OpenLDAP command-line tools
The OpenLDAP command-line tools are the obvious starting point for LDAP administrators, partly because they ship with the OpenLDAP software distribution, and partly because you could probably administer an OpenLDAP directory with little else.
Let's start by looking at how to search your directory using the OpenLDAP ldapsearch utility. Consider the simple command
ldapsearch -x -b'dc=linuxlaboratory,dc=org' '(objectclass=*)'
The -x flag selects simple authentication rather than SASL, which is the default. With no -D bind DN this is an anonymous bind, so what comes back depends on what the server's access controls grant to anonymous clients. The -b flag tells the server where to start looking, in other words the search base. By feeding it the top level of the directory I search the entire tree, since the default scope is subtree (the -s flag selects base, one, or sub). The last quoted argument, '(objectclass=*)', is the search filter: it matches any entry that has an objectclass attribute. Since every entry stored in a directory must be defined by an objectclass attribute, the filter matches everything, and because no attribute list follows it, every user attribute of each entry is returned.
The data returned from this query is standard LDIF and looks essentially the same as the LDIF we used to enter the data into the directory in the first place (ldapsearch adds a few comment lines, which -LLL suppresses).
The ldapsearch utility is a flexible, powerful tool, allowing you to search any LDAP host for any object or group of objects, using almost any filter for matching and an attribute list to choose what is output. Here's a slightly more advanced search:
ldapsearch -x -b'dc=linuxlaboratory,dc=org' '(&(sn=Jones)(givenname=Brian))' -S cn
Note the ampersand, the logical AND operator: an entry must match both search terms to be returned. The -S cn argument at the end tells ldapsearch to sort the results, client-side, by the cn attribute of each returned entry. If I added + as the attribute list at the end of the line, the command would return only the operational attributes the server maintains internally for each entry, such as createTimestamp, creatorsName, modifyTimestamp, and modifiersName (passing '*' '+' returns user and operational attributes together). This can be a valuable troubleshooting technique.
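The filter syntax above is also where LDAP injection happens when a search is built from user input: an unescaped givenname of "*" turns the exact match (givenname=Brian) into the match-anything (givenname=*), and a value containing parentheses rewrites the filter structure itself. The following is an added example, not code from the article or from OpenLDAP; it escapes assertion values per RFC 4515, assembles the AND filter used above, and builds the ldapsearch argument vector without involving a shell. The default -ZZ flag assumes the server offers StartTLS, which the article does not state.

```python
"""Build ldapsearch filters and argument vectors safely.

Added example, not code from the original article. RFC 4515 reserves
'\\', '*', '(', ')' and NUL inside an assertion value; if user-supplied
text goes into a filter unescaped, a givenname of "*" turns the exact
match (givenname=Brian) into the match-anything (givenname=*), and a
value such as "Jones)(uid=*" rewrites the filter structure itself.
"""
import re
import shlex

# RFC 4515 section 3: the characters that must be escaped inside a value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}

# RFC 4512 attribute description: a keystring or a numeric OID, optionally
# followed by ';option' parts. Anything else is rejected rather than
# interpolated into the filter.
_ATTR_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)(?:;[A-Za-z0-9-]+)*$"
)


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so the server matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def equality_filter(attr: str, value: str) -> str:
    """Return an '(attr=value)' filter item with the value escaped."""
    if not _ATTR_RE.match(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    return f"({attr}={escape_filter_value(value)})"


def build_and_filter(equalities: dict) -> str:
    """AND together equality matches, e.g. the article's
    (&(sn=Jones)(givenname=Brian)). A single term needs no '&' wrapper."""
    if not equalities:
        raise ValueError("at least one assertion is required")
    items = [equality_filter(attr, value) for attr, value in equalities.items()]
    if len(items) == 1:
        return items[0]
    return "(&" + "".join(items) + ")"


def ldapsearch_argv(base, filt, sort_attr=None, attrs=(), uri=None,
                    require_starttls=True):
    """Assemble the ldapsearch command as an argument list (no shell, so no
    shell-quoting problems). -ZZ is added by default so the session fails
    unless StartTLS succeeds; this assumes the server offers StartTLS."""
    argv = ["ldapsearch", "-x", "-b", base]
    if uri:
        argv += ["-H", uri]
    if require_starttls:
        argv.append("-ZZ")
    if sort_attr:
        argv += ["-S", sort_attr]
    argv.append(filt)
    argv.extend(attrs)
    return argv


if __name__ == "__main__":
    base = "dc=linuxlaboratory,dc=org"
    # Constructed inputs: the first is the article's query, the second is
    # what an attacker would type into a "first name" form field.
    for givenname in ("Brian", "*"):
        filt = build_and_filter({"sn": "Jones", "givenname": givenname})
        print(shlex.join(ldapsearch_argv(base, filt, sort_attr="cn",
                                         require_starttls=False)))
```

The escaped form of the attacker's input is (givenname=\2a), which matches only a surname-Jones entry whose given name is a literal asterisk; the attribute name is validated separately because escaping only covers the value side of the assertion.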
My favorite tool from the OpenLDAP suite is ldapmodify. To me, this is the consummate Swiss Army knife for OpenLDAP. It takes a little getting used to the flags and files involved, but once you've mastered ldapmodify, you can perform additions, modifications, and deletions with pinpoint accuracy in seconds. For example, suppose I demote user "cartman" to janitor and take away his right to have a homepage in the process. I create a quick file, which I name modlab, containing my changes:
dn: cn=cartman,ou=People,dc=linuxlaboratory,dc=org
changetype: modify
replace: loginShell
loginShell: /bin/bash
-
replace: title
title: janitor
-
delete: labeledURI
-
I then run ldapmodify:
ldapmodify -x -W -D'cn=Manager,dc=linuxlaboratory,dc=org' -c -S modlab.err -f modlab
When the command completes, cartman's entry has the altered loginShell, reflects his new title, and no longer has a labeledURI attribute at all. Any record the server rejects is written, still in LDIF form, to the file modlab.err, as the -S modlab.err argument requests, with the server's error message added as a comment. When a file of many modifications touches many entries, coupling -S with the -c flag, which tells the utility to continue after an error rather than stopping at the first one, lets ldapmodify apply every change that can be made now and log those that can't, so they can be corrected and fed back in. One caveat: -x with -W sends the Manager password in the clear unless the connection is protected, so require StartTLS with -ZZ or point -H at an ldaps:// URI.
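Writing modify records by hand works until a value needs base64 (an accented title, a value with a leading space), and -W is no use in a cron job. The following is an added example, not code from the article or from OpenLDAP: it generates the modlab record above with the RFC 2849 encoding rules applied per value, and builds the ldapmodify invocation with -W swapped for a 0600 password file read via -y and StartTLS required. The LDAP URI and password file path in it are assumptions for illustration.

```python
"""Write an LDIF 'changetype: modify' record and the ldapmodify command
that applies it.

Added example, not code from the original article. RFC 2849 requires a
value to be base64-encoded (written after '::') when it begins with a
space, ':' or '<', or contains NUL, CR, LF or any non-ASCII character.
For scripted runs the password comes from a 0600 file via -y instead of
the interactive -W prompt. The URI and password path used in __main__
are assumptions, not values from the article.
"""
import base64
import os
import shlex
from typing import Iterable, Optional, Sequence, Tuple

# (operation, attribute, values); values is None for a bare delete of the
# whole attribute, as with labeledURI in the article.
Modification = Tuple[str, str, Optional[Sequence[str]]]

CARTMAN_DN = "cn=cartman,ou=People,dc=linuxlaboratory,dc=org"
CARTMAN_MODS: Sequence[Modification] = (
    ("replace", "loginShell", ["/bin/bash"]),
    ("replace", "title", ["janitor"]),
    ("delete", "labeledURI", None),
)


def needs_base64(value: str) -> bool:
    """RFC 2849 SAFE-STRING test. A trailing space is also encoded: the
    grammar allows it, but editors silently strip it."""
    if not value:
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ch in "\x00\r\n" or ord(ch) > 0x7F for ch in value)


def ldif_attr_line(attr: str, value: str) -> str:
    """'attr: value', or 'attr:: base64' when the value is not safe."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def ldif_modify_record(dn: str, mods: Iterable[Modification]) -> str:
    """One modify record: each operation closed with '-' and the record
    with a blank line, exactly as in the article's modlab file."""
    lines = [ldif_attr_line("dn", dn), "changetype: modify"]
    for op, attr, values in mods:
        if op not in ("add", "delete", "replace"):
            raise ValueError(f"unknown modify operation: {op!r}")
        if op == "add" and not values:
            raise ValueError(f"add of {attr} needs at least one value")
        lines.append(f"{op}: {attr}")
        for value in values or ():
            lines.append(ldif_attr_line(attr, value))
        lines.append("-")
    return "\n".join(lines) + "\n\n"


def write_password_file(path: str, password: str) -> None:
    """Create the -y password file readable only by its owner. -y uses the
    file's complete contents, so no trailing newline is written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password)


def ldapmodify_argv(bind_dn, ldif_path, password_file, error_file, uri=None):
    """The article's invocation with -W replaced by -y and StartTLS required
    (-ZZ) so the bind password never travels in clear. With an ldaps://
    URI the session is already TLS, so -ZZ is omitted."""
    argv = ["ldapmodify", "-x"]
    if uri:
        argv += ["-H", uri]
    if not (uri or "").startswith("ldaps://"):
        argv.append("-ZZ")
    argv += ["-D", bind_dn, "-y", password_file,
             "-c", "-S", error_file, "-f", ldif_path]
    return argv


if __name__ == "__main__":
    print(ldif_modify_record(CARTMAN_DN, CARTMAN_MODS), end="")
    # Assumed paths and URI for illustration only.
    print(shlex.join(ldapmodify_argv("cn=Manager,dc=linuxlaboratory,dc=org",
                                     "modlab", "/root/.ldappw", "modlab.err",
                                     uri="ldap://ldap.linuxlaboratory.org")))
```

Because ldapmodify -S writes rejected records back out as LDIF, the output of ldif_modify_record and the contents of modlab.err have the same shape, which is what makes the fix-and-resubmit loop with -c practical.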
I strongly suggest you read the man pages for the OpenLDAP command-line tools. They can be a lifesaver when you're working from some remote location that doesn't support the bandwidth necessary for a GUI display, or when you're forced to work from an SSH client running on a Windows box with no X server.
Don't imagine you're limited to command-line tools, though...
Directory Administrator
Posted by: Administrator on March 25, 2004 10:04 PM