Classnotes | LDAP01 | RecentChanges | Preferences Showing revision 1 While you could now go out and modify your LDAP directory with any number of clients, OpenLDAP comes with a rich set of command line LDAP clients which you can use to diagnose, search, and update your LDAP directory.
Each of the following commands take the options specified on pages 70-72, so we will not reproduce them here. Instead, we will give very specific examples.
ldapsearch
ldapsearch opens a connection to an LDAP server, binds, and performs a search using specified parameters. The filter should conform to the string representation for search filters as defined in RFC 2254. If not provided, the default filter, (objectClass=*), is used.
If ldapsearch finds one or more entries, the attributes specified by attrs are returned. If * is listed, all user attributes are returned. If + is listed, all operational attributes are returned. If no attrs are listed, all user attributes are returned. If only 1.1 is listed, no attributes will be returned.
Let's start with a simple "Show me everything" search:
Instructs ldapsearch to perform a simple bind (i.e., do not use SASL for authentication).
-b
Defines the DN search base suffix. This DN specifies the point at which the search begins. All entries located higher in the tree will be ignored.
(objectclass=*)
This is the search filter.
So what is a search filter? In its commonly used form, an LDAP search filter has the following syntax:
( attribute filterOperator value )
The attribute is the actual name of the attribute type. The filterOperator is one of:
'=' for equality matches
'~=' for approximate matches
'<=' for less than comparisons
'>=' for greater than comparisons
If you deal only with string comparisons, you may only need the equality operator.
The value portion can be either an absolute value such as "carter" or "555-1234", or a pattern using the asterisk (*) as a wildcard. Here are som valid wildcard searches:
(cn=*carter)
Finds all entries whose cn attribute ends in "carter".
(telephoneNumber=555*)
Finds all entries whose telephoneNumber starts with "555".
You can also combine single filters like these using boolean operators:
'&' Logical AND
'|' Logical OR
'!' Logical NOT
So, if I wanted to search for persons with a surname (sn) of "smith" or "jones" I would use:
(|(sn=smith)(sn=jones))
Here, it is important to point out that for searches such as these you should know how searches are defined (by looking in the schema files). For example, sn does a case-insenstive search. This means that the following search would be redundant:
(|(sn=Smith)(sn=smith))
You can also get fancy by embedding conditionals:
(&(|(sn=smith)(cn=jones))(cn=john*))
PROJECT QUICKIE: Do a search in your directory for people who's room numbers are on the first floor. Who do you get? Which department(s) are they in?
