OpenLDAP operations (ldapsearch).

Introduction

In this post we will learn how to search OpenLDAP directory using ldapsearch command.

Prerequisite

I assume that you have a working OpenLDAP server and OpenLDAP client. You might want to read this post which explains step by step how to install and run OpenLDAP server on Ubuntu 18.04. It also shows the basic configuration for OpenLDAP client which makes it possible to send requests to the server.

How to search the OpenLDAP directory.

To search LDAP directory for an entry we will be using ldapsearch utility. It can take several optional parameters.

The most basic search

The most basic form is ldapsearch -x. Option -x tells the command that you want to use simple authentication instead of SASL. This command returns contents of the whole directory.

orkhans@ubu1:~$ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=geekstuff,dc=org> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# geekstuff.org
dn: dc=geekstuff,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: geekstuff
dc: geekstuff

# admin, geekstuff.org
dn: cn=admin,dc=geekstuff,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

As you can see we do not provide any password and still can get the information from the server, because we have not configured access lists yet. By default, LDAP will respond to anonymous requests, but we can change this. Access Control List configuration is discussed in this post.

How to provide username and password?

If you disable anonymous access to the directory, you will have to provide the DN of the authorized user and the password. By the way, in LDAP world authorization DN is called Bind DN. The process of authentication itself is called binding. We will use -D option to provide the DN of our administrator user. To provide the password we can use -w :

orkhans@ubu1:~$ ldapsearch -x -D "cn=admin,dc=geekstuff,dc=org" -w 123456

Most probably you will not want to type in the password in the clear text. Another option is to use -W option. This will prompt you for the password and the password won’t be seen as you type it:

orkhans@ubu1:~$ ldapsearch -x -D "cn=admin,dc=geekstuff,dc=org" -W
Enter LDAP Password: 

How to start the search from a specific branch?

In the previous examples we used the ldapsearch command to search through the whole tree. It is possible to provide the start of the search using -b option. The start DN we provide for the search is called base DN. The following command will provide base DN dc=geekstuff,dc=org, which also happens to be my root DN:

orkhans@ubu1:~$ ldapsearch -x -D "cn=admin,dc=geekstuff,dc=org" -W -b dc=geekstuff,dc=org

How to search for entries by their attribute values?

The next common thing to do with ldapsearch command is search for entries using the attribute values. To do this we need to provide the attribute=value pair in our command. For example, let’s find the entry which has cn attribute set to admin:

How to remove comments from the output?

Another useful option is -LLL which allows to remove the comments and the LDIF version from the output, which makes the output more compact:

If you compare this output with the previous one you will notice that the comments are not displayed.

Conclusion

In this post we looked at how to search through the LDAP directory using ldapsearch utility.

Tags:,

Add a Comment

Your email address will not be published. Required fields are marked *