Mac OS X Server

Querying ldapsearch

Need to perform lookups on Open Directory from Linux? Need to determine a search base to use an LDAP plug-in for a third party with Active Directory? Determining the layout of a directory service can be important for a number of tasks. Most of these have to do with connecting systems of different platforms with one another.

In OS X, there are a number of tools that will look up directory service information. Most are based on ldapsearch. Using ldapsearch, you can determine whether a search base is good, whether a directory service responds to a given request, and validate some assumptions you may have about an LDAP environment. Let’s take a basic task: searching Open Directory for the diradmin account, where the attribute to match on is uid. Then let’s say that odm.krypted.com is your Open Directory master (the hostname of your server is defined using the -h option) and that the search base uses the default setting (the base is defined using the -b option), which would be dc=odm,dc=krypted,dc=com. Your query using ldapsearch would be:

ldapsearch -h odm.krypted.com -x -b "dc=odm,dc=krypted,dc=com" "uid=diradmin"

The response will let you know that uid diradmin exists in cn=users. The final argument to the above command is the search filter: the attribute within Open Directory, and the value, that you are searching for. Let’s say you wanted to limit your search to users in the users cn:

ldapsearch -h odm.krypted.com -x -b "cn=users,dc=odm,dc=krypted,dc=com" "uid=diradmin"

You can also search for items in a different cn. Let’s look in computers for any computer with a specific MAC address:

ldapsearch -h odm.krypted.com -x -b "cn=computers,dc=odm,dc=krypted,dc=com" "macAddress=00:00:00:00:00:00"

Or by hostname:

ldapsearch -h odm.krypted.com -x -b "cn=computers,dc=odm,dc=krypted,dc=com" "Hostname=someclient.krypted.com"

When I’m troubleshooting latency issues, I’ll often automate a query for a known element from within a directory service and use the -l option, which takes as its parameter the number of seconds a search is allowed to take before it is cut off. It’s a quick and dirty latency check (you could also time a query). Also, if you aren’t running LDAP on the default port (389), you can specify a port using the -p option. The -x option sorts results on servers. If the server is fairly taxed it might be better to have the client sort the results, but if not then it’s always going to be faster to sort server-side. You can use the -z option to limit the number of results to a finite set. Finally, you can choose to export results as LDIF. Using one -L uses LDIF v1, two (-LL) uses LDIF and disables comments, while three (-LLL) also disables printing the LDIF version, meaning the results can be redirected into an actual LDIF file:

ldapsearch -LLL -x -H ldap://odm.krypted.com -b "cn=users,dc=odm,dc=krypted,dc=com" > kryptedusers.ldif
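As an added example (not code from the original post), here is a small POSIX shell script that wraps the commands above: a bounded search against the Open Directory master with -l and -z, the latency check described above, and a parser for the -LLL output that handles folded LDIF lines so an export can be inspected offline. The hostname and base are the post's; the sample LDIF is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the Open Directory master
# odm.krypted.com and base dc=odm,dc=krypted,dc=com from the post (override via env).
OD_HOST="${OD_HOST:-odm.krypted.com}"
OD_BASE="${OD_BASE:-dc=odm,dc=krypted,dc=com}"
OD_TIMELIMIT="${OD_TIMELIMIT:-5}"   # -l: seconds a search may run before it is cut off
# od_search <container cn> <filter> : bare LDIF (-LLL) from one container.
# -H takes a URI (unlike -h, which takes a bare hostname); -x is a simple, non-SASL
# bind; -z caps the entry count so a broad filter cannot dump the whole container.
od_search() {
    ldapsearch -LLL -x -H "ldap://${OD_HOST}" -l "$OD_TIMELIMIT" -z 200 \
        -b "cn=$1,${OD_BASE}" "$2"
}
# od_latency_check : look up a known entry (diradmin, as in the post) and report the
# wall-clock time; -l makes a hung server fail fast instead of blocking the script.
od_latency_check() {
    start=$(date +%s)
    if od_search users "uid=diradmin" | grep -q '^dn:'; then
        echo "ok: diradmin answered in $(( $(date +%s) - start ))s"
    else
        echo "FAIL: no answer from ${OD_HOST} within ${OD_TIMELIMIT}s" >&2; return 1
    fi
}
# ldif_count_entries : number of entries in LDIF on stdin (one "dn:" line each).
ldif_count_entries() { grep -c '^dn:' || true; }
# ldif_attr <attribute> : each value of <attribute> in LDIF on stdin, one per line.
# Folded lines (leading space) are joined first; "attr::" (base64) values are skipped.
ldif_attr() {
    awk -v a="$1" '
        function emit(l) { if (index(l, a ": ") == 1) print substr(l, length(a) + 3) }
        /^ / { buf = buf substr($0, 2); next }
             { if (buf != "") emit(buf); buf = $0 }
        END  { if (buf != "") emit(buf) }'
}
# sample_ldif : constructed output shaped like ldapsearch -LLL, to exercise the
# parsers offline (one folded cn, one base64 cn).
sample_ldif() {
    cat <<'EOF'
dn: uid=diradmin,cn=users,dc=odm,dc=krypted,dc=com
uid: diradmin
cn: Directory Adminis
 trator

dn: uid=jdoe,cn=users,dc=odm,dc=krypted,dc=com
uid: jdoe
cn:: SsO2aG4=
EOF
}
# Run against the server only when asked: OD_RUN=1 sh thisfile.sh
[ "${OD_RUN:-0}" = "1" ] && od_latency_check && od_search users "uid=diradmin" | ldif_attr uid
```

Without OD_RUN=1 the script only defines the functions, so it can be sourced and the parsers fed a saved .ldif file.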