john pfeiffer

Ldap distinguishedname ldapsearch memberof group

PREREQUISITES

  • IP address or hostname of AD/LDAP server = 192.168.1.250
  • Active Directory = ad.domain.com
  • (search) Base = dc=ad,dc=domain,dc=com
  • Binding User = testuser
  • Binding Password = thepassword (cannot contain ^, this is an illegal symbol)
  • Binding User Distinguished Name = cn=testuser,ou=users,ou=it,dc=ad,dc=domain,dc=com
  • Group to Search For = Authorized
  • (query) Filter = (&(sAMAccountname=%u)(memberof=CN=Authorized,OU=Groups,OU=it,DC=ad,DC=domain,DC=com))
    The result is a user who is ALSO a member of the AD group Authorized (located at ad.domain.com/it/Groups/Authorized).
  • sAMAccountname=%u
  • LDAP = ldap://192.168.1.250/


Search using CN, Login, or sAMAccountName can return the DN.

Search using the Distinguished Name will return the security group memberships (except the Primary Group!) as memberof= lines:

/usr/bin/ldapsearch -H ldap://10.10.10.235:389 -x -D "cn=serviceuser,ou=service,dc=mycompany,dc=com" -W -b "dc=mycompany,dc=com" "distinguishedName=CN=serviceuser,OU=service,DC=mycompany,DC=com"


/usr/bin/ldapwhoami -h 172.16.3.132 -v -x -D "cn=username,ou=users,ou=is,dc=ad,dc=domain,dc=com" -w thepassword

ODDLY, the -n option seems to work better...

ldapwhoami -H ldap://10.10.10.235:389 -x -D "cn=Administrator,cn=Users,dc=domain,dc=com" -w thepassword -n -v

/usr/bin/ldapsearch -l 30 -H $ldapserver -x -b $searchbase -D $binduserdn -w $bindpassword $filter

(-l = 30 second max, -H hostname, could be in the form ldap://hostname, -x = simple authentication,

ldapsearch -h 10.10.10.235 -x -D "CN=another_admin,CN=Users,DC=domain,DC=com" -w Password -b "dc=domain,dc=com" "objectclass=user"

ldapsearch -h 172.16.3.132 -x -b "dc=ad,dc=domain,dc=com" -D "cn=username,ou=users,ou=it,dc=ad,dc=domain,dc=com" -w thepassword

ldapsearch -h 172.16.3.132 -x -b "dc=ad,dc=domain,dc=com" -D "cn=username,ou=users,ou=is,dc=ad,dc=domain,dc=com" -w thepassword "(&(objectClass=user)(cn=jcalmes))"

ldapsearch -h 172.16.3.132 -x -b "dc=ad,dc=domain,dc=com" -D "cn=username,ou=users,ou=is,dc=ad,dc=domain,dc=com" -w thepassword "(&(objectClass=group)(cn=Leap*))"

/usr/sbin/ldaptest.pl


sudo apt-get install ldap-utils (optionally libnss-ldap)

/usr/bin/ldapsearch --help

usage: ldapsearch [options] [filter [attributes...]]
where:
  filter      RFC 4515 compliant LDAP search filter
  attributes  whitespace-separated list of attribute descriptions
    which may include:
      1.1   no attributes
      *     all user attributes
      +     all operational attributes
Search options:
  -a deref   one of never (default), always, search, or find
  -A         retrieve attribute names only (no values)
  -b basedn  base dn for search
  -E [!]<ext>[=<extparam>] search extensions (! indicates criticality)
             [!]domainScope                 (domain scope)
             !dontUseCopy                   (Don't Use Copy)
             [!]mv=<filter>                 (matched values filter)
             [!]pr=<size>[/prompt|noprompt] (paged results/prompt)
             [!]subentries[=true|false]     (subentries)
             [!]sync=ro[/<cookie>]          (LDAP Sync refreshOnly)
                     rp[/<cookie>][/<slimit>] (LDAP Sync refreshAndPersist)
             [!]<oid>=:<value>              (generic control; no response handling)
  -F prefix  URL prefix for files (default: file:///tmp/)
  -l limit   time limit (in seconds, or "none" or "max") for search
  -L         print responses in LDIFv1 format
  -LL        print responses in LDIF format without comments
  -LLL       print responses in LDIF format without comments and version
  -s scope   one of base, one, sub or children (search scope)
  -S attr    sort the results by attribute `attr'
  -t         write binary values to files in temporary directory
  -tt        write all values to files in temporary directory
  -T path    write files to directory specified by path (default: /tmp)
  -u         include User Friendly entry names in the output
  -z limit   size limit (in entries, or "none" or "max") for search
Common options:
  -c         continuous operation mode (do not stop on errors)
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>   (a RFC 4515 Filter string)
             [!]authzid=<authzid> ("dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit
             [!]noop
             ppolicy
             [!]postread[=<attrs>] (a comma-separated attribute list)
             [!]preread[=<attrs>]  (a comma-separated attribute list)
             [!]relax
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -f file    read operations from `file'
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Identifier(s)
  -I         use SASL Interactive mode
  -M         enable Manage DSA IT control (-MM to make critical)
  -n         show what would be done but don't actually do it
  -O props   SASL security properties
  -o <opt>[=<optparam>] general options:
             nettimeout=<timeout> (in seconds, or "none" or "max")
  -p port    port on LDAP server
  -P version protocol version (default: 3)
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)



perl ldaptest.pl

Params:
  Search Base: ad.domain.com
  Bind User  : domain\testuser
  Bind Pass  :
  Filter     :
  SSH On?    : true
  LDAP       : ldap://192.168.1.250/

# extended LDIF
# LDAPv3

ldapsearch: ldap_search_ext: Bad search filter (-7)

# ldaptest.pl: read the CAS LDAP settings from a properties file ($props) and
# hand them to ldapsearch with the command below
$searchbase   = $props->getProperty("cas.ldap.searchBase");
$binduser     = $props->getProperty("cas.ldap.username");
$bindpassword = $props->getProperty("cas.ldap.password");
$filter       = $props->getProperty("cas.ldap.filter");
$sshenabled   = $props->getProperty("cas.ldap.ssh");
$ldapserver   = $props->getProperty("cas.ldap.server");

/usr/bin/ldapsearch -l 30 -H $ldapserver -x -b $searchbase -D $binduser -w $bindpassword $filter
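The membership lookup from the prerequisites (the `(&(sAMAccountname=%u)(memberof=...))` filter) and the scripted invocation just above, as an added shell example that is not the post's ldaptest.pl or any code from the page: the login name is escaped per RFC 4515 before it replaces `%u`, every argument is quoted so the shell cannot split the filter, and the bind password is read with `-y` instead of being passed on the command line with `-w`. The helper names, the `/etc/ldap/bind.pw` path and the `objectClass=user` term are assumptions; the connection values default to the ones in the post.

```shell
#!/bin/sh
# adcheck.sh: constructed example (not the post's ldaptest.pl). Checks whether a
# login name is a member of the Authorized AD group using ldapsearch.
# Connection values default to the post's; override them via the environment.
: "${LDAP_URI:=ldap://192.168.1.250/}"
: "${SEARCH_BASE:=dc=ad,dc=domain,dc=com}"
: "${BIND_DN:=cn=testuser,ou=users,ou=it,dc=ad,dc=domain,dc=com}"
: "${BIND_PW_FILE:=/etc/ldap/bind.pw}"   # assumed path; -y keeps the password out of ps output
: "${GROUP_DN:=CN=Authorized,OU=Groups,OU=it,DC=ad,DC=domain,DC=com}"

# Escape an assertion value per RFC 4515 so that a login name such as
# '*' or 'x)(cn=*' cannot change the meaning of the filter. Backslash first.
ldap_filter_escape() {
  printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The post's filter with %u replaced by the escaped login name.
# memberOf lists security groups only, never the user's primary group
# (Domain Users by default), so membership held only through the primary group is not seen.
build_member_filter() {
  user=$(ldap_filter_escape "$1")
  group=$(ldap_filter_escape "$2")
  printf '(&(objectClass=user)(sAMAccountName=%s)(memberOf=%s))' "$user" "$group"
}

# Exit status 0 when a matching entry comes back. "1.1" asks for the DN only,
# -l/-z bound the search, and every variable is quoted so the shell never splits the filter.
is_member() {
  filter=$(build_member_filter "$1" "$GROUP_DN")
  ldapsearch -l 30 -z 1 -LLL -H "$LDAP_URI" -x -D "$BIND_DN" -y "$BIND_PW_FILE" \
             -b "$SEARCH_BASE" "$filter" 1.1 | grep -q '^dn: '
}

# usage: sh adcheck.sh testuser
if [ $# -eq 1 ]; then
  if is_member "$1"; then
    echo "$1 is a member of $GROUP_DN"
  else
    echo "$1 is not a member (or the search failed)"
    exit 1
  fi
fi
```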



Published: Apr 26, 2012

Category: linux

Tags: distinguishedname, group, ldap, ldapsearch, linux, memberof