PREREQUISITES
IP address or hostname of AD/LDAP server = 192.168.1.250
Active Directory = ad.domain.com
(search) Base = dc=ad,dc=domain,dc=com
Binding User = testuser
Binding Password = thepassword (cannot contain ^, this is an illegal symbol)
Binding User Distinguished Name = cn=testuser,ou=users,ou=it,dc=ad,dc=domain,dc=com
Group to Search For = Authorized
(query) Filter = (&(sAMAccountname=%u)(memberof=CN=Authorized,OU=Groups,OU=it,DC=ad,DC=domain,DC=com))
A match means the entry is a user AND a member of the AD group Authorized (located at ad.domain.com/it/Groups/Authorized); %u stands for the login name being checked.
sAMAccountname=%u
ldap://192.168.1.250/
A search on CN, login name, or sAMAccountName returns the entry's DN.
A search on the Distinguished Name returns the security group memberships (except the Primary Group!) as memberOf values:
/usr/bin/ldapsearch -H ldap://10.10.10.235:389 -x -D "cn=serviceuser,ou=service,dc=mycompany,dc=com" -W -b "dc=mycompany,dc=com" "distinguishedName=CN=serviceuser,OU=service,DC=mycompany,DC=com"
/usr/bin/ldapwhoami -h 172.16.3.132 -v -x -D "cn=username,ou=users,ou=is,dc=ad,dc=domain,dc=com" -w thepassword
ODDLY, the -n option seems to work better...
ldapwhoami -H ldap://10.10.10.235:389 -x -D "cn=Administrator,cn=Users,dc=domain,dc=com" -w thepassword -n -v
/usr/bin/ldapsearch -l 30 -H $ldapserver -x -b $searchbase -D $binduserdn -w $bindpassword $filter
(-l 30 = 30 second time limit, -H = host, which can be given as ldap://hostname, -x = simple authentication,
ldapsearch -h 10.10.10.235 -x -D "CN=another_admin,CN=Users,DC=domain,DC=com" -w Password -b "dc=domain,dc=com" "objectclass=user"
ldapsearch -h 172.16.3.132 -x -b "dc=ad,dc=domain,dc=com" -D "cn=username,ou=users,ou=it,dc=ad,dc=domain,dc=com" -w thepassword
ldapsearch -h 172.16.3.132 -x -b "dc=ad,dc=domain,dc=com" -D "cn=username,ou=users,ou=is,dc=ad,dc=domain,dc=com" -w thepassword "(&(objectClass=user)(cn=jcalmes))"
ldapsearch -h 172.16.3.132 -x -b "dc=ad,dc=domain,dc=com" -D "cn=username,ou=users,ou=is,dc=ad,dc=domain,dc=com" -w thepassword "(&(objectClass=group)(cn=Leap*))"
/usr/sbin/ldaptest.pl
sudo apt-get install ldap-utils (optionally libnss-ldap)
/usr/bin/ldapsearch --help
usage: ldapsearch [options] [filter [attributes...]]
where:
filter RFC 4515 compliant LDAP search filter
attributes whitespace-separated list of attribute descriptions
which may include:
1.1 no attributes
* all user attributes
+ all operational attributes
Search options:
-a deref one of never (default), always, search, or find
-A retrieve attribute names only (no values)
-b basedn base dn for search
-E [!]attr'
-t write binary values to files in temporary directory
-tt write all values to files in temporary directory
-T path write files to directory specified by path (default: /tmp)
-u include User Friendly entry names in the output
-z limit size limit (in entries, or "none" or "max") for search
Common options:
-c continuous operation mode (do not stop on errors)
-d level set LDAP debugging level to `level'
-D binddn bind DN
-e [!]
-f file read operations from `file'
-h host LDAP server
-H URI LDAP Uniform Resource Identifier(s)
-I use SASL Interactive mode
-M enable Manage DSA IT control (-MM to make critical)
-n show what would be done but don't actually do it
-O props SASL security properties
-o
perl ldaptest.pl
Params:
Search Base: ad.domain.com
Bind User : domain\testuser
Bind Pass :
Filter :
SSH On? : true
LDAP : ldap://192.168.1.250/
extended LDIF
LDAPv3
ldapsearch: ldap_search_ext: Bad search filter (-7)
# Read the connection settings from the cas.ldap.* properties ($props is the loaded properties object)
$searchbase   = $props->getProperty("cas.ldap.searchBase");
$binduser     = $props->getProperty("cas.ldap.username");
$bindpassword = $props->getProperty("cas.ldap.password");
$filter       = $props->getProperty("cas.ldap.filter");
$sshenabled   = $props->getProperty("cas.ldap.ssh");
$ldapserver   = $props->getProperty("cas.ldap.server");
/usr/bin/ldapsearch -l 30 -H $ldapserver -x -b $searchbase -D $binduser -w $bindpassword $filter
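An added example, not from these notes or from ldaptest.pl: a POSIX shell wrapper around the same ldapsearch invocation that escapes the login name per RFC 4515 before it replaces %u (so a login containing *, ( or ) cannot change the meaning of the query) and refuses an empty filter template, the state behind the "Bad search filter (-7)" output above. Server, base DN, bind DN and filter are the values from the prerequisites; ldap_escape, build_filter, check_user and LDAP_BIND_PW are names chosen here.

```shell
#!/bin/sh
# Added example: wraps the ldapsearch call from these notes so that the login
# name is RFC 4515-escaped before it replaces %u, and an empty filter template
# is rejected instead of producing "Bad search filter (-7)".
# ldap_escape, build_filter, check_user and LDAP_BIND_PW are names chosen here.

# Escape the characters that carry meaning inside an LDAP filter value.
# Backslash goes first so the escapes added afterwards are not re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g'   -e 's/)/\\29/g'
}

# build_filter TEMPLATE LOGIN: substitute every %u in TEMPLATE with the
# escaped LOGIN. Fails (exit 1) on an empty template or one without %u.
build_filter() {
    template=$1
    user=$(ldap_escape "$2")
    ph='%u'
    [ -n "$template" ] || { echo "build_filter: empty filter template" >&2; return 1; }
    case $template in
        *"$ph"*) ;;
        *) echo "build_filter: template has no %u placeholder" >&2; return 1 ;;
    esac
    out=""
    rest=$template
    while case $rest in *"$ph"*) true ;; *) false ;; esac; do
        head=${rest%%"$ph"*}
        out="${out}${head}${user}"
        rest=${rest#*"$ph"}
    done
    printf '%s\n' "${out}${rest}"
}

# check_user URI BASE BINDDN BINDPW TEMPLATE LOGIN: run the notes' query with
# the same options (-l 30 time limit, -x simple bind) and print how many
# entries matched. Exit status is 0 only when at least one DN came back.
check_user() {
    filter=$(build_filter "$5" "$6") || return 2
    # -LLL gives plain LDIF; requesting attribute "1.1" returns only the DNs.
    ldapsearch -l 30 -H "$1" -x -b "$2" -D "$3" -w "$4" -LLL "$filter" 1.1 \
        | grep -c '^dn:'
}

# Usage: sh ldapcheck.sh <login>, with the bind password in LDAP_BIND_PW.
# Server, base, bind DN and filter are the values from the prerequisites.
if [ $# -eq 1 ]; then
    check_user "ldap://192.168.1.250/" "dc=ad,dc=domain,dc=com" \
        "cn=testuser,ou=users,ou=it,dc=ad,dc=domain,dc=com" "${LDAP_BIND_PW:?set LDAP_BIND_PW}" \
        '(&(sAMAccountname=%u)(memberof=CN=Authorized,OU=Groups,OU=it,DC=ad,DC=domain,DC=com))' "$1"
fi
```

A result of 1 means the login exists and is in Authorized; 0 (exit status 1) means no entry matched, and exit status 2 means the filter template itself was unusable.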