A pseudo-Linux-fan's blog


ldapsearch

15 January 2021

Back in August 2020 I used the ldapsearch command while checking the integration of some environment; I have been using it again recently, so I might as well write it down.

Whether the directory is OpenLDAP or an AD server, both speak the LDAP protocol underneath, so either can be checked with the LDAP command-line tools: for example, use ldapsearch to bind as yourself and confirm that your own account exists on the LDAP server. Once that works, wiring other systems up to the directory is straightforward.

Installation

yum install openldap-clients  # installs the ldap* command-line tools (ldapsearch, ldapadd, ...)

Test

ldapsearch -x -D "cn=jie.wan,dc=abcd,dc=com" -b "dc=abcd,dc=com" -H ldap://10.10.111.17:389 -w password -L "(objectClass=*)"

Flags: -x selects simple authentication, -D is the DN to bind as, -w its password, -b the search base, -H the server URI and -L restricts the output to LDIFv1; the last argument is the search filter.

Two caveats with this form. A simple bind over ldap:// on port 389 sends the DN and password in cleartext, so prefer ldaps:// (port 636) or add -ZZ to require StartTLS. And a password given with -w ends up in the shell history and is visible to other users in ps; use -W to be prompted for it, or -y to read it from a file.

Excerpt of the returned results. A double colon after an attribute name (userPassword:: below) means the value is base64-encoded, not that it is hidden: e01ENX1Db0VUbEIwMVJteDVJWTZERjFabDd3PT0= decodes to {MD5}CoETlB01Rmx5IY6DF1Zl7w==, i.e. an unsalted MD5 hash of the password, which anyone who can read the attribute can crack offline at low cost. Configure the server to store salted hashes ({SSHA} at minimum; OpenLDAP's olcPasswordHash setting), and check whether the search also returns userPassword for entries other than your own: if it does, the access control is too loose (the usual OpenLDAP rule is access to attrs=userPassword by self write by anonymous auth by * none).


# jie.wan, abcd.com
dn: cn=jie.wan,dc=abcd,dc=com
cn: jie.wan
givenName: jie
mail: [email protected]
objectClass: inetOrgPerson
objectClass: top
sn: wan
uid: jie.wan
userPassword:: e01ENX1Db0VUbEIwMVJteDVJWTZERjFabDd3PT0=
# search result
# numResponses: 4104
# numEntries: 4103
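To read such output programmatically, here is an added example (not code from the original post; standard-library Python only) that parses the LDIF ldapsearch -L prints, decodes the :: base64 values, flags userPassword values stored in unsalted or cleartext schemes, and verifies a candidate password against the {MD5}/{SMD5}/{SHA}/{SSHA} formats OpenLDAP uses. The sample LDIF is the entry excerpt above; WEAK_SCHEMES, make_hash and the other names are this example's own.

```python
"""Parse the LDIF that ldapsearch -L prints and audit userPassword values.

Added example (not from the original post); standard library only.
"""
import base64
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample: the entry excerpt shown in the post.
SAMPLE_LDIF = """\
# jie.wan, abcd.com
dn: cn=jie.wan,dc=abcd,dc=com
cn: jie.wan
givenName: jie
mail: [email protected]
objectClass: inetOrgPerson
objectClass: top
sn: wan
uid: jie.wan
userPassword:: e01ENX1Db0VUbEIwMVJteDVJWTZERjFabDd3PT0=

# search result
# numResponses: 4104
# numEntries: 4103
"""

# Unsalted (or not hashed at all): cheap to crack offline once a search
# like the one in the post leaks the value. {CRYPT} depends on the crypt
# variant and is deliberately not classified here.
WEAK_SCHEMES = {"MD5", "SHA", "CLEARTEXT", ""}

# Scheme -> hashlib name for the four classic OpenLDAP schemes.
_ALGOS = {"MD5": "md5", "SMD5": "md5", "SHA": "sha1", "SSHA": "sha1"}


def parse_ldif(text: str) -> List[Dict[str, List[bytes]]]:
    """Return entries as attr -> list of raw values (RFC 2849 subset: comments,
    version line, blank-line separators, leading-space continuation, '::' base64)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Dict[str, List[bytes]]] = []
    entry: Dict[str, List[bytes]] = {}
    for line in lines + [""]:                   # trailing "" flushes the last entry
        if line.startswith("#") or line.startswith("version:"):
            continue
        if not line.strip():
            if entry:
                entries.append(entry)
                entry = {}
            continue
        m = re.match(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        entry.setdefault(attr, []).append(
            base64.b64decode(value) if sep == "::" else value.encode())
    return entries


def split_scheme(value: bytes) -> Tuple[str, bytes]:
    """'{SCHEME}payload' -> ('SCHEME', payload); no prefix -> ('', value)."""
    m = re.match(rb"^\{([A-Za-z0-9-]+)\}(.*)$", value, re.S)
    if not m:
        return "", value
    return m.group(1).decode().upper(), m.group(2)


def audit_passwords(entries: List[Dict[str, List[bytes]]]) -> List[Tuple[str, str, str]]:
    """(dn, scheme, verdict) for every entry whose userPassword was returned."""
    findings = []
    for e in entries:
        dn = e.get("dn", [b"?"])[0].decode()
        for pw in e.get("userPassword", []):
            scheme, _ = split_scheme(pw)
            findings.append((dn, scheme, "WEAK" if scheme in WEAK_SCHEMES else "ok"))
    return findings


def make_hash(scheme: str, password: str, salt: bytes = b"") -> bytes:
    """Produce a stored value in OpenLDAP's format: {SCHEME}base64(digest || salt)."""
    digest = hashlib.new(_ALGOS[scheme], password.encode() + salt).digest()
    return b"{" + scheme.encode() + b"}" + base64.b64encode(digest + salt)


def verify_password(stored: bytes, candidate: str) -> bool:
    """Check a candidate against a {MD5}/{SMD5}/{SHA}/{SSHA} value; the salt is
    whatever follows the fixed-size digest inside the base64 payload."""
    scheme, payload = split_scheme(stored)
    algo = _ALGOS.get(scheme)
    if algo is None:
        return False
    blob = base64.b64decode(payload)
    size = hashlib.new(algo).digest_size
    digest, salt = blob[:size], blob[size:]
    return hashlib.new(algo, candidate.encode() + salt).digest() == digest


if __name__ == "__main__":
    for dn, scheme, verdict in audit_passwords(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: scheme={scheme or '(cleartext)'} {verdict}")
```

Fed the excerpt above, the script reports the jie.wan entry as scheme MD5 and WEAK; pipe real ldapsearch -L output into parse_ldif to audit a whole subtree, and treat any entry other than your own that shows up with a userPassword value as an ACL finding in its own right.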

Error output

If the account or password is wrong, the result looks like this:

ldap_bind: Invalid credentials (49)

You can also add -d1 to get a libldap debug trace of the whole exchange.

Sample output follows. The lines worth reading are connect success (the host and port are reachable, so this is not a network problem) and res_errno: 49 (the server itself rejected the bind):

[root@abcd ~]# ldapsearch -d1 -x -D "cn=jie.wan,dc=abcd,dc=com" -b "dc=abcd,dc=com" -H ldap://10.88.1.202:389 -w dangerousd -L "(objectClass=*)"
ldap_url_parse_ext(ldap://10.88.1.202:389)
ldap_create
ldap_url_parse_ext(ldap://10.88.1.202:389/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.88.1.202:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.88.1.202:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 52 bytes to sd 3
ldap_result ld 0x55fea06bc0c0 msgid 1
wait4msg ld 0x55fea06bc0c0 msgid 1 (infinite timeout)
wait4msg continue ld 0x55fea06bc0c0 msgid 1 all 1
** ld 0x55fea06bc0c0 Connections:
* host: 10.88.1.202 port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jan 15 13:58:56 2021
** ld 0x55fea06bc0c0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x55fea06bc0c0 request count 1 (abandoned 0)
** ld 0x55fea06bc0c0 Response Queue:
Empty
ld 0x55fea06bc0c0 response count 0
ldap_chkResponseList ld 0x55fea06bc0c0 msgid 1 all 1
ldap_chkResponseList returns ld 0x55fea06bc0c0 NULL
ldap_int_select
read1msg: ld 0x55fea06bc0c0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x55fea06bc0c0 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x55fea06bc0c0 0 new referrals
read1msg: mark request completed, ld 0x55fea06bc0c0 msgid 1
request done: ld 0x55fea06bc0c0 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
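The trace above is libldap's view of a single LDAP exchange: ldap_sasl_bind sends one BindRequest (ber_flush2: N bytes, N depending on the DN and password lengths), and the reply is one 14-byte LDAPMessage (tag 0x30 len 12) carrying a BindResponse with resultCode 49 and empty matchedDN and diagnosticMessage (res_matched: <>, res_error: <>). The following added example (not from the original post; standard-library Python) encodes that request and decodes that response with a minimal BER encoder/decoder. The sample response bytes are constructed from the trace; simple_bind, RESULT_NAMES and the helper names are this example's own.

```python
"""Encode an LDAP simple BindRequest and decode a BindResponse (RFC 4511).

Added example (not from the original post); standard library only.
"""
import socket
from typing import Dict, Tuple

# LDAP resultCode names for the values a bind is likely to return.
RESULT_NAMES = {0: "success", 1: "operationsError", 7: "authMethodNotSupported",
                8: "strongerAuthRequired", 13: "confidentialityRequired",
                32: "noSuchObject", 34: "invalidDNSyntax",
                48: "inappropriateAuthentication", 49: "invalidCredentials",
                50: "insufficientAccessRights", 53: "unwillingToPerform"}

# Constructed from the -d1 trace: SEQUENCE (0x30) len 12, messageID 1,
# BindResponse (APPLICATION 1 = 0x61) with resultCode 49 and empty
# matchedDN / diagnosticMessage.
SAMPLE_INVALID_CREDENTIALS = bytes.fromhex("300c0201016107" "0a0131" "0400" "0400")


def _ber_len(n: int) -> bytes:
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(content)) + content


def _ber_int(n: int) -> bytes:
    """INTEGER for non-negative values (messageID, protocol version)."""
    return _tlv(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def encode_bind_request(msg_id: int, dn: str, password: str, version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name,
    authentication simple [0] } }. The password is a plain OCTET STRING: on
    ldap:// without StartTLS it is readable by anyone on the path."""
    bind = _ber_int(version) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x60, bind))


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """(tag, content, next_pos) for the element at buf[pos:]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def decode_bind_response(msg: bytes) -> Dict[str, object]:
    """LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode
    ENUMERATED, matchedDN, diagnosticMessage } } -> dict."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE, got tag {tag:#x}")
    tag, mid, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("expected messageID INTEGER")
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError(f"not a BindResponse, protocolOp tag {tag:#x}")
    tag, code, pos = _read_tlv(op, 0)
    if tag != 0x0A:
        raise ValueError("expected resultCode ENUMERATED")
    _, matched, pos = _read_tlv(op, pos)
    _, diag, _ = _read_tlv(op, pos)
    rc = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": rc,
            "result_name": RESULT_NAMES.get(rc, "unknown"),
            "matched_dn": matched.decode(), "diagnostic": diag.decode(errors="replace")}


def simple_bind(host: str, port: int, dn: str, password: str, timeout: float = 5.0) -> Dict[str, object]:
    """One bind over plain TCP, as ldapsearch -x -H ldap://host:389 does.
    Needs a reachable server, so it is not part of the offline checks."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_bind_request(1, dn, password))
        data = s.recv(4096)          # a BindResponse is far smaller than this
    return decode_bind_response(data)


if __name__ == "__main__":
    print(decode_bind_response(SAMPLE_INVALID_CREDENTIALS))
    print(len(encode_bind_request(1, "cn=jie.wan,dc=abcd,dc=com", "dangerousd")), "bytes")
```

Running it decodes the constructed reply to result_code 49 / invalidCredentials with an empty matched_dn, which is exactly what ldapsearch turns into "ldap_bind: Invalid credentials (49)". AD often adds a diagnosticMessage with a sub-code (for example 52e for a wrong password or 775 for a locked account); the dict's diagnostic field is where that text would appear.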

Advanced filters

The usual catch-all filter is (objectClass=*). In a large company, where AD holds thousands or hundreds of thousands of users, such a query is slow and will hit the server's size limit (AD returns at most 1000 entries per page by default, and ldapsearch then reports result 4, Size limit exceeded). Narrow the filter by person or by department as below; non-ASCII values such as Chinese department names work as long as the terminal sends them as UTF-8. Also list only the attributes you need after the filter, and for genuinely large result sets use paged results with -E pr=1000/noprompt.

Try a filter expression like (&(objectCategory=Person)(sAMAccountName=)(department=上海分公司信息技术部)): the full department name goes after department=, and the account name goes after sAMAccountName= (left blank here as a placeholder; an empty value matches nothing useful). objectCategory, sAMAccountName and department are Active Directory attributes; on OpenLDAP with inetOrgPerson the equivalents are objectClass, uid and ou or departmentNumber.

[Screenshot omitted: the filtered query, for illustration only.]
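Department and account names in a filter are often pasted from user input (a login form, a ticket field), and a value containing ")(" rewrites the filter. The added example below (not from the original post; standard-library Python) builds the filter above with RFC 4515 escaping, shows what plain string formatting produces instead, and assembles the ldapsearch arguments with paged results and an attribute list. The account jie.wan and the department name are the ones from the post; naive_filter, ldapsearch_args and the other helper names are this example's own.

```python
"""Build LDAP search filters with RFC 4515 escaping of user-supplied values.

Added example (not from the original post); standard library only.
"""
import shlex
from typing import Iterable, List

# RFC 4515 section 3: these must be escaped as \XX inside an assertion value.
# Everything else, UTF-8 such as a Chinese department name included, is literal.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot change the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str) -> str:
    return f"({attr}={escape_filter_value(value)})"


def and_(*clauses: str) -> str:
    return "(&" + "".join(clauses) + ")"


def person_in_department(account: str, department: str) -> str:
    """The post's AD filter, with both user-controlled values escaped."""
    return and_(eq("objectCategory", "Person"),
                eq("sAMAccountName", account),
                eq("department", department))


def naive_filter(account: str, department: str) -> str:
    """Plain string formatting, the pattern to avoid: a value containing ')('
    closes the current clause and opens a new one."""
    return f"(&(objectCategory=Person)(sAMAccountName={account})(department={department}))"


def ldapsearch_args(base: str, filt: str, attrs: Iterable[str] = (), page: int = 1000) -> List[str]:
    """argv for a cheap query against a large directory: paged results
    (-E pr=N/noprompt) and an explicit attribute list. Connection options
    (-H, -D, -W or -y) are left to the caller; hand the list to subprocess.run
    as-is, never join it into a shell string."""
    return ["ldapsearch", "-x", "-LLL", "-E", f"pr={page}/noprompt",
            "-b", base, filt, *attrs]


if __name__ == "__main__":
    evil = "*)(objectClass=*"       # constructed injection payload
    print("naive :", naive_filter(evil, "上海分公司信息技术部"))
    print("safe  :", person_in_department(evil, "上海分公司信息技术部"))
    print(shlex.join(ldapsearch_args("dc=abcd,dc=com",
                                     person_in_department("jie.wan", "上海分公司信息技术部"),
                                     ["mail", "department"])))
```

With the injected account name, naive_filter yields (&(objectCategory=Person)(sAMAccountName=*)(objectClass=*)(department=...)), a syntactically valid filter that matches every person regardless of account; the escaped version keeps the payload inside the sAMAccountName clause as a literal that matches nothing.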

Last updated: 15 January 2021

wanjie




COPYRIGHT © 2008-2025 wanjie.info. ALL RIGHTS RESERVED.
