2 minute read

This post is an update on my previous post Using Python LDAP but instead of using python-ldap, I’ll be using ldapsearch.

This post will include ldapsearch examples for four operations:

Searching for a user by email (or any attribute)

To start, we will find a user by email. The important part is search filter at the end. It can be email, name, phone number. Just know that certain attributes are unique (like email) whereas some are not (like name).

ldapsearch -x -H ldap://server.example.com:389 -b "ou=server,o=example.com" "(mail=stevemar@example.com)"

The output will look like this, take note of the full dn that was returned.

# 123456789, ca, server, example.com
dn: uid=123456789,c=ca,ou=server,o=example.com
objectClass: Person
uid: 123456789
mail: stevemar@example.com
name: Steve Martinelli
jobResponsibilities: Developer

Finding groups that a user is a member of

Next up, finding groups that a user is a member of. There are three important things to note here.

  1. You’ll be switching the search base from the user tree to group one (see the different -b option).
  2. The search filter will be an & of groupOfUniqueNames and where the uniquemember is the full DN of a user.
  3. We need to pass in an attribute to return (in this case, cn), otherwise this query will time-out as the call will attempt to get all information about the groups (including sub-groups).
ldapsearch -x -H ldap://server.example.com:389 -b "ou=memberlist,ou=groups,o=example.com" "(&(objectClass=groupOfUniqueNames)(uniquemember=uid=123456789,c=ca,ou=server,o=example.com))" cn

This output will look like this:

# devteam, memberlist, groups, example.com
dn: cn=devteam,ou=memberlist,ou=groups,o=example.com
cn: devteam

# prodteam, memberlist, groups, example.com
dn: cn=prodteam,ou=memberlist,ou=groups,o=example.com
cn: prodteam

Finding members of a group

Next is finding members of a group, it’s pretty similar to the previous one. We’ll use the same three important points:

  1. Use the group tree: ou=memberlist,ou=groups,o=example.com.
  2. The search filter is an & of groupOfUniqueNames and the cn of a group.
  3. The attribute we’ll specify is uniqueMember, again so we don’t timeout trying to get all attributes and sub-groups.
ldapsearch -x -H ldap://server.example.com:389 -b "ou=memberlist,ou=groups,o=example.com" "(&(objectClass=groupOfUniqueNames)(cn=devteam))" uniqueMember

The output will look like this:

# devteam, memberlist, groups, example.com
dn: cn=devteam,ou=memberlist,ou=groups,o=example.com
uniqueMember: uid=123456789,c=us,ou=server,o=example.com
uniqueMember: uid=111222333,c=us,ou=server,o=example.com
uniqueMember: uid=444555666,c=us,ou=server,o=example.com

Looking up a user based on DN

To look up a specific user, when we have their DN (a group member for instance) involves one important change. We change the search base from the to their user DN and filter on *, for instance:

ldapsearch -x -H ldap://server.example.com:389 -b "uid=111222333,c=us,ou=server,o=example.com" "(objectClass=*)"

The output will look like our first example:

# 111222333, ca, server, example.com
dn: uid=111222333,c=ca,ou=server,o=example.com
objectClass: Person
uid: 111222333
mail: lskywalker@example.com
name: Luke Skywalker
jobResponsibilities: Jedi

Updated: