Ldapsearch
From Linuxmemo.
Revision as of 7 October 2016 at 14:29 by Linuxmemo
LDAP directory client
ldapsearch [options] "(filter)" attrib [attrib] [attrib]...
- Options
  -LLL       Output in LDIF format (no comments, no LDIF version)
  -x         Simple authentication (without SASL)
  -D dn      Bind DN
  -W         Prompt for the password
  -H uri     URI of the LDAP server
  -b base    Search base
  -s scope   Search scope (base, one, sub)
  -S "attr"  Sort by the given attribute
Configuration
Files: /etc/openldap/ldap.conf, .ldaprc
LDAP
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
TIMELIMIT 10
#DEREF never
TLS_REQCERT allow
BASE dc=xxxx,dc=xxxx,dc=fr
URI ldap://machine.domain.topdomain:389
BINDDN
LDAPS
URI ldaps://ldapd.dom:636
BASE dc=dom
BINDDN uidNumber=11259, dc=dom
#HOST
#PORT
#SIZELIMIT
#TIMELIMIT
#DEREF
#TLS_CACERT
#TLS_CACERTDIR
#TLS_CERT
#TLS_KEY
#TLS_RANDFILE
TLS_REQCERT allow
ldap_version 3
bind_policy soft
scope sub
timelimit 10
bind_timelimit 15
tls_checkpeer no
Filters
See: Ldap
Problems
- ldapsearch says hostname does not match CN
If the error "TLS: hostname does not match CN in peer certificate" appears during the LDAPS handshake, retrieve the LDAP server certificate and check the server name it carries with the command:
# openssl s_client -connect ldapserver:port
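To skip the certificate check on the client, edit /etc/openldap/ldap.conf and add or replace TLS_REQCERT as shown below. With allow, the session proceeds even if the server certificate is bad, so the server's identity is no longer verified; connecting with the name that appears in the certificate avoids the error without relaxing the check.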
TLS_REQCERT allow
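An added example, not part of the original page: a shell function that scans an ldap.conf-style file and reports the settings shown above that relax verification of the server certificate (TLS_REQCERT allow or never, tls_checkpeer no), as well as plain ldap:// URIs. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): flag ldap.conf settings that
# disable or weaken verification of the LDAP server certificate.

# audit_ldap_conf FILE
# Prints "line N: finding" for each weak setting; returns 1 if any was found.
audit_ldap_conf() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
    {
        key = toupper($1)              # ldap.conf keywords are case-insensitive
        val = tolower($2)
        # never/allow: the session proceeds even if the certificate is bad
        if (key == "TLS_REQCERT" && (val == "never" || val == "allow")) {
            printf "line %d: TLS_REQCERT %s accepts an invalid certificate\n", NR, val
            bad = 1
        }
        # nss_ldap/pam_ldap switch with the same effect
        if (key == "TLS_CHECKPEER" && val == "no") {
            printf "line %d: tls_checkpeer no skips the peer check\n", NR
            bad = 1
        }
        # plain ldap:// has no TLS unless StartTLS is requested
        if (key == "URI")
            for (i = 2; i <= NF; i++)
                if (tolower($i) ~ /^ldap:\/\//) {
                    printf "line %d: %s is cleartext without StartTLS\n", NR, $i
                    bad = 1
                }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample, modelled on the LDAPS configuration shown on this page.
write_sample_conf() {
    cat > "$1" <<'EOF'
URI ldaps://ldapd.dom:636
BASE dc=dom
#TLS_CACERT
TLS_REQCERT allow
tls_checkpeer no
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_ldap_conf "$sample" || echo "weak TLS settings found in $sample"
rm -f "$sample"
```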
- DN truncated in the results:
Add the option "ldif-wrap=no". Example:
ldapsearch -o ldif-wrap=no -x -h adhost.domain.com -p 389 -D cn=administrator,cn=users,dc=domain,dc=com -w password -s sub -b "DC=domain,DC=com" "cn=Fabio Martelli" dn title