Example LDAP commands

From Brandonhutchinson.com

Current revision (22:17, 19 February 2008)

  • To list the password policy on Sun Directory Server 5.2 and later:
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b "cn=Password Policy,cn=config" "objectClass=*"
  • To list the LDAP client profiles on an LDAP server:
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b "ou=profile,dc=example,dc=com" "objectClass=*"
  • To test the proxyagent password:
$ ldapsearch -D "cn=proxyagent,ou=profile,dc=example,dc=com" -w password -b dc=example,dc=com objectclass=\*
  • To display the userPassword attribute with pam_ldap authentication for uid=hutchib:
$ ldapsearch -D "cn=Directory Manager" -w Directory_Manager_password -h LDAP_server -b ou=people,dc=example,dc=com uid=hutchib userPassword
  • Two ways to delete an LDAP client profile named cn=default,ou=profile,dc=example,dc=com:
$ /usr/bin/printf "cn=default,ou=profile,dc=example,dc=com\n" | ldapdelete -h LDAP_server -D "cn=Directory Manager"
$ /usr/bin/printf "dn: cn=default,ou=profile,dc=example,dc=com\nchangetype: delete" | ldapmodify -h LDAP_server -D "cn=Directory Manager"
  • Modifying the defaultServerList attribute in the simple LDAP client profile:
$ /usr/bin/printf "dn: cn=simple,ou=profile,dc=example,dc=com\nchangetype: modify\nreplace: defaultServerList\ndefaultServerList: 192.168.1.100 192.168.1.101\n" | ldapmodify -h LDAP_server -D "cn=Directory Manager"
  • When does my proxyagent user password expire?
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b ou=profile,dc=example,dc=com cn=proxyagent passwordExpirationTime
  • View the default root level ACIs.
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b "" -s base "(objectClass=*)" aci
  • Display the root Directory Server Entry (DSE). This is a good test of LDAP connectivity and basic functionality of the Directory Server, as the root DSE has to be available via anonymous bind.
$ ldapsearch -h LDAP_server -s base -b "" "objectClass=*"
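An added example (not from the original page) that turns the passwordExpirationTime query above into a check of how many days remain before the proxyagent password expires. The ldapsearch output below is constructed inline so it runs offline; LDAP_server is the page's placeholder host, and the date arithmetic assumes the attribute is in LDAP generalized time (YYYYMMDDhhmmssZ).

```shell
# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (Gregorian calendar),
# computed in awk so no GNU date extensions are needed.
days_from_civil() {
    awk -v y="$1" -v m="$2" -v d="$3" 'BEGIN {
        if (m <= 2) y--
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * ((m + 9) % 12) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        print era * 146097 + doe - 719468
    }'
}

# ymd YYYYMMDD -> day number for a date given as eight digits
ymd() {
    days_from_civil "${1%????}" "$(printf '%s' "$1" | cut -c5-6)" "${1#??????}"
}

# expiry_days LDAP_OUTPUT NOW(YYYYMMDD) -> days from NOW until the first
# passwordExpirationTime in LDAP_OUTPUT; negative means already expired.
expiry_days() {
    exp=$(printf '%s\n' "$1" | sed -n 's/^passwordExpirationTime: *\([0-9]\{8\}\).*/\1/p' | head -n 1)
    [ -n "$exp" ] || { printf 'no passwordExpirationTime in output\n' >&2; return 1; }
    printf '%s\n' "$(( $(ymd "$exp") - $(ymd "$2") ))"
}

# Constructed sample of what the page's ldapsearch command returns (not real data).
# With a live server the first argument would instead be:
#   "$(ldapsearch -h LDAP_server -D "cn=Directory Manager" -b ou=profile,dc=example,dc=com cn=proxyagent passwordExpirationTime)"
SAMPLE='dn: cn=proxyagent,ou=profile,dc=example,dc=com
passwordExpirationTime: 20080301221700Z'
printf 'days until proxyagent password expires (counted from 2008-02-19): %s\n' "$(expiry_days "$SAMPLE" 20080219)"
```

Replace the fixed date with `$(date -u +%Y%m%d)` to check against the current day; a result at or below zero means pam_ldap clients using the proxyagent bind will start failing.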

Changing an LDAP UID

Changing an LDAP UID entails changing uid, cn, and homeDirectory. Because uid is the RDN of the entry, it cannot be replaced with ldapmodify (the attempt below fails with "Operation not allowed on RDN"); we have to use ldapmodrdn instead.

$ ldapmodify -h LDAP_server -D "cn=Directory Manager"
dn: uid=old_uid,ou=people,dc=example,dc=com
changetype: modify
replace: uid
uid: new_uid
-
replace: cn
cn: new_uid
-
replace: homeDirectory
homeDirectory: /home/new_uid
<Ctrl-D>
ldap_modify_s: Operation not allowed on RDN

ldapmodrdn takes as its arguments the DN of the entry to rename and the new RDN. The -r flag removes the old RDN value (uid: old_uid) from the entry, which would otherwise be kept as an additional attribute value by default.

$ ldapmodrdn -r -h LDAP_server -D "cn=Directory Manager"
uid=old_uid,ou=people,dc=example,dc=com
uid=new_uid
<Ctrl-D>

Next, change the cn and homeDirectory using ldapmodify.

$ ldapmodify -h LDAP_server -D "cn=Directory Manager"
dn: uid=new_uid,ou=people,dc=example,dc=com
changetype: modify
replace: cn
cn: new_uid
-
replace: homeDirectory
homeDirectory: /home/new_uid
<Ctrl-D>
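The two-step rename above as a script, added here as an example and not part of the original page. It refuses to build a modify that touches the RDN attribute (the mistake shown first above), then emits the ldapmodrdn input and the follow-up LDIF. It assumes the page's layout uid=<uid>,ou=people,dc=example,dc=com and the placeholder host LDAP_server; DRY_RUN=1 (the default) only prints what would be piped into the tools.

```shell
# Added example, not from the original page. Assumes the page's DN layout and
# placeholder host name; rename_uid, modify_ldif and rdn_attr are hypothetical names.
PEOPLE_BASE="ou=people,dc=example,dc=com"
LDAP_HOST="${LDAP_HOST:-LDAP_server}"
BIND_DN="cn=Directory Manager"

# rdn_attr DN -> attribute type of the leftmost RDN ("uid" for uid=x,ou=...)
rdn_attr() {
    printf '%s\n' "$1" | sed 's/=.*//'
}

# modify_ldif DN ATTR VALUE [ATTR VALUE ...] -> LDIF replacing each ATTR.
# The RDN attribute is rejected up front: the server refuses it anyway.
modify_ldif() {
    dn=$1; shift
    rdn=$(rdn_attr "$dn")
    i=1
    for a in "$@"; do
        if [ $((i % 2)) -eq 1 ] && [ "$a" = "$rdn" ]; then
            printf "refusing to replace RDN attribute '%s'; use ldapmodrdn\n" "$a" >&2
            return 1
        fi
        i=$((i + 1))
    done
    printf 'dn: %s\nchangetype: modify\n' "$dn"
    first=1
    while [ $# -ge 2 ]; do
        [ $first -eq 1 ] || printf '%s\n' -
        printf 'replace: %s\n%s: %s\n' "$1" "$1" "$2"
        first=0
        shift 2
    done
}

# rename_uid OLD NEW: step 1 renames the entry with ldapmodrdn -r, step 2
# updates cn and homeDirectory with ldapmodify (dry run prints both inputs).
rename_uid() {
    old_dn="uid=$1,$PEOPLE_BASE"
    new_dn="uid=$2,$PEOPLE_BASE"
    ldif=$(modify_ldif "$new_dn" cn "$2" homeDirectory "/home/$2") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        printf '%s\n%s\n%s\n' "$old_dn" "uid=$2" "$ldif"
        return 0
    fi
    printf '%s\n%s\n' "$old_dn" "uid=$2" | ldapmodrdn -r -h "$LDAP_HOST" -D "$BIND_DN" &&
        printf '%s\n' "$ldif" | ldapmodify -h "$LDAP_HOST" -D "$BIND_DN"
}
rename_uid old_uid new_uid
```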