ldapsearch -b '' -s base objectclass="*" + \*
ldapsearch -H ldap://bd.dir:4343 -b'cn=SubSchema' -s base objectclass='*' + \*
dn: cn=Monitor
objectClass: top
objectClass: monitor
objectClass: extensibleObject
structuralObjectClass: monitor
cn: Monitor
description: @(#) $OpenLDAP: slapd 2.1.23 (Jan 9 2004 19:26:20) $
subschemaSubentry: cn=Subschema
hasSubordinates: TRUE
ldapsearch -LLL -x -b 'cn=Monitor' -s base objectclass="*" description
dn: cn=Monitor
description: @(#) $OpenLDAP: slapd 2.1.23 (Jan 9 2004 19:26:20) $
ldapsearch -b'cn=Log,cn=monitor' -x -LLL -s sub objectclass='*' description
dn: cn=Log,cn=Monitor
description: Stats
You can change which events are traced on the fly
by adding and removing description values. Note that you must
authenticate as cn=manager,ou=security,dc=umich,dc=edu to modify these values.
Some of the values are:
Attribute Value | Description | Decimal value | Hex value |
---|---|---|---|
Trace | Trace Function calls | 1 | 1 |
Packets | Debug packet handling | 2 | 2 |
Args | Heavy trace debugging | 4 | 4 |
Conns | Log Connection management | 8 | 8 |
BER | Print out packets sent and received | 16 | 10 |
Filter | Search filter processing | 32 | 20 |
Config | Configuration file processing | 64 | 40 |
ACL | Access Control List processing | 128 | 80 |
Stats | stats log connections/operations/results | 256 | 100 |
Stats2 | stats log entries sent | 512 | 200 |
Shell | Print communications with shell backends | 1024 | 400 |
Parse | Print entry parsing debugging | 2048 | 800 |
Cache |   | 4096 | 1000 |
Index |   | 8192 | 2000 |
Sync |   | 16384 | 4000 |
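
As an added example (not from the original page), the shell functions below put the table to work: decode_mask lists the event names set in a numeric log level, and log_ldif builds the ldapmodify input that adds or removes description values on cn=Log,cn=Monitor. The function names are made up for this example, and it assumes the traced events live in the description attribute, as in the search output above.

```shell
#!/bin/sh
# Added example, not from the original page. Names and bit values are
# copied from the table above; the function names are hypothetical.
LEVELS="Trace:1 Packets:2 Args:4 Conns:8 BER:16 Filter:32 Config:64 ACL:128 Stats:256 Stats2:512 Shell:1024 Parse:2048 Cache:4096 Index:8192 Sync:16384"

# level_value NAME: print the decimal bit for NAME; return 1 if NAME is unknown
level_value() {
    for pair in $LEVELS; do
        if [ "${pair%%:*}" = "$1" ]; then
            echo "${pair##*:}"
            return 0
        fi
    done
    return 1
}

# decode_mask N: print the names whose bits are set in N, space separated
decode_mask() {
    out=""
    for pair in $LEVELS; do
        if [ $(( $1 & ${pair##*:} )) -ne 0 ]; then
            out="${out:+$out }${pair%%:*}"
        fi
    done
    echo "$out"
}

# log_ldif add|delete NAME...: print LDIF that changes the traced events.
# Every name is checked against the table before any LDIF is written.
log_ldif() {
    op=$1; shift
    case $op in add|delete) ;; *) echo "op must be add or delete" >&2; return 2 ;; esac
    for name in "$@"; do
        level_value "$name" >/dev/null || { echo "unknown level: $name" >&2; return 1; }
    done
    echo "dn: cn=Log,cn=Monitor"
    echo "changetype: modify"
    echo "$op: description"
    for name in "$@"; do echo "description: $name"; done
}

# Typical use (prompts for the manager password):
#   log_ldif add ACL Filter | ldapmodify -x -W -D "cn=manager,ou=security,dc=umich,dc=edu"
```

Remove the extra values again with log_ldif delete once the debugging session is over; per the table, BER prints the packets sent and received.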
These examples were generated assuming slapd was listening on ports 4343 and 4444.
openssl x509 -dates -noout -in hostname.pem
We have to use the fully qualified domain name and -Z or -ZZ
ldapsearch -h ldap-dev.itd.umich.edu -p 4343 -x -W -Z \
-D"uid=xpaul,ou=People,dc=umich,dc=edu" -LLL uid=xpaul mailforwardingaddress
Enter LDAP Password:
dn: uid=xpaul,ou=People,dc=umich,dc=edu
mailForwardingAddress: pturgyan@quince.ifs.umich.edu
mailForwardingAddress: xpaul@med.umich.edu
ldapsearch -H ldaps://ldap-dev.itd.umich.edu:4444 -D"uid=xpaul,ou=people,dc=umich,dc=edu" -W -x -LLL uid=xpaul mailforwardingaddress
Enter LDAP Password:
dn: uid=xpaul,ou=People,dc=umich,dc=edu
mailForwardingAddress: pturgyan@quince.ifs.umich.edu
mailForwardingAddress: xpaul@med.umich.edu
ldapsearch -H ldaps://ldap-dev.itd.umich.edu:4567 -x -W -LLL -D"uid=xpaul,ou=People,dc=umich,dc=edu" uid=xpaul mailforwardingaddress
Enter LDAP Password:
dn: uid=xpaul,ou=People,dc=umich,dc=edu
mailForwardingAddress: xpaul@da.dir.3456
Set TLS_CERT in ~/.ldaprc (or environment variable LDAPTLS_CERT) to be your cert
Set TLS_KEY in ~/.ldaprc (or environment variable LDAPTLS_KEY) to be your private key
Note: you can only query the EDirectory from equilibrium or scarface
see: http://www.openldap.org/lists/openldap-software/200401/msg00596.html
OID | Control/Extension | defined in rfc |
---|---|---|
2.16.840.1.113730.3.4.18 | Authz |   |
2.16.840.1.113730.3.4.2 | ManageDsaIT | rfc3296 |
1.3.6.1.4.1.4203.1.10.1 | Subentries Control | rfc3672 |
1.2.840.113556.1.4.1413 | PERMISSIVE_MODIFY |   |
1.2.840.113556.1.4.1339 | DOMAIN_SCOPE |   |
1.2.840.113556.1.4.319 | Paged results | rfc2696 |
1.2.826.0.1.334810.2.3 | VALUESRETURNFILTER |   |
1.3.6.1.4.1.1466.20037 | start-tls | rfc2830 |
1.3.6.1.4.1.4203.1.11.1 | modify passwd | rfc3062 |
1.3.6.1.4.1.4203.1.11.3 | whoami |   |
1.3.6.1.4.1.4203.1.5.1 | supportedFeatures | rfc3673 |
1.3.6.1.4.1.4203.1.5.2 | objectclass attrs |   |
1.3.6.1.4.1.4203.1.5.3 | absolute filters |   |
1.3.6.1.4.1.4203.1.5.4 | LANGUAGE_TAG_OPTIONS |   |
1.3.6.1.4.1.4203.1.5.5 |   |   |
ldapsearch -X"dn: cn=manager,ou=security,dc=umich,dc=edu" uid=xpaul
./ldapsearch -e'!authzid=dn: cn=manager,ou=security,dc=umich,dc=edu' uid=xpaul
./ldapsearch -h da.dir:8686 -Epr=20