LDAP Notes and Snippets
LDAP is fucking hard and unintuitive, therefore here I provide a few snippets. -LLL means subtree search. I’ve never really understood SASL connection and authentication. For me it is black magic.
Check out my Introduction to LDAP in the modern era to learn the concepts and get a general introduction to LDAP.
List all entries in whole LDAP
ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -s base '(objectclass=*)'
List distinguished names
This lists the distinguished names of all objects in the domain: accounts, groups and other things.
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=example,dc=foo,dc=org dn
List configuration of LDAP
You will certainly need this to see pagination and cache size.
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b olcDatabase={1}hdb,cn=config
List mail aliases
NIS aliases are defined in the core.schema file.
ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b ou=Aliases,dc=example,dc=foo,dc=org objectClass=nisMailAlias
Another search
Search for entries with sn=smith and return only cn, sn and telephoneNumber.
ldapsearch -LLL "(sn=smith)" cn sn telephoneNumber
Import from ldif file
Try to avoid this somehow.
ldapadd -h localhost -x -W -D "cn=admin,dc=example,dc=org" -c -f base.ldif
ldapadd -Q -Y EXTERNAL -H ldapi:/// -f samba.ldif
Delete by dn
Delete the object specified by its distinguished name.
ldapdelete -h localhost -x -W -D "cn=admin,dc=example,dc=org" -c "uid=lordoflulz,ou=People,dc=example,dc=org"
Restore index?
If you change or set indexing on objects, run this. Syslog.log will tell…
ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f index
Backup
DO NOT copy the db from /var/lib/ldap and /etc/ldap/schema. It won’t work, I’ve tried. slapcat is the program of choice.
original server with the database
This lists lots of entries.
foo@n2orava:/etc/ldap/schema$ ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'dc=example,dc=com' -s children '(objectclass=*)'
second box with copied database
root@witch:~# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b 'dc=example,dc=com' -s base '(objectclass=*)' dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
No such object (32)
root@witch:/var/lib# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// dn
No such object (32)
root@witch:/var/lib# ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b dc=example,dc=com dn
No such object (32)
# syslog
Mar 24 11:16:36 witch slapd[7841]: conn=1011 op=1 do_search: invalid dn: "AccountsService"
The frustrating thing is that slapcat will list all items in both cases. I guess I’ve somehow misconfigured it, but I have only one life.
If using OpenLDAP, backup the database like this:
slapcat -l backup.ldif
So copy the database via slapcat (LDIF) and copy the schemas. I still think that these utilities are from the Stone Age and everything in LDAP is so obscure.
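A pre-restore sanity check I would add here (example code of my own, not from this post and not part of OpenLDAP's tools): parse the slapcat LDIF yourself, confirm that the suffix you configured as olcSuffix on the new box actually has an entry in the dump, and list orphan entries whose parent DN is missing from the dump. The sample LDIF below is constructed; the suffix and orphan checks are my own assumptions about what to verify, not anything slapcat or slapadd reports.

```python
import base64

# Constructed stand-in for a `slapcat -l backup.ldif` dump: a folded value, a
# base64 ('::') value, and an orphan entry whose parent ou=Staff was never dumped.
SAMPLE_LDIF = """\
dn: dc=example,dc=com
objectClass: dcObject
dc: example

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit

dn: uid=bar,ou=People,dc=example,dc=com
cn:: QmFyIE5vdmFr
description: a folded value
  continues here

dn: uid=foo,ou=Staff,dc=example,dc=com
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; unfolds lines and decodes '::' base64."""
    entries = []
    for block in text.replace("\n ", "").split("\n\n"):  # unfold, then split records
        dn, attrs = None, {}
        for line in filter(None, block.splitlines()):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries

def normalize_dn(dn):  # case-fold, strip spaces at RDN separators; escaped commas not handled
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_backup(text, suffix):
    """Return (entry_count, suffix_missing, orphans) for a dump to be loaded under
    olcSuffix=suffix; no suffix entry means 'No such object (32)' on the restored box."""
    entries = parse_ldif(text)
    dns = {normalize_dn(dn) for dn, _ in entries}
    suffix = normalize_dn(suffix)
    orphans = sorted(d for d in dns if d != suffix and d.split(",", 1)[-1] not in dns)
    return len(entries), suffix not in dns, orphans
```

Run check_backup over your real dump with the olcSuffix of the target box; a True in the second position is the mismatch that gives "No such object" even though slapcat happily lists everything.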
Postfix aliases and LDAP bug, maybe postfix-ldap bug
It took me like two years to notice. It all began when…
Somebody writes a mail message to a man called foo and to another man called bar. Both have accounts on our domain. Well, only bar does; foo does not exist (anymore).
Mail recipient: foo@example.org, CC: bar@example.org.
So if foo is not found and bar exists, the mail won’t be delivered to anyone. It’s sent to the postmaster.
Conclusion
I’m still so tired of LDAP. It is enough for me to think or write about it and I feel the insanity and really heavy chains around me again ;-) I need to rest now… go to the land where I don’t feel so much despair and torture. Battle-worn user out!
Edit 2021: I’m free! Yeah, I chose a hard technology without much documentation when I wasn’t even able to read the source code. I don’t see it as something hard now, as I can write stuff to automate everything.