LDAP Searches From Darn Near Anywhere - Page 2

 By Hallett German | Posted Mar 8, 2004
Page 2 of 2   |  Back to Page 1
Print ArticleEmail Article


Beyond the Deadline: How GDPR Will Impact Your Company's Risk and Security Profile

Continued From Page 1

LDAP Command Line
For the hardcore types, LDAP can be accessed from the command line using a function called ldapsearch. This handy utility is included in all Unix and Windows LDAP server packages. Part of the original University of Michigan LDAP distributions, it can connect either anonymously or with a bind id. The basic syntax follows the standard Unix flag and switch format:

Ldapsearch flags search_filters returned_attributes

The list below covers some of the more popular flags:

Debugging flags:
-d value   Changes the debug level to the supplied value

-n   Simulates the search and tells you what would happen if run

-v   Runs the search in verbose mode providing additional information

Binding/Authenticating flags: There are not needed for anonymous searches.

-D value    Distinguished name used to bind

-w value   Bind id password (This is in clear text, so be careful who sees this!)

-h value   Host name of the LDAP search where the search is run

-k      Uses Kerberos instead of simple authentication

-p value   LDAP TCP port - default is 389.

Search specific switches:
-b value   Search base from where the search starts

-s value   Search scope (base, one, sub - default)

-l value   Maximum time in seconds for search to run

-z value   Maximum number of records to return

Output specific switches:
-A   Returns the attributes but not the values. Useful to determine if an attribute exists.

-B   Shows non-ASCII characters - useful for international directory entries.

-L   Returns the output in an LDIF (RFC 2849 format). Useful for exporting records to
      another application such as e-mail address book or directory.

-S value   Sorts results based on the attribute included as an argument or sorts by the records
       distinguished name if no arguments are given. This is not done by default.

Again, to help make this less confusing, here is a sample ldapsearch command string.

ldapsearch -b "o=fakename.com" -h myhost.fakename.com -p 2233 -D "cn=adminacct" -w cantdraw -s sub "(sn=luther)" cn mail

The searchbase is "organization equals fakename.com". The LDAP server is named myhost.fakename.com. The port used is 2233. The bind id is a distinguished name of adminacct. The distinguished name is usually a longer string. A short string denotes that this is likely an admin account. The account password is cantdraw. The search scope is sub. The search filter is surname that exactly equals luther. The returned attributes are common name, and mail.

A few notes to help with your mastery of the LDAP command line interface. There may be differences in command lines options across versions. Because the command line strings can be complex, consider saving your working ldapsearch as a Unix shell script or DOS batch file. The next time you need to use the command, you can easily edit/copy this existing script instead of starting from scratch. Your directory will likely have system imposed maximum time and size limits that you cannot surpass, which will prevent you from exceeding the server capacity by mistake.

The Search Continues
Now that we have covered the LDAP search syntax and its many uses in detail, you should be starting to feel comfortable with the syntax and LDAP's capability to deliver the information that you need. For the last article in the series, we will discuss doing searches using popular LDAP browsers. For now, happy searching!

Additional Resources

http://perl-ldap.sourceforge.net/rfc.html - One location (of many) to find LDAP RFCs.
http://www.ietf.org/ids.by.wg/ldapbis - One of the IETF standard groups that are revising the LDAP v3 protocol. Also has an active mailing list you can join.

LDAP Public Directories
http://www.emailman.com/ldap/public.html - List of public directories that you can use for testing queries.

Overview/LDAP Search and Man Pages
www.hawaii.edu/brownbags/ldap/ldap2.pdf - Good presentation on LDAP and LDAP search
http://www.hawaii.edu/ldap/details.html - Good overview of LDAP URL syntax with examples
http://www.openldap.org/software/man.cgi?query=ldapsearch&apropos=0&sektion=0&manpath=UofMich+3.3&format=html - University Michigan 3.3 Distribution version

Beth Cohen is president of Luth Computer Specialists Inc., a consulting practice specializing in IT infrastructure for smaller companies. She has been in the trenches supporting company IT infrastructure for over 20 years in a number of different fields including architecture, construction, engineering, software, telecommunications, and research. She is currently consulting, teaching college IT courses, and writing a book about IT for the small enterprise.

Hallett German is launching Alessea Consulting -- focusing on network identity, electronic directories/messaging consulting. He has twenty years experience in a variety of IT positions and in implementing stable infrastructures. He is the founder of the Northeast SAS Users Group and former President of the REXX Language Association. Hal is the author of three books on scripting languages. He would welcome the opportunity to solve your directory, messaging, and network identity challenges.

» See all articles by CrossNodes contributor Beth Cohen

Comment and Contribute
(Maximum characters: 1200). You have
characters left.
Get the Latest Scoop with Enterprise Networking Planet Newsletter

By submitting your information, you agree that enterprisenetworkingplanet.com may send you ENTERPRISENetworkingPLANET offers via email, phone and text message, as well as email offers about other products and services that ENTERPRISENetworkingPLANET believes may be of interest to you. ENTERPRISENetworkingPLANET will process your information in accordance with the Quinstreet Privacy Policy.