LDAP v3 Searches

Some basic searches:



• Reading ROOTDSE

  ldapsearch -b '' -s base objectclass="*" + \*

• Reading Schema & SubSchema
  • ldapsearch -b'cn=SubSchema' -s base objectclass='*' + \*

  • ldapsearch -x -b cn=subschema -s base objectClass=subschema matchingRules ldapSyntaxes objectClasses attributeTypes

• The next search uses a ldapurl to specify host/port

  ldapsearch -H ldap://bd.dir:4343 -b'cn=SubSchema' -s base objectclass='*' + \*
  

• Monitor Data

  • Displaying Monitor data:
    

  • ldapsearch -LLL -x -b'cn=monitor' -s sub objectclass='*' + \*

    dn: cn=Monitor
    objectClass: top
    objectClass: monitor
    objectClass: extensibleObject
    structuralObjectClass: monitor
    cn: Monitor
    description: @(#) $OpenLDAP: slapd 2.1.23 (Jan  9 2004 19:26:20) $
    subschemaSubentry: cn=Subschema
    hasSubordinates: TRUE
    

  • Displaying version and build date:

    ldapsearch -LLL -x -b 'cn=Monitor' -s base objectclass="*" description
    dn: cn=Monitor
    description: @(#) $OpenLDAP: slapd 2.1.23 (Jan  9 2004 19:26:20) $
    

  • To see Operations counts

  • ldapsearch -b "cn=Operations,cn=Monitor" "*" \+
    

  • To see what events are being traced/logged:

    ldapsearch -b'cn=Log,cn=monitor' -x -LLL -s sub objectclass='*' description 
    dn: cn=Log,cn=Monitor
    description: Stats
    

    You can change what events are being traced on the fly, by adding and removing description values. Note you must authenticate as cn=manager,ou=security,dc=umich,dc=edu to modify these values.
    
    Some of the values are:

    Attribute Value	Description	Decimal value	Hex value
    Trace	Trace Function calls	1	1
    Packets	Debug packet handling	2	2
    Args	Heavy trace debugging	4	4
    Conns	Log Connection management	8	8
    BER	Print out packets sent and received	16	10
    Filter	Search filter processing	32	20
    Config	Configuration file processing	64	40
    ACL	Access Control List processing	128	80
    Stats	stats log connections/operations/results	256	100
    Stats2	stats log entries sent	512	200
    Shell	Print communications with shell backends	1024	400
    Parse	Print entry parsing debugging	2048	800
    Cache		4096	1000
    Index		8192	2000
    Sync		16384	4000

    
    
    

    To get the current time from the server:

  • ldapsearch -b'cn=Current,cn=Time,cn=Monitor' -s base objectclass='*' + \*
  
  

  The following searches are using OpenLDAP's 2.1 ldapsearch.
  OpenLDAP 2.1 ldapsearch by default uses Version 3 LDAP Protocol

  
  

  To do an anonymous bind using version 2 protocol:

• ldapsearch -P 2 -x uid=xpaul
  

  To do an anonymous bind (assume V3 protocol):

• ldapsearch -x uid=xpaul
  

  To do our default K5/GSSAPI bind

• ldapsearch uid=pturgyan
  
  To get rid of SASL noise use -Q
  To get rid of OpenLDAP noise use -LLL
  
  

  Simple bind w/ start-tls and kerberos password

  These examples were generated assuming slapd was monitoring ports: 4343 & 4444

  Make sure you have this in your client's ldap.conf
  
  • TLS_CACERT /big/openldap-2.1/openldap/umwebCA.pem
    

  • From looking at the code, ldap_init, you can specify these options using environment variables.
    SSL misc
    • Verify the Server certificate:
      openssl s_client -connect ldap-dev.itd.umich.edu:4444 -showcerts
      
    • To show expiration date:
      openssl x509 -dates < /etc/openldap/ldap-dev_itd_umich_edu.crt

      openssl x509 -dates -noout -in hostname.pem

    • To show the entire cert in text form:
      openssl x509 -text < ./simta.crt

    We have to use the fully qualified domain name and -Z or -ZZ
    

    ldapsearch -h ldap-dev.itd.umich.edu -p 4343 -x -W -Z -D"uid=xpaul,ou=People,dc=umich,dc=edu" -LLL uid=xpaul mailforwardingaddress
    Enter LDAP Password:
    dn: uid=xpaul,ou=People,dc=umich,dc=edu
    mailForwardingAddress: pturgyan@quince.ifs.umich.edu
    mailForwardingAddress: xpaul@med.umich.edu
    
    

    Simple Bind w/ ldaps -

    See start-tls above for certificate stuff.
    

    ldapsearch -H ldaps://ldap-dev.itd.umich.edu:4444 -D"uid=xpaul,ou=people,dc=umich,dc=edu" -W -x -LLL uid=xpaul mailforwardingaddress
    Enter LDAP Password:
    dn: uid=xpaul,ou=People,dc=umich,dc=edu
    mailForwardingAddress: pturgyan@quince.ifs.umich.edu
    mailForwardingAddress: xpaul@med.umich.edu
    

    ldapsearch -H ldaps://ldap-dev.itd.umich.edu:4567 -x -W -LLL -D"uid=xpaul,ou=People,dc=umich,dc=edu" uid=xpaul mailforwardingaddress
    Enter LDAP Password:
    dn: uid=xpaul,ou=People,dc=umich,dc=edu
    mailForwardingAddress: xpaul@da.dir.3456
    

    Binding using ssl certificates

    ./ldapwhoami -Z -Y external
    -Z says: Start_TLS -Y says use "external" sasl mechanism
    

    Set TLS_CERT in ~/.ldaprc (or environment variable LDAPTLS_CERT) to be your cert
    Set TLS_KEY in ~/.ldaprc (or environment variable LDAPTLS_KEY) to be your private key
    

    To K5/GSSAPI bind as Manager - Proxy Binding

  • ldapsearch -X "dn:cn=manager,ou=security,dc=umich,dc=edu" uid=pturgyan
    

    ActiveDirectory searches -- This uses K5/GSSAPI

    • ldapsearch -h adsroot.itcs.umich.edu -b ou=people,ou=umich,dc=adsroot,dc=itcs,dc=umich,dc=edu -Q -LLL samaccountname=xpaul
      

    • Searching for ActiveDirectory schema

    • /usr/bin/ldapsearch -h adsroot.itcs.umich.edu -Q -LLL -b CN=Aggregate,CN=Schema,CN=Configuration,DC=adsroot,DC=itcs,dc=umich,dc=edu attributetypes objectclasses

    Novell EDirectory searches -- This uses Plaintext passwords

  • ldapsearch -x -h medusa.lngs.itd.umich.edu -p 389 -b '' -s base -D"cn=slurpduser,o=services" -W objectclass="*"
    Enter LDAP Password:
    

    Note: you can only query the EDirectory from equilibrium or scarface

  • ldapsearch -x -h medusa.lngs.itd.umich.edu -p 389 -b '' -s sub -D"cn=slurpduser,o=services" -W uid=pturgyan
    Enter LDAP Password:
    
    

    Weird searches

  • Note, this will also exclude the branches: ou=xx,o=zz,c=yy ou=yy,o=xx,c=zz ou=yy,o=zz,c=xx ou=zz,o=xx,c=yy ou=zz,o=yy,c=xx >>> Vincent Ryan 2/11/03 5:20:02 AM >>> To omit a branch named ou=xx,o=yy,c=zz try performing a subtree search using a filter such as: (!(&(ou:dn:=xx)(o:dn:=yy)(c:dn:=zz)))

    Weird SASL junk

  • This fixed the linux ldapsearch clients cn=prehealth00-02: " -O maxssf=0"
    ldapsearch -O maxssf=0 -h ldap.itd.umich.edu cn=prehealth00-02 "*" \+

    Running individual OpenLDAP Installation Tests

  • cd tests
    sh run -w test014-whoami
    and then hit return.

    see: http://www.openldap.org/lists/openldap-software/200401/msg00596.html

  • OpenLDAP 2.2 Supported Controls or Extensions

    OID	Control/Extension	defined in rfc
    2.16.840.1.113730.3.4.18	Authz
    2.16.840.1.113730.3.4.2	ManageDsaIT	rfc3296
    1.3.6.1.4.1.4203.1.10.1	Subentries Control	rfc3672
    1.2.840.113556.1.4.1413	PERMISSIVE_MODIFY
    1.2.840.113556.1.4.1339	DOMAIN_SCOPE
    1.2.840.113556.1.4.319	Paged results	rfc2696
    1.2.826.0.1.334810.2.3	VALUESRETURNFILTER
    1.3.6.1.4.1.1466.20037	start-tls	rfc2830
    1.3.6.1.4.1.4203.1.11.1	modify passwd	rfc3062
    1.3.6.1.4.1.4203.1.11.3	whoami
    1.3.6.1.4.1.4203.1.5.1	supportedFeatures	rfc3673
    1.3.6.1.4.1.4203.1.5.2	objectclass attrs
    1.3.6.1.4.1.4203.1.5.3	absolute filters
    1.3.6.1.4.1.4203.1.5.4	LANGUAGE_TAG_OPTIONS
    1.3.6.1.4.1.4203.1.5.5

  • Proxy Authentication

    
    Note: Both of these rely on SASL authentication.
    • Proxy Authentication using SASL authorization identity

      ldapsearch -X"dn: cn=manager,ou=security,dc=umich,dc=edu" uid=xpaul

    • Proxy Authentication using Client Controls/extensions

      ./ldapsearch -e'!authzid=dn: cn=manager,ou=security,dc=umich,dc=edu' uid=xpaul

  • Paged results: the next asked for 20 entries at a time

    ./ldapsearch -h da.dir:8686 -Epr=20