LDAP Tools

Initial Notes

The configuration file /etc/ldap/ldap.conf for utilities like 'ldapsearch' should be correctly set for the server by default. That is, it should be (see ["OpenLDAPSetup"] for the definition of [["BaseDN"]]):

 BASE [["BaseDN"]]
 URI ldap://localhost

You will need to make changes on clients that will be using the ldap-utils package, however. On those you should instead use

 BASE [["BaseDN"]]
 URI ldap://your.ldap.server

Where 'your.ldap.server' is the name of your LDAP server. You may want to use the numeric IP address instead of the DNS name so that you can continue to use ldap-utils even if DNS is down, especially if your DNS server is itself backed by LDAP.

Tools available in {{{ldap-tools}}}

Show Entries

Manipulate Entries

Miscellaneous Operations

Some Details for Useful Tools

{{{ldapsearch}}}

The ldapsearch command can return the LDAP entry for <username> directly from LDAP (assuming, of course, that you are using LDAP for authentication).

 $ ldapsearch -x uid=<username>

This requires you to set your defaults correctly (see ["OpenLDAPSetup"]) in /etc/ldap/ldap.conf so that it points at your LDAP server.

A more complete command line specifying the admin bind DN is:

 $ ldapsearch -x -D 'cn=<your admin>,dc=example,dc=com' -W -b 'cn=<username>,ou=People,dc=example,dc=com'

 -x use simple authentication instead of SASL
 -D bind DN (user who is allowed to read entries from the database)
 -W prompt for the bind password
 -b base DN for the search

If you cannot query LDAP without specifying the admin bind DN and password, then you have a problem. Only root should have access to the admin password. Non-root users should be able to query LDAP without needing the admin password; otherwise libnss-ldap will not be able to do things like map UIDs to names for 'ls -l' as a non-root user. Note that nscd can mask problems like this, as it runs as root, effectively giving root permissions to libnss-ldap for all users.

It should say this if it's working correctly:

 # <username>, example, com
 dn: cn=<username>,dc=example,dc=com
 -- a bunch of user information --
 # search result
 search: 2
 result: 0 Success

If you did not specify the admin bind DN, then you should see all of the user's information except the userPassword attribute. You should only see userPassword when binding as the admin DN; otherwise you have a security hole equivalent to a world-readable /etc/shadow file.

If it is not working correctly, you should see something like this:

 # search result
 search: 2
 result: 32 No such object
 matchedDN: ou=People,dc=example,dc=com

If it doesn't work correctly, you can also try:

 ldapsearch -b'dc=example,dc=com' -x

which should list everything in the LDAP tree, hopefully giving you a clue for further investigation. -Rj

{{{getent}}}

getent will return the current NSS view of passwd, shadow, group, or whichever database you name. This is handy for checking that NSS is using LDAP correctly.

 $ getent <etcfile>

Running getent shadow as root should return a shadow file that includes your ldap user accounts. If getent shadow as non-root returns passwords, you have a security hole.
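The two checks above (no userPassword in an anonymous ldapsearch, no hashes from getent shadow as non-root) can be scripted so they are easy to repeat after every server change. The following is an added example, not part of this page or of the ldap-utils package: it contains two small filters that inspect ldapsearch LDIF output and getent shadow output, plus a check_live wrapper that runs the real commands. The LDIF and shadow samples are constructed here for offline testing; the hash-looking values in them are placeholders, not real hashes.

```shell
#!/bin/sh
# Added example: detect LDAP password-hash exposure as described on this page.
# Assumes ldapsearch (ldap-utils) and getent (libc) for the live check only.

# Constructed sample: anonymous 'ldapsearch -x uid=alice' on a sane server.
ANON_LDIF='# alice, People, example.com
dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
cn: Alice Example
objectClass: posixAccount

# search result
search: 2
result: 0 Success'

# Constructed sample: same query on a misconfigured server. The base64
# value decodes to the placeholder string "{SSHA}placeholder".
LEAKY_LDIF='dn: uid=alice,ou=People,dc=example,dc=com
uid: alice
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=

# search result
search: 2
result: 0 Success'

# Constructed sample: 'getent shadow' as a non-root user, sane vs. broken.
SAFE_SHADOW='root:*:19000:0:99999:7:::
alice:x:19000:0:99999:7:::'
LEAKY_SHADOW='root:*:19000:0:99999:7:::
alice:$6$placeholder$notarealhash:19000:0:99999:7:::'

# Return 0 if the LDIF on stdin carries a userPassword attribute, in plain
# ('userPassword:') or base64 ('userPassword::') form; 1 otherwise.
ldif_exposes_password() {
    grep -iq '^userpassword:'
}

# Return 0 if any shadow(5)-format line on stdin has a real value in the
# password field. Placeholders meaning "no hash here" are: empty, *, !, !!,
# x and *NP*. A locked hash such as "!$6$..." still counts as exposed.
shadow_exposes_hashes() {
    awk -F: '
        $2 != "" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "x" && $2 != "*NP*" { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Live check, to be run as an unprivileged user (root is allowed to see
# hashes, so the shadow test is meaningless there). Usage: check_live <uid>
check_live() {
    user=$1
    status=0
    if ldapsearch -x -LLL "uid=$user" userPassword | ldif_exposes_password; then
        echo "PROBLEM: anonymous bind can read userPassword for $user" >&2
        status=1
    fi
    if [ "$(id -u)" -ne 0 ] && getent shadow | shadow_exposes_hashes; then
        echo "PROBLEM: getent shadow returns password hashes to $(id -un)" >&2
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK: no password hashes exposed to $(id -un)"
    return "$status"
}

# Only run the live check when invoked as: sh thisfile.sh --live <uid>
if [ "${1:-}" = "--live" ]; then
    check_live "${2:-$(id -un)}"
fi
```

Run it as an ordinary user, not root, and not through nscd's cache if you want to see what libnss-ldap itself is allowed to read (stop nscd or use 'nscd -i passwd' first). Both filters only look at attribute names and field positions, so they work on any server's output without depending on the hash scheme in use.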


See also: ["LDAPAuthenticationTools"], ["LDAP"], ["LDAPAuthentication"]