The ldapsearch utility is one of the most important tools for the administrator of an LDAP (Lightweight Directory Access Protocol) server. It lets you retrieve any data that is available in the LDAP directory. Currently the most common LDAP implementations are OpenLDAP and Microsoft Active Directory.
Today the ldapsearch utility is used mainly on Linux systems. The Ldapsearch.exe utility was available in Windows 2000, but in Windows Server 2003 it was superseded by the dsquery tool. You can still use ldapsearch on Windows: download and install the OpenLDAP client for Windows (by default ldapsearch is located in the C:\OpenLDAP\bin directory).
Consider the syntax of the ldapsearch tool:
ldapsearch [options] [filter] [attributes]
- -n — display actions that will be performed, but not run them;
- -v — verbose, detailed operation mode;
- -A — display attributes only, without values;
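- -L (-LL, -LLL) — output format (-L — LDIFv1, -LL — disable comments display, -LLL — disable LDIF version display);
- -x — use simple authentication instead of SASL;
- -D — the bind DN (user name) used to connect to the server;
- -w [password] — specify the password on the command line when running the LDAP query (it then ends up in the shell history and the process list; -W, used in later examples, prompts for it instead);
- -h — LDAP server address (deprecated in favor of -H, which takes a URI and is what the examples below use);
- -p — LDAP server port (deprecated in favor of -H);
- -b — search base (the DN where the search starts);
- -s [base|one|sub] — search scope;
- -l — time limit for the search, in seconds;
- -z — size limit: the maximum number of entries returned by the search;
- -Z — use StartTLS.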
Let’s use the ldapsearch utility on Debian Linux to test connectivity to an Active Directory domain controller (the target LDAP server).
AD domain settings:
- AD domain name — theitbros.com;
- FQDN name of the domain controller — dc1.theitbros.com;
- The AD username that is used to connect to LDAP — TestLDAPConnUsr, and its password — P@ssw0r6.
First of all, make sure that the OpenLDAP client is installed on your system:
dpkg -l | grep ldap
Next, check that the LDAP account ADUser1 exists in the container with the DN “OU=Users,OU=London,OU=UK,DC=theitbros,DC=com”.
An LDAP server typically accepts incoming connections on port 389 using TCP or UDP protocols. LDAP servers with SSL use port 636.
To check the LDAP connection (TCP port 389), run the command:
ldapsearch -v -x -D "TestLDAPConnUsr@theitbros.com" -w "P@ssw0r6" -b "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com" -H "ldap://dc1.theitbros.com" "(sAMAccountName=ADUser1)"
In this case, the credentials supplied with -D and -w are sent over the network in clear text, which is not secure.
You can connect to an LDAP server that uses an SSL certificate over the protected LDAPS protocol (TCP port 636). To do this, create a Base64-encoded PEM file containing the root certificates of your domain CA (for example /etc/ssl/cert/itbroscert.pam) and specify the path to this file in the OpenLDAP client configuration file (/etc/ldap/ldap.conf or /etc/openldap/ldap.conf).
Now execute the LDAPS query:
ldapsearch -v -x -D "TestLDAPConnUsr@theitbros.com" -w "P@ssw0r6" \
  -b "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com" -H "ldaps://dc1.theitbros.com" "(sAMAccountName=ADUser1)"
If you entered an incorrect username or password to connect to LDAP, the utility will return:
ldap_bind: Invalid credentials (49)
        additional info: Simple Bind Failed: NT_STATUS_LOGON_FAILURE
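An added example (not from the original article): a small POSIX shell wrapper around the query above that keeps the bind password off the command line with -y, requires StartTLS with -ZZ when the URI is ldap://, and escapes the account name before it is placed in the filter. The function names, the LDAPSEARCH override variable and the password file path are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original article.
# Assumptions: function names, the LDAPSEARCH override and the password file
# path are illustrative. Create the password file without a trailing newline
# (printf '%s' 'secret' > file; chmod 600 file), because -y uses the whole file.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# The backslash is replaced first so later escapes are not escaped again.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Choose the transport option for a server URI.
#   ldaps://  TLS is negotiated before the bind, no extra option needed
#   ldap://   add -ZZ so the bind is only sent if StartTLS succeeds
transport_flag() {
    case "$1" in
        ldaps://*) : ;;
        ldap://*)  printf '%s' '-ZZ' ;;
        *)         return 1 ;;
    esac
}

# find_account URI BIND_DN PASSWORD_FILE BASE_DN ACCOUNT
find_account() {
    flag=$(transport_flag "$1") || { echo "unsupported URI: $1" >&2; return 2; }
    filter="(sAMAccountName=$(ldap_escape "$5"))"
    # $flag is left unquoted on purpose: it is empty for ldaps:// URIs.
    "${LDAPSEARCH:-ldapsearch}" -LLL -x $flag -H "$1" -D "$2" -y "$3" \
        -b "$4" "$filter" dn sAMAccountName
}

# Usage with the article's sample values (password file path is hypothetical):
# find_account "ldaps://dc1.theitbros.com" "TestLDAPConnUsr@theitbros.com" \
#     /root/.ldap_bind_pw "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com" ADUser1
```
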
You can list all users in a specific LDAP directory:
ldapsearch -xLLL -D "TestLDAPConnUsr@theitbros.com" -w "P@ssw0r6" -H "ldaps://dc1.theitbros.com" -b "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com"
To search by username:
ldapsearch -W -x -D "TestLDAPConnUsr@theitbros.com" -b "OU=Users,OU=London,OU=UK,DC=theitbros,DC=com" "(uid=user1)"
To display all user accounts that have an SMTP proxy address, except disabled users, use the command:
ldapsearch -x -D "TestLDAPConnUsr@theitbros.com" -b "dc=example,dc=com" -H "ldaps://dc1.theitbros.com" -W '(&(proxyAddresses=smtp*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'