The ldapsearch command is used to query information from LDAP directories. It can be used on many occasions with different filter statements. Various ldapsearch command examples and use cases with advanced options are discussed here.
Note: Replace the password ($PASS) and the root DN with your server values. You may need to specify the LDAP URI and authentication method, depending on your configuration. Here I am working directly on the LDAP server.
Filter user with UID
Look for users with a given UID number. This command lists the users whose uidNumber is set to 20005.
#ldapsearch -xw $PASS -D cn=manager,dc=sunt,dc=com -b dc=sunt,dc=com uidnumber=20005 -LLL
Filter user with NAME & Mail
View a user profile by searching on login name and email id. This command gets us the user whose login id is “kanna” and whose mail id is set to “kanna@sunt.com”.
#ldapsearch -xw $PASS -LLL -D cn=manager,dc=sunt,dc=com -b dc=sunt,dc=com "(&(uid=kanna)(mail=kanna@sunt.com))"
Global list of users with email id
This command looks for users who have an email id set anywhere in the LDAP directory, then lists those usernames with their email ids.
#ldapsearch -w $PASS -D cn=manager,dc=sunt,dc=com -b dc=sunt,dc=com -LLL "(&(objectclass=posixaccount)(mail=*))" mail
dn: uid=emp7,ou=people,dc=sunt,dc=com
mail: emp7@rhel4.sunt.com
mail: emp7@rhel2.sunt.com
mail: personalbox@gmail.com

dn: uid=kanna,ou=people,dc=sunt,dc=com
mail: kanna@sunt.com
List the users from one OU
This command gets us the list of users that exist in the OU named “vend”.
#ldapsearch -w $PASS -D cn=manager,dc=sunt,dc=com -b dc=sunt,dc=com -LLL '(&(objectclass=posixaccount)(ou:dn:=vend))' dn
Using the exclamation (!) symbol, this output can be inverted.
#ldapsearch -w $PASS -D cn=manager,dc=sunt,dc=com -b dc=sunt,dc=com -LLL '(&(objectclass=posixaccount)(!(ou:dn:=vend)))' dn
This command gets us the list of users in the whole LDAP directory, but excludes the users from the OU named “vend”.
Note: You may need to use single quotes (') around the filter to avoid the exclamation symbol (!) being substituted by the shell.
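The filters above are typed by hand, but in scripts the uid, mail or OU value usually comes from a variable. When it does, the value must be escaped per RFC 4515 so that characters such as `*`, `(` and `)` are matched literally instead of changing the structure of the filter, and the filter should reach ldapsearch as a single argv element so the shell never sees the `!`. The following is an added example (not part of the original post) that builds the page's own filters from variables; `ldapsearch_argv` and the assumed bind DN and base are placeholders taken from the post's commands.

```python
"""Build ldapsearch filters safely from script variables.

Added example (not from the original post): RFC 4515 escaping of filter
values, plus handing the filter to ldapsearch as one argv element so the
shell never interprets '!' or '*'.
"""
import subprocess
from typing import List, Sequence

# RFC 4515 section 3: these characters must be written as \XX inside a
# filter assertion value.
_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a literal assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def eq(attr: str, value: str) -> str:
    """(attr=value) with the value escaped."""
    return f"({attr}={escape_filter_value(value)})"


def and_filter(*parts: str) -> str:
    return "(&" + "".join(parts) + ")"


def not_filter(part: str) -> str:
    return "(!" + part + ")"


def user_by_uid_and_mail(uid: str, mail: str) -> str:
    """The 'Filter user with NAME & Mail' example, built from variables."""
    return and_filter(eq("uid", uid), eq("mail", mail))


def users_outside_ou(ou: str) -> str:
    """The inverted OU example: posixAccounts not under the given OU.
    (ou:dn:=...) is the DN-attribute matching rule used in the post."""
    return and_filter(eq("objectclass", "posixaccount"),
                      not_filter(f"(ou:dn:={escape_filter_value(ou)})"))


def ldapsearch_argv(bind_dn: str, password: str, base: str,
                    ldap_filter: str, attrs: Sequence[str] = ()) -> List[str]:
    """argv list for ldapsearch. Each element goes straight to exec (no
    shell), so '!' and '*' in the filter need no quoting at all."""
    return (["ldapsearch", "-x", "-LLL", "-D", bind_dn, "-w", password,
             "-b", base, ldap_filter] + list(attrs))


def run_ldapsearch(argv: List[str]) -> subprocess.CompletedProcess:
    """Run the prepared argv without a shell; the caller inspects .stdout."""
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print(user_by_uid_and_mail("kanna", "kanna@sunt.com"))
    # Constructed malformed input: unescaped, the ')' and '*' would alter the
    # filter structure instead of being matched as literal characters.
    print(user_by_uid_and_mail("*)(uid=*", "x"))
    print(ldapsearch_argv("cn=manager,dc=sunt,dc=com", "$PASS",
                          "dc=sunt,dc=com", users_outside_ou("vend"), ["dn"]))
```

Passing the argv list to `subprocess.run` (rather than a shell string) is what makes the single-quote advice above unnecessary in scripts; the escaping is what keeps a value such as `*` from turning an equality test into a wildcard.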
Advanced filtering – Search extension
Using the “-E” option of ldapsearch, the output can be filtered twice; it is sequential filtering. This option is called a search extension.
List of users set with personal mail id
From the previous output we found that a few users have both a personal and an official mail id set. Using the advanced filter option, list the users who have a personal (“gmail.com”) mail id set.
# ldapsearch -w $PASS -D cn=manager,dc=sunt,dc=com -b dc=sunt,dc=com -LLL "(&(objectclass=posixaccount)(mail=*))" -E mv="(mail=*gmail.com)"
dn: uid=emp7,ou=people,dc=sunt,dc=com
mail: personalbox@gmail.com

dn: uid=kanna,ou=people,dc=sunt,dc=com
The “mv” switch within the search extension is called the “matched values” filter: the entries still match the main filter, but only the attribute values matching the mv filter are returned.
User operational attributes
Add a plus “+” at the end of the command to view a user's operational (read-only) attributes such as pwdChangedTime, pwdAccountLockedTime, pwdHistory, etc. This page elaborates in detail on operational attributes.
#ldapsearch -w $PASS -D cn=manager,dc=sunt,dc=com -b ou=people,dc=sunt,dc=com -LLL uid=kanna +
dn: uid=kanna,ou=people,dc=sunt,dc=com
structuralObjectClass: inetOrgPerson
entryUUID: 743ef80c-14d5-1036-91b0-67719630ec10
creatorsName: cn=manager,dc=sunt,dc=com
createTimestamp: 20160922055922Z
entryCSN: 20160922055922.824870Z#000000#000#000000
modifiersName: cn=manager,dc=sunt,dc=com
modifyTimestamp: 20160922055922Z
entryDN: uid=kanna,ou=people,dc=sunt,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
View last password changed time of user
#ldapsearch -w $PASS -D cn=manager,dc=sunt,dc=com -b ou=people,dc=sunt,dc=com -LLL uid=kanna pwdchangedtime
pwdChangedTime: 20160922060449Z
The letter “Z” at the end means the time is represented in UTC. The last password changed time is in YYYYMMDDHHMMSS format.
View user account lock status
Use this command to identify whether a user account is locked or not. If the “pwdAccountLockedTime” attribute value is set, then the user is locked and further logins are not allowed.
# ldapsearch -w $PASS -D cn=manager,dc=sunt,dc=com -b ou=people,dc=sunt,dc=com -LLL uid=kanna pwdchangedtime pwdaccountlockedtime
dn: uid=kanna,ou=people,dc=sunt,dc=com
pwdChangedTime: 20160922060449Z
pwdAccountLockedTime: 20160922062218Z
This command does not return a “pwdAccountLockedTime” value if the account is not locked.
Global list of the locked users
Use this command to retrieve the list of users whose account is locked, across the whole LDAP directory.
#ldapsearch -w $PASS -D cn=manager,dc=sunt,dc=com -b dc=sunt,dc=com -LLL "(&(objectclass=posixaccount)(pwdaccountlockedtime=*))" dn
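When the lock-status and password-change commands above are run across many users, the LDIF they print is easier to act on once it is parsed: unfold continuation lines, decode the GeneralizedTime values, and turn them into a lock status and a password age. The following is an added example, not code from the original post; the LDIF it parses is constructed sample output modelled on the post's 20160922 values, and the `000001010000Z` sentinel is the value slapo-ppolicy stores for an administratively locked account (it is not a parseable timestamp, so it needs its own branch).

```python
"""Parse ldapsearch -LLL output for password-policy attributes.

Added example, not from the original post. Parses LDIF such as the
pwdChangedTime / pwdAccountLockedTime output above and reports, per entry,
whether the account is locked and how old its password is.
"""
import base64
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed sample output: one locked account and one unlocked one.
# The second dn is folded across two lines the way LDIF allows.
SAMPLE_LDIF = """dn: uid=kanna,ou=people,dc=sunt,dc=com
pwdChangedTime: 20160922060449Z
pwdAccountLockedTime: 20160922062218Z

dn: uid=emp7,ou=people,dc=sunt,
 dc=com
pwdChangedTime: 20160101000000Z
"""

# Reference "now" for the sample, so password ages are reproducible.
REFERENCE_NOW = datetime(2016, 10, 1, tzinfo=timezone.utc)

# slapo-ppolicy stores this sentinel (not a real timestamp) when an account
# has been locked administratively rather than by failed logins.
PERMANENT_LOCK = "000001010000Z"

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased
    (LDAP attribute names are case-insensitive), values kept as lists."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # unfold a continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:                  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):               # LDIF comment
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def parse_generalized_time(value: str) -> datetime:
    """YYYYMMDDHHMMSS[.fff]Z -> timezone-aware UTC datetime."""
    if not value.endswith("Z"):
        raise ValueError(f"expected UTC GeneralizedTime, got {value!r}")
    body = value[:-1].split(".")[0]            # drop fractional seconds if present
    return datetime.strptime(body, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def lock_status(entry: Entry) -> str:
    locked = entry.get("pwdaccountlockedtime")
    if not locked:
        return "unlocked"
    if locked[0] == PERMANENT_LOCK:
        return "locked (administrative)"
    return f"locked since {locked[0]}"


def password_age_days(entry: Entry, now: datetime) -> int:
    """Whole days since pwdChangedTime, or -1 if the policy never recorded one."""
    changed = entry.get("pwdchangedtime")
    if not changed:
        return -1
    return (now - parse_generalized_time(changed[0])).days


def report(text: str, now: datetime) -> List[Tuple[str, str, int]]:
    """[(dn, lock status, password age in days)] for every entry in the LDIF."""
    return [(e["dn"][0], lock_status(e), password_age_days(e, now))
            for e in parse_ldif(text)]


if __name__ == "__main__":
    for row in report(SAMPLE_LDIF, REFERENCE_NOW):
        print(row)
```

Feeding the real output of the global locked-users command into `report` gives one line per locked account with the lock time, and the password-age column makes it easy to spot accounts whose password predates the policy's maximum age.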
LDAP server supported SASL mechanisms
This command lists the SASL mechanisms supported by the LDAP server.
#ldapsearch -w $PASS -D cn=manager,dc=sunt,dc=com -LLL -s base -b "" supportedsaslmechanisms
Any one of the supported SASL mechanisms can be used to connect to the LDAP server from clients. For example, if the server supports the “EXTERNAL” mechanism, this command should work.
#ldapsearch -w $PASS -D cn=manager,dc=sunt,dc=com -LLL -Y EXTERNAL -b dc=sunt,dc=com '(objectclass=posixaccount)' dn
The above ldapsearch command examples are the ones I use most often on various occasions. I thought documenting them here would help other geeks. Please post your comments if any.
This is truly helpful, thanks.