LDAP queries (FreeIPA) - integration
ldapsearch usage
usage: ldapsearch [options] [filter [attributes...]]
where:
  filter          RFC 4515 compliant LDAP search filter
  attributes      whitespace-separated list of attribute descriptions
    which may include:
      1.1   no attributes
      *     all user attributes
      +     all operational attributes
Search options:
  -a deref   one of never (default), always, search, or find
  -A         retrieve attribute names only (no values)
  -b basedn  base dn for search
  -c         continuous operation mode (do not stop on errors)
  -E [!]<ext>[=<extparam>] search extensions (! indicates criticality)
             [!]domainScope                 (domain scope)
             !dontUseCopy                   (Don't Use Copy)
             [!]mv=<filter>                 (RFC 3876 matched values filter)
             [!]pr=<size>[/prompt|noprompt] (RFC 2696 paged results/prompt)
             [!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]
                                            (RFC 2891 server side sorting)
             [!]subentries[=true|false]     (RFC 3672 subentries)
             [!]sync=ro[/<cookie>]          (RFC 4533 LDAP Sync refreshOnly)
                     rp[/<cookie>][/<slimit>] (refreshAndPersist)
             [!]vlv=<before>/<after>(/<offset>/<count>|:<value>)
                                            (ldapv3-vlv-09 virtual list views)
             [!]deref=derefAttr:attr[,...][;derefAttr:attr[,...][;...]]
             [!]<oid>[=:<b64value>] (generic control; no response handling)
  -f file    read operations from `file'
  -F prefix  URL prefix for files (default: file:///var/folders/f4/hxprdny171xcxd6crclwv5q40000gn/T//)
  -l limit   time limit (in seconds, or "none" or "max") for search
  -L         print responses in LDIFv1 format
  -LL        print responses in LDIF format without comments
  -LLL       print responses in LDIF format without comments
             and version
  -M         enable Manage DSA IT control (-MM to make critical)
  -P version protocol version (default: 3)
  -s scope   one of base, one, sub or children (search scope)
  -S attr    sort the results by attribute `attr'
  -t         write binary values to files in temporary directory
  -tt        write all values to files in temporary directory
  -T path    write files to directory specified by path (default: /var/folders/f4/hxprdny171xcxd6crclwv5q40000gn/T/)
  -u         include User Friendly entry names in the output
  -z limit   size limit (in entries, or "none" or "max") for search
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>   (RFC 4528; a RFC 4515 Filter string)
             [!]authzid=<authzid> (RFC 4370; "dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit       (RFC 3296)
             [!]noop
             ppolicy
             [!]postread[=<attrs>] (RFC 4527; comma-separated attr list)
             [!]preread[=<attrs>]  (RFC 4527; comma-separated attr list)
             [!]relax
             [!]sessiontracking
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Identifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -N         do not use reverse DNS to canonicalize SASL host name
  -O props   SASL security properties
  -o <opt>[=<optparam] general options
             nettimeout=<timeout> (in seconds, or "none" or "max")
             ldif-wrap=<width>    (in columns, or "no" for no wrapping)
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)
ldap.conf
URI ldap://host.sub.domain.tld
BASE dc=sub,dc=domain,dc=tld
TLS_CACERT /etc/ipa/ca.crt
ldapsearch commands
basics
parameters that can be used
A `#` comment placed after the line-continuation backslash ends the command at that point, so the options are described below the command instead of inline:
ldapsearch \
    -x \
    -u \
    -n \
    -v \
    -L \
    -ZZ \
    -H ldap://host.sub.domain.tld \
    -b 'dc=sub,dc=domain,dc=tld' \
    -D "uid=system,cn=sysaccounts,cn=etc,dc=sub,dc=domain,dc=tld"
- -x: Simple authentication
- -u: include User Friendly entry names in the output
- -n: show what would be done but don't actually do it
- -v: run in verbose mode (diagnostics to standard output)
- -L: print responses in LDIFv1 format
- -ZZ: send a Start TLS request and require a successful response
- -H: the URI to use; a combination of the protocol, host name and port
- -b: the BaseDN to search under
- -D: the BindDN of the account authorized to run the query
anonymous query
ldapsearch -xvuL -H ldap://host.sub.domain.tld:389 -b "dc=sub,dc=domain,dc=tld"
locking down anonymous queries
On the host, run:
ldapmodify -x -D 'cn=Directory Manager' -W
Enter LDAP Password:
dn: cn=config
changetype: modify
replace: nsslapd-allow-anonymous-access
nsslapd-allow-anonymous-access: rootdse
<blank line>
^D
restart-dirsrv
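After the restart, it is worth confirming that the change behaves as intended: an anonymous read of the rootDSE still succeeds (that is what the `rootdse` value is for), while an anonymous read of the suffix is refused. The script below is an added example, not part of the original page; the host and base DN are the page's placeholders, and the expectation that a refused anonymous search exits with LDAP result code 48 (inappropriateAuthentication) is an assumption about 389-ds behaviour, which is why the code maps the exit status through one function instead of hard-coding a success/failure test.

```shell
#!/bin/sh
# Added example, not from the original page: check that the
# nsslapd-allow-anonymous-access=rootdse change is in effect.
# The host and base DN are the page's placeholders.
LDAP_URI="ldap://host.sub.domain.tld"
BASE_DN="dc=sub,dc=domain,dc=tld"

# OpenLDAP's ldapsearch exits with the LDAP result code of the failed
# operation. Result code 48 (inappropriateAuthentication) is what an
# anonymous search outside the rootDSE is expected to return once
# anonymous access is restricted (assumption about 389-ds behaviour).
anon_verdict() {
    case "$1" in
        0)  echo "anonymous-allowed" ;;
        48) echo "anonymous-denied" ;;
        *)  echo "error:$1" ;;
    esac
}

# Anonymous read of the rootDSE (empty base, scope base): must still
# work with "rootdse", because clients use it to discover the suffix.
check_rootdse() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "" -s base namingContexts \
        >/dev/null 2>&1
    anon_verdict $?
}

# Anonymous read of the suffix entry itself: must now be denied.
check_suffix() {
    ldapsearch -x -LLL -H "$LDAP_URI" -b "$BASE_DN" -s base dn \
        >/dev/null 2>&1
    anon_verdict $?
}

# Only run the live checks when the client tools are installed.
if command -v ldapsearch >/dev/null 2>&1; then
    echo "rootDSE: $(check_rootdse)"
    echo "suffix:  $(check_suffix)"
fi
```

Expected output on a correctly locked-down server is `rootDSE: anonymous-allowed` followed by `suffix: anonymous-denied`; any `error:` verdict (for example 32 for noSuchObject or 1 for an unreachable host) means the check itself did not run cleanly and says nothing about the setting.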
references
- http://www-public.imtbs-tsp.eu/~gardie/LDAP-en/Scenarios/simple-anonymous.html
- https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/disabling-anon-binds.html
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/identity_management_guide/disabling-anon-binds
system account
ldapsearch -xvuL \
-H ldap://host.sub.domain.tld:389 \
-b "dc=sub,dc=domain,dc=tld" \
-D 'cn=Directory Manager' \
-W
basic query
ldapsearch -v -x -L \
-H ldap://host.sub.domain.tld:389 \
-b 'dc=sub,dc=domain,dc=tld' \
-D "uid=binduser,cn=sysaccounts,cn=etc,dc=sub,dc=domain,dc=tld" \
-W
-d level (numeric level) and -u
ldapsearch -v -x -L -u \
-H ldap://host.sub.domain.tld:389 \
-b 'cn=directoryuser,cn=users,cn=accounts,dc=sub,dc=domain,dc=tld' \
-D "uid=binduser,cn=sysaccounts,cn=etc,dc=sub,dc=domain,dc=tld" \
-d 1 \
-W
ldapsearch -v -x -L \
-H ldap://host.sub.domain.tld:389 \
-b 'cn=directorygroup,cn=groups,cn=accounts,dc=sub,dc=domain,dc=tld' \
-D "uid=binduser,cn=sysaccounts,cn=etc,dc=sub,dc=domain,dc=tld" \
-W "(&(objectClass=person)(uid=%uid))"
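The `%uid` in the filter above is a placeholder that a script fills in with a username. Whatever supplies that value (a login form, a provisioning job) must escape it per RFC 4515 before it is spliced into the filter, otherwise a value containing `*`, `(` or `)` changes the meaning of the query. The script below is an added example, not part of the original page: it escapes the value, builds the page's filter from it, and runs the lookup with the password read from a file (`-y`) instead of the `-W` prompt, which is what the parameter list earlier on the page needs for unattended use. The host, base DN and bind DN are the page's placeholders; the password file path is an assumption.

```shell
#!/bin/sh
# Added example, not from the original page: build the page's
# "(&(objectClass=person)(uid=%uid))" filter from an untrusted username
# with the value escaped per RFC 4515, then run the lookup with the
# password read from a file (-y) instead of a prompt (-W).
# Host, base DN and bind DN are the page's placeholders; the password
# file path is an assumption.
LDAP_URI="ldap://host.sub.domain.tld:389"
BASE_DN="cn=users,cn=accounts,dc=sub,dc=domain,dc=tld"
BIND_DN="uid=binduser,cn=sysaccounts,cn=etc,dc=sub,dc=domain,dc=tld"
PASS_FILE="/etc/ipa/binduser.pw"   # assumed path: mode 0600, no trailing newline

# RFC 4515 escaping for an assertion value: backslash must be replaced
# first, then '*', '(' and ')', each becoming a \xx hex escape. (NUL
# needs the same treatment, but a shell variable cannot contain one.)
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# The page's filter with %uid replaced by an escaped value, so that an
# input such as "*)(uid=*" is matched literally instead of widening
# the search to every person entry.
person_filter() {
    printf '(&(objectClass=person)(uid=%s))' "$(ldap_escape "$1")"
}

# Look up one user; prints uid, cn and group membership in LDIF.
# -ZZ requires Start TLS to succeed (CA from TLS_CACERT in ldap.conf).
search_person() {
    ldapsearch -x -LLL -ZZ -H "$LDAP_URI" -b "$BASE_DN" \
        -D "$BIND_DN" -y "$PASS_FILE" \
        "$(person_filter "$1")" uid cn memberOf
}

# Usage: ./search_person.sh alice
if [ $# -eq 1 ] && command -v ldapsearch >/dev/null 2>&1; then
    search_person "$1"
fi
```

The escaping order matters: backslash is handled first so that the backslashes introduced by the later substitutions are not escaped a second time. With this in place, `person_filter '*)(uid=*'` yields `(&(objectClass=person)(uid=\2a\29\28uid=\2a))`, a filter that matches only a uid literally spelled that way.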