LDAP Utilities

The ldap-utils package includes a number of utilities that can be used to perform queries on the LDAP server.

Initial Notes

The configuration file /etc/ldap/ldap.conf, used by utilities like 'ldapsearch', should be correctly set for the server by default. That is, it should contain something like:

 BASE dc=<your>,dc=<domain>
 URI ldap://localhost

On clients that will be using the ldap-utils package, however, you will need to change it. You should use something like:

 BASE dc=<your>,dc=<domain>
 URI ldap://your.ldap.server

Where 'your.ldap.server' is the name of your LDAP server. You may want to use the numeric IP address instead of the DNS name so that you can continue to use ldap-utils even if DNS is down, especially if using an LDAP DNS server.

Tools available in ldap-utils

Show Entries

Manipulate Entries

Miscellaneous Operations

Some Details for Useful Tools


When using this to edit cn=config, be aware that Debian doesn't set a rootpw at the start, so you'll need to add -Y EXTERNAL to your command to run as local root.


The ldapsearch command can return the LDAP info for <username> directly from LDAP (assuming of course you are using LDAP for authentication).

 $ ldapsearch -x uid=<username>

This requires you to set your defaults correctly in /etc/ldap/ldap.conf to point at your LDAP server.

A more complete command line specifying the admin bind DN is:

 $ ldapsearch -x -D 'cn=<your admin>, dc=example,dc=com' -W \

 -x Use simple authentication instead of SASL.
 -D bind DN (user who is allowed to read entries from the database)
 -W prompt for bind passwd
 -b base dn for search

If you cannot query LDAP without specifying the admin bind DN and password, then you have a problem. Only root should have access to the admin password. Non-root users should be able to query LDAP without needing the admin password, otherwise libnss-ldap will not be able to do things like map UIDs to names for 'ls -l' as a non-root user. Note that nscd can mask problems like this, as it runs as root, effectively giving root permissions to libnss-ldap for all users.

It should say this if it's working correctly:

 # <username>, example, com
 dn: cn=<username>,dc=example,dc=com
 -- a bunch of user information --
 # search result
 search: 2
 result: 0 Success

If you did not specify the admin bind DN, then you should see all of the user's information except the userPassword. You should only see the userPassword when specifying the admin bind DN, otherwise you have a security hole equivalent to a world-readable /etc/shadow file.
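
The userPassword check described above can be scripted. The following is an added example, not part of the original page: it performs an anonymous simple bind, asks only for userPassword, and lists every DN that returns one. The function names, exit codes and the sample LDIF are assumptions made for illustration; the sample entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): detect userPassword in LDIF.

# Read LDIF on stdin and print the DN of each entry that carries userPassword.
# Unfolds LDIF continuation lines (leading single space) and matches both the
# plain "userPassword:" and base64 "userPassword::" forms.
exposed_password_dns() {
    awk '
        function handle(l,   low) {
            low = tolower(l)
            if (low ~ /^dn::?/) { dn = l; sub(/^[^:]*::? */, "", dn) }
            else if (low ~ /^userpassword(;[^:]*)?:/ && dn != "" && !(dn in seen)) {
                seen[dn] = 1; print dn
            }
        }
        function flush() { if (line != "") handle(line); line = "" }
        /^ / { line = line substr($0, 2); next }        # continuation: unfold
        { flush(); if ($0 == "") dn = ""; else line = $0 }  # blank line ends entry
        END { flush() }
    '
}

# Anonymous simple bind (-x, no -D/-W) requesting only userPassword.
# Returns 0 if nothing is exposed, 1 if something is, 2 if the search failed.
check_anonymous_exposure() {
    base=$1; uri=$2   # caller-supplied, e.g. the BASE and URI from ldap.conf
    out=$(ldapsearch -x -LLL -H "$uri" -b "$base" '(objectClass=*)' userPassword) || {
        echo "ldapsearch failed; result inconclusive" >&2; return 2; }
    found=$(printf '%s\n' "$out" | exposed_password_dns)
    [ -z "$found" ] && { echo "OK: userPassword not visible anonymously"; return 0; }
    printf 'userPassword readable without the admin bind DN:\n%s\n' "$found"
    return 1
}

# Constructed sample LDIF (not real data): alice has a folded base64 value,
# bob has no userPassword, carol has a plain-text value.
sample_ldif() {
    printf '%s\n' \
        'dn: cn=alice,ou=People,dc=example,dc=com' 'cn: alice' \
        'userPass' ' word:: e1NTSEF9Y29uc3RydWN0ZWQ=' '' \
        'dn: uid=bob,ou=People,dc=example,dc=com' 'uid: bob' '' \
        'dn: uid=carol,ou=People,dc=example,dc=com' \
        'userPassword: constructed-value'
}

sample_ldif | exposed_password_dns   # offline demo on the constructed sample
```

Run check_anonymous_exposure as a non-root user with the base DN and server URI as its two arguments; because nscd can mask access problems, test with ldapsearch directly rather than through libnss-ldap lookups.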

If it is not working correctly, you should see something like this:

 # search result
 search: 2
 result: 32 No such object
 ["matchedDN"]: ou=People, dc=example,dc=com

If it doesn't work correctly, you can also try:

 ldapsearch -b'dc=example,dc=com' -x

Which should list everything in the LDAP graph, hopefully giving you a clue for further investigation.

If you forget to use -x and SASL authentication isn't configured (it is not configured by default in 2.3.30-5+etch2), you will get a SASL error:

SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
        additional info: SASL(-13): user not found: no secret in database