
Querying LDAP with ldapsearch

Used:   ldapsearch v2.4.44 

To make queries against LDAP or Microsoft Active Directory you need an LDAP client. You can also use it to test connectivity and authentication. ldapsearch is an LDAP client from OpenLDAP.

Installation

  • RPM based distributions: RHEL, Fedora, CentOS
  • DEB based distributions: Debian, Ubuntu, etc.

RPM

With root permissions

$ yum install openldap-clients

Check contents

atlas@rhel7-server:~> yum info openldap-clients.x86_64
Loaded plugins: aliases, enabled_repos_upload, langpacks, package_upload, product-id, ps, search-disabled-repos, subscription-manager
Installed Packages
Name        : openldap-clients
Arch        : x86_64
Version     : 2.4.44
Release     : 23.el7_9
Size        : 570 k
Repo        : installed
From repo   : rhel-7-server-rpms
Summary     : LDAP client utilities
URL         : http://www.openldap.org/
License     : OpenLDAP
Description : OpenLDAP is an open-source suite of LDAP (Lightweight Directory Access
            : Protocol) applications and development tools. LDAP is a set of
            : protocols for accessing directory services (usually phone book style
            : information, but other information is possible) over the Internet,
            : similar to the way DNS (Domain Name System) information is propagated
            : over the Internet. The openldap-clients package contains the client
            : programs needed for accessing and modifying OpenLDAP directories.

Uploading Enabled Repositories Report
Cannot upload enabled repos report, is this client registered?

DEB

The ldap-utils package includes a number of utilities that can be used to perform queries on an LDAP server.

$ apt install ldap-utils

Queries

The configuration file /etc/ldap/ldap.conf for utilities like ldapsearch should be correctly set for the server by default.

Use environment variables for the defaults.

export BASE="DC=IT,DC=SWISS"
export LDAP_URI="base.dom:389"

For the LDAP URL consider the following information. The server uses port number 389. Since this is the default port, the port number does not have to be sent in the search request. TLS is enabled for the server on port 636 (the default LDAPS port).

So, written out in full, it is either:

# plain
ldap://localhost:389
# tls secured
ldaps://localhost:636

Template

A search in its basic structure:

ldapsearch -x \
  -h $LDAP_URI \
  -D "your-bind-dn"\
  -W \
  -b $BASE \
  -s sub "(sAMAccountName=vinh)" cn mail sn

  • -x = Use simple authentication instead of SASL. This option is ignored and all authentications will be GSS-wrapped.
  • -h ldaphost = Specify an alternate host on which the LDAP server is running.
  • -D binddn = Use the distinguished name binddn to bind to the LDAP directory.
  • -W = Prompt for the bind password instead of giving it on the command line.
  • -b searchbase = Use searchbase as the starting point for the search instead of the default.
  • -s base|one|sub = Specify the scope of the search as base, one or sub for a base object, one-level or subtree search. The default is sub.

The search filter (sAMAccountName=vinh) is for Active Directory. The SAM-Account-Name attribute is the unique logon name under Windows. The search is retrieving the LDAP entry for the user logon vinh.

For a generic LDAP directory, cn (Common Name) is the default attribute instead of sAMAccountName.
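The logon name in the filter usually comes from a script argument, so it should be escaped as RFC 4515 requires before it is spliced into the filter; otherwise a name containing *, (, ) or \ changes the query. The following POSIX sh helper is an added example, not code from the page or from OpenLDAP: it builds the filter for the template above, choosing sAMAccountName for Active Directory and cn otherwise. The search_logon wrapper and its BIND_DN variable are assumed for illustration.

```shell
#!/bin/sh
# Added example: build the template's search filter from a logon name that
# may come from a script argument. Not code from the page or from OpenLDAP.

# Escape a value for use inside an LDAP search filter as RFC 4515 requires:
# the characters \ * ( ) become \5c \2a \28 \29. Backslash goes first so the
# escapes themselves are not re-escaped. (A NUL cannot reach a shell argument,
# so \00 needs no handling here.)
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the logon filter: sAMAccountName for Active Directory ("ad"),
# cn for a generic LDAP directory (anything else).
ldap_logon_filter() {
    [ -n "$2" ] || { echo "usage: ldap_logon_filter ad|ldap LOGON" >&2; return 2; }
    logon=$(ldap_filter_escape "$2")
    case $1 in
        ad) printf '(sAMAccountName=%s)' "$logon" ;;
        *)  printf '(cn=%s)' "$logon" ;;
    esac
}

# Run the page's template search with an escaped logon name. Needs a live
# server, so it is only defined here; LDAP_URI and BASE are the page's
# variables, BIND_DN is an assumed variable holding the bind DN.
search_logon() {
    ldapsearch -x -h "$LDAP_URI" -D "$BIND_DN" -W -b "$BASE" \
        -s sub "$(ldap_logon_filter ad "$1")" cn mail sn
}
```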

Example

Taken from my corporate environment, with names replaced.

ldapsearch -x \
  -h $LDAP_URI \
  -D "CN=Nguyen Vinh (lemapper),OU=Users,OU=engineers,OU=developers,DC=IT,DC=SWISS"\
  -W \
  -b $BASE \
  -s sub "(SAMAccountName=lemapper)" cn mail sn

Example Output

# extended LDIF
#
# LDAPv3
# base <DC=IT,DC=SWISS> with scope subtree
# filter: (SAMAccountName=lemapper)
# requesting: cn mail sn
#

# Nguyen Vinh (lemapper), Users, engineers, developers, it.swiss
dn: CN=Nguyen Vinh (lemapper),OU=Users,OU=engineers,OU=developers,DC=IT,DC=SWISS
cn: Nguyen Vinh (lemapper)
sn: Nguyen
mail: firstname.lastname@company.com

# search reference
ref: ldap://localhost/CN=Configuration,DC=IT,DC=SWISS

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 1
# numReferences: 1

An encrypted connection requires a trusted certificate for the LDAP/Active Directory endpoint.

To verify the connection use openssl.

$ openssl s_client -connect my-ldap-server:636 -CAfile ldap.crt

Example Output

CONNECTED(00000003)
depth=1 DC = SWISS, DC = IT, CN = LEMAPPER
verify return:1
depth=0 CN = ldap-dc1.it.swiss
verify return:1
---
Certificate chain
 0 s:/CN=ldap-dc1.it.swiss
   i:/DC=SWISS/DC=IT/CN=LEMAPPER
---
Server certificate
-----BEGIN CERTIFICATE-----
... truncated
-----END CERTIFICATE-----
subject=/CN=mpzhwad03.base.dom
issuer=/DC=dom/DC=base/CN=SIXCA256
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 2169 bytes and written 459 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: LE_MAPPER-REPLACED_IT
    Session-ID-ctx:
    Master-Key: ...8BBFDC12040D7FCB...
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1652947321
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

To query over ldaps, you need the trusted certificate in base64 form, as a .pem, .crt or .cert file, and referenced by the environment variable LDAPTLS_CACERT.

export LDAPTLS_CACERT=/etc/mydir/ldap.crt

ldapsearch can be started with ldaps or start_tls, but not both: use either ldaps://fqdn.of.server or -ZZ for start_tls.

With ldaps: if you are using the default port 636, you don't need to add the port number. If you are using a different port, you have to add it to the FQDN (fully qualified domain name).

$ ldapsearch -x -H ldaps://fqdn -b "dc=example,dc=com"

Pay attention that the option is -H ldapuri and not -h ldaphost.

Usage with start_tls

$ ldapsearch -x -ZZ -h fqdn -b "dc=example,dc=com"

Example, use start_tls:

env LDAPTLS_CACERT=/home/lemapper/ldap.crt ldapsearch -x \
  -h $LDAP_URI \
  -D "CN=Nguyen Vinh (lemapper),OU=Users,OU=engineers,OU=developers,DC=IT,DC=SWISS" \
  -W \
  -b $BASE \
  -s sub "(SAMAccountName=lemapper)" cn mail sn \
  -ZZ
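The two rules above (ldaps or start_tls, never both; a trusted certificate in LDAPTLS_CACERT for either) are easy to get wrong in a wrapper script. This POSIX sh check is an added example, not from the page or from OpenLDAP: it scans an ldapsearch argument list before the command is run, reports the transport mode, rejects ldaps:// combined with -ZZ, refuses a simple bind with a password (-x with -W or -w) over plain ldap:// or a bare -h host, and requires a readable LDAPTLS_CACERT whenever TLS is used. The option parsing is a simplification that only looks at the options named here.

```shell
#!/bin/sh
# Added example: validate the transport options of an ldapsearch command line.
# Prints "ldaps", "starttls" or "plain" and returns 0 when the mix is sane,
# returns 1 for a contradictory or cleartext mix, 2 when the CA file is missing.
ldap_tls_check() {
    ldaps=0 starttls=0 plain=0 simple=0 pw=0 uri=
    while [ $# -gt 0 ]; do
        case $1 in
            -H)     uri=${2:-}; shift ;;     # -H ldapuri (the option to use)
            -H*)    uri=${1#-H} ;;           # -Hldapuri written without a space
            -h)     plain=1; shift ;;        # deprecated -h host: always ldap://
            -ZZ|-Z) starttls=1 ;;            # STARTTLS; -ZZ aborts if it fails
            -x)     simple=1 ;;              # simple bind instead of SASL
            -W|-w*) pw=1 ;;                  # password prompted or given inline
        esac
        [ $# -eq 0 ] || shift
    done
    case $uri in
        ldaps://*) ldaps=1 ;;
        ?*)        plain=1 ;;                # ldap:// (or anything else) is cleartext
    esac
    if [ $ldaps -eq 1 ] && [ $starttls -eq 1 ]; then
        echo "ldaps:// and -ZZ (start_tls) are mutually exclusive" >&2
        return 1
    fi
    if [ $ldaps -eq 1 ] || [ $starttls -eq 1 ]; then
        # Either TLS mode needs the trusted certificate from LDAPTLS_CACERT.
        if [ ! -r "${LDAPTLS_CACERT:-}" ]; then
            echo "LDAPTLS_CACERT is unset or not readable" >&2
            return 2
        fi
        [ $ldaps -eq 1 ] && echo ldaps || echo starttls
        return 0
    fi
    if [ $simple -eq 1 ] && [ $pw -eq 1 ]; then
        echo "simple bind with a password over cleartext ldap refused" >&2
        return 1
    fi
    echo plain
}
```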

Summary

ldapsearch is a useful Linux client to test and query LDAP or AD (Active Directory) integrations in corporate environments.

For Windows Servers, the dsquery client finds objects in the directory according to criteria, using a Lightweight Directory Access Protocol (LDAP) query. dsquery is a command-line tool that is built into Windows Server 2008 and is available if the Active Directory Domain Services (AD DS) server role is installed.
