The ldap-utils package includes a number of utilities that can be used to perform queries on the LDAP server.
The configuration file /etc/ldap/ldap.conf for utilities like 'ldapsearch' should be correctly set for the server by default. That is, it should contain something like:
BASE dc=<your>,dc=<domain>
URI ldap://localhost
On clients that will use the ldap-utils package, however, you will need to change this. Use something like:
BASE dc=<your>,dc=<domain>
URI ldap://your.ldap.server
Here 'your.ldap.server' is the name of your LDAP server. You may want to use the numeric IP address instead of the DNS name so that you can continue to use ldap-utils even if DNS is down, especially if your DNS server itself depends on LDAP.
Tools available in ldap-utils
ldapsearch - search for and display entries
ldapmodify - modify an entry
ldapadd - add a new entry
ldapdelete - remove an entry
ldapmodrdn - rename an entry
ldappasswd - change the password for an entry (note: this is not a replacement for passwd)
ldapwhoami - display which entry I am bound to the server as
ldapcompare - compare a field in an entry to some value
Some Details for Useful Tools
When using these tools to edit cn=config, be aware that Debian doesn't set a rootpw at the start, so you'll need to add -Y EXTERNAL to your command to run as local root.
The ldapsearch command can return the LDAP information for <username> directly from LDAP (assuming, of course, that you are using LDAP for authentication).
$ ldapsearch -x uid=<username>
This requires you to set your defaults correctly in /etc/ldap/ldap.conf to point at your LDAP server.
A more complete command line, specifying the admin bind DN, is:
$ ldapsearch -x -D 'cn=<your admin>,dc=example,dc=com' -W \
    -b 'cn=username,ou=People,dc=example,dc=com'
-x  use simple authentication instead of SASL
-D  bind DN (a user who is allowed to read entries from the database)
-W  prompt for the bind password
-b  base DN for the search
If you cannot query LDAP without specifying the admin bind DN and password, then you have a problem. Only root should have access to the admin password. Non-root users should be able to query LDAP without the admin password; otherwise libnss-ldap will not be able to do things like map UIDs to names for 'ls -l' as a non-root user. Note that nscd can mask problems like this, since it runs as root, effectively giving libnss-ldap root permissions for all users.
It should say this if it's working correctly:
# <username>, example, com
dn: cn=<username>,dc=example,dc=com
-- a bunch of user information --

# search result
search: 2
result: 0 Success
If you did not specify the admin bind DN, then you should see all of the user's information except userPassword. You should only see userPassword when specifying the admin bind DN; otherwise you have a security hole equivalent to a world-readable /etc/shadow file.
If it is not working correctly, you should see something like this:
# search result
search: 2
result: 32 No such object
matchedDN: ou=People,dc=example,dc=com
If it doesn't work correctly, you can also try:
$ ldapsearch -b 'dc=example,dc=com' -x
This should list everything in the LDAP directory tree, hopefully giving you a clue for further investigation.
If you forget to use -x and SASL authentication isn't configured (it is not configured by default in 2.3.30-5+etch2), you will get a SASL error:
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
	additional info: SASL(-13): user not found: no secret in database
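The checks described above (an anonymous -x query must return result 0, must not expose userPassword, and a missing -x shows up as a SASL bind failure with no result line) can be scripted over ldapsearch output. This is an added example, not part of the original page; the function names and the sample outputs are constructed for illustration.

```shell
# Added example: classify the output of an anonymous (-x, no -D) ldapsearch
# against the checks above. Function names and sample output are constructed.
# Numeric code from the "result: N ..." line ldapsearch prints (empty if absent).
ldap_result_code() {
    printf '%s\n' "$1" | sed -n 's/^result: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Exit 0 when the LDIF carries a userPassword attribute (plain or base64 "::").
ldap_leaks_password() {
    printf '%s\n' "$1" | grep -q '^userPassword:'
}

# Verdicts: OK (result 0, no password), NO_SUCH_OBJECT (result 32),
# ERROR_no_result (no result line, e.g. the SASL failure shown above),
# ERROR_<code> (other LDAP codes), PASSWORD_EXPOSED (readable without admin bind).
# Returns 1 for anything other than OK so it can drive a monitoring check.
audit_anonymous_output() {
    code=$(ldap_result_code "$1")
    case "$code" in
        0)  ;;
        32) echo NO_SUCH_OBJECT; return 1 ;;
        "") echo ERROR_no_result; return 1 ;;
        *)  echo "ERROR_$code"; return 1 ;;
    esac
    if ldap_leaks_password "$1"; then
        echo PASSWORD_EXPOSED
        return 1
    fi
    echo OK
}

# Live use as a non-root user: audit_user <uid>, using /etc/ldap/ldap.conf defaults.
audit_user() {
    audit_anonymous_output "$(ldapsearch -x "uid=$1" 2>&1)"
}

# Constructed sample outputs (trimmed to the lines the checks look at).
SAMPLE_OK='dn: cn=alice,dc=example,dc=com
uid: alice
result: 0 Success'
SAMPLE_LEAK='dn: cn=alice,dc=example,dc=com
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
result: 0 Success'
SAMPLE_MISSING='result: 32 No such object'
SAMPLE_SASL='ldap_sasl_interactive_bind_s: Invalid credentials (49)'

for s in "$SAMPLE_OK" "$SAMPLE_LEAK" "$SAMPLE_MISSING" "$SAMPLE_SASL"; do
    printf 'verdict: %s\n' "$(audit_anonymous_output "$s")"
done
```

Run audit_user for an ordinary account from an unprivileged shell on a client; anything other than OK points at the ldap.conf defaults, the server ACLs, or nscd masking the real behaviour.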