For a brief overview of LDAP, these resources may be of use:

OpenLDAP provides the ldapsearch command line tool. You can install it on Gentoo by installing the openldap package (it's probably named similarly in other distributions).


To query all objects at the base of the directory

ldapsearch -x -s base -H "ldap://the.host.name" -D "cn=username,cn=Users,dc=mydomain,dc=com,dc=local" -w password

The -x flag selects simple authentication rather than SASL. Which one you need depends on your setup.

I've used the -s flag to specify that I want the search scope to be 'base' rather than the default 'sub'. This means that only the base object, rather than the whole subtree beneath it, is searched. Note that if I left out this flag and the scope defaulted to 'sub', no results would be returned because no search base (the -b flag, see below) was specified.

The -H flag specifies the LDAP URI of the server to connect to. The host part can be an IP address or a hostname.

The -D flag is used to provide my user details so that I can bind to the directory. The exact format of this string will probably differ for your configuration. It's known as the "distinguished name", which is basically another name for a unique identifier. In my case, it specifies the user "username", in the group "Users", domain "mydomain.com.local". In case you're wondering, "cn" stands for "commonName" and "dc" stands for "domainComponent". There are others, such as ou (organizationalUnit), o (organizationName), etc. This Micro$oft knowledge base article on Distinguished Names shows some other possibilities. Your distinguished name will depend on how your directory's schema has been defined.
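As an added example (not from the original page), here is a small Python parser that splits a distinguished name like the -D value above into its RDN components following RFC 4514 and derives the DNS-style domain from the dc= parts. The function names and the extra sample DNs are my own; the only DN taken from the page is cn=username,cn=Users,dc=mydomain,dc=com,dc=local.

```python
# Added example (not from the original page): parse an LDAP distinguished name
# into its RDN components following RFC 4514, and derive the DNS-style domain
# from the dc= parts, as the -D bind DN is described in the text above.
import string
from typing import List, Tuple

# One RDN is a list of (attributeType, value) pairs; most RDNs have exactly one,
# but RFC 4514 allows several joined with '+'.
RDN = List[Tuple[str, str]]


def split_unescaped(s: str, sep: str) -> List[str]:
    """Split s on sep, but not on separators escaped with a backslash."""
    parts: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            # keep the escape intact for unescape_value() to resolve later
            cur.append(c)
            cur.append(s[i + 1])
            i += 2
            continue
        if c == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def unescape_value(v: str) -> str:
    """Resolve RFC 4514 escapes: '\\,' -> ',' and a hex pair such as '\\2C' -> ','."""
    buf = bytearray()
    i = 0
    while i < len(v):
        c = v[i]
        if c == "\\" and i + 1 < len(v):
            pair = v[i + 1:i + 3]
            if len(pair) == 2 and all(ch in string.hexdigits for ch in pair):
                buf.extend(bytes.fromhex(pair))        # hex-encoded byte
                i += 3
            else:
                buf.extend(v[i + 1].encode("utf-8"))   # escaped special character
                i += 2
            continue
        buf.extend(c.encode("utf-8"))
        i += 1
    return buf.decode("utf-8")


def parse_dn(dn: str) -> List[RDN]:
    """Return the DN as a list of RDNs, leftmost (most specific) first."""
    rdns: List[RDN] = []
    for rdn in split_unescaped(dn, ","):
        pairs: RDN = []
        for ava in split_unescaped(rdn, "+"):
            attr, sep, value = ava.partition("=")
            if not sep or not attr.strip():
                raise ValueError(f"malformed RDN component: {ava!r}")
            # attribute types are case-insensitive; values keep their case
            pairs.append((attr.strip().lower(), unescape_value(value.strip())))
        rdns.append(pairs)
    return rdns


def domain_from_dn(dn: str) -> str:
    """Join the dc= values in order: dc=mydomain,dc=com,dc=local -> mydomain.com.local."""
    return ".".join(value for rdn in parse_dn(dn) for attr, value in rdn if attr == "dc")


if __name__ == "__main__":
    bind_dn = "cn=username,cn=Users,dc=mydomain,dc=com,dc=local"  # the DN used on this page
    for rdn in parse_dn(bind_dn):
        print("+".join(f"{a}={v}" for a, v in rdn))
    print("domain:", domain_from_dn(bind_dn))
```

The escape handling is what makes this more than a split on commas: a value such as "Smith\, John" stays one RDN, and a hex-escaped "\2C" comes back as a comma, so the parser agrees with what the directory server itself will accept.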

The -w flag supplies my password on the command line. Use -W instead if you want to be prompted for it; that keeps the password out of your shell history and out of the process list, where other users on the machine could read it.

Note: I believe the "local" domain controller (dc) is used for internal DNS queries. Presumably, if I omitted this the traffic would leave the internal network.

To query a particular object in a subtree of the directory

ldapsearch -x -H "ldap://the.host.name" -D "cn=username,cn=Users,dc=mydomain,dc=com,dc=local" -w password -b "cn=Users,dc=mydomain,dc=com,dc=local" "cn=username"

In this example, the -b flag specifies the search base. Note that I've removed the -s flag so that, by default, a subtree search is done. This is OK because the base I've specified points to an entry which has a subtree beneath it.

The search filter is specified at the end of the command. In this case, I've searched for "cn=username", which means that I'll get all details of the users in the Users group of mydomain.com.local which have the common name "username". The search could be for any object in the directory. For example, if the above example had "mail" instead of "cn=username", I'd get the email addresses of all users in the Users group of mydomain.com.local: ldapsearch treats a trailing argument with no "=" in it as the name of an attribute to return rather than as a filter, so the default filter matches every entry under the base and only the mail attribute is printed. Wildcards are allowed, like "mail=*".
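To show how the filter at the end of the command should be built when its value comes from a program rather than being typed by hand, here is an added Python example (not part of the original page). It escapes filter values according to RFC 4515 so that characters such as *, ( and ) inside a value cannot change the structure of the filter, writes a wildcard like mail=* only where the code intends it, and assembles the ldapsearch argument vector with -W rather than -w. The function names, the attribute-name check and the metacharacter test value are my own.

```python
# Added example (not from the original page): build the search filter that goes at
# the end of the ldapsearch command from program-supplied values, escaping them
# per RFC 4515 so that a value can never change the structure of the filter.
import re
import shlex
from typing import List, Sequence

# RFC 4515: these characters carry meaning inside a filter value and must be
# written as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Attribute descriptions are a letter followed by letters, digits or hyphens,
# optionally with ';'-separated options. Anything else is rejected, not escaped.
_ATTR_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")


def escape_filter_value(value: str) -> str:
    """Escape a literal value for use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _check_attr(attr: str) -> str:
    if not _ATTR_RE.match(attr):
        raise ValueError(f"invalid attribute description: {attr!r}")
    return attr


def equality_filter(attr: str, value: str) -> str:
    """(attr=value) with the value escaped, e.g. the page's cn=username."""
    return f"({_check_attr(attr)}={escape_filter_value(value)})"


def presence_filter(attr: str) -> str:
    """(attr=*): the wildcard is written by the code, never taken from input."""
    return f"({_check_attr(attr)}=*)"


def and_filter(*filters: str) -> str:
    """Combine several filters so that all of them must match."""
    return "(&" + "".join(filters) + ")"


def ldapsearch_argv(uri: str, bind_dn: str, base_dn: str, filt: str,
                    attrs: Sequence[str] = ()) -> List[str]:
    """Argument vector for ldapsearch. -W prompts for the password instead of
    passing it with -w, so it stays out of the process list and shell history."""
    return ["ldapsearch", "-x", "-H", uri, "-D", bind_dn, "-W", "-b", base_dn,
            filt, *[_check_attr(a) for a in attrs]]


if __name__ == "__main__":
    base = "cn=Users,dc=mydomain,dc=com,dc=local"
    bind = "cn=username," + base
    # the page's second query, built from a plain username value
    print(shlex.join(ldapsearch_argv("ldap://the.host.name", bind, base,
                                     equality_filter("cn", "username"))))
    # the same lookup restricted to entries that also have a mail attribute
    print(and_filter(equality_filter("cn", "username"), presence_filter("mail")))
    # a value containing filter metacharacters stays a single equality test
    print(equality_filter("cn", "user*)(name"))
```

The point of escaping rather than rejecting is that a value like "user*)(name" is still a legitimate string to search for; after escaping it is compared literally, whereas unescaped it would be parsed as extra filter components. Attribute names, by contrast, have a narrow legal syntax, so they are validated and rejected instead.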

Last modified: 17/04/2006 (most likely earlier, as a site migration in 2006 reset some dates)

This website is a personal resource. Nothing here is guaranteed correct or complete, so use at your own risk and try not to delete the Internet. -Stephan
