LDAP(S) Search

Note

For the commands using ldapsearch with ldaps, you must set the LDAPTLS_CACERT parameter before your command with

LDAPTLS_CACERT="${CCME_CONF}/${CCME_AD_URI}.crt"

Note

For more ldapsearch and filters documentation, please refer to:

• https://www.openldap.org/software/man.cgi?query=ldapsearch

• https://docs.oracle.com/cd/E19693-01/819-0997/gdxpo/index.html

About LDAP search filtering

For the LDAP search filters, boolean operators can be combined and nested together to form complex expressions, such as: (Boolean-operator(filter)(Boolean-operator(filter)(filter)))

List of LDAP search filter operators

• AND &: All specified filters must be true for the statement to be true. Example: (&(filter)(filter)(filter)...)

• OR |: At least one specified filter must be true for the statement to be true. Example: (|(filter)(filter)(filter)...)

• NOT !: The specified statement must not be true for the statement to be true. Only one filter is affected by the NOT operator. Example: (!(filter))

Extract commands

Extract config in a config.ad file

ldapsearch -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" -w "${CCME_AD_ADMIN_PASSWORD}" -D "${CCME_AD_ADMIN_CN}" -b "cn=Configuration,dc=${CCME_AD_DIR_NAME_DC1},dc=${CCME_AD_DIR_NAME_DC2}" > config.ad

Extract every information in the AD in a all.ad file

ldapsearch -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" -w ${CCME_AD_ADMIN_PASSWORD} -D "${CCME_AD_ADMIN_CN}" -b "dc=${CCME_AD_DIR_NAME_DC1},dc=${CCME_AD_DIR_NAME_DC2}" > all.ad

Extract all information about users and groups in a users.ad file

ldapsearch -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" -w ${CCME_AD_ADMIN_PASSWORD} -D "${CCME_AD_ADMIN_CN}" -b "cn=Users,dc=${CCME_AD_DIR_NAME_DC1},dc=${CCME_AD_DIR_NAME_DC2}" > users.ad

• Only users:

ldapsearch -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" -w ${CCME_AD_ADMIN_PASSWORD} -D "${CCME_AD_ADMIN_CN}" -b "cn=Users,dc=${CCME_AD_DIR_NAME_DC1},dc=${CCME_AD_DIR_NAME_DC2}" "(&(objectClass=user))"

• Only groups:

#### Search information about a group: > You can specify a filter per attribute(s) > example: attribute=“uidNumber sshPublicKey”
ldapsearch -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" -w ${CCME_AD_ADMIN_PASSWORD} -D "${CCME_AD_ADMIN_CN}" -b "cn=Users,dc=${CCME_AD_DIR_NAME_DC1},dc=${CCME_AD_DIR_NAME_DC2}" "(&(objectClass=group))"

ldapsearch -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" -w ${CCME_AD_ADMIN_PASSWORD} -D "${CCME_AD_ADMIN_CN}" -b "dc=${CCME_AD_DIR_NAME_DC1},dc=${CCME_AD_DIR_NAME_DC2}" "(&(objectClass=user)(cn=${USER_NAME}))" "${attribute}"

List user’s attributes in the ActiveDirectory

Search information about a user

ldapsearch -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" -w ${CCME_AD_ADMIN_PASSWORD} -D "${CCME_AD_ADMIN_CN}" -b "dc=${CCME_AD_DIR_NAME_DC1},dc=${CCME_AD_DIR_NAME_DC2}" "(&(objectClass=user)(cn=${USER_NAME}))" "${attribute}"

You can specify an optional filter per attribute(s) example: attribute="uidNumber sshPublicKey"

Get the sshPublicKey of a user:

ldapsearch -H "${CCME_AD_PROTOCOL}://${CCME_AD_URI}" -w ${CCME_AD_ADMIN_PASSWORD} -D "${CCME_AD_ADMIN_CN}" -b "dc=${CCME_AD_DIR_NAME_DC1},dc=${CCME_AD_DIR_NAME_DC2}" "(&(objectClass=user)(cn=${USER_NAME}))" | grep sshPublicKey