Red Hat Summit10장. Searching IdM entries using the ldapsearch command
You can use the ipa find command to search through the Identity Management entries. For more information about ipa command see Structure of IPA commands section in the Accessing Identity Management services documentation.
This section introduces the basics of an alternative search option using ldapsearch command line command through the Identity Management entries.
10.1. Using the ldapsearch command
The ldapsearch command has the following format:
# ldapsearch [-x | -Y mechanism] [options] [search_filter] [list_of_attributes]-
To configure the authentication method, specify the
-xoption to use simple binds or the-Yoption to set the Simple Authentication and Security Layer (SASL) mechanism. Note that you need to obtain a Kerberos ticket if you are using the-Y GSSAPIoption. -
The options are the
ldapsearchcommand options described in a table below. - The search_filter is an LDAP search filter.
- The list_of_attributes is a list of the attributes that the search results return.
For example, you want to search all the entries of a base LDAP tree for the user name user01:
# ldapsearch -x -H ldap://ldap.example.com -s sub "(uid=user01)"-
The
-xoption tells theldapsearchcommand to authenticate with the simple bind. Note that if you do not provide the Distinguish Name (DN) with the-Doption, the authentication is anonymous. -
The
-Hoption connects you to the ldap://ldap.example.com. -
The
-s suboption tells theldapsearchcommand to search all the entries, starting from the base DN, for the user with the name user01. The "(uid=user01)" is a filter.
Note that if you do not provide the starting point for the search with the -b option, the command searches in the default tree. It is specified in the BASE parameter of the etc/openldap/ldap.conf file.
| Option | Description |
|---|---|
| -b |
The starting point for the search. If your search parameters contain an asterisk (*) or other character, that the command line can interpret into a code, you must wrap the value in single or double quotation marks. For example, |
| -D | The Distinguished Name (DN) with which you want to authenticate. |
| -H |
An LDAP URL to connect to the server. The |
| -l | The time limit in seconds to wait for a search request to complete. |
| -s scope | The scope of the search. You can choose one of the following for the scope:
|
| -W | Requests for the password. |
| -x | Disables the default SASL connection to allow simple binds. |
| -Y SASL_mechanism | Sets the SASL mechanism for the authentication. |
| -z number | The maximum number of entries in the search result. |
Note, you must specify one of the authentication mechanisms with the -x or -Y option with the ldapsearch command.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}