Ldapsearch
From Linuxmemo.
Current version as of 7 October 2016 at 14:36
LDAP directory client
ldapsearch [options] "(filter)" attrib [attrib] [attrib]...
Options:
  -LLL        output in LDIF format (no comments, no LDIF version line)
  -x          simple authentication (no SASL)
  -D dn       bind DN
  -W          prompt for the password
  -h host     LDAP server host (-H uri takes a full ldap:// or ldaps:// URI instead)
  -b base     search base
  -s scope    search scope (base, one, sub)
  -S "attr"   sort the results by that attribute
Configuration
Files: /etc/openldap/ldap.conf, .ldaprc
LDAP
  #
  # LDAP Defaults
  #
  # See ldap.conf(5) for details
  # This file should be world readable but not world writable.
  #BASE dc=example, dc=com
  #URI ldap://ldap.example.com ldap://ldap-master.example.com:666
  #SIZELIMIT 12
  TIMELIMIT 10
  #DEREF never
  TLS_REQCERT allow
  BASE dc=xxxx,dc=xxxx,dc=fr
  URI ldap://machine.domain.topdomain:389
  BINDDN
LDAPS
  URI ldaps://ldapd.dom:636
  BASE dc=dom
  BINDDN uidNumber=11259, dc=dom
  #HOST
  #PORT
  #SIZELIMIT
  #TIMELIMIT
  #DEREF
  #TLS_CACERT
  #TLS_CACERTDIR
  #TLS_CERT
  #TLS_KEY
  #TLS_RANDFILE
  TLS_REQCERT allow
  ldap_version 3
  bind_policy soft
  scope sub
  timelimit 10
  bind_timelimit 15
  tls_checkpeer no
Note: the lower-case keywords (ldap_version, bind_policy, scope, timelimit, bind_timelimit, tls_checkpeer) are pam_ldap/nss_ldap settings from a shared ldap.conf; the OpenLDAP client library only honours the upper-case keywords documented in ldap.conf(5). TLS_REQCERT allow and tls_checkpeer no both tell the client to proceed even when the server certificate cannot be verified, so with these settings an LDAPS session no longer authenticates the server; setting TLS_CACERT to the issuing CA and TLS_REQCERT demand restores that check.
Filters
See: Ldap
Problems
- ldapsearch says "hostname does not match CN"
If the error "TLS: hostname does not match CN in peer certificate" appears during the LDAPS handshake, retrieve the LDAP server certificate and check which server name it carries with:
  # openssl s_client -connect ldapserver:port
To skip the certificate check on the client, edit /etc/openldap/ldap.conf and add or replace TLS_REQCERT, i.e.
  TLS_REQCERT allow
Note that "allow" accepts a certificate that fails verification, so the client can no longer tell the real server from an impostor; the durable fix is to connect using a name that the certificate's subjectAltName (or CN, if there is no SAN) actually lists, or to reissue the server certificate with the right name.
- dn truncated in the results: http://blog.tirasa.net/inhibiting-line-wrap-in-ldapsearch.html
Add the option "ldif-wrap=no". Example:
  ldapsearch -o ldif-wrap=no -x -h adhost.domain.com -p 389 -D cn=administrator,cn=users,dc=domain,dc=com -w password -s sub -b "DC=domain,DC=com" "cn=Fabio Martelli" dn title
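The "hostname does not match CN" item above is usually a SAN-versus-CN problem: once a certificate carries a subjectAltName, the CN is ignored. This added example (not from the wiki page) fetches the LDAPS server certificate with the CA chain still verified, then applies the name-matching rules itself to explain the mismatch instead of switching TLS_REQCERT to allow; the host names and the constructed certificate dicts are assumptions.

```python
import socket
import ssl


def _label_match(pattern, hostname):
    """Match one certificate name against a hostname. A wildcard is only
    honoured in the leftmost label and only covers a single label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_names(cert):
    """Return (SAN dNSName list, CN) from an ssl.getpeercert()-style dict."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return sans, cn


def hostname_matches(cert, hostname):
    """Decide whether cert is valid for hostname and explain why (or why not).
    With a SAN present the CN is never consulted, which is the usual reason a
    certificate that 'looks right' in openssl s_client still fails."""
    sans, cn = certificate_names(cert)
    if sans:
        if any(_label_match(n, hostname) for n in sans):
            return True, "%s matched a subjectAltName entry" % hostname
        return False, "%s not in subjectAltName %s (CN %r ignored)" % (hostname, sans, cn)
    if cn and _label_match(cn, hostname):
        return True, "%s matched CN (no SAN present)" % hostname
    return False, "%s does not match CN %r" % (hostname, cn)


def fetch_peer_cert(host, port=636, cafile=None):
    """Fetch the LDAPS server certificate as a dict. The chain is still
    verified against cafile (or the system store); only the hostname check
    is turned off so a mismatched certificate can be inspected."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Typical use: `ok, why = hostname_matches(fetch_peer_cert("ldapd.dom"), "ldapd.dom")`, where the returned reason names the SAN or CN that should be used in the URI instead of relaxing TLS_REQCERT.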