If you have to discover an LDAP server, it's important to know the basics. I'll list a few important
ldapsearch
commands to get you started.
- Listing the contents of the root DSE:
ldapsearch -xLLL -H "ldaps://ldapserver.example.com/" -b "" -s base "(objectClass=*)" "+" "*"
Let's see what each of the options mean:
-xLLL
: -x
specifies to use simple authentication (instead of SASL), the three LLL
restrict the output to LDIFv1, disable comments and printing of the LDIF version (and without any -D
and -W
options this will result in an anonymous bind to the LDAP server)
-H
: specifies the URI of the LDAP server (the ldaps://ldapserver.example.com/
means an SSL connection to ldapserver.example.com using the standard 636 SSL port)
-b
: specifies the base DN for the search (for the root DSE we need an empty base DN)
-s
: specifies the search scope (for the root DSE we need a base objects search)
"(objectClass=*)"
: the search filter (where the objectClass=* value means: no filtering at all)
"+"
and "*"
: specifies the attributes to fetch ("+"
stands for all operational attributes and "*"
stands for all user attributes)
- Listing the schemas of the LDAP server:
ldapsearch -xLLL -H "ldaps://ldapserver.example.com/" -b "cn=Subschema" -s base "(objectClass=*)" "+" "*"
In the result of the first query you'll find a subschemaSubentry
attribute. In our second query we list the contents of the DN specified by this attribute.
- Listing the configuration context tree:
ldapsearch -xLLL -H "ldaps://ldapserver.example.com/" -b "cn=config" -s base -a always "(objectClass=*)" "+" "*"
In the result of the first query you'll find a configContext
attribute. In our third query we list the contents of the DN specified by this attribute.
You might get an error here since not all LDAP servers let you have a peek at the configuration context.
- Listing the contents of the default naming context:
ldapsearch -xLLL -H "ldaps://ldapserver.example.com/" -b "dc=example,dc=com" -s sub -a always "(objectClass=*)" "+" "*"
In the result of the first query you'll find a namingContexts
attribute. In our fourth query we list the contents of the DN specified by the first element of this attribute.
Note that we do a subtree search here (due to the -s sub
option) which will list the entire domain. You might not want to do this in a larger organization since it'd dump a huge amount of information that you don't necessarily need.
If your LDAP server is set up to require authentication for any of the above queries, then add
-D cn=admin,dc=example,dc=com -W
to the commands where
-D
specifies the DN of the LDAP server's admin account and
-W
asks for its password.
Recent comments
2 years 26 weeks ago
3 years 47 weeks ago
3 years 47 weeks ago
3 years 49 weeks ago
3 years 50 weeks ago
4 years 5 weeks ago
4 years 5 weeks ago
4 years 5 weeks ago
4 years 5 weeks ago
4 years 5 weeks ago