OpenLDAP commonly used commands

Original address of this article: https://sitoi.cn/posts/5308.html

ldapsearch

ldapsearch - LDAP search tool

The ldapsearch utility opens a connection to the LDAP server, binds, and performs a search using the given filter.

If ldapsearch finds one or more entries, the attributes listed in attrs are retrieved and the entries are written to standard output in LDIF. If no attrs are listed, all user attributes are returned (operational attributes have to be requested explicitly, e.g. with +).

Options description
-d debuglevel Set the LDAP debugging level. Useful levels include 1 (trace), 2 (packets), 4 (arguments), 32 (filter processing) and 128 (access control). To request several categories, add the masks: for example, debuglevel 33 gives trace and filter information.
-x Use simple authentication instead of SASL. Without -D and a password this is an anonymous bind.
-D binddn DN to bind to the server with
-w passwd Password for the bind DN. It is visible to other users in ps output and in the shell history; prefer -W (prompt) or -y passwdfile.
-b basedn Base DN (root of the subtree) to search
-H ldapuri URI of the server to query, e.g. ldap://192.168.1.143 (or ldaps:// for TLS)

example

List every entry below the base DN (anonymous simple bind, since no -D or password is given)
ldapsearch -x -b "dc=sitoi,dc=cn" -H ldap://192.168.1.143
Query with a filter: entries whose uid is exactly demo (ldapsearch accepts the filter with or without the surrounding parentheses)
ldapsearch -x -b "dc=sitoi,dc=cn" "uid=demo" -H ldap://192.168.1.143
OR of two conditions, each using substring matching (* is an LDAP wildcard, not a regular expression)
ldapsearch -x -b "dc=sitoi,dc=cn" "(|(uid=*de*)(cn=*Ada Cather*))" -H ldap://192.168.1.143
AND of the same two substring conditions
ldapsearch -x -b "dc=sitoi,dc=cn" "(&(uid=*de*)(cn=*Ada Cather*))" -H ldap://192.168.1.143
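The filters above take their values from the command line, but in scripts they usually come from user input, and LDAP filters have their own metacharacters. The following is an added example (not from the original article) of escaping values as RFC 4515 requires before splicing them into an ldapsearch filter, together with the account lookup it protects; the base DN, server URI, the posixAccount objectClass and the hostile input are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article: building ldapsearch filters
# from untrusted input. RFC 4515 requires backslash, asterisk and the two
# parentheses inside an assertion value to be written as \5c \2a \28 \29
# (NUL as \00, which cannot occur in a shell string anyway). The base DN,
# server URI and objectClass below are constructed for illustration.

# Escape one assertion value for use inside a filter. Backslash goes first so
# the backslashes introduced by the other substitutions are not escaped twice.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Equality filter on one attribute; the value is escaped, so a "*" typed by
# the user is matched literally instead of acting as a wildcard.
ldap_eq_filter() {
    printf '(%s=%s)' "$1" "$(ldap_filter_escape "$2")"
}

# Substring ("contains") filter: the wildcards are ours, the value is escaped.
ldap_contains_filter() {
    printf '(%s=*%s*)' "$1" "$(ldap_filter_escape "$2")"
}

# Combine already-formed filters with one operator: ldap_join '&' f1 f2 ...
ldap_join() {
    op=$1; shift
    printf '(%s' "$op"
    for f in "$@"; do printf '%s' "$f"; done
    printf ')'
}
ldap_and() { ldap_join '&' "$@"; }
ldap_or()  { ldap_join '|' "$@"; }

# Filter used to look up one account: exact uid AND a fixed objectClass.
user_filter() {
    ldap_and "$(ldap_eq_filter uid "$1")" '(objectClass=posixAccount)'
}

# Run the search against a server (needs ldapsearch and a reachable LDAPURI).
user_search() {
    ldapsearch -x -LLL -H "${LDAPURI:-ldap://192.168.1.143}" \
        -b "${BASEDN:-dc=sitoi,dc=cn}" "$(user_filter "$1")" uid cn
}

# Demonstration with a constructed hostile input. Spliced in unescaped, the
# value turns the account lookup into (&(uid=*)(objectClass=*)(objectClass=
# posixAccount)), a valid filter that matches every account. Escaped, it is a
# literal string that matches nothing.
attacker='*)(objectClass=*'
echo "unescaped: (&(uid=${attacker})(objectClass=posixAccount))"
echo "escaped  : $(user_filter "$attacker")"
echo "OR query : $(ldap_or "$(ldap_contains_filter uid de)" "$(ldap_contains_filter cn 'Ada Cather')")"
```

The same escaping applies whether the value ends up in an equality, substring or approximate match; what must never be escaped is the wildcard you add yourself, which is why ldap_contains_filter places the asterisks outside the escaped value.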

ldapadd

ldapadd - LDAP add entry tool

ldapadd is implemented as a hard link to the ldapmodify tool. When invoked as ldapadd, the -a (add new entry) option is turned on automatically.

Options description
-x Use simple authentication
-D binddn DN to bind to the server with
-h ldaphost Host name or address of the directory server (older form; -H ldapuri is preferred)
-w passwd Password for the bind DN (visible in ps output and shell history; prefer -W or -y passwdfile)
-f file Read the entries to add from the LDIF file instead of standard input

example

ldapadd -x -D "cn=root,dc=sitoi,dc=cn" -w sitoi -f demo.ldif
ldapadd -x -D "cn=root,dc=sitoi,dc=cn" -w sitoi    # without -f, the LDIF entries are read from standard input (typed in or piped)

ldappasswd

ldappasswd - LDAP password modification tool

The ldappasswd utility opens a connection to the LDAP server, binds, and sets or changes the password of an entry using the LDAP Password Modify extended operation (RFC 3062). The server hashes and stores the new value itself, so the client never writes userPassword directly.

Options description
-x Use simple authentication
-D binddn DN to bind to the server with (the account performing the change)
-w passwd Password for the bind DN
-S Prompt for the new password
-s newPasswd Set the new password to newPasswd (exposed on the command line, like -w)
-a oldPasswd Give the old password as oldPasswd (needed when the server's password policy requires the old password, e.g. for a user changing their own)
-A Prompt for the old password
-H ldapuri URI of the server to connect to
-I Use SASL interactive mode (always prompt)

example

ldappasswd -x -D 'cn=root,dc=sitoi,dc=cn' -w sitoi 'uid=Sitoi,dc=sitoi,dc=cn' -S
New password:
Re-enter new password:

This sets the password of the target entry; if the entry had no userPassword attribute before, the server creates one, stored hashed according to its password-hash setting ({SSHA} by default).

ldapmodify

ldapmodify - LDAP entry modification tool

The ldapmodify utility opens a connection to the LDAP server, binds, and modifies or adds entries. The entry information is read from standard input or from the file given with the -f option. ldapadd is implemented as a hard link to ldapmodify; when invoked as ldapadd, the -a (add new entry) option is turned on automatically.

Both ldapadd and ldapmodify reject duplicate attribute name/value pairs within the same entry.

Options description
-a Add new entries. The default is to modify existing entries.
-C Chase referrals automatically.
-c Continuous operation: do not stop after an error. By default the program exits immediately at the first error; with -c, an entry in the LDIF file that does not exist in the database is reported and processing continues with the next record.
-n Show what would be done but do not modify any entries. Useful for checking an LDIF file, usually together with -v.
-v Verbose: print diagnostic output, such as the server being contacted and each operation performed.
-M[M] Enable the ManageDsaIT control (operate on referral objects themselves rather than following them). -MM marks the control as critical.
-f file Read the modification information from file rather than from standard input.
-x Use simple authentication.
-D binddn Bind as binddn (a full DN). This identity performs the modifications, so it must have write access to the entries.
-W Prompt for the bind password. Use it instead of -w.
-w bindpasswd Give the bind password on the command line. The alternative to -W; the password is visible in ps output and the shell history, so prefer -W or -y passwdfile.
-H ldapuri URI of the server, normally ldap://host:port or ldaps://host:port. When -H is used, -h and -p cannot be used.
-h ldaphost Host name or address of the server, used together with -p.
-p ldapport TCP port of the directory server, used together with -h. Cannot be combined with -H.
-Z[Z] Issue the StartTLS extended operation. With -ZZ the StartTLS handshake must succeed, otherwise the tool aborts instead of continuing in plaintext.
-V Print version information and exit. (In OpenLDAP this option does not enable certificate authentication.)
-e [!]ext[=extparam] Attach a general LDAP extension or control to the operation, e.g. -e ppolicy or -e relax; "!" marks it critical.
-E [!]ext[=extparam] Attach an operation-specific extension, same syntax as -e. Neither -e nor -E takes certificate files: client-certificate authentication is configured with TLS_CERT and TLS_KEY in ldap.conf or ~/.ldaprc (or the LDAPTLS_CERT and LDAPTLS_KEY environment variables) and used by binding with -ZZ -Y EXTERNAL.

Example

ldapmodify -x -D "cn=root,dc=sitoi,dc=cn" -W -f modify.ldif

The change records in modify.ldif are applied to the existing entries.
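Neither the ldapadd example nor the ldapmodify example shows what the LDIF file contains. The following added example (not from the original article) writes a demo.ldif for ldapadd and a modify.ldif for ldapmodify covering the three change types, and preflights the modification with -n -v before anything is changed. The DNs, attribute values and server URI are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article: the LDIF that ldapadd and
# ldapmodify actually read, plus a dry run before the real change. The DNs,
# attribute values and server URI are constructed for illustration.

# LDIF for ldapadd: a complete entry. No changetype line is needed because
# ldapadd implies "add". Arguments: uid, base DN, output file.
write_add_ldif() {
    uid=$1; base=$2; out=$3
    cat >"$out" <<EOF
dn: uid=$uid,ou=People,$base
objectClass: inetOrgPerson
objectClass: posixAccount
uid: $uid
cn: Demo User
sn: User
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/$uid
EOF
}

# LDIF for ldapmodify: one change record with three changes, separated by a
# line holding a single "-":
#   replace  overwrites every existing mail value
#   add      appends a value (fails if that exact value is already present)
#   delete   removes the whole description attribute
# Arguments: target DN, new mail address, output file.
write_modify_ldif() {
    dn=$1; mail=$2; out=$3
    cat >"$out" <<EOF
dn: $dn
changetype: modify
replace: mail
mail: $mail
-
add: telephoneNumber
telephoneNumber: +86 10 0000 0000
-
delete: description
EOF
}

# Preflight: -n shows what would be done without modifying any entry, -v
# prints each operation, -c keeps going past records that fail so every
# problem in the file is reported in one pass. Returns 2 when the client
# tool is missing, otherwise ldapmodify's own exit status.
ldapmodify_dry_run() {
    command -v ldapmodify >/dev/null 2>&1 || { echo "ldapmodify not installed" >&2; return 2; }
    ldapmodify -x -n -v -c -H "${LDAPURI:-ldap://192.168.1.143}" \
        -D "cn=root,dc=sitoi,dc=cn" -W -f "$1"
}

# Usage: write both files, then preflight the modification.
tmp=${TMPDIR:-/tmp}
write_add_ldif demo "dc=sitoi,dc=cn" "$tmp/demo.ldif"
write_modify_ldif "uid=demo,ou=People,dc=sitoi,dc=cn" demo@sitoi.cn "$tmp/modify.ldif"
echo "wrote $tmp/demo.ldif and $tmp/modify.ldif; preflight with: ldapmodify_dry_run $tmp/modify.ldif"
```

Once the dry run is clean, the real change is the same command without -n (and usually without -c, so an unexpected failure stops the run where it happened).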

ldapdelete

ldapdelete - LDAP delete entry tool

The ldapdelete utility opens a connection to the LDAP server, binds, and deletes one or more entries. The DNs of the entries to delete are given on the command line, read from standard input, or read from the file named with the -f option. By default only leaf entries (entries without children) can be deleted.

Options description
-d debuglevel Set the LDAP debugging level. Useful levels include 1 (trace), 2 (packets), 4 (arguments), 32 (filter processing) and 128 (access control). To request several categories, add the masks: for example, debuglevel 33 gives trace and filter information.
-D bindDN Bind to the directory with the distinguished name bindDN.
-f file Read the DNs of the entries to delete from file instead of from standard input.
-h ldaphost Specify an alternate host running the LDAP server.
-p ldapport Specify an alternate TCP port on which the LDAP server listens.
-W Prompt for the simple bind password instead of putting it on the command line. Mutually exclusive with -w.
-w passwd Use passwd as the password for authenticating to the directory. A password given with -w is visible to other users of the system through the ps command, in script files and in the shell history. If neither -w nor -W is given, no password is sent and the bind is unauthenticated, which slapd rejects by default; use -W to be prompted, or -y passwdfile to read the password from a file (whose complete contents, including any trailing newline, become the password).
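The -w warning above applies to every tool in this article. The following added example (not from the original article) is a small wrapper that binds with -W interactively or with -y from a password file, and refuses a password file that other users can read or that ends in a newline. The DNs and file paths are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article: getting the bind password to
# ldapdelete (or any of the client tools) without leaving it in ps output or
# shell history. -w passwd puts it on the command line; -W prompts for it;
# -y passwdfile reads the complete file contents as the password, trailing
# newline included, so the file must be written without one. The DNs and
# file paths below are constructed for illustration.

# Octal permission bits of a file, GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Accept a password file only if it is a regular file, readable by its owner
# alone, and free of a trailing newline (which -y would send as part of the
# password, so the bind would fail in a confusing way). Returns 1 otherwise.
check_passwd_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: not a regular file" >&2; return 1; }
    mode=$(file_mode "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode is too open, want 0600" >&2; return 1 ;;
    esac
    if [ "$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')" = "0a" ]; then
        echo "$f: ends with a newline; write it with printf '%s' instead of echo" >&2
        return 1
    fi
}

# Run a client tool with a simple bind as binddn. Pass "-" as the password
# file for an interactive prompt (-W); otherwise the file is checked and
# handed over with -y. Remaining arguments go to the tool unchanged, e.g.
#   ldap_run ldapdelete "cn=Manager,dc=sitoi,dc=cn" /etc/ldap/bind.pw \
#            "uid=Sitoi,ou=People,dc=sitoi,dc=cn"
ldap_run() {
    tool=$1; binddn=$2; pwfile=$3; shift 3
    if [ "$pwfile" = "-" ]; then
        "$tool" -x -D "$binddn" -W "$@"
    else
        check_passwd_file "$pwfile" || return 1
        "$tool" -x -D "$binddn" -y "$pwfile" "$@"
    fi
}

# Creating the file correctly: no echo (it appends a newline), owner-only mode:
#   (umask 077; printf '%s' 'sitoi' > /etc/ldap/bind.pw)
```

The permission check is deliberately strict: a password file that is group- or world-readable is no better than -w, it merely moves the exposure from ps to the filesystem.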

Example

ldapdelete -x -D "cn=Manager,dc=sitoi,dc=cn" -w sitoi "uid=Sitoi,ou=People,dc=sitoi,dc=cn"

Tips:

An o or ou that still contains entries cannot be deleted: the server refuses with notAllowedOnNonLeaf. Delete the child entries first, or pass -r to ldapdelete to delete the whole subtree recursively.


Origin: www.cnblogs.com/sitoi/p/11819550.html