LDAP - List LDAP Users Groups Organizational Unit using the ldapsearch command


The ldapsearch command can be used to search for Organizational Units (OUs), People, and Groups in LDAP. In this example, entries in the example.com domain will be returned.

  • The -H option is the LDAP URI of the server. Use ldaps:// (or ldap:// together with -ZZ, which requires StartTLS to succeed) so that the bind password is not sent in the clear
  • The -x option means simple authentication (a plain bind DN and password) instead of SASL; Kerberos is one SASL mechanism (GSSAPI)
  • The -b option is the base distinguished name (DN), the point in the tree where the search starts

The dc= (domain component) style maps a DNS domain onto the LDAP tree. This is the style Active Directory (AD) uses.

ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com

 

Novell's eDirectory uses an o= (organization) based tree

ldapsearch -x -H ldaps://ldap.example.com -b o=acme

 

The -D option supplies the identity to bind as when the LDAP server requires authentication (normally a DN; AD also accepts a userPrincipalName such as john.doe@example.com), and the upper case -W option prompts you for the password.

ldapsearch -x -H ldaps://ldap.example.com -b o=acme -D john.doe@example.com -W

 

Or the lower case -w option can be used to include your password on the command line. Avoid this outside of quick interactive tests: the password is visible to every user on the host in the process list (ps) and is written to your shell history. Prefer -W, or put the password in a file readable only by you and pass it with -y.

ldapsearch -x -H ldaps://ldap.example.com -b o=acme -D john.doe@example.com -w itsasecret

 

A filter can be added after the base DN. For example, uid=JohnDoe returns only entries whose uid (user ID) attribute matches.

ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com uid=JohnDoe

 

Likewise, cn=JohnDoe returns only entries whose cn (common name) attribute matches.

ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com cn=JohnDoe

 

Even better, combine objectClass and cn in one filter. Compound filters use prefix notation, so the whole expression is wrapped in (&...) and every parenthesis must be balanced; quote the filter so the shell does not interpret the parentheses.

ldapsearch -x -H ldaps://ldap.example.com -b dc=example,dc=com "(&(objectClass=person)(cn=JohnDoe))"
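The -w warning and the filters above, as an added example that is not from the original article: a POSIX shell helper that keeps the bind password out of the process list by writing it to a mode 0600 file for -y, and escapes user-supplied values before splicing them into a filter so that input such as `*` or `JohnDoe)(uid=*` cannot widen the search (RFC 4515 escaping). The server name, base DN, service account DN and the function names are assumptions for illustration; the command is printed rather than run because the example has no directory server to talk to.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes the OpenLDAP
# ldapsearch client; the server, base DN and bind DN are placeholders.

# Escape a value for use inside an LDAP search filter (RFC 4515): the
# characters \ * ( ) must become \5c \2a \28 \29. Backslash is handled first
# so the escapes produced for the other characters are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# Build the combined objectClass/cn filter from the article with the cn value
# escaped, so a caller-supplied "*" matches a literal asterisk rather than
# every person under the base DN.
person_filter() {
    printf '(&(objectClass=person)(cn=%s))' "$(ldap_escape "$1")"
}

# Write the bind password to a file only the current user can read and print
# its path, for use with ldapsearch -y. mktemp creates the file mode 0600.
# printf without a trailing newline matters: -y passes the file contents
# verbatim, so `echo secret > file` would bind with "secret\n" and fail.
make_passfile() {
    f=$(mktemp) || return 1
    printf '%s' "$1" > "$f"
    printf '%s\n' "$f"
}

# Print the resulting ldapsearch command line for inspection (hypothetical
# service account DN; nothing is executed).
show_search() {
    name=$1
    passfile=$2
    printf 'ldapsearch -x -LLL -H ldaps://ldap.example.com -b dc=example,dc=com \\\n'
    printf '    -D cn=svc-ldap,ou=People,dc=example,dc=com -y %s \\\n' "$passfile"
    printf '    "%s" dn mail\n' "$(person_filter "$name")"
}

if [ "${1:-}" = demo ]; then
    pf=$(make_passfile 'itsasecret')
    show_search 'JohnDoe' "$pf"
    show_search 'JohnDoe)(uid=*' "$pf"   # injection attempt, neutralised by escaping
    rm -f "$pf"
fi
```

Run it as `sh script.sh demo` to see both command lines; the second shows the attacker-controlled parentheses and asterisk rendered as \29, \28 and \2a, so the filter still matches only a cn literally equal to that string.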

 

Following is an example of what could be returned by the ldapsearch command. Note that userPassword hashes are only returned because the identity used for the bind has read access to that attribute; a correctly configured directory restricts userPassword so that an anonymous bind cannot read it.

# extended LDIF
#
# LDAPv3
# base <DC=example,DC=com> with scope subtree
# filter: cn=JohnDoe
# requesting: ALL
#
dn: cn=JohnDoe,ou=People,dc=example,dc=com
uid: JohnDoe
cn: JohnDoe
sn: JohnDoe
mail: JohnDoe@example.com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}asldfjalkfjaslkfavkjalkalkvjalkvjalfjadofiasoifjelemlaemlakemla
shadowLastChange: 17483
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1001
gidNumber: 1001
homeDirectory: /home/JohnDoe
gecos: JohnDoe

dn: cn=admins,ou=Group,dc=example,dc=com
objectClass: posixGroup
objectClass: top
cn: admins
userPassword: {crypt}x
gidNumber: 1003
memberUid: JohnDoe

 

Notice that by default, the top of the output includes a few commented out lines. -L restricts the output to LDIFv1, -LL additionally disables those comments, and -LLL also disables printing of the LDIF version line, which is the form you usually want when feeding the output to another tool.

ldapsearch -x -LLL -H ldaps://ldap.example.com -b dc=example,dc=com cn=JohnDoe

 

Attribute names listed after the filter restrict what is returned; listing only dn returns just the distinguished name of each match. Notice in this example that the dn output is wrapped (at 79 characters), and that the continuation line begins with a single space, which is how LDIF marks a folded line.

~]$ ldapsearch -x -H ldaps://ldap.example.com -b DC=example,DC=com -D johndoe@example.com -W "(&(cn=jane.doe)(objectClass=person))" dn
dn: CN=jane.doe,OU=Marketing Department,OU=Person,DC=examp
 le,DC=com

 

-o ldif-wrap=no can be used to NOT wrap lines at 79 characters.

~]$ ldapsearch -x -o ldif-wrap=no -H ldaps://ldap.example.com -b DC=example,DC=com -D johndoe@example.com -W "(&(cn=jane.doe)(objectClass=person))" dn
dn: CN=jane.doe,OU=Marketing Department,OU=Person,DC=example,DC=com
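When -o ldif-wrap=no is not available (or the output was captured earlier), the folding can be undone after the fact. The following is an added example, not code from the original article: a POSIX shell script that unfolds LDIF continuation lines with awk and then pulls out the values of one attribute. The sample LDIF is constructed here to mirror the article's wrapped dn and the admins group; the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): unfold and read ldapsearch
# LDIF output. The input below is constructed to mirror the article's output.

# ldapsearch wraps long attribute values and marks each continuation line with
# a single leading space (RFC 2849). Join those back onto the preceding line so
# the output can be processed one attribute per line, the same result that
# -o ldif-wrap=no gives at the source.
ldif_unfold() {
    awk '
        /^ /    { buf = buf substr($0, 2); next }   # continuation: drop the space, append
        started { print buf }
                { buf = $0; started = 1 }
        END     { if (started) print buf }
    '
}

# Print the values of one attribute from unfolded LDIF, one per line.
# Matches "attr: value" only; base64 values ("attr:: ...") are left to the
# caller to decode.
ldif_attr() {
    awk -v attr="$1" '
        index($0, attr ": ") == 1 { print substr($0, length(attr) + 3) }
    '
}

# Constructed sample in the shape of the article's output: a dn wrapped across
# two lines, then a group entry with two members.
SAMPLE_LDIF='dn: CN=jane.doe,OU=Marketing Department,OU=Person,DC=examp
 le,DC=com
cn: jane.doe
mail: jane.doe@example.com

dn: cn=admins,ou=Group,dc=example,dc=com
objectClass: posixGroup
cn: admins
memberUid: JohnDoe
memberUid: jane.doe'

# Every dn in the sample, unfolded, one per line.
sample_dns() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_unfold | ldif_attr dn
}

# The members of the admins group, one per line.
sample_members() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_unfold | ldif_attr memberUid
}

sample_dns
sample_members
```

In practice the pipeline is `ldapsearch -x -LLL ... | ldif_unfold | ldif_attr memberUid`; running -LLL first keeps the comment lines out of the stream, and unfolding first means a long DN or a long memberUid is never split across two lines when the value is compared or grepped.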
