Example LDAP commands
From Brandonhutchinson.com
- To list the password policy on Sun Directory Server 5.2 and later:
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b "cn=Password Policy,cn=config" "objectClass=*"
- To list LDAP client profiles on LDAP server:
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b "ou=profile,dc=example,dc=com" "objectClass=*"
- To test the proxyagent password:
$ ldapsearch -D "cn=proxyagent,ou=profile,dc=example,dc=com" -w password -b dc=example,dc=com objectclass=\*
- To display the userPassword attribute with pam_ldap authentication for uid=hutchib:
$ ldapsearch -D "cn=Directory Manager" -w Directory_Manager_password -h LDAP_server -b ou=people,dc=example,dc=com uid=hutchib userPassword
- Two ways to delete an LDAP client profile named cn=default,ou=profile,dc=example,dc=com:
$ /usr/bin/printf "cn=default,ou=profile,dc=example,dc=com\n" | ldapdelete -h LDAP_server -D "cn=Directory Manager"
$ /usr/bin/printf "dn: cn=default,ou=profile,dc=example,dc=com\nchangetype: delete" | ldapmodify -h LDAP_server -D "cn=Directory Manager"
- Modifying the defaultServerList attribute in the simple LDAP client profile:
$ /usr/bin/printf "dn: cn=simple,ou=profile,dc=example,dc=com\nchangetype: modify\nreplace: defaultServerList\ndefaultServerList: 192.168.1.100 192.168.1.101\n" | ldapmodify -h LDAP_server -D "cn=Directory Manager"
- When does my proxyagent user password expire?
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b ou=profile,dc=example,dc=com cn=proxyagent passwordExpirationTime
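Added example, not from the original page: a Python helper that parses the LDIF that ldapsearch prints for the query above and turns passwordExpirationTime (LDAP GeneralizedTime, UTC) into days remaining per entry, so that proxyagent passwords can be checked before they expire and break client lookups. The sample output and the function names are constructed here.

```python
import base64
import datetime as dt

# Constructed sample of ldapsearch output (not captured from a real server).
SAMPLE_OUTPUT = """version: 1
dn: cn=proxyagent,ou=profile,dc=example,dc=com
passwordExpirationTime: 20240315083000Z

dn: cn=proxyagent,ou=profile,dc=lab,dc=example,dc=com
"""


def parse_ldif(text):
    """Parse LDIF search output into a list of (dn, {attr: [values]}).
    Handles folded continuation lines (leading space) and base64 values ('::')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():  # blank line ends an entry
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr == "dn":
            current = (value, {})
        elif current:
            current[1].setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def parse_generalized_time(value):
    """GeneralizedTime as Directory Server writes it: YYYYMMDDHHMMSSZ (UTC)."""
    return dt.datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def expiry_report(text, now):
    """Return {dn: days until expiry}; None means no passwordExpirationTime is set."""
    report = {}
    for dn, attrs in parse_ldif(text):
        values = attrs.get("passwordExpirationTime")
        report[dn] = (parse_generalized_time(values[0]) - now).days if values else None
    return report
```

Feed it the real ldapsearch output via `expiry_report(sys.stdin.read(), datetime.now(timezone.utc))` and alert on small or negative day counts.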
- View the default root level ACIs.
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b "" -s base "(objectClass=*)" aci
- Display the root Directory Server Entry (DSE). This is a good test of LDAP connectivity and basic functionality of the Directory Server, as the root DSE has to be available via anonymous bind.
$ ldapsearch -h LDAP_server -s base -b "" "objectClass=*"
Changing an LDAP UID

Changing an LDAP UID entails changing uid, cn, and homeDirectory. Because we are changing the cn RDN, we have to use ldapmodrdn instead of ldapmodify.
$ ldapmodify -h LDAP_server -D "cn=Directory Manager"
dn: uid=old_uid,ou=people,dc=example,dc=com
changetype: modify
replace: uid
uid: new_uid
-
replace: cn
cn: new_uid
-
replace: homeDirectory
homeDirectory: /home/new_uid
<Ctrl-D>
ldap_modify_s: Operation not allowed on RDN
ldapmodrdn takes as its arguments the DN of the entry to rename and the new RDN. The -r flag removes the old RDN, which would have been kept by default.
$ ldapmodrdn -r -h LDAP_server -D "cn=Directory Manager"
uid=old_uid,ou=people,dc=example,dc=com
uid=new_uid
<Ctrl-D>
Next, change the cn and homeDirectory using ldapmodify.
$ ldapmodify -h LDAP_server -D "cn=Directory Manager"
dn: uid=new_uid,ou=people,dc=example,dc=com
changetype: modify
replace: cn
cn: new_uid
-
replace: homeDirectory
homeDirectory: /home/new_uid
<Ctrl-D>
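Added example, not part of the original page: a Python helper that generates the input for both steps above (the ldapmodrdn DN/RDN pair, then the ldapmodify LDIF) with RFC 4514 escaping of the RDN value and RFC 2849 base64 encoding of unsafe LDIF values, so that a uid containing a comma, plus sign or leading space cannot produce a malformed DN or a different entry than intended. The helper names, the base DN default and the rejection of '/' in the new uid are my assumptions.

```python
import base64

DN_SPECIAL = ',+"\\<>;'  # characters that must be escaped inside an RDN value (RFC 4514)


def escape_rdn_value(value):
    """Escape an attribute value for use in an RDN such as uid=<value>."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in DN_SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)


def ldif_line(attr, value):
    """One LDIF attribute line; values that are not SAFE-STRINGs get 'attr:: <base64>'."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def rename_uid_ldif(old_uid, new_uid, base="ou=people,dc=example,dc=com", home_base="/home"):
    """Return (ldapmodrdn_input, ldapmodify_ldif) for the two-step uid rename."""
    if not new_uid or "/" in new_uid:
        raise ValueError("new uid must be non-empty and must not contain '/'")
    old_dn = f"uid={escape_rdn_value(old_uid)},{base}"
    new_rdn = f"uid={escape_rdn_value(new_uid)}"
    modrdn_input = f"{old_dn}\n{new_rdn}\n"          # piped into: ldapmodrdn -r ...
    modify_ldif = "\n".join([                           # piped into: ldapmodify ...
        ldif_line("dn", f"{new_rdn},{base}"),
        "changetype: modify",
        "replace: cn",
        ldif_line("cn", new_uid),
        "-",
        "replace: homeDirectory",
        ldif_line("homeDirectory", f"{home_base}/{new_uid}"),
    ]) + "\n"
    return modrdn_input, modify_ldif
```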
