Ldap search on linux

How to Find LDAP Using LDAP Search Examples

Anyone working in a large company has probably come across LDAP, whether on a Linux OpenLDAP server or a Windows domain controller. LDAP is useful for centralizing authentication. As your LDAP directory grows, you will need to find the entries you have to manage. ldapsearch is the command that finds entries in the LDAP directory tree.

This tutorial explains how to search LDAP with ldapsearch, using examples.

Ldapsearch

ldapsearch finds entries in the LDAP database backend. It binds to an LDAP server, opens a connection, and searches using a filter. The filter must conform to the string representation defined in RFC 1558. When one or more entries are found, ldapsearch retrieves the attributes specified by attrs and prints the entries on the output in a standardized form. If no attributes are specified, all attributes are returned.

The -x option selects simple authentication, the -u option adds user-friendly entry names to the output, and the -b option sets the starting point of the search (the search base).

Ldapsearch Command-Line Tool

A search request can be given in several ways: all arguments on the command line, a file containing the filter with the other arguments on the command line, or an LDAP URL that carries the base DN, scope, filter and attributes of interest. The same syntax applies in each case.

Its simple syntax is something like this:

LDAP Search with Ldapsearch

Using ldapsearch with the “-x” option selects simple authentication. Specifying the search base with the “-b” option is enough for a simple LDAP discovery. If the search is not run directly on the LDAP server, you must specify the host with the “-H” option.

If you have an OpenLDAP server installed, it runs on a host on your network. If that server accepts anonymous authentication, you can run LDAP search queries without binding as an administrator account.

If no filter is specified, the LDAP client searches the entire directory tree and displays everything it finds.

Search LDAP with the Admin Account
Sometimes LDAP queries must be run as the administrator account to return additional information. To do this, you force the request to be made with the administrator account of the LDAP tree: run the “ldapsearch” query with “-D” for the bind DN and “-W” to be prompted for the password.

Run the above query whenever you need to search as the administrator. Keep in mind that this exposes you as an administrator account, so make sure the query is run privately.


Running LDAP Searches with Filters

Running a simple LDAP search with no filter wastes resources and time. Instead, run a filtered LDAP search to find specific objects in the directory tree.

To search with a filter, add it to the end of the ldapsearch command: put the attribute type on the left of the equals sign and the value on the right. Optionally, list the attributes (user password, user name, and so on) that you want returned from the matching objects.

ldapsearch "(object_type=object_value)"

Searching for All Objects in the Directory Tree
To retrieve all objects in the LDAP tree, use the wildcard character “*” with the “ObjectClass” filter.

It prints every object in the tree, with all of its attributes, as they are at the time the query is executed.

Finding User Accounts with Ldapsearch
By default, every user account in an LDAP directory tree has the “Account” structural object class, which lets you narrow a search down to user accounts.

By default, a query returns every attribute available for the object class. You can restrict the output by appending the attribute names you want, as you did above. For example, if you are only interested in the home directory, the UID and the CN of the user, run the following LDAP search.

Running the above command performs an LDAP search with specific selectors and filters.

AND Operator Using Ldapsearch
To combine filters with the “AND” operator, put an “&” character at the beginning of the query and enclose each condition in parentheses.

The following query finds all entries whose object class equals “banks” and whose uid equals “ben.”

ldapsearch "(&(objectclass=banks)(uid=ben))"

Here the first condition is on the object class attribute and the second on the uid attribute.

OR Operator Using Ldapsearch
To combine multiple filters with the “OR” operator, put a “|” character at the beginning of the query, followed by the conditions.

Run the query below to find all entries whose object class is either “banks” or “jobrole.”

ldapsearch "(|(objectclass=banks)(objectclass=jobrole))"

Here both conditions are on the object class attribute, with two different values.

A Negation Filter Using LdapSearch
To match the entries of a directory tree that do NOT satisfy a condition, enclose the condition in parentheses and prefix it with a “!” character, enclosing the whole thing in parentheses again.

For example, to match all entries NOT having a “cn” attribute with the value “john,” you would write the following query.

In general, to match all entries NOT having an attribute “X” with the value “Ben,” you run a query of the same shape.

Using LDAPsearch to Find LDAP Server Configurations
With the ldapsearch command you can also retrieve the configuration of the LDAP tree. If you know OpenLDAP, you know that a global configuration object sits at the top of the LDAP hierarchy.

Sometimes, for example when modifying the root administrator password or changing access control, you need to look at your LDAP configuration.


To locate the LDAP configuration, specify “cn=config” as the search base of the “ldapsearch” command. Note that you must also specify the “-Y” option with “external” as the authentication mechanism for this discovery to run.

Note: You must run the above command on the server, not on your LDAP client.

By default, this command returns a lot of results, including backends, schemas and modules.

To limit the search to the database configuration, specify the “olcDatabaseConfig” object class in the ldapsearch filter.

LDAP Searches with Wildcards
Besides the operators above, you can also use the asterisk (“*”) wildcard to search through LDAP entries.

The wildcard works like an asterisk in a regular expression: it matches any attribute value that begins or ends with a given substring.

ldapsearch "(object_type=*object_value)"
ldapsearch "(object_type=object_value*)"

For example, to find every entry whose attribute “q” begins with the letter “d,” run the following command.

Ldapsearch Advanced Options

So far you have seen the essential ldapsearch options, but there are also some advanced options you can use:

LDAP Extensible Match Filters
Extensible LDAP matching filters let you supercharge existing operators, such as the equality operator.

A Supercharged Default Operator
To supercharge an LDAP operator, use the “:=” syntax.

If you want to find all the entries where the attribute “X” equals “ben,” run the following command.

The above command is equivalent to the following one.

Here “X” stands for the attribute in the condition.

A search for “BEN” and a search for “ben” return the same results. To make the search case sensitive, limit it to the exact match “ben.”

ldapsearch lets you separate the attribute, the matching rule and the value with “:” characters.

You can perform a case sensitive search by running the following command.

ldapsearch "(X:caseExactMatch:=ben)"
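As an added example (not part of the article), the shell functions below build the filters described in the AND, OR, negation, wildcard and extensible match sections above. Values are escaped as RFC 4515 requires before they are placed in a filter, so a value taken from user input (a login name typed into a form, for instance) cannot add filter components of its own. The server URI, search base and the “account” object class used by find_account are assumptions.

```sh
#!/bin/sh
# Added example: build ldapsearch filters from untrusted values safely.

# Escape the characters that carry meaning inside a filter value
# (RFC 4515): \ * ( ). The backslash is handled first so the escapes
# added by the later substitutions are not escaped a second time.
ldap_escape() {
  printf '%s\n' "$1" | sed \
    -e 's/\\/\\5c/g' \
    -e 's/\*/\\2a/g' \
    -e 's/(/\\28/g' \
    -e 's/)/\\29/g'
}

# Equality filter: (attr=value)
ldap_eq() { printf '(%s=%s)' "$1" "$(ldap_escape "$2")"; }

# Wildcard filters: (attr=value*) and (attr=*value)
ldap_prefix() { printf '(%s=%s*)' "$1" "$(ldap_escape "$2")"; }
ldap_suffix() { printf '(%s=*%s)' "$1" "$(ldap_escape "$2")"; }

# Extensible match filter: (attr:rule:=value), e.g. rule caseExactMatch
ldap_ext() { printf '(%s:%s:=%s)' "$1" "$2" "$(ldap_escape "$3")"; }

# Combinators take already-built sub-filters as arguments.
ldap_and() { printf '(&%s)' "$(printf '%s' "$@")"; }
ldap_or()  { printf '(|%s)' "$(printf '%s' "$@")"; }
ldap_not() { printf '(!%s)' "$1"; }

# Search for one user account by uid with a safely built filter.
# LDAP_URI, LDAP_BASE and the object class are assumptions; adjust them.
find_account() {
  filter=$(ldap_and "$(ldap_eq objectClass account)" "$(ldap_eq uid "$1")")
  ldapsearch -x -LLL -H "${LDAP_URI:-ldap://localhost}" \
    -b "${LDAP_BASE:-dc=example,dc=com}" "$filter" uid cn homeDirectory
}

# Demonstration on constructed values (nothing is sent to a server here).
printf '%s\n' "$(ldap_and "$(ldap_eq objectclass banks)" "$(ldap_eq uid ben)")"
printf '%s\n' "$(ldap_or "$(ldap_eq objectclass banks)" "$(ldap_eq objectclass jobrole)")"
printf '%s\n' "$(ldap_not "$(ldap_eq cn john)")"
printf '%s\n' "$(ldap_prefix q d)"
printf '%s\n' "$(ldap_ext cn caseExactMatch ben)"
# A value carrying filter metacharacters is neutralised instead of
# widening the search to every entry:
printf '%s\n' "$(ldap_eq uid '*)(uid=*')"
```

Call find_account with the user name to run the query against your directory; the last printf shows why the escaping matters, since the unescaped value would have turned a lookup of one uid into a match on all of them.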

Conclusion

This is how to search the LDAP directory tree with the ldapsearch command. You can supercharge existing operators by specifying a custom matching rule with the extensible matching syntax. We have walked through the ldapsearch commands example by example and hope this article answers your questions.

About the author

Prateek Jangid

A passionate Linux user for personal and professional reasons, always exploring what is new in the world of Linux and sharing with my readers.


Search Active Directory with Ldapsearch

It is fairly common to have Linux or UNIX machines on a network with a Microsoft Active Directory (AD) domain. There may be times when you want or need to search Active Directory with ldapsearch.

Quick Example

Using TLS

ldapsearch -H ldaps://dc.example.com -x -W -D "user@example.com" \
  -b "dc=example,dc=com" "(sAMAccountName=user)"

Without TLS

ldapsearch -H ldap://dc.example.com -x -W -D "user@example.com" \
  -b "dc=example,dc=com" "(sAMAccountName=user)"

If you want or need a more in depth guide, keep reading.

Configure ldap.conf

If you are ok with an unencrypted connection, skip to the next section. If at all possible, obtain the certificate authority (CA) certificate used to sign the AD server certificate; ask your AD administrator to provide it in PEM format. If that isn’t possible and you are reasonably sure your network connection isn’t compromised, you can use openssl to retrieve the server’s certificates from the server itself. The following example demonstrates how to do this.

tyler@desktop:~$ openssl s_client -connect ldap.tylersguides.com:636 -showcerts < /dev/null

Copy and paste the certificate text from the bottom certificate into a file. I use /pki/cacerts.pem. The certificate text will look something like this:

-----BEGIN CERTIFICATE-----
MIIFdDCCBFygAwIBAgIQJ2buVutJ846r13Ci/ITeIjANBgkqhkiG9w0BAQwFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
pu/xO28QOG8=
-----END CERTIFICATE-----
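The copy-and-paste step above can be scripted. As an added example (not part of the guide), the functions below take the output of openssl s_client -showcerts and keep only the last certificate block, which is the CA when the server sends its full chain; fetch_last_cert then prints the subject and issuer of what was saved so you can confirm it is the CA you expected (for a self-signed root the two are identical) rather than only a leaf or intermediate certificate. The host name, port and sample output are constructed assumptions.

```sh
#!/bin/sh
# Added example: extract the last certificate presented by an LDAPS server.

# Read s_client -showcerts output on stdin and print only the last PEM
# certificate block. Every BEGIN line resets the buffer, so only the
# final block survives to the END rule.
last_pem_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { cert = ""; inside = 1 }
    inside { cert = cert $0 "\n" }
    /-----END CERTIFICATE-----/ { inside = 0 }
    END { printf "%s", cert }
  '
}

# Connect to $1:$2, save the last presented certificate to the file $3
# and show its subject and issuer for a manual sanity check. Trusting a
# certificate obtained this way only makes sense on a network you are
# confident is not compromised, as the guide says.
fetch_last_cert() {
  openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
    | last_pem_cert > "$3"
  openssl x509 -in "$3" -noout -subject -issuer
}

# Constructed sample of what s_client prints (two dummy certificates);
# the body lines are placeholders, not real certificate data.
sample='Certificate chain
 0 s:CN = ldap.example.com
-----BEGIN CERTIFICATE-----
LEAFCERTDATA
-----END CERTIFICATE-----
 1 s:CN = Example CA
-----BEGIN CERTIFICATE-----
CACERTDATA
-----END CERTIFICATE-----
---'
printf '%s\n' "$sample" | last_pem_cert
```

Against a real server you would run fetch_last_cert dc.example.com 636 /pki/cacerts.pem and check that the printed subject names the CA, not the domain controller, before pointing ldap.conf at the file.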

Open ldap.conf with a text editor. Here is where to find it on various operating systems:

OS         PATH
CentOS     /etc/openldap/ldap.conf
Debian     /etc/ldap/ldap.conf
OpenSUSE   /etc/openldap/ldap.conf

to your file. Replace /pki/cacerts.pem with the location you put the AD CA cert if you decided to put it somewhere else. Add the line

to your file as well. In the event your network is compromised, this will prevent the attacker from stealing your credentials with a man in the middle attack.
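As an added example (not part of the guide), the script below prints the two client TLS directives, TLS_CACERT and TLS_REQCERT, that ldap.conf(5) documents for this purpose, and checks an existing ldap.conf for the settings that would defeat the man in the middle protection described above: a TLS_REQCERT level other than demand (or hard), or no CA file at all. The /pki/cacerts.pem path is the one used in the guide; everything else is an assumption.

```sh
#!/bin/sh
# Added example: emit and verify the OpenLDAP client TLS settings.

# Print the lines to add to ldap.conf; the CA path defaults to the one
# used in the guide and can be overridden with the first argument.
ldap_conf_tls_lines() {
  printf 'TLS_CACERT %s\n' "${1:-/pki/cacerts.pem}"
  printf 'TLS_REQCERT demand\n'
}

# Return 0 if the ldap.conf given as $1 enforces server certificate
# verification, 1 otherwise (printing what is wrong). "demand" is also
# the default when the directive is absent; "never", "allow" and "try"
# accept an unverifiable certificate and so allow a man in the middle.
check_ldap_conf() {
  conf=$1
  reqcert=$(awk 'toupper($1) == "TLS_REQCERT" { v = $2 } END { print v }' "$conf")
  cacert=$(awk 'toupper($1) == "TLS_CACERT" { v = $2 } END { print v }' "$conf")
  cadir=$(awk 'toupper($1) == "TLS_CACERTDIR" { v = $2 } END { print v }' "$conf")
  rc=0
  case "$reqcert" in
    ""|demand|hard) ;;
    *) printf 'TLS_REQCERT is "%s"; set it to demand\n' "$reqcert"; rc=1 ;;
  esac
  if [ -z "$cacert" ] && [ -z "$cadir" ]; then
    printf 'no TLS_CACERT or TLS_CACERTDIR set; the AD CA cannot be trusted\n'
    rc=1
  elif [ -n "$cacert" ] && [ ! -r "$cacert" ]; then
    printf 'TLS_CACERT file %s is not readable\n' "$cacert"
    rc=1
  fi
  return $rc
}

# Demonstration on a constructed config with a weak setting on purpose.
demo=${TMPDIR:-/tmp}/ldap_demo_$$.conf
printf 'TLS_REQCERT never\n' > "$demo"
check_ldap_conf "$demo" || printf 'add these lines:\n%s\n' "$(ldap_conf_tls_lines)"
rm -f "$demo"
```

Run check_ldap_conf against the path from the table for your distribution after editing; a clean exit status means the client will refuse to talk to a server whose certificate does not chain to the CA file you installed.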

Search Active Directory with Ldapsearch

Use the following example, replacing the placeholder values, to perform the search. If you opted not to use an encrypted connection, use ldap:// instead of ldaps://.

ldapsearch -H ldaps://dc.example.com -x -W -D "user@example.com" \
  -b "dc=example,dc=com" "(filter)" "attr1" "attr2"
Option Explanation
-H The URI of the directory server you are querying.
-x Use simple authentication instead of SASL.
-W Prompt you for your password.
-D The DN of the user you are authenticating with. When querying AD, this will be your AD user name @ your domain.
-b Where in the directory to start your search. If you know what OU the entries you are searching for are in, you can add it to your base. For example, if you know you want to look in an OU called stuff, your base will look like this: "ou=stuff,dc=example,dc=com". If you don't know what OU it is in, it is ok to just use your domain. E.g. "dc=tylersguides,dc=com"
filter The LDAP search filter used to find entries. The simplest filter is looking for an attribute with a particular value. For example, if you are looking for an AD user with the user name bob, you would use the filter "(sAMAccountName=bob)". If you want to find everyone that is a member of the group cn=storage,ou=groups,dc=example,dc=com, you would use "(memberOf=cn=storage,ou=groups,dc=example,dc=com)"
attr The attributes you wish to display. Each attribute should be separated with a space. Some common ones are mail and memberOf.

If you are interested, I wrote a guide on LDAP search filters.

