission: On June 24 via manual from US — Scanned from DE
Form analysis
2 forms found in the DOMGET https://devconnected.com/
<form role="search" method="get" class="pc-searchform penci-hbg-search-form" action="https://devconnected.com/">
<div class="inner-hbg-search-form">
<input type="text" class="search-input" placeholder="Type and hit enter..." name="s">
<i class="penciicon-magnifiying-glass"></i>
</div>
</form>
POST https://devconnected.com/wp-comments-post.php
<form action="https://devconnected.com/wp-comments-post.php" method="post" id="commentform" class="comment-form">
<p class="comment-form-comment"><textarea id="comment" name="comment" cols="45" rows="8" placeholder="Your Comment" aria-required="true"></textarea></p>
<p class="comment-form-author"><input id="author" name="author" type="text" value="" placeholder="Name*" size="30" aria-required="true"></p>
<p class="comment-form-email"><input id="email" name="email" type="text" value="" placeholder="Email*" size="30" aria-required="true"></p>
<p class="comment-form-url"><input id="url" name="url" type="text" value="" placeholder="Website" size="30"></p>
<p class="comment-form-cookies-consent"><input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes"><span class="comment-form-cookies-text" for="wp-comment-cookies-consent">Save my name, email, and website
in this browser for the next time I comment.</span></p>
<p class="form-submit"><input name="submit" type="submit" id="submit" class="submit" value="Submit"> <input type="hidden" name="comment_post_ID" value="6557" id="comment_post_ID">
<input type="hidden" name="comment_parent" id="comment_parent" value="0">
</p>
<p style="display: none;"><input type="hidden" id="akismet_comment_nonce" name="akismet_comment_nonce" value="9629933603"></p>
<p style="display: none !important;"><label>Δ<textarea name="ak_hp_textarea" cols="45" rows="8" maxlength="100"></textarea></label><input type="hidden" id="ak_js_1" name="ak_js" value="1719247792800">
<script>
document.getElementById("ak_js_1").setAttribute("value", (new Date()).getTime());
</script>
</p>
</form>
Text Content
* Home * Linux System Administration * Basics * Bash * Logging * Security * Tips * Monitoring * Grafana * InfluxDB * Kibana * Prometheus * Software Engineering * Guide * CentOS * Debian * Ubuntu * DevOps * ELK stack * Docker * Productivity * About POPULAR POSTS * 1 4 BEST TIME SERIES DATABASES TO WATCH IN 2019 April 11, 2019 * 2 UNDERSTANDING HARD AND SOFT LINKS ON LINUX August 14, 2019 * 3 HOW TO INSTALL NGINX ON CENTOS 8 October 6, 2019 * 4 HOW TO CLEAN UP GIT BRANCHES November 21, 2019 * 5 HOW TO SEARCH LDAP USING LDAPSEARCH (WITH EXAMPLES) February 2, 2020 Copyright © 2021 - devconnected. All rights reserved. Any material cannot be used without our explicit consent (for online and offline purposes). Trending How To Flush DNS Cache on Linux How To Find Last Login on Linux How To Encrypt Root Filesystem on Linux How To Undo Git Add Command How To Encrypt File on Linux How To List Services on Linux Monitoring Disk I/O on Linux with the Node... Monitoring Linux Processes using Prometheus and Grafana How To List Disks on Linux How To Add Route on Linux How To Git Add All Files How To Encrypt Partition on Linux How To Flush DNS Cache on Linux How To Find Last Login on Linux How To Encrypt Root Filesystem on Linux How To Undo Git Add Command How To Encrypt File on Linux How To List Services on Linux Monitoring Disk I/O on Linux with the Node... Monitoring Linux Processes using Prometheus and Grafana How To List Disks on Linux How To Add Route on Linux How To Git Add All Files How To Encrypt Partition on Linux Home Linux System AdministrationAdvanced How To Search LDAP using ldapsearch (With Examples) AdvancedLinux System Administration HOW TO SEARCH LDAP USING LDAPSEARCH (WITH EXAMPLES) by schkn February 2, 2020 written by schkn 75.7K If you are working in a medium to large company, you are probably interacting on a daily basis with LDAP. Whether this is on a Windows domain controller, or on a Linux OpenLDAP server, the LDAP protocol is very useful to centralize authentication. However, as your LDAP directory grows, you might get lost in all the entries that you may have to manage. Luckily, there is a command that will help you search for entries in a LDAP directory tree : ldapsearch. In this tutorial, we are going to see how you can easily search LDAP using ldapsearch. We are also going to review the options provided by the command in order to perform advanced LDAP searches. Table of Contents * Search LDAP using ldapsearch * Search LDAP with admin account * Running LDAP Searches with Filters * Finding all objects in the directory tree * Finding user accounts using ldapsearch * AND Operator using ldapsearch * OR Operator using ldapsearch * Negation Filters using ldapsearch * Finding LDAP server configuration using ldapsearch * Using Wildcards in LDAP searches * Ldapsearch Advanced Options * LDAP Extensible Match Filters * Supercharging default operators * Conclusion SEARCH LDAP USING LDAPSEARCH The easiest way to search LDAP is to use ldapsearch with the “-x” option for simple authentication and specify the search base with “-b”. If you are not running the search directly on the LDAP server, you will have to specify the host with the “-H” option. $ ldapsearch -x -b <search_base> -H <ldap_host> As an example, let’s say that you have an OpenLDAP server installed and running on the 192.168.178.29 host of your network. If your server is accepting anonymous authentication, you will be able to perform a LDAP search query without binding to the admin account. $ ldapsearch -x -b "dc=devconnected,dc=com" -H ldap://192.168.178.29 As you can see, if you don’t specify any filters, the LDAP client will assume that you want to run a search on all object classes of your directory tree. As a consequence, you will be presented with a lot of information. If you want to restrict the information presented, we are going to explain LDAP filters in the next chapter. SEARCH LDAP WITH ADMIN ACCOUNT In some cases, you may want to run LDAP queries as the admin account in order to have additionnal information presented to you. To achieve that, you will need to make a bind request using the administrator account of the LDAP tree. To search LDAP using the admin account, you have to execute the “ldapsearch” query with the “-D” option for the bind DN and the “-W” in order to be prompted for the password. $ ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W As an example, let’s say that your administrator account has the following distinguished name : “cn=admin,dc=devconnected,dc=com“. In order to perform a LDAP search as this account, you would have to run the following query $ ldapsearch -x -b "dc=devconnected,dc=com" -H ldap://192.168.178.29 -D "cn=admin,dc=devconnected,dc=com" -W When running a LDAP search as the administrator account, you may be exposed to user encrypted passwords, so make sure that you run your query privately. RUNNING LDAP SEARCHES WITH FILTERS Running a plain LDAP search query without any filters is likely to be a waste of time and resource. Most of the time, you want to run a LDAP search query in order to find specific objects in your LDAP directory tree. In order to search for a LDAP entry with filters, you can append your filter at the end of the ldapsearch command : on the left you specify the object type and on the right the object value. Optionally, you can specify the attributes to be returned from the object (the username, the user password etc.) $ ldapsearch <previous_options> "(object_type)=(object_value)" <optional_attributes> FINDING ALL OBJECTS IN THE DIRECTORY TREE In order to return all objects available in your LDAP tree, you can append the “objectclass” filter and a wildcard character “*” to specify that you want to return all objects. $ ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W "objectclass=*" When executing this query, you will be presented with all objects and all attributes available in the tree. FINDING USER ACCOUNTS USING LDAPSEARCH For example, let’s say that you want to find all user accounts on the LDAP directory tree. By default, user accounts will most likely have the “account” structural object class, which can be used to narrow down all user accounts. $ ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W "objectclass=account" By default, the query will return all attributes available for the given object class. As specified in the previous section, you can append optional attributes to your query if you want to narrow down your search. For example, if you are interested only in the user CN, UID, and home directory, you would run the following LDAP search $ ldapsearch -x -b <search_base> -H <ldap_host> -D <bind_dn> -W "objectclass=account" cn uid homeDirectory Awesome, you have successfully performed a LDAP search using filters and attribute selectors! AND OPERATOR USING LDAPSEARCH In order to have multiple filters separated by “AND” operators, you have to enclose all the conditions between brackets and have a “&” character written at the beginning of the query. $ ldapsearch <previous_options> "(&(<condition_1>)(<condition_2>)...)" For example, let’s say that you want to find all entries have a “objectclass” that is equal to “account” and a “uid” that is equal to “john”, you would run the following query $ ldapsearch <previous_options> "(&(objectclass=account)(uid=john))" OR OPERATOR USING LDAPSEARCH In order to have multiple filters separated by “OR” operators, you have to enclose all the conditions between brackets and have a “|” character written at the beginning of the query. $ ldapsearch <previous_options> "(|(<condition_1>)(<condition_2>)...)" For example, if you want to find all entries having a object class of type “account” or or type “organizationalRole”, you would run the following query $ ldapsearch <previous_options> "(|(objectclass=account)(objectclass=organizationalRole))" NEGATION FILTERS USING LDAPSEARCH In some cases, you want to negatively match some of the entries in your LDAP directory tree. In order to have a negative match filter, you have to enclose your condition(s) with a “!” character and have conditions separated by enclosing parenthesis. $ ldapsearch <previous_options> "(!(<condition_1>)(<condition_2>)...)" For example, if you want to match all entries NOT having a “cn” attribute of value “john”, you would write the following query $ ldapsearch <previous_options> "(!(cn=john))" FINDING LDAP SERVER CONFIGURATION USING LDAPSEARCH One advanced usage of the ldapsearch command is to retrieve the configuration of your LDAP tree. If you are familiar with OpenLDAP, you know that there is a global configuration object sitting at the top of your LDAP hierarchy. In some cases, you may want to see attributes of your LDAP configuration, in order to modify access control or to modify the root admin password for example. To search for the LDAP configuration, use the “ldapsearch” command and specify “cn=config” as the search base for your LDAP tree. To run this search, you have to use the “-Y” option and specify “EXTERNAL” as the authentication mechanism. $ ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config > Note : this command has to be run on the server directly, not from one of your > LDAP clients. By default, this command will return a lot of results as it returns backends, schemas and modules. If you want to restrict your search to database configurations, you can specify the “olcDatabaseConfig” object class with ldapsearch. $ ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(objectclass=olcDatabaseConfig)" USING WILDCARDS IN LDAP SEARCHES Another powerful way of searching through a list of LDAP entries is to use wildcards characters such as the asterisk (“*”). The wildcard character has the same function as the asterisk you use in regex : it will be used to match any attribute starting or ending with a given substring. $ ldapsearch <previous_options> "(object_type)=*(object_value)" $ ldapsearch <previous_options> "(object_type)=(object_value)*" As an example, let’s say that you want to find all entries having an attribute “uid” starting with the letter “j”. $ ldapsearch <previous_options> "uid=jo*" LDAPSEARCH ADVANCED OPTIONS In this tutorial, you learnt about basic ldapsearch options but there are many others that may be interested to you. LDAP EXTENSIBLE MATCH FILTERS Extensible LDAP match filters are used to supercharge existing operators (for example the equality operator) by specifying the type of comparison that you want to perform. SUPERCHARGING DEFAULT OPERATORS To supercharge a LDAP operator, you have to use the “:=” syntax. $ ldapsearch <previous_options> "<object_type>:=<object_value>" For example, if you want to search for all entries have a “cn” that is equal to “john,” you would run the following command $ ldapsearch <previous_options> "cn:=john" # Which is equivalent to $ ldapsearch <previous_options> "cn=john" As you probably noticed, running the search on “john” or on “JOHN” returns the same exact result. As a consequence, you may want to constraint the results to the “john” exact match, making the search case sensitive. Using ldapsearch, you can add additional filters separated by “:” characters. $ ldapsearch <previous_options> "<object_type>:<op1>:<op2>:=<object_value>" For example, in order to have a search which is case sensitive, you would run the following command $ ldapsearch <previous_options> "cn:caseExactMatch:=john" If you are not familiar with LDAP match filters, here is a list of all the operators available to you. CONCLUSION In this tutorial, you learnt how you can search a LDAP directory tree using the ldapsearch command. You have seen the basics of searching basic entries and attributes as well as building complex matching filters with operators (and, or and negative operators). You also learnt that it is possible to supercharge existing operators by using extensible match options and specifying the custom operator to be used. If you are interested in Advanced Linux System Administration, we have a complete section dedicated to it on the website, so make sure to check it out! ldap 1 comment 3 FacebookTwitterRedditEmail SCHKN previous post HOW TO SWITCH BRANCH ON GIT next post LVM SNAPSHOTS BACKUP AND RESTORE ON LINUX YOU MAY ALSO LIKE HOW TO LIST DISKS ON LINUX HOW TO ADD ROUTE ON LINUX HOW TO ENCRYPT PARTITION ON LINUX 1 COMMENT Links 3/2/2020: Wine 5.1 Released, GNU/Linux Benchmarks Against Vista 10 (Windows Loses), KDevelop 5.5 | Techrights February 3, 2020 - 1:01 pm […] How To Search LDAP using ldapsearch (With Examples) […] Reply LEAVE A COMMENT CANCEL REPLY Save my name, email, and website in this browser for the next time I comment. Δ This site uses Akismet to reduce spam. Learn how your comment data is processed. RECENT COMMENTS * San Very good * Thanks a lot for this helpful information. * dropintosayhello My favorite is " ls -1 /dev/sd? ", run it twice, before… * Zain Ul Basit Informative.... * Deekshitha Very Useful, Thank you so much. * March 2021 * February 2021 * January 2021 * December 2020 * November 2020 * October 2020 * September 2020 * August 2020 * July 2020 * April 2020 * March 2020 * February 2020 * January 2020 * December 2019 * November 2019 * October 2019 * September 2019 * August 2019 * July 2019 * June 2019 * May 2019 * April 2019 * Twitter * About * Privacy Policy Copyright © 2021 - devconnected. All rights reserved. Any material cannot be used without our explicit consent (for online and offline purposes). READ ALSOX HOW TO INSTALL SAMBA ON DEBIAN 10 BUSTER February 22, 2020 HOW TO CREATE DISK PARTITIONS ON LINUX October 21, 2019 HOW TO ENCRYPT PARTITION ON LINUX January 11, 2021