Example LDAP commands

From Brandonhutchinson.com



  • To list the password policy on Sun Directory Server 5.2 and later:
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b "cn=Password Policy,cn=config" "objectClass=*"
  • To list LDAP client profiles on LDAP server:
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b "ou=profile,dc=example,dc=com" "objectClass=*"
  • To test the proxyagent password:
$ ldapsearch -D "cn=proxyagent,ou=profile,dc=example,dc=com" -w password -b dc=example,dc=com objectclass=\*
  • To display the userPassword attribute with pam_ldap authentication for uid=hutchib:
$ ldapsearch -D "cn=Directory Manager" -w Directory_Manager_password -h LDAP_server -b ou=people,dc=example,dc=com uid=hutchib userPassword
  • Two ways to delete an LDAP client profile named cn=default,ou=profile,dc=example,dc=com:
$ /usr/bin/printf "cn=default,ou=profile,dc=example,dc=com\n" | ldapdelete -h LDAP_server -D "cn=Directory Manager"
$ /usr/bin/printf "dn: cn=default,ou=profile,dc=example,dc=com\nchangetype: delete" | ldapmodify -h LDAP_server -D "cn=Directory Manager"
  • Modifying the defaultServerList attribute in the simple LDAP client profile:
$ /usr/bin/printf "dn: cn=simple,ou=profile,dc=example,dc=com\nchangetype: modify\nreplace: defaultServerList\ndefaultServerList: 192.168.1.100 192.168.1.101\n" | ldapmodify -h LDAP_server -D "cn=Directory Manager"
  • When does my proxyagent user password expire?
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b ou=profile,dc=example,dc=com cn=proxyagent passwordExpirationTime
  • View the default root level ACIs.
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b "" -s base "(objectClass=*)" aci
  • Display the root Directory Server Entry (DSE). This is a good test of LDAP connectivity and basic functionality of the Directory Server, as the root DSE has to be available via anonymous bind.
$ ldapsearch -h LDAP_server -s base -b "" "objectClass=*"

Changing an LDAP UID

Changing an LDAP UID entails changing uid, cn, and homeDirectory. Because we are changing the cn RDN, we have to use ldapmodrdn instead of ldapmodify.

$ ldapmodify -h LDAP_server -D "cn=Directory Manager"
dn: uid=old_uid,ou=people,dc=example,dc=com
changetype: modify
replace: uid
uid: new_uid
-
replace: cn
cn: new_uid
-
replace: homeDirectory
homeDirectory: /home/new_uid
<Ctrl-D>
ldap_modify_s: Operation not allowed on RDN

ldapmodrdn takes as its arguments the DN of the entry to rename and the new RDN. The -r flag removes the old RDN, which would have been kept by default.

$ ldapmodrdn -r -h LDAP_server -D "cn=Directory Manager"
uid=old_uid,ou=people,dc=example,dc=com
uid=new_uid
<Ctrl-D>

Next, change the cn and homeDirectory using ldapmodify.

$ ldapmodify -h LDAP_server -D "cn=Directory Manager"
dn: uid=new_uid,ou=people,dc=example,dc=com
changetype: modify
replace: cn
cn: new_uid
-
replace: homeDirectory
homeDirectory: /home/new_uid
<Ctrl-D>
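The two-step rename above as a script, added here as an example and not part of the original page. It builds the ldapmodrdn and ldapmodify inputs, refuses a modify that would replace the attribute in the entry's own RDN (the "Operation not allowed on RDN" failure shown above) before anything reaches the server, and only talks to the server when LDAP_SERVER is set, an environment variable assumed for this example; the base DN and the "cn=Directory Manager" bind are the page's.

```shell
#!/bin/sh
# Added example (not from the page): rename a uid the way the page does it,
# ldapmodrdn first, then ldapmodify for cn and homeDirectory. LDAP_SERVER is
# assumed; when unset, the script only prints what it would send.

# Attribute type of the first RDN: "uid" for "uid=old_uid,ou=people,...".
rdn_attr() {
    printf '%s\n' "$1" | sed 's/=.*//'
}

# Exit 0 if a modify LDIF (passed as one string) replaces, adds or deletes
# the attribute named in its dn's RDN, which the server rejects.
ldif_touches_rdn() {
    dn=$(printf '%s\n' "$1" | sed -n 's/^dn: //p' | head -n 1)
    attr=$(rdn_attr "$dn")
    printf '%s\n' "$1" | grep -Eq "^(replace|add|delete): ${attr}\$"
}

# stdin for ldapmodrdn: the DN to rename, then the new RDN.
modrdn_input() {   # $1 old DN, $2 new uid
    printf '%s\nuid=%s\n' "$1" "$2"
}

# LDIF for the follow-up ldapmodify on the renamed entry.
modify_ldif() {    # $1 new DN, $2 new uid
    printf 'dn: %s\nchangetype: modify\nreplace: cn\ncn: %s\n-\n' "$1" "$2"
    printf 'replace: homeDirectory\nhomeDirectory: /home/%s\n' "$2"
}

# rename_uid OLD_UID NEW_UID BASE_DN
rename_uid() {
    old_dn="uid=$1,$3"
    new_dn="uid=$2,$3"
    ldif=$(modify_ldif "$new_dn" "$2")
    if ldif_touches_rdn "$ldif"; then
        echo "refusing: modify would change the RDN attribute of $new_dn" >&2
        return 1
    fi
    if [ -z "$LDAP_SERVER" ]; then
        modrdn_input "$old_dn" "$2"
        printf '%s\n' "$ldif"
        return 0
    fi
    # -r drops the old RDN value instead of keeping it as a second uid.
    modrdn_input "$old_dn" "$2" |
        ldapmodrdn -r -h "$LDAP_SERVER" -D "cn=Directory Manager" || return 1
    printf '%s\n' "$ldif" | ldapmodify -h "$LDAP_SERVER" -D "cn=Directory Manager"
}
```

Run as `LDAP_SERVER=ldap.example.com ./rename.sh` after adding a call such as `rename_uid old_uid new_uid ou=people,dc=example,dc=com` at the end; without LDAP_SERVER it prints the inputs for review.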