/projects/ ldapsearch oneliners

ldapsearch is a command line tool for querying ldap. Sometimes you want to retrieve directory information and don't have access an administrative interface, or you want something that's scriptable -- that's when ldapsearch comes in handy.

handy environmental variables:

export LDAP_HOST="ldap01.example.com"
export LDAP_SEARCH_BASE="dc=foo,dc=bar" # the search base for your searches 
export LDAP_BIND_DN="$USERNAME@foo.bar" the DistinguishedName to use when binding to the ldap host

export LDAP_PASSWORD_ARG="-w" #prompts everytime the command is run
export LDAP_PASSWORD_ARG="-W mysecurepassword" #stores your password to the ldap server in memory (probably a bad idea)

here are some one-liners that I use pretty frequently:

#list all groups
#usage: ldaplistgroups
alias ldaplistgroups='ldapsearch -x -h $LDAP_HOST -b "$LDAP_SEARCH_BASE" -D $LDAP_BIND_DN "(objectcategory=group)" * $LDAP_PASSWORD_ARG | grep "^dn:" | sed "s/.* CN=\([^,]*\),.*/\1/" | sort'

#list all members of the given group
#usage: ldapmembership "engineering-team"
ldapmembership() { ldapsearch -x -h $LDAP_HOST -b "$LDAP_SEARCH_BASE" -D $LDAP_BIND_DN "(&(objectcategory=user)(memberof=CN=$1,OU=Distribution Groups,$LDAP_SEARCH_BASE))" * $LDAP_PASSWORD_ARG | grep ^mailNickname: | sed "s/mailNickname: //" | tr [A-Z] [a-z] | sort }

#show the given user's entire ldap entry
#usage: ldapuser "Matt Komo"
ldapuser() { ldapsearch -x -h $LDAP_HOST -b "$LDAP_SEARCH_BASE" -D $LDAP_BIND_DN "(&(objectcategory=user)(CN=$1))" $LDAP_PASSWORD_ARG }

and here is a slightly more complicated bash script that I use to retrieve all groups that a user is a member of (including recursive groups):


#usage: ldapallgroups "Matt Komo"

echoerr() { echo "$@" 1>&2; }

while [ "$(echo $QUERY | wc -c)" -gt "6" ]; do

    LDG=$(ldapsearch -x -h $LDAP_HOST -b "$LDAP_SEARCH_BASE" -D $LDAP_BIND_DN "$QUERY" 'memberOf' $LDAP_PASSWORD_ARG | grep "^memberOf: " | sed "s/memberOf: \([^,]*\),.*/\1/")
    if [ -n "$LDG" ]; then
        echoerr "next order groups: "
        echo "$LDG"
    QUERY=$(echo "(|($LDG))" | tr "\n" "&" | sed 's/\&$//' | sed "s/\&/)(/g");
    echoerr "next query: $QUERY"