These classnotes are deprecated. As of 2005, I no longer teach the classes. The notes will remain online for legacy purposes.

LDAP01/Searching And Modifying


While you could now go out and modify your LDAP directory with any number of clients, OpenLDAP comes with a rich set of command line LDAP clients which you can use to diagnose, search, and update your LDAP directory.

Each of the following commands takes the options described on pages 70-72, so we will not reproduce them here. Instead, we will give very specific examples.

ldapsearch

ldapsearch opens a connection to an LDAP server, binds, and performs a search using specified parameters. The filter should conform to the string representation for search filters as defined in RFC 2254. If not provided, the default filter, (objectClass=*), is used.

If ldapsearch finds one or more entries, the attributes specified by attrs are returned. If * is listed, all user attributes are returned. If + is listed, all operational attributes are returned. If no attrs are listed, all user attributes are returned. If only 1.1 is listed, no attributes will be returned.

Let's start with a simple "Show me everything" search:

 $ ldapsearch -x -b "dc=odyssey,dc=com" "(objectclass=*)"

The ldapsearch options used here are:

-x
Instructs ldapsearch to perform a simple bind (i.e., do not use SASL for authentication).
-b
Defines the DN search base suffix. This DN specifies the point at which the search begins. All entries located higher in the tree will be ignored.
(objectclass=*)
This is the search filter.

So what is a search filter? In its commonly used form, an LDAP search filter has the following syntax:

 ( attribute filterOperator value )

The attribute is the actual name of the attribute type. The filterOperator is one of:

  • '=' for equality matches
  • '~=' for approximate matches
  • '<=' for less than comparisons
  • '>=' for greater than comparisons

If you deal only with string comparisons, you may only need the equality operator.

The value portion can be either an absolute value such as "carter" or "555-1234", or a pattern using the asterisk (*) as a wildcard. Here are some valid wildcard searches:

 (cn=*carter)
Finds all entries whose cn attribute ends in "carter".
 (telephoneNumber=555*)
Finds all entries whose telephoneNumber starts with "555".

You can also combine single filters like these using boolean operators:

  • '&' Logical AND
  • '|' Logical OR
  • '!' Logical NOT

So, if I wanted to search for persons with a surname (sn) of "smith" or "jones" I would use:

 (|(sn=smith)(sn=jones))

Here, it is important to point out that for searches such as these you should know how matching is defined for each attribute (by looking at the attribute's matching rule in the schema files). For example, sn is matched case-insensitively. This means that the following search would be redundant:

 (|(sn=Smith)(sn=smith))

You can also get fancy by embedding conditionals:

 (&(|(sn=smith)(cn=jones))(cn=john*))
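To see how filters like these are actually evaluated, here is an added example (my own code, not part of the original notes or of OpenLDAP) that parses the filter syntax described above and runs it over a few constructed entries. The CASE_IGNORE set is an assumed stand-in for the schema's matching rules (it is why sn=Smith and sn=smith are the same search), the approximate operator '~=' is not modelled, and '<=' / '>=' fall back to plain string ordering.

```python
import re
# Constructed mini schema (an assumption for this example): these attributes use caseIgnoreMatch.
CASE_IGNORE = {"objectclass", "cn", "sn", "roomnumber"}

def parse(s, i=0):
    # Parse one parenthesised filter starting at s[i]; return (node, index just past its ')').
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op, i = s[i + 1:i + 2], i + 1
    if op in ("&", "|", "!"):
        i, kids = i + 1, []
        while s[i:i + 1] == "(":
            node, i = parse(s, i)
            kids.append(node)
        if s[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' filter at offset {i}")
        return (op, kids), i + 1
    end = s.find(")", i)
    m = re.fullmatch(r"([A-Za-z][\w.;-]*)(<=|>=|=)(.*)", s[i:end]) if end != -1 else None
    if not m:
        raise ValueError(f"malformed simple filter at offset {i}")
    return (m.group(2), m.group(1).lower(), m.group(3)), end + 1

def matches(node, entry):
    # Evaluate a parsed filter against an entry (dict: lowercase attribute -> list of values).
    op = node[0]
    if op in ("&", "|"):
        return (all if op == "&" else any)(matches(k, entry) for k in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    fold = str.lower if node[1] in CASE_IGNORE else str  # other attributes compare exactly
    want = fold(node[2])
    for have in map(fold, entry.get(node[1], [])):
        if op == "=":  # '*' is the only wildcard; every other character is literal
            if re.fullmatch(".*".join(map(re.escape, want.split("*"))), have):
                return True
        elif (op == "<=" and have <= want) or (op == ">=" and have >= want):
            return True  # plain string order stands in for the schema's ORDERING rule
    return False

def search(entries, filter_text):  # DNs of the matching entries, in directory order
    node, _ = parse(filter_text)
    return [e["dn"] for e in entries if matches(node, e)]

DIRECTORY = [  # constructed sample entries; attribute names are stored lowercase
    {"dn": f"cn={cn},ou=People,dc=odyssey,dc=com", "objectclass": ["person"], "cn": [cn],
     "sn": [sn], "telephonenumber": [tel], "roomnumber": [room]}
    for cn, sn, tel, room in (("John Smith", "Smith", "555-1234", "101"),
                              ("Jane Carter", "Carter", "444-9876", "212"),
                              ("Bob Jones", "Jones", "555-0000", "110"))]
```

Malformed filters such as an unclosed "(sn=smith" raise ValueError rather than silently matching nothing, which is also what a real server reports back as a protocol error.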

PROJECT QUICKIE: Do a search in your directory for people whose room numbers are on the first floor. Who do you get? Which department(s) are they in?

ldapadd, ldapmodify

ldapmodify is a shell-accessible interface to the ldap_modify(3) and ldap_add(3) library calls. ldapadd is implemented as a hard link to the ldapmodify tool. When invoked as ldapadd the -a (add new entry) flag is turned on automatically.

ldapmodify opens a connection to an LDAP server, binds, and modifies or adds entries. The entry information is read from standard input or from a file given with the -f option.

These tools are useful when adding new entries or modifying existing entries in our directory.

For example, let's assume that we have an LDIF file called added.ldif which contains a new entry (or more) to be merged into our directory. We could add this entry (or entries) using:

 $ ldapmodify -D "cn=admin,dc=odyssey,dc=com" -w password \
 > -x -a -f added.ldif

The -D option specifies the DN to authenticate as (here, admin), -w is where we place the password, and -x says to use a simple bind (again).

The -a option says that this should be added to the directory. Had we run ldapadd instead, the command line would have been the same minus -a.

The -f option gives the ldif filename. As usual, this could be an absolute or relative path.

The security-conscious reader will probably have alarm bells going off when looking at this example. The password given with -w will be stored in .bash_history in plain text, which is probably not what you want. If you do not feel comfortable typing the password in plain text, you can substitute -W (note, this is an uppercase "W") for -w password; it will instead prompt you for the password.

ldappasswd

This command changes the password for a given entry. It takes the same parameters as the previous commands, with the notable addition of the following:

-s password
This specifies the new password for the entry. Again, note that this is clear text on the command line and in the history file.
-S
This prompts you for the new password, very much like -W does for the bind password.

ldapcompare, ldapmodrdn, ldapdelete, ldapwhoami

These will not be covered in this class. You can probably guess what they do, but if you need them, please refer to their man pages.

Last edited September 24, 2003 7:27 pm
(C) Copyright 2003 Samuel Hart
This work is licensed under a Creative Commons License.