LDAP from command line


Using LDAP from the command line can be quite man-page (or info-page) expensive.

Usually LDAP is used for Samba authentication, so it is set up something like this:

The domain example.com is described in LDAP as the base DN:
"dc=example,dc=com"

Two OUs are also usually present:
ou=groups for all groups and
ou=users for all users.
All of this is case insensitive.

Selecting all groups from LDAP is done using ldapsearch:
ldapsearch -x -b "ou=groups,dc=example,dc=com" -h LDAP_host

This lists all groups.
-x selects simple authentication, to simplify things 🙂
-b is the search base, i.e. the subtree we are looking in.
-h is needed if the LDAP server is not on localhost. An IP address will do.

Listing the members of a specific group is as simple as:
ldapsearch -x -b "cn=mygroup,ou=groups,dc=example,dc=com" -h LDAP_host

Modifying LDAP from the command line is better done in two steps.

First, a file describing the needed modifications is written like so:

dn: cn=mygroup,ou=groups,dc=example,dc=com
changetype: modify
add: memberUid
memberUid: myuser

dn is the same as in ldapsearch.
changetype is either add, modify or delete.
add is a sub-keyword which can be either add, replace or delete.
memberUid is the attribute to work on.

Applying this action file to an LDAP server goes like this:
ldapmodify -x -h LDAP_host -D "uid=zimbra,cn=admins,cn=zimbra" -f ldapfile.ldif -W

The important thing to note is
-D "uid=zimbra,cn=admins,cn=zimbra", which is the binddn – in LDAP talk it is something like a username.
-W prompts for the password for that binddn.
BTW: this uid=zimbra is actually used in Zimbra.

Those binddn and password values can sometimes be found in /etc/ldap.conf or, in the case of smbldap-tools (use those instead of direct LDAP modification if you can), in /etc/smbldap-tools/smbldap_bind.conf.
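The two-step procedure above as an added shell example (not code from the original post): it generates the LDIF change record for adding or removing a memberUid, rejects names that could smuggle extra LDIF lines into the file, and runs ldapmodify with -n (dry run) before the real change. LDAP_HOST and LDAP_BINDDN are assumed placeholders, and the base DN is the one from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds the LDIF
# "changetype: modify" record shown above for a group's memberUid,
# refuses names that could inject extra LDIF lines, and dry-runs the
# change with ldapmodify -n before applying it. Assumes the
# dc=example,dc=com / ou=groups layout from the post; LDAP_HOST and
# LDAP_BINDDN are placeholders for your own values.
set -eu

BASE_DN="dc=example,dc=com"

# Accept only a conservative POSIX-style name: no spaces, colons, newlines
# or a leading '-' or '.', since those carry meaning in LDIF, in a DN or
# on the ldapmodify command line.
safe_name() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*|-*|.*) return 1 ;;
    esac
    return 0
}

# group_member_ldif <add|delete> <group> <uid>
# Prints a one-record LDIF change adding or removing uid from the group.
group_member_ldif() {
    op=$1; group=$2; uid=$3
    case "$op" in add|delete) ;; *) echo "bad op: $op" >&2; return 1 ;; esac
    safe_name "$group" || { echo "bad group name: $group" >&2; return 1; }
    safe_name "$uid"   || { echo "bad uid: $uid" >&2; return 1; }
    printf 'dn: cn=%s,ou=groups,%s\n' "$group" "$BASE_DN"
    printf 'changetype: modify\n'
    printf '%s: memberUid\n' "$op"
    printf 'memberUid: %s\n' "$uid"
}

# ldap_apply <host> <binddn> <ldif-file> [dry]
# With "dry", ldapmodify -n only reports what it would change.
# -H ldap://host is the modern spelling of the post's -h host.
ldap_apply() {
    flag=""
    [ "${4:-}" = dry ] && flag="-n"
    ldapmodify -x $flag -H "ldap://$1" -D "$2" -W -f "$3"
}

# Usage, only when LDAP_HOST is set so the functions can also be sourced:
if [ -n "${LDAP_HOST:-}" ]; then
    group_member_ldif add mygroup myuser > mygroup.ldif
    ldap_apply "$LDAP_HOST" "${LDAP_BINDDN:-cn=admin,$BASE_DN}" mygroup.ldif dry
    ldap_apply "$LDAP_HOST" "${LDAP_BINDDN:-cn=admin,$BASE_DN}" mygroup.ldif
fi
```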
