Back in August 2020 I used the ldapsearch command while checking an integration with some environment; I needed it again recently, so I'm writing it down.
Whether the directory is OpenLDAP or an AD server, both speak the LDAP protocol, so you can verify an account with the plain LDAP command-line tools: bind as yourself with ldapsearch and look up your own entry. If that works, the bind DN, base DN and password are right and the integration with whatever other system is meant to use them can proceed.
Installation
yum install openldap-clients
# installs the ldap* client commands (ldapsearch, ldapwhoami, ...); on Debian/Ubuntu the package is ldap-utils
Test
ldapsearch -x -D "cn=jie.wan,dc=abcd,dc=com" -b "dc=abcd,dc=com" -H ldap://10.10.111.17:389 -w password -L "(objectClass=*)"
Options used: -x simple bind; -D the bind DN (the account you authenticate as); -b the search base; -H the server URI; -w the bind password; -L LDIF output; the last argument is the search filter. Two things to watch when you run this against a real directory: -w puts the password into the shell history and into ps output for anyone on the box, so prefer -W, which prompts for it; and a simple bind over ldap:// on 389 sends the password in cleartext, so use ldaps:// (636) or add -ZZ to require StartTLS.
Excerpt of the result
# jie.wan, abcd.com
dn: cn=jie.wan,dc=abcd,dc=com
cn: jie.wan
givenName: jie
mail: [email protected]
objectClass: inetOrgPerson
objectClass: top
sn: wan
uid: jie.wan
userPassword:: e01ENX1Db0VUbEIwMVJteDVJWTZERjFabDd3PT0=
# search result
# numResponses: 4104
# numEntries: 4103
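Two details of that output are worth checking rather than just eyeballing. The "::" after userPassword means the value is base64-encoded, and decoding it gives a value starting with {MD5}, i.e. an unsalted MD5 of the password, which the bound user can read back for its own entry; whether it can read other users' userPassword under a catch-all filter depends on the server ACLs and is exactly what to verify before handing these credentials to another system. The script below is an added example, not code from the original post: it parses the LDIF that ldapsearch -L prints (comments, base64 values, continuation lines) and reports the password storage scheme per entry. Its only input is the constructed SAMPLE_LDIF, re-typed from the excerpt above with a placeholder mail address, so it runs offline.

```python
"""Parse `ldapsearch -L` (LDIF) output and inspect how passwords are stored.

Added example, not code from the original post. The only input is the
constructed SAMPLE_LDIF below, re-typed from the excerpt above (the mail
address is a placeholder), so the script runs offline.
"""
import base64
import re

# Constructed sample: the entry from the excerpt above. The ':: ' after
# userPassword means the value is base64-encoded, as ldapsearch does for
# any value that is binary or not plain printable ASCII.
SAMPLE_LDIF = """\
# jie.wan, abcd.com
dn: cn=jie.wan,dc=abcd,dc=com
cn: jie.wan
givenName: jie
mail: jie.wan@example.com
objectClass: inetOrgPerson
objectClass: top
sn: wan
uid: jie.wan
userPassword:: e01ENX1Db0VUbEIwMVJteDVJWTZERjFabDd3PT0=

# search result
# numResponses: 4104
# numEntries: 4103
"""

ATTR_LINE = re.compile(r"^([A-Za-z][\w.;-]*)(:{1,2}) ?(.*)$")


def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record.

    Handles what ldapsearch output actually contains: '#' comment lines,
    '::' base64 values, and continuation lines (a leading space joins the
    line to the previous one, which is how long values are wrapped).
    """
    # Unfold continuation lines first.
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)

    records, current = [], {}
    for line in logical + [""]:          # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if line == "":
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_LINE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    return records


SCHEME = re.compile(r"^\{([A-Za-z0-9-]+)\}")
# Schemes with no salt (or no hashing at all): a leaked value can be attacked
# offline at full speed with precomputed tables.
UNSALTED = {"MD5", "SHA", "CLEARTEXT"}


def password_scheme(entry):
    """Return the userPassword storage scheme ('MD5', 'SSHA', ...),
    'CLEARTEXT' when the value has no {SCHEME} prefix, or None if the
    attribute was not returned at all."""
    values = entry.get("userPassword")
    if not values:
        return None
    m = SCHEME.match(values[0])
    return m.group(1).upper() if m else "CLEARTEXT"


def weak_password_entries(records):
    """DNs whose userPassword came back readable and is stored with an
    unsalted or cleartext scheme."""
    return [r["dn"][0] for r in records if password_scheme(r) in UNSALTED]


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for rec in entries:
        print(rec["dn"][0], "->", password_scheme(rec))
    print("weak:", weak_password_entries(entries))
```

Feed it the real output with something like `ldapsearch ... -L "(objectClass=*)" > dump.ldif` and `parse_ldif(open("dump.ldif").read())`; if weak_password_entries returns more than your own DN, the bound account can harvest password hashes for the whole directory, and either the ACLs or the password hashing scheme needs fixing before the integration goes live.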
Error cases
If the account or password is wrong, the result looks like this:
ldap_bind: Invalid credentials (49)
Add -d1 to see the client-side debug trace. Note that against an OpenLDAP server this is all you get: result code 49 comes back both for a wrong password and for a bind DN that does not exist, deliberately, so that the error does not reveal which accounts exist (the diagnostic message in the trace below is empty, res_error: <>). Active Directory is chattier: its diagnostic message carries a data code (data 52e for a bad password, 525 for a user that was not found, 533 for a disabled account, 775 for a locked-out one), which helps when debugging an integration but also tells anyone who can attempt binds which accounts exist.
Sample output:
[root@abcd ~]# ldapsearch -d1 -x -D "cn=jie.wan,dc=abcd,dc=com" -b "dc=abcd,dc=com" -H ldap://10.88.1.202:389 -w dangerousd -L "(objectClass=*)"
ldap_url_parse_ext(ldap://10.88.1.202:389)
ldap_create
ldap_url_parse_ext(ldap://10.88.1.202:389/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 10.88.1.202:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 10.88.1.202:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 52 bytes to sd 3
ldap_result ld 0x55fea06bc0c0 msgid 1
wait4msg ld 0x55fea06bc0c0 msgid 1 (infinite timeout)
wait4msg continue ld 0x55fea06bc0c0 msgid 1 all 1
** ld 0x55fea06bc0c0 Connections:
* host: 10.88.1.202 port: 389 (default)
refcnt: 2 status: Connected
last used: Fri Jan 15 13:58:56 2021
** ld 0x55fea06bc0c0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x55fea06bc0c0 request count 1 (abandoned 0)
** ld 0x55fea06bc0c0 Response Queue:
Empty
ld 0x55fea06bc0c0 response count 0
ldap_chkResponseList ld 0x55fea06bc0c0 msgid 1 all 1
ldap_chkResponseList returns ld 0x55fea06bc0c0 NULL
ldap_int_select
read1msg: ld 0x55fea06bc0c0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x55fea06bc0c0 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x55fea06bc0c0 0 new referrals
read1msg: mark request completed, ld 0x55fea06bc0c0 msgid 1
request done: ld 0x55fea06bc0c0 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed
Advanced filters
The usual catch-all filter is (objectClass=*). In a large company, where AD holds thousands or hundreds of thousands of users, that query returns everything under the base and is slow; on AD it also runs into the server's default limit of 1000 entries per result (MaxPageSize) unless you ask for paged results with -E pr=1000/noprompt. Narrow the search instead, by person or by department; non-ASCII values such as Chinese department names can be used directly in the filter.
Filter to try: (&(objectCategory=Person)(sAMAccountName=*)(department=上海分公司信息技术部)), i.e. the full department name after department=. Put a specific account name after sAMAccountName= to pick one user, or * to require the attribute to be present and list everyone in the department; left empty, (sAMAccountName=) matches nobody and the whole AND filter returns nothing. objectCategory and sAMAccountName exist only in AD; on a plain OpenLDAP server with inetOrgPerson entries like the one above, the equivalent is (&(objectClass=inetOrgPerson)(uid=jie.wan)). Quote the filter on the command line so the shell does not expand the *.
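The moment a filter value comes from somewhere other than your own keyboard, for instance a department or user name typed into the system you are integrating, it has to be escaped: the characters * ( ) \ and NUL change the filter's structure, which is LDAP filter injection. The block below is an added example, not code from the original post. It builds the AD department filter from the text (with the department name above) and the OpenLDAP equivalent, using RFC 4515 escaping, and shows what an unescaped value does to the filter. The function names are mine.

```python
"""Build LDAP search filters safely (RFC 4515 escaping).

Added example, not code from the original post. It builds the AD department
filter from the text and an OpenLDAP equivalent, and shows what goes wrong
when a filter value comes from user input unescaped (LDAP filter injection).
Attribute names are the standard AD / inetOrgPerson ones; the function
names are this example's own.
"""

# The five characters with meaning inside a filter value (RFC 4515 section 3).
# Everything else, including UTF-8 text such as Chinese, is passed through.
_SPECIAL = "\\*()\x00"


def escape_filter_value(value):
    """Escape one assertion value for use inside an LDAP filter."""
    return "".join("\\%02x" % ord(ch) if ch in _SPECIAL else ch for ch in value)


def ad_people_in_department(department, account=None):
    """AD filter: people in `department`; `account` narrows to one
    sAMAccountName. With account=None the clause is a presence test
    (sAMAccountName=*); an empty value (sAMAccountName=) would match nobody."""
    acct = "*" if account is None else escape_filter_value(account)
    return "(&(objectCategory=Person)(sAMAccountName=%s)(department=%s))" % (
        acct, escape_filter_value(department))


def openldap_person(uid):
    """Equivalent for a plain OpenLDAP directory like the one in the output
    above, which has no objectCategory/sAMAccountName: inetOrgPerson + uid."""
    return "(&(objectClass=inetOrgPerson)(uid=%s))" % escape_filter_value(uid)


def injection_demo(user_input):
    """Return (unsafe, safe) filters built from the same input. With the
    input '*)(uid=*' the unsafe version turns an exact match into a
    match-everything filter; the safe one looks for that literal string."""
    unsafe = "(&(objectClass=inetOrgPerson)(uid=%s))" % user_input
    return unsafe, openldap_person(user_input)


if __name__ == "__main__":
    print(ad_people_in_department("上海分公司信息技术部"))
    print(ad_people_in_department("上海分公司信息技术部", "jie.wan"))
    for f in injection_demo("*)(uid=*"):
        print(f)
```

On the command line the escaped filter is passed as the last argument in single quotes, e.g. ldapsearch ... '(&(objectCategory=Person)(sAMAccountName=*)(department=上海分公司信息技术部))'; the escaping is what matters inside any glue code that assembles the filter for another system.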
(Screenshot omitted; it only illustrated the filter above.)