Example LDAP commands

From Brandonhutchinson.com

Current revision (22:17, 19 February 2008)

  • To list the password policy on Sun Directory Server 5.2 and later:
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b "cn=Password Policy,cn=config" "objectClass=*"
  • To list LDAP client profiles on LDAP server:
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b "ou=profile,dc=example,dc=com" "objectClass=*"
  • To test the proxyagent password (note that -w puts the password on the command line, where it shows up in ps output and in the shell history; the other commands on this page omit -w and are prompted for the bind password instead):
$ ldapsearch -D "cn=proxyagent,ou=profile,dc=example,dc=com" -w password -b dc=example,dc=com objectclass=\*
  • To display the (hashed) userPassword attribute that pam_ldap authenticates against, for uid=hutchib. The default ACIs do not let ordinary or anonymous binds read userPassword, which is why this binds as Directory Manager:
$ ldapsearch -D "cn=Directory Manager" -w Directory_Manager_password -h LDAP_server -b ou=people,dc=example,dc=com uid=hutchib userPassword
  • Two ways to delete an LDAP client profile named cn=default,ou=profile,dc=example,dc=com:
$ /usr/bin/printf "cn=default,ou=profile,dc=example,dc=com\n" | ldapdelete -h LDAP_server -D "cn=Directory Manager"
$ /usr/bin/printf "dn: cn=default,ou=profile,dc=example,dc=com\nchangetype: delete" | ldapmodify -h LDAP_server -D "cn=Directory Manager"
  • Modifying the defaultServerList attribute in the simple LDAP client profile:
$ /usr/bin/printf "dn: cn=simple,ou=profile,dc=example,dc=com\nchangetype: modify\nreplace: defaultServerList\ndefaultServerList: 192.168.1.100 192.168.1.101\n" | ldapmodify -h LDAP_server -D "cn=Directory Manager"
  • When does my proxyagent user password expire?
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b ou=profile,dc=example,dc=com cn=proxyagent passwordExpirationTime
  • View the default root level ACIs.
$ ldapsearch -h LDAP_server -D "cn=Directory Manager" -b "" -s base "(objectClass=*)" aci
  • Display the root DSE (DSA-Specific Entry). This is a good test of LDAP connectivity and basic functionality of the Directory Server, as the root DSE has to be readable over an anonymous bind (no -D is given below, so the bind is anonymous). It also shows what the server advertises to clients, such as its naming contexts and the LDAP versions and SASL mechanisms it supports.
$ ldapsearch -h LDAP_server -s base -b "" "objectClass=*"

Changing an LDAP UID

Changing an LDAP UID entails changing uid, cn, and homeDirectory. Because uid is the RDN of the entry (dn: uid=old_uid,ou=people,dc=example,dc=com), it cannot be replaced with ldapmodify; the entry has to be renamed with ldapmodrdn. Trying it with ldapmodify fails, and because a modify operation is applied atomically, cn and homeDirectory are left unchanged as well:

$ ldapmodify -h LDAP_server -D "cn=Directory Manager"
dn: uid=old_uid,ou=people,dc=example,dc=com
changetype: modify
replace: uid
uid: new_uid
-
replace: cn
cn: new_uid
-
replace: homeDirectory
homeDirectory: /home/new_uid
<Ctrl-D>
ldap_modify_s: Operation not allowed on RDN

ldapmodrdn reads from standard input the DN of the entry to rename and the new RDN, one per line. The -r flag removes the old RDN value (uid: old_uid) from the entry; without it the entry keeps both uid values, so a (uid=old_uid) lookup by nss_ldap or pam_ldap would still match it.

$ ldapmodrdn -r -h LDAP_server -D "cn=Directory Manager"
uid=old_uid,ou=people,dc=example,dc=com
uid=new_uid
<Ctrl-D>

Next, change the cn and homeDirectory using ldapmodify. The rename does not touch these, nor anything that refers to the old name elsewhere: memberUid values in posixGroup entries and the home directory on disk still have to be updated separately.

$ ldapmodify -h LDAP_server -D "cn=Directory Manager"
dn: uid=new_uid,ou=people,dc=example,dc=com
changetype: modify
replace: cn
cn: new_uid
-
replace: homeDirectory
homeDirectory: /home/new_uid
<Ctrl-D>
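The three steps above, wrapped in a script. This is an added example and not code from the original page: it validates both names before they are spliced into a DN or a search filter, then feeds ldapmodrdn and ldapmodify the same input the page types by hand, and stops if the rename fails so cn and homeDirectory are not rewritten on an entry that still carries the old uid. The base DN, server name and bind DN are the page's placeholders; the character rule for a uid and the DRY_RUN switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): rename a POSIX account's uid in
# the directory, with input validation and a dry-run mode.
# Assumes the page's layout: entries under ou=people,dc=example,dc=com with uid
# as the RDN. Set DRY_RUN=1 to print the generated input instead of sending it.

PEOPLE_BASE="ou=people,dc=example,dc=com"      # assumption: layout used on this page
LDAP_SERVER="${LDAP_SERVER:-LDAP_server}"       # placeholder, as on the page
BIND_DN="${BIND_DN:-cn=Directory Manager}"

# Accept only lowercase letters, digits, '_', '.' and '-', starting with a
# letter or '_'. None of these are special in a DN (RFC 4514) or a search
# filter (RFC 4515), so the value can be interpolated without escaping.
# Anything else is refused rather than escaped, so a name such as
# 'x,ou=profile' or 'a*' can never alter the DN or the filter.
valid_uid() {
    case "$1" in
        ''|*[!a-z0-9_.-]*) return 1 ;;
        [a-z_]*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1: the two lines ldapmodrdn reads on stdin (entry DN, then new RDN).
modrdn_input() {
    printf 'uid=%s,%s\nuid=%s\n' "$1" "$PEOPLE_BASE" "$2"
}

# Step 2: LDIF that brings cn and homeDirectory in line with the new uid.
modify_ldif() {
    printf 'dn: uid=%s,%s\nchangetype: modify\n' "$1" "$PEOPLE_BASE"
    printf 'replace: cn\ncn: %s\n-\n' "$1"
    printf 'replace: homeDirectory\nhomeDirectory: /home/%s\n' "$1"
}

# rename_uid OLD NEW: returns 2 on bad input, 1 if the directory rejects a step.
rename_uid() {
    if ! valid_uid "$1" || ! valid_uid "$2"; then
        echo "rename_uid: uid contains characters not allowed here" >&2
        return 2
    fi
    if [ "$1" = "$2" ]; then
        echo "rename_uid: old and new uid are identical" >&2
        return 2
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        modrdn_input "$1" "$2"
        modify_ldif "$2"
        return 0
    fi
    # -r drops the old uid value. Stop here if the rename fails, so cn and
    # homeDirectory are not rewritten on an entry that still has the old uid.
    modrdn_input "$1" "$2" | ldapmodrdn -r -h "$LDAP_SERVER" -D "$BIND_DN" || return 1
    modify_ldif "$2" | ldapmodify -h "$LDAP_SERVER" -D "$BIND_DN" || return 1
}

if [ $# -eq 2 ]; then
    rename_uid "$1" "$2"
fi
```

Run as `DRY_RUN=1 sh rename_uid.sh old_uid new_uid` to see exactly what would be sent, then without DRY_RUN to apply it; as on the rest of the page, no -w is passed, so each tool prompts for the Directory Manager password. Refusing unusual names instead of escaping them is the simpler rule to get right in shell, and every name a real login accepts still passes.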