I no longer have any idea what's what, so for now just a memo..

LDAP glossary

  • DIT = Directory Information Tree
  • DN = Distinguished Name (the full, unique name of an entry, e.g. cn=Administrator,cn=Users,dc=sample,dc=local)
  • DC = domain component
  • O = organization
  • OU = organizational unit
  • CN = common name

How to search the sample.local domain

# Search for the user Administrator: the base is the user's own DN, so the default filter (objectClass=*) returns that one entry
ldapsearch -x -LLL -D "cn=Administrator,cn=Users,dc=sample,dc=local" -W -b "cn=Administrator,cn=Users,dc=sample,dc=local"
# List the entries in the Users container: with the default scope (sub) this returns the container itself and everything below it
ldapsearch -x -LLL -D "cn=Administrator,cn=Users,dc=sample,dc=local" -W -b "cn=Users,dc=sample,dc=local"

Both commands omit -H, so the server is taken from ldap.conf (typically localhost). Note that -x with -W sends the password in clear text unless the connection uses ldaps:// or -ZZ.

Below, an excerpt of the ldapsearch OPTIONS

 ldapsearch opens a connection to an LDAP server, binds,
 and performs a search using specified parameters.
 The filter should conform to the string representation
 for search filters as defined in RFC 4515.
 If not provided, the default filter, (objectClass=*), is used.

 If ldapsearch finds one or more entries,
 the attributes specified by attrs are returned.
 If * is listed, all user attributes are returned.
 If + is listed, all operational attributes are returned.
 If no attrs are listed, all user attributes are returned.
 If only 1.1 is listed, no attributes will be returned.

 The search results are displayed using an extended version of LDIF.
 Option -L controls the format of the output.

 -L                Search results are displayed in LDAP Data Interchange Format detailed in ldif(5).
                   A single -L restricts the output to LDIFv1.
                   A second -L disables comments.
                   A third -L disables printing of the LDIF version.
                   The default is to use an extended version of LDIF.
 -x                use simple authentication (as opposed to SASL).
                   A simple bind sends the password in clear text, so pair it
                   with ldaps:// (-H) or StartTLS (-ZZ) on anything but a loopback connection.
 -H <ldapuri>      Specify a URI or a list of URIs of LDAP servers.
                   This can also be used to specify the protocol, server,
                   and port for queries using SSL/TLS,
                   e.g.: -H "ldaps://myserver.mydomain.com:636".
 -h <ldaphost>     specify host to query (deprecated in OpenLDAP; use -H)
 -p <port>         specify port to connect to; 389 is the default (optional; deprecated, use -H)
 -b <search base>  The starting point for the search.
                   It often looks like "dc=mydomain,dc=com"
                   The base DN names the entry at which the LDAP search starts.
 -D <binddn>       The DN to bind to the directory.
                   In other words, the user you are authenticating with.
                   The bind DN may look like “uid=myuser,dc=mydomain,dc=com” or
                   “cn=Directory Manager”.
                   The Directory Manager is the directory’s superuser account.
 -W                Prompt for the password.
                   The password should match what is in your directory
                   for the binddn (-D).  Mutually exclusive with -w.
 -w <password>     Specify your password on the command line.
                   The password then shows up in the process list and the shell history;
                   prefer -W, or -y <file> to read it from a file.
 -s <scope>        specify the scope as <base|one|sub|children>.
                   base searches just the base object, sub searches the base and its whole subtree,
                   one searches the entries one level below the base, and children searches
                   the whole subtree below the base, excluding the base itself.
                   The default is sub.
 -z 0              Set the sizelimit for a search to unlimited, in the event the server enforces
                   a limit that's cutting off your results. This only removes the client-side limit;
                   the server still applies its own, which only the super user account
                   (Directory Manager) is exempt from.
 -Z / -ZZ          Issue StartTLS; -ZZ makes it mandatory and aborts if StartTLS fails.
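Putting the sample.local searches above together with the options from the excerpt, here is an added shell example (not code from the original page): a wrapper that builds an RFC 4515 filter with the search value escaped, runs the search over StartTLS with the bind password read from a file instead of the command line, and parses the -LLL LDIF output (unfolding continuation lines and decoding base64 "::" values). The host dc01.sample.local, the bind account cn=svc-ldap, the password file ~/.ldap-pass and the LDIF sample are all assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original page. Assumed/hypothetical:
# the DC dc01.sample.local, the bind account cn=svc-ldap and ~/.ldap-pass.
set -e

: "${LDAP_HOST:=dc01.sample.local}"
: "${BASE_DN:=dc=sample,dc=local}"
: "${BIND_DN:=cn=svc-ldap,cn=Users,dc=sample,dc=local}"
: "${PASS_FILE:=$HOME/.ldap-pass}"   # create with: printf '%s' "$pw" > ~/.ldap-pass
                                      # (ldapsearch -y uses the file verbatim; a trailing
                                      # newline would become part of the password)

# Escape a value for use inside an RFC 4515 filter. Without this, input such as
# "*" or "admin)(objectClass=*" rewrites the filter (LDAP filter injection).
# Backslash is handled first so the escapes added afterwards stay intact.
# (NUL would be \00, but a shell string cannot carry a NUL byte.)
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter for one AD user by logon name (sAMAccountName).
user_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$(ldap_filter_escape "$1")"
}

# Search for the user over StartTLS. -ZZ aborts unless StartTLS succeeds, so the
# simple bind (-x) never sends the password in clear text; -y replaces -w, which
# would leave the password visible in `ps` and the shell history. Only the
# attributes named at the end are requested.
ldap_user_search() {
    ldapsearch -x -LLL -ZZ -H "ldap://$LDAP_HOST" \
        -D "$BIND_DN" -y "$PASS_FILE" \
        -b "$BASE_DN" -s sub \
        "$(user_filter "$1")" dn sAMAccountName memberOf
}

# Print every value of one attribute from -LLL LDIF on stdin. LDIF folds long
# values onto continuation lines that start with a space, and writes non-ASCII
# or otherwise unsafe values as base64 after "attr::"; both are handled here.
ldif_attr() {
    attr=$1
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (buf != "") print buf; buf = $0 }
         END { if (buf != "") print buf }' |
    while IFS= read -r line; do
        case $line in
            "$attr:: "*) value=${line#"$attr:: "}
                         printf '%s\n' "$value" | base64 -d; echo ;;
            "$attr: "*)  value=${line#"$attr: "}
                         printf '%s\n' "$value" ;;
        esac
    done
}

# Constructed sample of what the search returns (not a capture from a real DC):
# one folded memberOf value and one base64-encoded description.
SAMPLE_LDIF='dn: CN=Administrator,CN=Users,DC=sample,DC=local
cn: Administrator
sAMAccountName: Administrator
description:: QnVpbHQtaW4gYWNjb3VudA==
memberOf: CN=Domain Admins,CN=Users,DC=sample,DC=local
memberOf: CN=Enterprise Admins,CN=Users,DC=sample,DC=l
 ocal

dn: CN=Guest,CN=Users,DC=sample,DC=local
cn: Guest
sAMAccountName: Guest
'

# Offline demo on the constructed LDIF. Against a live DC the same parsing runs
# on real output:  ldap_user_search "$1" | ldif_attr memberOf
printf '%s' "$SAMPLE_LDIF" | ldif_attr memberOf
```

The escape step is the part that matters whenever the search term comes from a user or another system: a raw "*" turns a lookup of one account into a dump of every user. The ldif_attr parser works just as well on the output of the two sample.local commands above, since they also use -LLL.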

Difficult...

References