1. Query command
-p indicates the port number
-h indicates the host name (a bare host name or IP address; a full ldap:// URI is passed with -H instead)
-D indicates the bind DN of the administrator account
-W prompts for the password interactively
-w is followed by the password on the command line; it is equivalent to typing the password at the -W prompt, but the password then shows up in the process list and shell history
-b indicates the search base
The usual query has the form:
ldapsearch -p <port> -h <host> -D "cn=admin,dc=example,dc=com" -w "<administrator password>" -b "<search base, e.g. dc=example,dc=com>" "<search filter; if omitted, every entry under the base is returned>"
2. Query filter conditions
1. Supported operators
Operator | Meaning |
---|---|
= | Equality |
>= | Greater than or equal to (lexicographical) |
<= | Less than or equal to (lexicographical) |
& | AND, all conditions must be met |
\| | OR, at least one of the conditions must be met |
! | NOT, the clause must evaluate to False |
For example, to find entries whose cn is Jim Smith, or whose givenName is Jim and sn is Smith:
"(|(cn=Jim Smith)(&(givenName=Jim)(sn=Smith)))"
2. Special characters
The characters below have a special meaning inside an LDAP filter. If a search value contains one of them, it must be escaped as a backslash followed by the character's two-digit hexadecimal code, otherwise the server reads it as filter syntax rather than as part of the value.
Character | Hex Representation |
---|---|
* | \2A |
( | \28 |
) | \29 |
\ | \5C |
NUL (0x00) | \00 |
For example, to search for entries whose cn is "James (Jim) Smith", the filter is written as "(cn=James \28Jim\29 Smith)"
3. Examples
1. LDAP authentication (bind check only)
ldapsearch -p 389 -h localhost -D "cn=admin,dc=example,dc=com" -W
2. Search for all entries
ldapsearch -p 389 -h localhost -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com"
3. Search for all entries under ou=People
ldapsearch -p 389 -h localhost -D "cn=admin,dc=example,dc=com" -W -b "ou=People,dc=example,dc=com"
4. Search for entries whose uid is exactly xxx
ldapsearch -p 389 -h localhost -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com" "(uid=xxx)"
5. Wildcard query for entries whose uid starts with xxx
ldapsearch -p 389 -h localhost -D "cn=admin,dc=example,dc=com" -W -b "dc=example,dc=com" "(uid=xxx*)"
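The filter rules from sections 2.1 and 2.2 and the command lines above fit together in a small helper, shown here as an added example that is not part of the original note. It builds filters with the &, | and ! operators, escapes values with the hex table, and assembles an ldapsearch argument vector using the flags documented above plus OpenLDAP's -y <file>, which reads the bind password from a file instead of the command line. The password file path and the "hostile" input are constructed for the demonstration.

```python
"""Build LDAP search filters and ldapsearch argument lists safely.

Added example, not code from the original note. It reuses the ldapsearch
flags the note documents (-p, -h, -D, -b) and assumes OpenLDAP's -y <file>,
which reads the bind password from a file so it never appears in `ps` output
or shell history. Sample inputs below are constructed.
"""
import subprocess
from typing import Iterable, List

# RFC 4515 filter escaping: each special character from the note's table
# becomes a backslash followed by its two-digit hex code.
_FILTER_ESCAPES = {
    "\\": r"\5C",
    "*": r"\2A",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape one attribute value so the filter matches it literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str, prefix: bool = False) -> str:
    """(attr=value); with prefix=True a wildcard is appended after escaping,
    so an asterisk typed by the user is still matched as a literal."""
    escaped = escape_filter_value(value)
    return f"({attr}={escaped}*)" if prefix else f"({attr}={escaped})"


def and_(*clauses: str) -> str:
    return "(&" + "".join(clauses) + ")"


def or_(*clauses: str) -> str:
    return "(|" + "".join(clauses) + ")"


def not_(clause: str) -> str:
    return "(!" + clause + ")"


def ldapsearch_argv(host: str, port: int, bind_dn: str, base: str,
                    filt: str, password_file: str,
                    attrs: Iterable[str] = ()) -> List[str]:
    """Argument vector for ldapsearch.

    The filter is a single argv element, never joined into a shell string,
    and -y replaces -w so the password is not exposed on the command line.
    """
    argv = ["ldapsearch", "-p", str(port), "-h", host, "-D", bind_dn,
            "-y", password_file, "-b", base, filt]
    argv.extend(attrs)
    return argv


def run_search(argv: List[str]) -> subprocess.CompletedProcess:
    """Execute ldapsearch without a shell; needs a reachable LDAP server."""
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # The note's two filters, rebuilt from their parts.
    print(or_(eq("cn", "Jim Smith"), and_(eq("givenName", "Jim"), eq("sn", "Smith"))))
    print(eq("cn", "James (Jim) Smith"))
    # Constructed untrusted input: pasted raw it would change the filter's
    # structure; escaped, every metacharacter is matched literally.
    hostile = "*)(uid=*"
    print("unsafe:", f"(uid={hostile})")
    print("safe:  ", eq("uid", hostile))
    # Equivalent of example 5 above, with the password taken from a file
    # (constructed path) and only cn and mail requested.
    print(" ".join(ldapsearch_argv("localhost", 389, "cn=admin,dc=example,dc=com",
                                   "dc=example,dc=com", eq("uid", "xxx", prefix=True),
                                   "/run/secrets/ldap-admin.pw", ["cn", "mail"])))
```

Escaping happens on the value alone, before any operator or wildcard is wrapped around it; that ordering is what lets eq("uid", "xxx", prefix=True) keep the intended trailing "*" while neutralising any "*" that arrived inside the value.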
To be improved...
Reference: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx?Sort=MostUseful
Reference: https://m.linuxidc.com/Linux/2013-08/88841.htm