How To Manage and Use LDAP Servers with OpenLDAP Utilities
Introduction
LDAP systems can seem difficult to manage if you do not have a good grasp of the tools available and the information and methods that LDAP requires. In this guide, we will demonstrate how to use the LDAP tools developed by the OpenLDAP team to interact with an LDAP directory server.
Prerequisites
To get started, you should have access to a system with OpenLDAP installed and configured. You can learn how to set up an OpenLDAP server here. You should be familiar with the basic terminology used when working with an LDAP directory service. This guide can be used to get more familiar with these topics.
Installing the Tools
The above prerequisites assume that you already have access to an LDAP system, but you may not have the OpenLDAP tools discussed in this guide installed yet.
On Ubuntu or Debian systems, you can install these tools through the apt repositories. Type the following to update your local package index and install them:
sudo apt-get update
sudo apt-get install ldap-utils
On CentOS or Fedora, you can get the appropriate files using yum. Type the following to install them:
sudo yum install openldap-clients
Once you have the correct packages installed, continue below.
Connecting to the LDAP Instance
Most of the OpenLDAP tools are very flexible, sacrificing a compact command structure for the ability to interact with the system in many different roles. Because of this, the user must choose among various parameters to express even the bare minimum required to connect to an LDAP server.
In this section, we will focus on how to construct the parameters needed to contact the server, based on the type of operation you want to perform. The parameters discussed here are used across the various tools, but we will use ldapsearch for demonstration purposes.
Specifying the Server
The OpenLDAP tools require that you specify an authentication method and a server location for every operation. To specify the server, use the -H flag followed by the protocol and network location of the server in question.
For basic, unencrypted communication, the protocol scheme is ldap://, like this:
ldapsearch -H ldap://server_domain_or_IP . . .
If you are communicating with a local server, you can leave off the server domain name or IP address (you still need to specify the scheme).
If you are connecting to the LDAP server using LDAP over SSL, you will need to use the ldaps:// scheme (note that this is a deprecated method; the OpenLDAP project recommends using a STARTTLS upgrade on the normal LDAP port instead. Learn how to set that up here):
ldapsearch -H ldaps://server_domain_or_IP . . .
These protocols assume the default ports (389 for conventional LDAP and 636 for LDAP over SSL). If you are using a non-standard port, you will need to add a colon and the port number to the end.
To connect to an LDAP directory on the same server you are querying from, over Linux IPC (interprocess communication), you can use the ldapi:// protocol. This is more secure, and is required for some administrative tasks:
ldapsearch -H ldapi:// . . .
Since the ldapi scheme requires a local connection, we never have to specify a server name here. However, if you have changed the socket file location in the LDAP server configuration, you will need to specify the new socket location as part of the address.
Anonymous Bind
LDAP requires clients to identify themselves so that the server can determine the level of access to grant to requests. This is done using an LDAP mechanism called "binding", which is basically just a term for associating your request with a known security entity. LDAP understands three different types of authentication.
The most generic type of authentication a client can use is an "anonymous" bind. This is pretty much the absence of authentication. LDAP servers can categorize certain operations as accessible to anyone (typically, by default, a public-facing DIT is configured as read-only for anonymous users). If you are using an anonymous bind, those operations will be available to you.
The OpenLDAP tools assume SASL authentication by default (we will discuss this later), so to allow an anonymous bind, we have to pass the -x parameter. Combined with the server specification, this looks like this:
ldapsearch -H ldap://server_domain_or_IP -x
If you type that without supplying any other parameters, you should get a result like this:
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
This indicates that the tool did not find what we were searching for. Since we did not provide any query parameters, this is expected, but it does show that our anonymous bind was accepted by the server.
Simple Authentication
The second method of authenticating to an LDAP server is with a simple bind. A simple bind uses an entry in the LDAP server to authenticate the request. The DN (distinguished name) of the entry functions as the username for authentication. An attribute within the entry defines the password that must be supplied during the request.
Finding the DIT Root Entry and the RootDN Bind
To authenticate using simple authentication, you need to know the parent element at the top of the DIT hierarchy, called the root, base, or suffix entry, under which all other entries live. You also need to know the DN to bind to.
Typically, during installation of the LDAP server, an initial DIT is set up, and an administrative entry (called the rootDN) and a password are configured. At the start, this will be the only DN configured for binding.
If you do not know the root entry of the LDAP server you are connecting to, you can query a special "meta" entry outside of the regular LDAP DIT for information about the DIT root entries it knows about (this is called the root DSE). You can query this entry for the DIT names by typing:
ldapsearch -H ldap://server_domain_or_IP -x -LLL -s base -b "" namingContexts
The LDAP server should return the root entries it knows about, which will look something like this:
dn:
namingContexts: dc=example,dc=com
The highlighted area is the root of the DIT. We can use this to search for the entry we want to bind to. Administrative entries typically use the simpleSecurityObject objectClass to gain the ability to set a password in the entry. We can use this to search for entries that have this class:
ldapsearch -H ldap://server_domain_or_IP -x -LLL -b "dc=example,dc=com" "(objectClass=simpleSecurityObject)" dn
This will give you a list of entries that use this class. Usually there is only one:
dn: cn=admin,dc=example,dc=com
This is the rootDN account we can bind to. You should have configured the password for this account during the server installation. If you do not know the password, you can follow this guide to reset it.
Performing the Bind
Once you have an entry and password, you can perform a simple bind during your request to authenticate yourself to the LDAP server.
Again, we must specify the LDAP server location and pass the -x flag to indicate that we do not wish to use SASL authentication. To perform the actual bind, we need to specify the DN to bind to with the -D flag, and provide the password with either the -w or -W flag. The -w option allows you to supply the password as part of the command, while the -W option will prompt you for the password.
An example request binding to the rootDN would look like this:
ldapsearch -H ldap://server_domain_or_IP -x -D "cn=admin,dc=example,dc=com" -W
We should get the same result as with the anonymous bind, indicating that our credentials were accepted. Binding to an entry typically gives you additional privileges that are not available with an anonymous bind. Binding to the rootDN gives you read/write access to the entire DIT, regardless of access controls.
SASL Authentication
SASL stands for simple authentication and security layer. It is a framework for hooking authentication methods up to protocols, designed to provide a flexible authentication system that is not tied to a specific implementation. You can check out the Wikipedia page to learn about the various methods available.
Your LDAP server likely supports only a subset of the possible SASL mechanisms. To find out which mechanisms it allows, you can type:
ldapsearch -H ldap:// -x -LLL -s base -b "" supportedSASLMechanisms
The results you see will vary depending on the scheme you used to connect. For the unencrypted ldap:// scheme, most systems will allow the following by default:
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
If you are using the ldapi:// scheme, which uses secure interprocess communication, you may have more options:
ldapsearch -H ldapi:// -x -LLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: NTLM
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
Configuring most SASL authentication methods can take a bit of time, so we will not go into much detail here. While SASL authentication is generally beyond the scope of this article, we should discuss the EXTERNAL method, which we saw is available for the ldapi:// scheme.
The EXTERNAL mechanism indicates that authentication and security are handled by some other means associated with the connection. For instance, it can be used with SSL to provide encryption and authentication.
Most commonly, you will see it used with the ldapi:// interface by the root user or through sudo. Since ldapi:// uses Unix sockets, the user initiating the request can be obtained and used to authenticate for certain operations. The DIT that LDAP uses for its configuration uses this mechanism to authenticate the root user to read and change the LDAP configuration. These requests look like this:
sudo ldapsearch -H ldapi:// -Y EXTERNAL . . .
This is used to modify the LDAP configuration, which is typically held in a DIT beginning with the cn=config root entry.
Setting up an .ldaprc File
So far, we have been specifying connection information mostly on the command line. You can save yourself some typing, however, by placing some of the common connection values in a configuration file.
The global client configuration file is located at /etc/ldap/ldap.conf, but you will mainly want to make changes to the user-specific configuration file at ~/.ldaprc in your home directory. Create and open a file with this name in your text editor:
nano ~/.ldaprc
Inside, the basic settings you will probably want to configure are BASE, URI, and BINDDN:
BASE: The default base DN used to specify the entry that searches should start from. This DN is overridden if another search base DN is provided on the command line (we will see more about this in the next section).
URI: The address where the LDAP server can be reached. This should include a scheme (ldap for regular LDAP, ldaps for LDAP over SSL, and ldapi for LDAP over an IPC socket) followed by the name and port of the server. The name can be left off if the server is located on the same machine, and the port can be left off if the server is running on the default port for the chosen scheme.
BINDDN: This specifies the default LDAP entry to bind to. It is used to provide the "account" information for the access you wish to use. You will still need to specify any password on the command line.
This takes care of the simple authentication information. If you are using SASL authentication, check man ldap.conf for the options for configuring SASL credentials.
If our LDAP base entry is dc=example,dc=com, the server is located on the local machine, and we are binding to cn=admin,dc=example,dc=com, we might have a ~/.ldaprc file that looks like this:
BASE dc=example,dc=com
URI ldap://
BINDDN cn=admin,dc=example,dc=com
With this in place, we can perform a basic search by specifying only non-SASL authentication and providing the password associated with the admin entry. This will produce a full subtree search of the default base DN we specified:
ldapsearch -x -w password
This can help shorten the "boilerplate" connection options you use when working with the LDAP utilities. Throughout this guide, we will include the connection information in the commands to make it explicit, but when running the commands, you can leave out any part that you have specified in the configuration file.
Querying the DIT and Looking up Entries with ldapsearch
Now that we have a good handle on how to authenticate and specify the LDAP server, we can begin talking more about the actual tools you have at your disposal. For most of our examples, we will assume that we are performing these operations on the same server that hosts the LDAP server. This means that our host specification will be blank after the scheme. We will also assume that the base entry of the DIT the server manages is dc=example,dc=com. The rootDN will be cn=admin,dc=example,dc=com. Let's get started.
We will start with ldapsearch, since we have been using it in our examples so far. LDAP systems are optimized for search, read, and lookup operations. If you are working with an LDAP directory, the majority of your operations will probably be searches or lookups. The ldapsearch tool is used to query and display information in an LDAP DIT.
We covered the part of the syntax responsible for naming and connecting to the server, which looks like this:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -W
这为我们提供了连接和验证服务器上运行的 LDAP 实例所需的最低限度,但是,我们实际上并没有搜索任何东西。要了解更多信息,我们必须讨论搜索基础和搜索范围的概念。
搜索基础和范围
In LDAP, the place where a search begins is called the search base. This is an entry within the DIT from which the operation will start, and it acts as an anchor. We specify the search base by passing the entry name with the -b flag.
For example, to start from the root of the dc=example,dc=com DIT, we could use it as the search base like this:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com"
This command should produce every entry under dc=example,dc=com that the user you bound with has access to. If we use a different entry, we will get another portion of the tree. For example, if we start at the admin entry, you will probably get only the admin entry itself:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -b "cn=admin,dc=example,dc=com"
# extended LDIF
#
# LDAPv3
# base <cn=admin,dc=example,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# admin, example.com
dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9ejN2UmHoRjdha09tQY96TC9IN0kxYUVCSjhLeXBsc3A=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
We have been specifying the base in these examples, but we can further shape how the tool finds results by specifying the search scope. This is set with the -s option, and can be any of the following:
sub: The default search scope if no other is specified. This searches the base entry itself and all of its descendants in the tree. This is the largest scope.
base: This searches only the search base itself. It is used to return the entry specified as the search base, and is more accurately described as a lookup than a search.
one: This searches only the immediate descendants/children of the search base (the single hierarchy level below the search base). It does not include the search base itself, and does not include the subtree below any of these entries.
children: This functions the same as the sub scope, but it does not include the search base itself in the results (it searches every entry beneath, but not including, the search base).
Using the -s flag and the -b flag, we can begin to shape the areas of the DIT that we want the tool to look in. For instance, we can see all of the first-level children of our base entry by using the one scope, like this:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com" -s one -LLL dn
We added -LLL dn to the end to filter the output a bit. We will discuss this further later in the article. If we had added a few more entries to the tree, this might have returned results like this:
dn: cn=admin,dc=example,dc=com
dn: ou=groups,dc=example,dc=com
dn: ou=people,dc=example,dc=com
If we wanted to see everything under the ou=people entry, we could set that as the search base and use the children scope:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -b "ou=people,dc=example,dc=com" -s children -LLL dn
By tweaking the search base and search scope, you can operate on just the portions of the DIT that you are interested in. This will make your query perform better by only searching a section of the tree and it will only return the entries you are interested in.
Removing Extraneous Output
Before moving on, let's talk about how to remove some of the extra output that ldapsearch produces.
The majority of the extra output is controlled with -L flags. You can use zero to three -L flags depending on the level of output that you'd like to see. The more -L flags you add, the more information is suppressed. It might be a good idea to refrain from suppressing any output when learning or troubleshooting, but during normal operation, using all three levels will probably lead to a better experience.
If you are using SASL authentication, when modifying the cn=config DIT for instance, you can additionally use the -Q flag. This will enable SASL quiet mode, which will remove any SASL-related output. This is fine when using the -Y EXTERNAL method, but be careful if you are using a mechanism that prompts for credentials, because the prompt will be suppressed as well (leading to an authentication failure).
Search Filters and Output Attribute Filters
To actually perform a search instead of simply outputting the entirety of the search scope, you need to specify the search filter.
These can be placed towards the end of the line and take the form of an attribute type, a comparison operator, and a value. Often, they are specified within quotation marks to prevent interpretation by the shell. Parentheses are used to indicate the bounds of one filter from another. These are optional in simple, single-attribute searches, but required in more complex, compound filters. We’ll use them here to better indicate where the search filter is.
As an example, we could see if there is an entry within the dc=example,dc=com DIT with a username (uid) attribute set to "jsmith". This searches each entry within the search scope for an attribute set to that value:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com" -LLL "(uid=jsmith)"
We used the equality operator in the above example, which tests for an exact match of an attribute's value. There are various other operators as well, which function as you would expect. For example, to search for entries that contain an attribute, without caring about the value set, you can use the "presence" operator, which is simply an equals sign with a wildcard on the right side of the comparison. We could search for entries that contain a password by typing:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com" -LLL "(userPassword=*)"
Some search filters that are useful are:
- Equality: Uses the = operator to match an exact attribute value.
- Presence: Uses =* to check for the attribute's existence without regard to its value.
- Greater than or equal: Uses the >= operator to check for values greater than or equal to the given value.
- Less than or equal: Uses the <= operator to check for values less than or equal to the given value.
- Substring: Uses = with a string and the * wildcard character as part of the string. Used to specify part of the value you are looking for.
- Proximity: Uses the ~= operator to approximately match what is on the right. This is not always supported by the LDAP server (in which case an equality or substring search will be performed instead).
You can also negate most of the searches by wrapping the search filter in an additional set of parentheses prefixed with the “!” negation symbol. For example, to search for all organizational unit entries, we could use this filter:
"(ou=*)"
To search for all entries that are not organizational unit entries, we could use this filter:
"(!(ou=*))"
The negation modifier reverses the meaning of the search filter that follows.
Following the filter specification, we can also add attribute output filters. This is just a list of attributes that you wish to display from each matched entry. By default, every attribute that your credentials have read access to are displayed for each matched entry. Setting an attribute output filter allows you to specify exactly what type of output you’d like to see.
For instance, we can search for all entries that have user IDs, but only display the associated common name of each entry by typing:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com" -LLL "(uid=*)" cn
This might produce a list that looks like this:
dn: uid=bwright,ou=People,dc=example,dc=com
cn: Brian Wright
dn: uid=jsmith1,ou=People,dc=example,dc=com
cn: Johnny Smith
dn: uid=sbrown2,ou=People,dc=example,dc=com
cn: Sally Brown
If we want to see their entry description as well, we can just add that to the list of attributes to display:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com" -LLL "(uid=*)" cn description
It would instead show something like this:
dn: uid=bwright,ou=People,dc=example,dc=com
cn: Brian Wright
description: Brian Wright from Marketing. Brian takes care of marketing, pres
s, and community. Ask him for help if you need any help with outreach.
dn: uid=jsmith1,ou=People,dc=example,dc=com
cn: Johnny Smith
description: Johnny Smith from Accounting. Johnny is in charge of the company
books and hiring within the Accounting department.
dn: uid=sbrown2,ou=People,dc=example,dc=com
cn: Sally Brown
description: Sally Brown from engineering. Sally is responsible for designing
the blue prints and testing the structural integrity of the design.
If no attribute filter is given, all attributes are returned. This can be made explicit with the “*” character. To return operational attributes (special metadata attributes managed in the background for each entry), you can use the special “+” symbol. For instance, to see the operational attributes for our rootDN, we could type:
ldapsearch -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com" -LLL "(cn=admin)" "+"
The results would look something like this:
dn: cn=admin,dc=example,dc=com
structuralObjectClass: organizationalRole
entryUUID: cdc718a0-8c3c-1034-8646-e30b83a2e38d
creatorsName: cn=admin,dc=example,dc=com
createTimestamp: 20150511151904Z
entryCSN: 20150514191233.782384Z#000000#000#000000
modifiersName: cn=admin,dc=example,dc=com
modifyTimestamp: 20150514191233Z
entryDN: cn=admin,dc=example,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Compound Searching
Compound searching involves combining two or more individual search filters to get more precise results. Search filters are combined by wrapping them in another set of parentheses with a relational operator as the first item. This is easier demonstrated than explained.
The relational operators are the “&” character which works as a logical AND, and the “|” character, which signifies a logical OR. These precede the filters whose relationships they define within an outer set of parentheses.
So to search for an entry that has both a description and an email address in our domain, we could construct a filter like this:
"(&(description=*)(mail=*@example.com))"
For an entry to be returned, it must have both of those attributes defined.
The OR symbol will return the results if either of the sub-filters are true. If we want to output entries for which we have contact info, we might try a filter like this:
"(|(telephoneNumber=*)(mail=*)(street=*))"
Here, we see that the operator can apply to more than two sub-filters. We can also nest these logical constructions as needed to create quite complex patterns.
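To make the filter semantics concrete, here is an added example (not code from the guide or from OpenLDAP) that parses the RFC 4515 filter syntax used throughout the Search Filters and Compound Searching sections and evaluates it against a few constructed in-memory entries. It supports the simple operators listed above (equality, presence, >=, <=, substring with * wildcards, and ~=) and the &, | and ! compound forms, including nesting. Two assumptions of this example: ~= falls back to plain equality, as the text notes a server may do, and >= / <= compare as integers when both sides are numeric and as strings otherwise (a real server uses the attribute's ordering rule). The entries are constructed to resemble the ou=People subtree shown earlier; attribute names are matched case-insensitively.

```python
"""Parse and evaluate LDAP search filters (RFC 4515 syntax) in memory.

Constructed example, not OpenLDAP code. Approximate match (~=) falls
back to equality; attribute names are matched case-insensitively.
"""
import re

SIMPLE = re.compile(r"([A-Za-z][\w\-.;]*)(>=|<=|~=|=)(.*)$")

def parse_filter(text):
    """Return a nested tuple tree for the filter string."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError("expected %r at offset %d" % (ch, pos))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        if text[pos] in "&|":                 # compound: (&(f1)(f2)...)
            op = text[pos]
            pos += 1
            items = []
            while text[pos] == "(":
                items.append(node())
            expect(")")
            return (op, items)
        if text[pos] == "!":                  # negation: (!(f))
            pos += 1
            inner = node()
            expect(")")
            return ("!", inner)
        end = text.index(")", pos)            # simple item: attr op value
        m = SIMPLE.match(text[pos:end])
        if not m:
            raise ValueError("bad filter item %r" % text[pos:end])
        pos = end + 1
        attr, op, value = m.group(1).lower(), m.group(2), m.group(3)
        if op == "=" and value == "*":
            return ("present", attr)
        if op == "=" and "*" in value:
            return ("substr", attr, value)
        return (op, attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree

def compare(a, b):
    """Integer ordering when both sides are integers, otherwise string ordering."""
    try:
        a, b = int(a), int(b)
    except ValueError:
        pass
    return (a > b) - (a < b)

def matches(entry, node):
    """entry maps lower-case attribute names to lists of string values."""
    kind = node[0]
    if kind == "&":
        return all(matches(entry, n) for n in node[1])
    if kind == "|":
        return any(matches(entry, n) for n in node[1])
    if kind == "!":
        return not matches(entry, node[1])
    values = entry.get(node[1], [])
    if kind == "present":
        return bool(values)
    target = node[2]
    if kind == "substr":                      # each * matches any run of characters
        pattern = ".*".join(re.escape(part) for part in target.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    if kind in ("=", "~="):
        return any(v.lower() == target.lower() for v in values)
    if kind == ">=":
        return any(compare(v, target) >= 0 for v in values)
    return any(compare(v, target) <= 0 for v in values)   # "<="

def ldap_search(entries, filter_text):
    """Return the DNs of the entries that match the filter, in input order."""
    tree = parse_filter(filter_text)
    return [e["dn"][0] for e in entries if matches(e, tree)]

# Constructed entries resembling the ou=People subtree used in this guide.
ENTRIES = [
    {"dn": ["uid=bwright,ou=People,dc=example,dc=com"], "uid": ["bwright"],
     "cn": ["Brian Wright"], "mail": ["bwright@example.com"],
     "description": ["Marketing"], "uidnumber": ["1001"]},
    {"dn": ["uid=jsmith1,ou=People,dc=example,dc=com"], "uid": ["jsmith1"],
     "cn": ["Johnny Smith"], "telephonenumber": ["555-0100"], "uidnumber": ["1002"]},
    {"dn": ["ou=People,dc=example,dc=com"], "ou": ["People"],
     "objectclass": ["organizationalUnit"]},
]

if __name__ == "__main__":
    for f in ["(uid=jsmith1)", "(!(ou=*))", "(&(description=*)(mail=*@example.com))",
              "(|(telephoneNumber=*)(mail=*)(street=*))", "(uidNumber>=1002)"]:
        print(f, "->", ldap_search(ENTRIES, f))
```

The parser turns a filter into a small tree and the evaluator walks it, which is also why a missing parenthesis (as in a filter written "(!(ou=*)") is rejected with a ValueError rather than silently matching something else.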
Using ldapmodify and Variations to Change or Create LDAP Entries
So far, we have focused exclusively on the ldapsearch command, which is useful for looking up, searching, and displaying entries and entry segments within an LDAP DIT. This will satisfy the majority of users' read-only requirements, but we need a different tool if we want to change the objects in the DIT.
The ldapmodify command manipulates a DIT through the use of LDIF files. You can learn more about LDIF files and the specifics of how to use these to modify or add entries by looking at this guide.
The basic format of ldapmodify closely matches the ldapsearch syntax that we've been using throughout this guide. For instance, you will still need to specify the server with the -H flag, and authenticate using the -Y flag for SASL authentication or the -x, -D, and -[W|w] flags for simple authentication.
Applying Changes from an LDIF File
After providing these boilerplate options, the most common action is to read in an LDIF file and apply it to the DIT. This can be accomplished with the -f option (if you do not use the -f option, you will have to type in a change using the LDIF format on the command line). You will need to create the LDIF file yourself, using the syntax described in the guide linked to above:
ldapmodify -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -f /path/to/file.ldif
This will read the LDIF file and apply the changes specified within. For the ldapmodify command, each LDIF change should have a changetype specified. The ldapmodify command is the most general form of the DIT manipulation commands.
If your LDIF file is adding new entries and does not include changetype: add for each entry, you can use the -a flag with ldapmodify, or simply use the ldapadd command, which basically aliases this behavior. For example, an LDIF file which includes the changetype would look like this:
dn: ou=newgroup,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: newgroup
To process this file, you could simply use ldapmodify:
ldapmodify -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -f /path/to/file.ldif
However, the file could also be constructed without the changetype, like this:
dn: ou=newgroup,dc=example,dc=com
objectClass: organizationalUnit
ou: newgroup
In this case, to add this entry to the DIT, you would either need to use the -a flag with ldapmodify, or use the ldapadd command. Either:
ldapmodify -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -a -f /path/to/file.ldif
Or this:
ldapadd -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -f /path/to/file.ldif
Similar commands are available for entry deletion (ldapdelete) and moving LDAP entries (ldapmodrdn). Using these commands eliminates the need for you to specify changetype: delete and changetype: modrdn explicitly in the files, respectively. For each of these, it is up to you which format to use (whether to specify the change in the LDIF file or on the command line).
Testing Changes and Handling Errors
If you want to do a dry run of any LDIF file, you can use the -n and -v flags. This will tell you what change would be performed without modifying the actual DIT:
ldapmodify -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -n -v -f /path/to/file.ldif
Typically, if an error occurs while processing an LDIF file, the operation halts immediately. This is generally the safest thing to do because often, change requests later in the file will modify the DIT under the assumption that the earlier changes were applied correctly.
However, if you want the command to continue through the file, skipping the error-causing changes, you can use the -c flag. You'll probably also want to use the -S flag to point to a file where the errors can be written, so that you can fix the offending requests and re-run them:
ldapmodify -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w password -c -S /path/to/error_file -f /path/to/file.ldif
This way, you will have a log (complete with comments indicating the offending entries) to evaluate after the operation.
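The two ldapmodify sections above (applying changetype records, and the -a, -n, -c and -S behaviours) can be seen together in this added example, which is not code from the guide or from the OpenLDAP project. It reads a constructed LDIF change file into a small in-memory DIT (a dict of DN to attributes) and applies the add, modify, delete and modrdn changetypes. The keyword arguments mirror the flags discussed: add_default stands in for -a (records without a changetype are treated as adds), dry_run for -n (records are checked but nothing is changed), and continue_on_error for -c, with the per-record error messages collected in a list instead of the file that -S names. The deliberately failing third record shows the difference between halting on the first error and continuing past it. Assumptions of this example: base64 (::) values and value-level deletes within a modify are not handled, and deleteoldrdn is accepted but ignored.

```python
"""Apply LDIF change records to an in-memory DIT the way ldapmodify would.

Constructed example, not OpenLDAP code. Base64 (::) values and
value-level deletes inside a modify record are not handled.
"""
import copy

def parse_ldif(text):
    """Return a list of {'dn', 'changetype', 'attrs'} dicts, one per record.
    Records are separated by blank lines; '#' comment lines are skipped and
    lines beginning with a space continue the previous line."""
    records, current = [], []
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = []
        elif line.startswith(" ") and current:
            current[-1] += line[1:]
        else:
            current.append(line)
    result = []
    for rec in records:
        fields = [(k.strip().lower(), v.strip()) for k, _, v in (l.partition(":") for l in rec)]
        if fields[0][0] != "dn":
            raise ValueError("record must start with a dn line")
        ct = next((v.lower() for k, v in fields if k == "changetype"), None)
        attrs = [(k, v) for k, v in fields[1:] if k != "changetype"]
        result.append({"dn": fields[0][1], "changetype": ct, "attrs": attrs})
    return result

def apply_one(dit, dn, changetype, attrs):
    """Apply a single change record to dit (dn -> {attr: [values]})."""
    if changetype == "add":
        if dn in dit:
            raise ValueError("entry already exists")
        entry = {}
        for k, v in attrs:
            entry.setdefault(k, []).append(v)
        dit[dn] = entry
    elif changetype == "delete":
        del dit[dn]                        # KeyError if the entry is absent
    elif changetype == "modrdn":
        newrdn = dict(attrs)["newrdn"]     # deleteoldrdn is accepted but not modelled
        dit[newrdn + "," + dn.split(",", 1)[1]] = dit.pop(dn)
    elif changetype == "modify":
        entry, op, target = dit[dn], None, None
        for k, v in attrs:                 # add:/replace:/delete: headers, values, '-'
            if k in ("add", "replace", "delete"):
                op, target = k, v.lower()
                if op == "replace":
                    entry[target] = []
                elif op == "delete":
                    entry.pop(target, None)
            elif k == "-":
                op = None
            elif op in ("add", "replace") and k == target:
                entry.setdefault(target, []).append(v)
            else:
                raise ValueError("malformed modify record near %r" % k)
    else:
        raise ValueError("unknown changetype %r" % changetype)

def apply_ldif(dit, text, add_default=False, dry_run=False, continue_on_error=False):
    """Apply every record in text to dit. Returns (applied, errors); raises on
    the first error unless continue_on_error (the -c behaviour) is set."""
    applied, errors = 0, []
    for rec in parse_ldif(text):
        changetype = rec["changetype"] or ("add" if add_default else None)
        try:
            if changetype is None:
                raise ValueError("no changetype (use -a, ldapadd, or changetype: add)")
            if not dry_run:
                apply_one(dit, rec["dn"], changetype, rec["attrs"])
            applied += 1
        except (ValueError, KeyError) as exc:
            errors.append("%s: %s" % (rec["dn"], exc))
            if not continue_on_error:
                raise
    return applied, errors

# Constructed starting DIT and LDIF, modelled on the entries used in this guide.
START = {
    "dc=example,dc=com": {"objectclass": ["dcObject", "organization"], "dc": ["example"]},
    "cn=admin,dc=example,dc=com": {"cn": ["admin"], "description": ["LDAP administrator"]},
}

SAMPLE_LDIF = """\
# one record per change; the third one deletes an entry that does not exist
dn: ou=newgroup,dc=example,dc=com
changetype: add
objectClass: organizationalUnit
ou: newgroup

dn: cn=admin,dc=example,dc=com
changetype: modify
replace: description
description: LDAP administrator (updated)
-

dn: ou=doesnotexist,dc=example,dc=com
changetype: delete

dn: ou=newgroup,dc=example,dc=com
changetype: modrdn
newrdn: ou=renamedgroup
deleteoldrdn: 1
"""

def fresh_dit():
    """A deep copy of START so every run begins from the same state."""
    return copy.deepcopy(START)

if __name__ == "__main__":
    dit = fresh_dit()
    applied, errors = apply_ldif(dit, SAMPLE_LDIF, continue_on_error=True)
    print("applied:", applied, "errors:", errors)
    print(sorted(dit))
```

Without continue_on_error the KeyError from the third record propagates and the fourth record is never reached, while the first two changes have already been applied, which is the same partial state the text warns about when a file halts part-way through.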
Various Other LDAP Commands
The commands that we’ve already covered perform the most common LDAP operations you will use on a day-to-day basis. There are a few more commands though that are useful to know about.
ldappasswd
If some of your LDAP entries have passwords, the ldappasswd command can be used to modify the entry. This works by authenticating using the account in question or an administrative account, and then providing the new password (and optionally the old password).
The old password should be specified using either the -a flag (the old password is given in-line as the next item), the -A flag (the old password is prompted for), or the -t flag (the old password is read from the file given as the next item). This is optional for some LDAP implementations but required by others, so it is best to include it.
The new password should be specified using either the -s flag (the new password is given in-line as the next item), the -S flag (the new password is prompted for), or the -T flag (the new password is read from the file given as the next item).
So a typical change may look like this:
ldappasswd -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w oldpassword -a oldpassword -s newpassword
If no entry is given, the entry that is being used for binding will be changed. If you are binding to an administrative entry, you can change other entries that you have write access to by providing them after the command.
ldappasswd -H ldap:// -x -D "cn=admin,dc=example,dc=com" -w adminpassword -a oldpassword -s newpassword "uid=user,dc=example,dc=com"
To learn more about changing and resetting passwords, check out this guide.
ldapwhoami
The ldapwhoami command can tell you how the LDAP server sees you after authenticating.
If you are using anonymous or simple authentication, the results will probably not be too useful (“anonymous” or exactly the entry you are binding to, respectively). However, for SASL authentication, this can provide insight into how your authentication mechanism is being seen.
For instance, if we use the -Y EXTERNAL SASL mechanism with sudo to perform operations on the cn=config DIT, we could check with ldapwhoami to see the authentication DN:
sudo ldapwhoami -H ldapi:// -Y EXTERNAL -Q
dn:gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
This is not an actual entry in our DIT, it is just how SASL authentication gets translated into a format that LDAP can understand. Seeing the authentication DN can be used to create mappings and access restrictions though, so it is good to know how to get this information.
ldapurl
The ldapurl tool allows you to construct LDAP URLs by specifying the various components involved in your query. LDAP URLs are a way that you can request resources from an LDAP server through a standardized URL. These are unauthenticated connections and are read-only. Many LDAP solutions no longer support LDAP URLs for requesting resources, so their use may be limited depending on the software you are using.
The standard LDAP URL is formatted using the following syntax:
ldap://host:port/base_dn?attr_to_return?search_scope?filter?extension
The components are as follows:
base_dn: The base DN to begin the search from.
attr_to_return: The attributes from the matching entries that you're interested in. These should be comma-separated.
search_scope: The search scope. Either base, sub, one, or children.
filter: The search filter used to select the entries that should be returned.
extension: The LDAP extensions that you wish to specify. We won't cover these here.
Each item in the URL is separated by a question mark. You do not have to provide items that you are not using, but because the item type is identified by its position in the string, you must leave that item's "slot" empty, which can leave several consecutive question marks. You can stop the URL as soon as you have added your information (you do not need trailing question marks to mark the unused "slots").
For example, a URL might look like this:
ldap://localhost:389/dc=example,dc=com?dn,ou?sub?(ou=*)
If you want to feed this into the ldapurl tool, you can use the -H flag and put the URL in quotes:
ldapurl -H "ldap://localhost:389/dc=example,dc=com?dn,ou?sub?(ou=*)"
The command will break it down like this:
scheme: ldap
host: localhost
port: 389
dn: dc=chilidonuts,dc=tk
selector: dn
selector: ou
scope: sub
filter: (ou=*)
You can also use flags to reverse the process and piece together an LDAP URL. The flags mirror the components of an LDAP URL:
-S: The URL scheme (ldap, ldaps, or ldapi). The ldap scheme is the default.
-h: The LDAP server name or address.
-p: The LDAP server port. The default depends on the scheme.
-b: The base DN to start the query from.
-a: A comma-separated list of attributes to return.
-s: The search scope to use (base, sub, children, or one).
-f: The LDAP filter used to select the entries to return.
-e: The LDAP extensions to specify.
Using these, you could type something like this:
ldapurl -h localhost -b "dc=example,dc=com" -a dn,ou -s sub -f "(ou=*)"
The command will return the constructed URL, which looks like this:
ldap://localhost:389/dc=example,dc=com?dn,ou?sub?(ou=*)
You can use this to build URLs for use with LDAP clients that are able to communicate using this format.
ldapcompare
The ldapcompare tool can be used to compare an entry's attribute to a value. This is used to perform simple assertion checks to validate data.
The process involves the usual bind against the data you are querying, then providing the entry DN and the assertion to check. The assertion is given by specifying an attribute and a value, separated by one or two colons. For simple string values, a single colon should be used. A double colon indicates that a base64-encoded value is being given.
So you could assert that John is a member of the "powerusers" group like this:
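As an added example (not ldapurl's own code, nor code from the guide), the following parses the positional, question-mark-separated layout described above and builds such URLs back up, dropping unused trailing slots the way the ldapurl output above does. Assumptions: the scheme's default port (389 for ldap, 636 for ldaps) is filled in when none is given, an empty scope defaults to base and an empty filter to (objectClass=*) as the LDAP URL standard specifies, and only the characters that must be percent-encoded in a DN or filter are escaped.

```python
"""Parse and build LDAP URLs of the form
ldap://host:port/base_dn?attrs?scope?filter?extensions.

Constructed example, not the ldapurl tool's code.
"""
from urllib.parse import quote, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}   # ldapi has no port

def parse_ldap_url(url):
    """Split an LDAP URL into its components, applying the standard defaults."""
    scheme, rest = url.split("://", 1)
    if scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("unsupported scheme: %s" % scheme)
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    # The fields after the base DN are positional, so an unused slot is empty.
    fields = tail.split("?") + [""] * 5
    dn, attrs, scope, filt, exts = (unquote(f) for f in fields[:5])
    return {
        "scheme": scheme,
        "host": host,
        "port": int(port) if port else DEFAULT_PORTS.get(scheme),
        "dn": dn,
        "attrs": [a for a in attrs.split(",") if a],
        "scope": scope or "base",               # default scope is base
        "filter": filt or "(objectClass=*)",    # default filter matches everything
        "extensions": [e for e in exts.split(",") if e],
    }

def build_ldap_url(host="", port=None, dn="", attrs=(), scope="", filt="", exts=(), scheme="ldap"):
    """Assemble a URL from its parts, dropping unused trailing slots."""
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    netloc = host + (":%d" % port if port else "")
    fields = [quote(dn, safe="=,"), ",".join(attrs), scope,
              quote(filt, safe="=()*"), ",".join(exts)]
    while fields and not fields[-1]:
        fields.pop()
    return "%s://%s/%s" % (scheme, netloc, "?".join(fields))

if __name__ == "__main__":
    parsed = parse_ldap_url("ldap://localhost:389/dc=example,dc=com?dn,ou?sub?(ou=*)")
    for key, value in parsed.items():
        print("%s: %s" % (key, value))
    print(build_ldap_url(host="localhost", dn="dc=example,dc=com",
                         attrs=["dn", "ou"], scope="sub", filt="(ou=*)"))
```

Parsing the example URL from the text gives the same breakdown ldapurl prints, and building from the same parts reproduces the URL, so the two functions round-trip.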
ldapcompare -H ldap:// -x "ou=powerusers,ou=groups,dc=example,dc=com" "member:uid=john,ou=people,dc=example,dc=com"
If he is in the group, this will return TRUE. If he is not in the group, the command will return FALSE. If the DN used to bind does not have sufficient permission to read the attribute in question, it will return UNDEFINED.
This can be used as the basis of an authorization system, by checking group membership before performing a requested action.
Conclusion
You should now have a good understanding of how to use some of the LDAP utilities to connect to, manage, and use an LDAP server. Other clients may provide a more usable interface for day-to-day management of your LDAP system, but these tools can help you become familiar with the basics and provide good low-level access to the data and structure of the DIT.