Using OpenLDAP ldapsearch to Query eDirectory
Novell Cool Solutions: Feature
By Darko Delinac
Posted: 11 Jan 2006
Ldapsearch utilities have one big advantage compared to LDAP browsers - they can be used in scripts.
This document is for those who are new to LDAP Search and the OpenLDAP ldapsearch tool in particular. The purpose is to show (through examples) how to create an LDAP search filter and the basic syntax of the ldapsearch utility.
For more detailed information on the utilities used in this document, read the product man pages. For more detailed information on LDAP search filters, see:
http://www.faqs.org/rfcs/rfc2254.html.
For the purpose of this document we will use simple authentication (-x) over plain LDAP. If you have configured your LDAP servers for LDAPS only, the examples below will not work.
Note: This solution was tested in a Novell eDirectory Linux environment, using OpenLDAP utilities.
Basic Search Examples
Suppose your LDAP server is at IP 10.2.250.100 and you have an organizational unit of o=spm. Try this:
$ ldapsearch -x -h 10.2.250.100
$ ldapsearch -x -h 10.2.250.100 -b o=spm
The search base (-b) specifies the starting point of the search. It can usually be omitted if you want to search from the top of the tree.
Let's run a new search, but this time we only want to show mail attributes:
$ ldapsearch -x -h 10.2.250.100 -b o=spm mail
Now let's show only the dn, with no comments or version information (-LLL):
$ ldapsearch -x -h 10.2.250.100 -b o=spm -LLL dn
And now let's search for users whose surnames start with 'd' - we'll display the surname, given name and mail attributes:
$ ldapsearch -x -h 10.2.250.100 -b o=spm "(sn=d*)" sn givenname mail
Of course, you can always redirect the output to a file or pipe it to another command:
$ ldapsearch -x -h 10.2.250.100 -b o=spm "(objectClass=inetOrgPerson)" sn givenname mail > spm-users
or
$ ldapsearch -x -h 10.2.250.100 -b o=spm "(sn=d*)" sn givenname mail | more
Using a Search Filter
A search filter is written in parentheses and quoted for the shell, as "()" or '()'. So what do we put in the parentheses?
Search for users:
"(objectClass=inetOrgPerson)"
Search for objects with surname svensson:
"(sn=svensson)"
Search for objects whose mail domain is example.com:
"(mail=*@example.com)"
Search for objects whose objectClass is inetOrgPerson or person:
"(|(objectClass=inetOrgPerson)(objectClass=person))"
Search for objects whose objectClass is inetOrgPerson and cn starts with 'p' (followed by anything):
"(&(objectClass=inetOrgPerson)(cn=p*))"
Search for objects whose mail attribute is not empty and the objectClass is inetOrgPerson or person:
"(&(mail=*)(|(objectclass=person)(objectclass=inetorgperson)))"
Search for objects whose objectClass is inetOrgPerson and mail is empty:
"(&(objectclass=inetorgperson)(!(mail=*)))"
Search for objects whose objectClass is inetOrgPerson and description is empty:
"(&(objectclass=inetorgperson)(!(description=*)))"
Search Scope
The search scope is specified with -s. It can be: sub, one or base. The default is sub.
sub
Start the search at o=spm and search the sub tree:
$ ldapsearch -x -h 10.2.250.100 -b o=spm -s sub dn
one
Start the search at o=spm but do not enter sub contexts:
$ ldapsearch -x -h 10.2.250.100 -b o=spm -s one dn
base
Search for DN cn=darko,o=spm:
$ ldapsearch -x -h 10.2.250.100 -b cn=darko,o=spm -s base
Bind (Login) Parameters
Here are the bind parameters to use:
- -x simple bind
- -h LDAP server
- -p port number
- -H LDAP URI giving server and port (e.g. ldap://host:port)
- -D bind DN
- -w bind password
- -W prompt for bind password
For example:
Bind with DN cn=admin,o=spm and enter password at prompt:
$ ldapsearch -x -H ldap://10.2.250.100 -b o=spm -s one -D cn=admin,o=spm -W
Bind with DN cn=admin,o=spm and password 'secret' (a password given with -w is visible in your shell history and in the process list, so -W is preferable for interactive use):
$ ldapsearch -x -H ldap://10.2.250.100 -b o=spm -s one -D cn=admin,o=spm -w secret
Controlling the Output
In real life, ldapsearch is combined with other tools to get the desired output. In the example below, we send the output of ldapsearch to grep to keep only the 'mail: ' lines, and then we use sed to remove the 'mail: ' prefix. The result is a list of e-mail addresses:
Step 1 - basic search:
$ ldapsearch -x -h 10.2.250.100 -b o=spm -LLL "(&(objectclass=inetorgperson)(mail=*))" mail
Step 2 - pipe to grep 'mail: ':
$ ldapsearch -x -h 10.2.250.100 -b o=spm -LLL "(&(objectclass=inetorgperson)(mail=*))" mail | grep 'mail: '
Step 3 - pipe to sed 's/mail: //':
$ ldapsearch -x -h 10.2.250.100 -b o=spm -LLL "(&(objectclass=inetorgperson)(mail=*))" mail | grep 'mail: ' | sed 's/mail: //'
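As an added example (not code from the original article), the following POSIX shell script puts the filter syntax from "Using a Search Filter" and the grep/sed pipeline above into reusable functions: it escapes filter values as RFC 2254 requires, so a surname taken from a variable is matched literally and cannot change the structure of the filter, and it extracts attribute values from LDIF while also handling the base64 "mail::" form that grep 'mail: ' silently misses. The server address and base DN are the article's; the LDIF sample is constructed.

```shell
# Added example, not code from the original article. Assumed: the article's
# server 10.2.250.100 and base o=spm, and a constructed LDIF sample below.

# Escape a value for use inside an LDAP search filter (RFC 2254, section 4):
# '\' '*' '(' ')' become \5c \2a \28 \29. Backslash goes first so the escapes
# it introduces are not escaped again. NUL (\00) cannot occur in a shell string.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The article's "surname starts with ..." filter, with the prefix coming from a
# variable: escaping keeps the value literal, so it cannot alter the filter.
surname_prefix_filter() {
    printf '(&(objectClass=inetOrgPerson)(sn=%s*))' "$(ldap_filter_escape "$1")"
}

# Print each value of attribute $1 found in LDIF on stdin, one per line.
# ldapsearch writes "attr:: <base64>" for values that are not plain printable
# ASCII (or that start with a space or colon); grep 'mail: ' drops those
# silently, so both forms are handled. Folded continuation lines are not.
ldif_attr_values() {
    attr=$1
    while IFS= read -r line; do
        case $line in
            "$attr:: "*) printf '%s' "${line#"$attr:: "}" | base64 -d; printf '\n' ;;
            "$attr: "*)  printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# The "Controlling the Output" pipeline built from the helpers above. Needs a
# reachable server, so it is shown here but not exercised by the sample below.
mail_for_surname_prefix() {
    ldapsearch -x -h 10.2.250.100 -b o=spm -LLL "$(surname_prefix_filter "$1")" mail \
        | ldif_attr_values mail
}

# Constructed stand-in for "ldapsearch -LLL ... mail" output. The second value is
# base64-encoded the way ldapsearch emits it; it decodes to müller@example.com.
SAMPLE_LDIF='dn: cn=darko,o=spm
mail: darko@example.com

dn: cn=mueller,o=spm
mail:: bcO8bGxlckBleGFtcGxlLmNvbQ=='

# Run the extraction over the sample; returns one address per line.
sample_mail_list() {
    printf '%s\n' "$SAMPLE_LDIF" | ldif_attr_values mail
}
```

Compare `sample_mail_list` with `printf '%s\n' "$SAMPLE_LDIF" | grep 'mail: ' | sed 's/mail: //'`: the grep/sed pipeline returns only the first address.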
If you'd like to see more examples, have a look at the bash script for making sorted CSV files that I have published on:
http://www.delinac.net/notes/openldap.html#top-ldif2csv

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com