LDAP Searches From Darn Near Anywhere - Page 2
LDAP Command Line
For the hardcore types, LDAP can be accessed from the command line using a function called ldapsearch. This handy utility is included in all Unix and Windows LDAP server packages. Part of the original University of Michigan LDAP distributions, it can connect either anonymously or with a bind id. The basic syntax follows the standard Unix flag and switch format:
Ldapsearch flags search_filters returned_attributes
The list below covers some of the more popular flags:
-d value Changes the debug level to the supplied value
-n Simulates the search and tells you what would happen if run
-v Runs the search in verbose mode providing additional information
Binding/Authenticating flags: There are not needed for anonymous searches.
-D value Distinguished name used to bind
-w value Bind id password (This is in clear text, so be careful who sees this!)
-h value Host name of the LDAP search where the search is run
-k Uses Kerberos instead of simple authentication
-p value LDAP TCP port - default is 389.
Search specific switches:
-b value Search base from where the search starts
-s value Search scope (base, one, sub - default)
-l value Maximum time in seconds for search to run
-z value Maximum number of records to return
Output specific switches:
-A Returns the attributes but not the values. Useful to determine if an attribute exists.
-B Shows non-ASCII characters - useful for international directory entries.
-L Returns the output in an LDIF (RFC 2849 format). Useful for exporting records to
another application such as e-mail address book or directory.
-S value Sorts results based on the attribute included as an argument or sorts by the records
distinguished name if no arguments are given. This is not done by default.
Again, to help make this less confusing, here is a sample ldapsearch command string.
ldapsearch -b "o=fakename.com" -h myhost.fakename.com -p 2233 -D "cn=adminacct" -w cantdraw -s sub "(sn=luther)" cn mail
The searchbase is "organization equals fakename.com". The LDAP server is named myhost.fakename.com. The port used is 2233. The bind id is a distinguished name of adminacct. The distinguished name is usually a longer string. A short string denotes that this is likely an admin account. The account password is cantdraw. The search scope is sub. The search filter is surname that exactly equals luther. The returned attributes are common name, and mail.
A few notes to help with your mastery of the LDAP command line interface. There may be differences in command lines options across versions. Because the command line strings can be complex, consider saving your working ldapsearch as a Unix shell script or DOS batch file. The next time you need to use the command, you can easily edit/copy this existing script instead of starting from scratch. Your directory will likely have system imposed maximum time and size limits that you cannot surpass, which will prevent you from exceeding the server capacity by mistake.
The Search Continues
Now that we have covered the LDAP search syntax and its many uses in detail, you should be starting to feel comfortable with the syntax and LDAP's capability to deliver the information that you need. For the last article in the series, we will discuss doing searches using popular LDAP browsers. For now, happy searching!
http://perl-ldap.sourceforge.net/rfc.html - One location (of many) to find LDAP RFCs.
http://www.ietf.org/ids.by.wg/ldapbis - One of the IETF standard groups that are revising the LDAP v3 protocol. Also has an active mailing list you can join.
LDAP Public Directories
http://www.emailman.com/ldap/public.html - List of public directories that you can use for testing queries.
Overview/LDAP Search and Man Pages
www.hawaii.edu/brownbags/ldap/ldap2.pdf - Good presentation on LDAP and LDAP search
http://www.hawaii.edu/ldap/details.html - Good overview of LDAP URL syntax with examples
http://www.openldap.org/software/man.cgi?query=ldapsearch&apropos=0&sektion=0&manpath=UofMich+3.3&format=html - University Michigan 3.3 Distribution version
Beth Cohen is president of Luth Computer Specialists Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently consulting, teaching college IT courses, and writing a book about IT for the small enterprise.
Hallett German is launching Alessea Consulting -- focusing on network identity, electronic directories/messaging consulting. He has twenty years experience in a variety of IT positions and in implementing stable infrastructures. He is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. Hal is the author of three books on scripting languages. He would welcome the opportunity to solve your directory, messaging, and network identity challenges.