Using OpenLDAP ldapsearch to Query eDirectory

Novell Cool Solutions: Feature
By Darko Delinac

Digg This - Slashdot This

Posted: 11 Jan 2006

Ldapsearch utilities have one big advantage compared to LDAP browsers - they can be used in scripts.

This document is for those who are new to LDAP Search and the OpenLDAP ldapsearch tool in particular. The purpose is to show (through examples) how to create an LDAP search filter and the basic syntax of the ldapsearch utility.

For more detailed information on the utilities used in this document, read the product man pages. For more detailed information on LDAP search filters, see:
http://www.faqs.org/rfcs/rfc2254.html.

For the purpose of this document we will use the basic authentication. If you have configured your LDAP servers for LDAPS only, the examples below will not work.

Note: This solution was tested in a Novell eDirectory Linux environment, using OpenLDAP utilities.

Basic Search Examples

Suppose your LDAP server is at IP 10.2.250.100 and you have an organizational unit of o=spm. Try this:

$ ldapsearch -x -h 10.1.200.100
$ ldapsearch -x -h 10.1.200.100 -b o=spm

Search base (-b) is used to specify the start point of the search. In most cases it can be omitted, if you want to search from the top.

Let's run a new search, but this time we only want to show mail attributes:

$ ldapsearch -x -h 10.2.250.100 -b o=spm mail

Now let's show only the dn, with no comments or version information (-LLL):

$ ldapsearch -x -h 10.2.250.100 -b o=spm -LLL dn

And now let's search for users whose surnames start with 'd' - we'll display: surname, given name and mail attributes:

$ ldapsearch -x -h 10.2.250.100 -b o=spm "(sn=d*)" sn givenname mail

Of course, you can always redirect the output to a file or pipe it to another command:

$ ldapsearch -x -h 10.2.250.100 -b o=spm "(objectClass=inetOrgPerson)" sn givenname mail > spm-users

$ ldapsearch -x -h 10.2.250.100 -b o=spm "(sn=d*)" sn givenname mail | more

Using a Search Filter

The basic syntax for a search filter is () or '()'. So what do we put in the parentheses?

Search for users:
"(objectClass=inetOrgPerson)"

Search for objects with surname svensson:
"(sn=svensson)"

Search for objects whose mail domain is example.com:

&#147;(mail=*@example.com)&#148;

Search for objects whose objectClass is inetOrgPerson or person:

&#147;(|(objectClass=inetOrgPerson)(objectClass=person))&#148;

Search for objects whos objectClass is inetOrgPerson and cn starts with 'p' and (anything):

&#147;(&(objectClass=inetOrgPerson)(cn=p*))&#148;

Search for objects whose mail attribute is not empty and the objectClass is inetOrgPerson or person:

&#147;(&(mail=*)(|(objectclass=person)(objectclass=inetorgperson)))&#148;

Search for objects whose objectClass is inetOrgPerson and mail is empty:

"(&(objectclass=inetorgperson)(!(mail=*)))"

Search for objects who's objectClass is inetOrgPerson and description is empty:

 "(&(objectclass=inetorgperson)(!(description=*)))"

Search Scope

The search scope is specified with -s. It can be: sub, one or base. The default is sub.

sub

Start the search at o=spm and search the sub tree:

$ ldapsearch -x -h 10.2.250.100 -b o=spm -s sub dn

one

Start the search at o=spm but do not enter sub contexts:

$ ldapsearch -x -h 10.2.250.100 -b o=spm -s one dn

base

Search for DN cn=darko,o=spm:

$ ldapsearch -x -h 10.2.250.100 -b cn=darko,o=spm -s base

Bind (Login) Parameters

Here are the bind parameters to use:

-x simple bind
-h LDAP server
-p port number
-H LDAP server and port number
-D bind DN
-w bind password
-W prompt for bind password

For example:

Bind with DN cn=admin,o=spm and enter password at prompt:

$ ldapsearch -x -H ldap://10.1.200.100 -b o=spm -s one -D cn=admin,o=spm -W

Bind with DN cn=admin,o=spm and password 'secret':

$ ldapsearch -x -H ldap://10.1.200.100 -b o=spm -s one -D cn=admin,o=spm -w secret

Controlling the Output

In real life, ldapsearch is combined with other tools to get the desired output. In the example below, we send the output of ldapsearch to grep to filter on 'mail: ', and then we use sed to remove 'mail: ' The output is e-mail addresses:

Step 1,  basic search:

$ ldapsearch -x -h 10.2.250.100 -b o=spm -LLL "(&(objectclass=inetorgperson)(mail=*))" mail

Step 2,  pipe to grep 'mail: '

$ ldapsearch -x -h 10.2.250.100 -b o=spm -LLL "(&(objectclass=inetorgperson)(mail=*))" mail | grep 'mail: '

Step 3,  pipe to sed 's/mail: //'

$ ldapsearch -x -h 10.2.250.100 -b o=spm -LLL "(&(objectclass=inetorgperson)(mail=*))" mail | grep 'mail: ' | sed 's/mail: //'

If you'd like to see more examples, have a look at the bash script for making sorted CSV files that I have published on:
http://www.delinac.net/notes/openldap.html#top-ldif2csv

Like what you see?
Sign up for our weekly newsletter.

Want to contribute?
It could earn you a nano! Learn more.

Like Wikis?
Join the Cool Solutions Wiki.

Interested?
Request a sales call

Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com