LDAP Commands

A simple search for a user on an LDAP server

# search for user jw using base dc=jw,dc=com
# (the BIND DN password goes after -w; "-w -" makes the Netscape/Sun ldapsearch prompt for it,
#  the OpenLDAP client uses -W to prompt instead)

#ldapsearch -D "cn=Directory manager" -w - -b "dc=jw,dc=com" cn=jw
cn=jw,ou=People,dc=jw,dc=com
gecos=John
uidnumber=10000
gidnumber=1000
homedirectory=/home/sa/jw
objectclass=top
objectclass=account
objectclass=posixAccount
loginshell=/bin/ksh
uid=jw
cn=jw
userpassword={crypt}zzzzzzzzzzzzz


A more complicated search with multiple attributes

# To search for all entries with objectclass=posixaccount that don't have objectclass=shadowaccount as well
ldapsearch -D "cn=Directory Manager" -w - -b "ou=people,dc=jw,dc=com" "(&(objectclass=posixaccount)(!(objectclass=shadowaccount)))"

# and a search for entries with both objectclasses (each item is wrapped in its own
# parentheses inside the & list; an extra pair of brackets makes the filter invalid)
ldapsearch -h olidir1 -s one -b "ou=people,dc=cg,dc=com" "(&(objectclass=shadowaccount)(objectclass=posixaccount))"

# To add LDAP entries from an LDIF file
ldapadd -D "cn=directory manager" -w - -f passwd.ldif

# To modify LDAP entries from an LDIF file
#ldapmodify -D "cn=directory manager" -w - -f passwd.ldif


# To search for a particular user's entry from the client against the LDAP server called bogota
# ldapsearch -h bogota -b "dc=jw,dc=com" cn=jw
# the same search but specifying a BIND DN
# ldapsearch -D "cn=directory manager" -h bogota -b "dc=jw,dc=com" cn=jw

To find all attributes of a directory entry

# note the -s option - this is the search scope:
# either base (the base entry only), one (the entries one level below the base) or sub (the base and all levels below it)
# -L prints the result in LDIF format

root@cartagena<297>ldapsearch -h bogota -L -b "dc=jw,dc=com" -s base "objectclass=*"
dn: dc=jw,dc=com
dc: jw
o: jw,dc=com
aci: (targetattr != "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange || shadowMin || shadowMax || shadowWarning || shadowInactive || shadowExpire || shadowFlag || memberUid")(version 3.0; acl "Allow self entry modification"; allow (write)userdn = "ldap:///self";)
aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrator"; allow (all) userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr ="*")(version 3.0;acl "Configuration Administrators Group";allow (all) (groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot");)
aci: (targetattr ="*")(version 3.0;acl "Directory Administrators Group";allow (all) (groupdn = "ldap:///ou=Directory Administrators, dc=jw,dc=com");)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ldap:///cn=slapd-bogota, cn=Netscape Directory Server, cn=Server Group, cn=bogota.eu.jw.com, ou=admin.com, o=NetscapeRoot";)
nisdomain: jw.com
associateddomain: jw.com
objectclass: top
objectclass: domain
objectclass: organization
objectclass: nisdomainobject
objectclass: domainrelatedobject
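The searches above combine a search filter with a base and a scope. The following Python is an added example, not part of these notes and not the ldapsearch tool: it parses the filter forms used on this page (presence, equality, &, | and !), applies the base/one/sub scope rule, and runs them over a constructed in-memory directory modelled on the jw entry. Names and values are compared case-insensitively (correct for objectClass, an approximation for case-exact attributes) and DNs are split on plain commas.

```python
"""Minimal LDAP search filter and scope evaluator (added example, not ldapsearch itself)."""
import re

# Constructed sample directory: one posixAccount without shadowAccount (jw), one with it (ab),
# and their parent container. Not real accounts.
ENTRIES = {
    "cn=jw,ou=People,dc=jw,dc=com": {
        "objectclass": ["top", "account", "posixAccount"],
        "uid": ["jw"], "cn": ["jw"], "uidNumber": ["10000"],
    },
    "cn=ab,ou=People,dc=jw,dc=com": {
        "objectclass": ["top", "account", "posixAccount", "shadowAccount"],
        "uid": ["ab"], "cn": ["ab"], "uidNumber": ["10001"],
    },
    "ou=People,dc=jw,dc=com": {
        "objectclass": ["top", "organizationalUnit"], "ou": ["People"],
    },
}

ATTR_NAME = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")


class FilterError(ValueError):
    """Raised for filters a server would reject too, e.g. (&((a=b)(c=d)))."""


def parse_filter(text):
    """Parse a filter string into a tuple tree; raise FilterError on bad syntax."""
    text = text.strip()
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise FilterError("trailing characters after filter: %r" % text[pos:])
    return node


def filter_is_valid(text):
    """True if the filter parses; handy for checking a filter before putting it on a command line."""
    try:
        parse_filter(text)
    except FilterError:
        return False
    return True


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise FilterError("expected '(' at offset %d" % i)
    i += 1
    if i >= len(s):
        raise FilterError("unterminated filter")
    op = s[i]
    if op in "&|":  # list of sub-filters, each in its own parentheses
        i += 1
        children = []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise FilterError("empty %s list" % op)
        node = ("and" if op == "&" else "or", children)
    elif op == "!":  # negation of exactly one sub-filter
        child, i = _parse(s, i + 1)
        node = ("not", child)
    else:  # simple item: attr=* (presence) or attr=value (equality)
        end = s.find(")", i)
        if end == -1 or "=" not in s[i:end]:
            raise FilterError("bad filter item at offset %d" % i)
        attr, value = s[i:end].split("=", 1)
        if not ATTR_NAME.fullmatch(attr):
            raise FilterError("bad attribute name %r" % attr)
        node = ("present", attr.lower()) if value == "*" else ("equal", attr.lower(), value.lower())
        i = end
    if i >= len(s) or s[i] != ")":
        raise FilterError("expected ')' at offset %d" % i)
    return node, i + 1


def matches(node, entry):
    """Evaluate a parsed filter against one entry (attribute name -> list of values)."""
    kind = node[0]
    if kind == "and":
        return all(matches(c, entry) for c in node[1])
    if kind == "or":
        return any(matches(c, entry) for c in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    attrs = {name.lower(): values for name, values in entry.items()}
    if kind == "present":
        return node[1] in attrs
    return any(v.lower() == node[2] for v in attrs.get(node[1], []))


def _norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_scope(dn, base, scope):
    """Apply the -s base / one / sub rule to a candidate DN."""
    dn, base = _norm_dn(dn), _norm_dn(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.split(",", 1)[1:] == [base]  # parent of dn is the base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError("scope must be base, one or sub")


def search(entries, base, scope, filter_text):
    """Return the sorted DNs that `ldapsearch -b base -s scope filter` would list."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, entry in entries.items()
                  if in_scope(dn, base, scope) and matches(tree, entry))
```

Running `search(ENTRIES, "ou=people,dc=jw,dc=com", "one", "(&(objectclass=posixaccount)(!(objectclass=shadowaccount)))")` returns only the jw DN, while the base search with `(objectclass=*)` returns just the base entry, which is why the -s base command above prints a single entry with all its attributes.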


*********************** note this command didn't work but it's something very close to this! ************

Modifying an ACI using an ldif file

# e.g. to grant user proxyagent read access to the userpassword attribute

Create an LDIF file called aci.ldif (the aci value spans several lines, so every
continuation line must begin with a single space; the ACI keyword that selects
attributes is targetattr):

dn: dc=jw,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=jw,dc=com")
 (targetattr="userpassword")(version 3.0; acl "password read";
 allow (compare,read,search)
 userdn = "ldap:///cn=proxyagent,ou=profile,dc=jw,dc=com";)

run the command:

#ldapmodify -D "cn=Directory Manager" -w - -h bogota -f aci.ldif
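Two things make an ACI change like the one above fail or do more than intended: an LDIF value that is folded without the leading-space continuation, and a mistyped target keyword. The Python below is an added example (not part of these notes and not Netscape/Sun DS code) that builds the aci.ldif change record with RFC 2849 folding, unfolds LDIF back into logical lines, and breaks a version 3.0 ACI into its targets, rights and bind rule so it can be reviewed before it is applied. The `exposes_userpassword` check reports whether an ACI lets its bind rule read userPassword, which is what the page's "Anonymous access" ACI avoids with `targetattr != "userPassword"` and the proxyagent ACI grants on purpose. The PROXYAGENT_ACI constant and the keyword set are constructed for the example.

```python
"""LDIF folding and version 3.0 ACI review helpers (added example, not DS code)."""
import re

# Target keywords accepted in the first part of a v3.0 ACI (constructed list for this
# example); anything else, such as a "targetaddr" typo, is rejected as unknown.
ACI_TARGET_KEYWORDS = {"target", "targetattr", "targetfilter", "targattrfilters", "targetscope"}


def fold(logical, width=76):
    """Split one logical LDIF line into physical lines; continuations get a leading space."""
    physical = [logical[:width]]
    rest = logical[width:]
    while rest:
        physical.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return physical


def unfold(text):
    """Inverse of fold(): join continuation lines back onto the line they belong to."""
    logical = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]
        else:
            logical.append(line)
    return logical


def modify_add_aci_ldif(dn, aci):
    """LDIF change record adding one aci value to dn, folded so ldapmodify can parse it."""
    lines = ["dn: " + dn, "changetype: modify", "add: aci"] + fold("aci: " + aci)
    return "\n".join(lines) + "\n"


def aci_summary(aci):
    """Break a v3.0 ACI into targets, effect, rights and bind rule; raise on unknown target keywords."""
    head, sep, body = aci.partition("(version 3.0;")
    if not sep:
        raise ValueError("not a version 3.0 ACI")
    targets = {}
    for name, op, value in re.findall(r'\((\w+)\s*(!?=)\s*"([^"]*)"\)', head):
        if name.lower() not in ACI_TARGET_KEYWORDS:
            raise ValueError("unknown ACI target keyword: %s" % name)
        targets[name.lower()] = (op, value)
    m = re.search(r'\b(allow|deny)\s*\(([^)]*)\)\s*(.+?)\s*;', body, re.S)
    if not m:
        raise ValueError("no allow/deny clause")
    rights = sorted(r.strip().lower() for r in m.group(2).split(","))
    return {"targets": targets, "effect": m.group(1), "rights": rights, "bind": m.group(3).strip()}


def aci_error(aci):
    """Return the parse error for an ACI as a string, or None if it parses cleanly."""
    try:
        aci_summary(aci)
    except ValueError as e:
        return str(e)
    return None


def exposes_userpassword(summary):
    """True if an allow ACI lets its bind rule read, search or compare userPassword."""
    if summary["effect"] != "allow" or not ({"read", "search", "compare", "all"} & set(summary["rights"])):
        return False
    if "targetattr" not in summary["targets"]:
        return True  # no attribute restriction at all
    op, value = summary["targets"]["targetattr"]
    names = [v.strip().lower() for v in value.split("||")]
    if op == "=":
        return "*" in names or "userpassword" in names
    return "userpassword" not in names  # != list: exposed unless explicitly excluded


# Constructed ACI with the intent of the aci.ldif above, written on one logical line.
PROXYAGENT_ACI = ('(target="ldap:///dc=jw,dc=com")(targetattr="userpassword")'
                  '(version 3.0; acl "password read"; allow (compare,read,search) '
                  'userdn = "ldap:///cn=proxyagent,ou=profile,dc=jw,dc=com";)')

if __name__ == "__main__":
    print(modify_add_aci_ldif("dc=jw,dc=com", PROXYAGENT_ACI))
    print(aci_summary(PROXYAGENT_ACI), exposes_userpassword(aci_summary(PROXYAGENT_ACI)))
```

Feeding the ACIs printed by the -s base search above through `aci_summary` gives a quick inventory of who holds `all` on `targetattr ="*"` at the suffix, which is the list worth reviewing after any ACI change.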



Creating an additional top level domain (suffix) using Netscape DS

This is not very intuitive !!

Firstly add the new suffix
Select the configuration tab on the directory server
Click on the Database part of the directory tree
Click on the Settings tab
Click on Add
Add in the new suffix
Click on save

Then select directory tab
select the server and right click to add new...
add domain
set dc to "cg,dc=com"
click on ok
refresh display
right click on cg to get properties
Add value of "organization" to Object Class
for example, to add "dc=cg,dc=com"
delete value of cg,dc=com from dc leaving just dc set to cg
set value of organization to cg,dc=com
click on ok
refresh display


Additional Solaris commands

# To list password entries
#ldaplist passwd

# To list hosts
#ldaplist hosts

# To list databases and objectclasses
#ldaplist -h