Ldapsearch -X option?

Hi,
I am trying to import OID users with the command
ldapsearch -h $OID_HOSTNAME -p $OID_PORT -X -b "cn=portal.040127.1384,cn=groups,dc=dev_domain,dc=com" -s sub "objectclass=*" > portal_group.xml
which is included & explained below:
LDAPSEARCH
The typical commands to do this operation look like this:
ldapsearch -h $OID_HOSTNAME -p $OID_PORT -X -b "cn=portal.040127.1384,cn=groups,dc=dev_domain,dc=com" -s sub "objectclass=*" > portal_group.xml
ldapsearch -h $OID_HOSTNAME -p $OID_PORT -X -D "cn=orcladmin" -w $IAS_PASSWORD -b "cn=users,dc=dev_domain,dc=com" -s sub "objectclass=inetorgperson" > portal_users.xml
Take care about the following points
The groups are stored in a LDAP directory containing the date of installation
( in this example: portal.040127.1384,cn=groups,dc=dev_domain,dc=com )
If the domain of dev and prod is different, the exported files contain the name of the development domain in the form of 'dc=dev_domain,dc=com' in a lot of places. The domain name needs to be replaced by the production domain name everywhere in the files.
Ldapsearch uses the option '-X'. It is used to export to DSML files (XML). It avoids a problem related to the common LDAP files, LDIF files. LDIF files are wrapped at 78 characters. The wrapping at 78 characters makes it difficult to change the domain name contained in the LDIF files. XML files are not wrapped and do not have this problem.
A sample script to export the 2 XML files is given here in : step 3 - export the users and groups (optional) of the export script.
This note is from Metalink and the -X option must be executable for me; my version is all right (10.1.2),
but it insists on saying ldapsearch illegal option: -X
when I try to run it.
Please help!!!

Hi,
The following link describes the usage of ldapsearch command:
http://download-uk.oracle.com/docs/cd/B14099_08/manage.1012/b14082/syntax.htm#sthref3641
I found SR 4531865.993 related to this issue.
You may refer to this SR and let me know if it helps.
Thanks & Regards,
Sindhiya V.
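
Where `-X` is not available and the export has to stay LDIF, the wrapping problem described in the quoted note can be handled by unfolding the continuation lines before replacing the domain. The following is an added example, not part of the original posts or of any Oracle tooling; the function names and the sample LDIF are constructed for illustration, and the sample deliberately splits the suffix across a fold and hides it in a base64 (`::`) value.

```python
import base64
import re


def unfold_ldif(text):
    """Join RFC 2849 continuation lines: a line that starts with a single
    space continues the previous logical line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # drop exactly one leading space
        else:
            logical.append(raw)
    return logical


def rebase_ldif(text, old_suffix, new_suffix):
    """Replace old_suffix with new_suffix in every value, including values
    that were folded or stored base64-encoded. Output lines are not re-folded
    (folding is optional in LDIF)."""
    pattern = re.compile(re.escape(old_suffix), re.IGNORECASE)

    def swap(value):
        return pattern.sub(lambda _m: new_suffix, value)

    out = []
    for line in unfold_ldif(text):
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#") or rest.startswith("<"):
            out.append(line)                 # blank, comment or URL value
        elif rest.startswith(":"):           # "attr:: <base64>"
            try:
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            except ValueError:               # binary value (photo, cert): keep
                out.append(line)
                continue
            encoded = base64.b64encode(swap(value).encode("utf-8"))
            out.append(f"{attr}:: {encoded.decode('ascii')}")
        else:
            out.append(f"{attr}: {swap(rest.lstrip(' '))}")
    return "\n".join(out) + "\n"


# Constructed sample: the suffix is split by a fold in the dn and is only
# present in encoded form in the uniquemember value.
_B64_MEMBER = base64.b64encode(
    "cn=Jos\u00e9,cn=users,dc=dev_domain,dc=com".encode("utf-8")
).decode("ascii")
SAMPLE_LDIF = (
    "version: 1\n"
    "dn: cn=dba,cn=portal.040127.1384,cn=groups,dc=dev_do\n"
    " main,dc=com\n"
    "objectclass: groupOfUniqueNames\n"
    f"uniquemember:: {_B64_MEMBER}\n"
)

if __name__ == "__main__":
    print(rebase_ldif(SAMPLE_LDIF, "dc=dev_domain,dc=com", "dc=prod_domain,dc=com"))
```

A plain text replace on the sample finds nothing to change, because the literal `dc=dev_domain,dc=com` never appears contiguously in the file.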

Similar Messages

  • Ldapsearch -t option and "temporary files"

    The MAN page shows
    "A single -t writes retrieved non-printable values to a set of temporary files."
    I am using a single -t and the attribute I am returning shows like "cACertificate::" where the :: implies it is binary.
    But I can NEVER find where the file for the "temporary files" is created.
    Normally on Linux/Unix I would expect to find these in /tmp.
    Any ideas?
    Thanks -jim

    Ok, mkstemp (which is the C call being used underneath the ldapsearch -t and -tt switches) returns a "safe" temporary file path, which means the man page is way wrong here.
    The temporary files are logged under /var/folders/{random stuff expunged}/ldapsearch-objectClass-XXXXXX, which means (if you want this to go somewhere else) then you'll want to use -T /var/tmp or whatever.
    The target file locations for the various chunks are displayed when the following syntax is used:
    ldapsearch -LLL -x -h ldap.example.com -b "dc=ldap,dc=example,dc=com" -tt
    Related commands (and useful Google search targets) include:
    $ getconf DARWINUSER_CACHEDIR
    $ getconf DARWINUSER_TEMPDIR
    Whether logging a radar against the documentation is in your future or mine is an open question.

  • Cn Search Problem

    I'm having a strange problem with LDAP filters. We've seen
    a few examples of this, but cannot seem to figure out what
    is causing it. Here's cut 'n' paste of the problem:
      $ ldapsearch -L -b dc=example,dc=com 'uid=paul.rose' cn  
      dn: uid=paul.rose, ou=people, dc=example,dc=com
      cn: Paul Rose
      $ ldapsearch -L -b dc=example,dc=com 'cn=paul rose' cn
      $ ldapsearch -L -b dc=example,dc=com 'cn=paul *' cn    
        [snip two other Pauls, but not "Paul Rose."]
    It's strange what filters work and what does not,
    Works: cn=*e
    Does not: cn=*se
    Works: cn=*s*e
    I would guess that there are "invisible" characters in the
    cn somewhere, but they are really invisible. I can't
    find any. Wouldn't the '-L' flag show that kind of stuff? Can
    anyone offer some ideas?
    Oh, BTW, Sun One Directory Server 5.2.

    Hi,
    I've the same problem but not with the cn attribute.
    I'm looking for a multivalued attribute (foo), here are some of the searches:
    ./ldapsearch -p xxx -b "o=com" -D DManager -w pwd foo=*appli=sgh:role=app* => return nothing
    the same with :
    foo=*Appli=SGH:Role=AAP* => NOK
    foo=*aap* => OK
    foo=*appli=sg* => OK
    foo=*appli=sg*:role=aap* => OK
    foo=*appli=*sgh*:role=aap* => NOK
    foo=*appli=sgh*:role=aap* => NOK
    foo=*appli=sg*h:role=aap* => NOK
    foo=*appli=sg*h*:role=aap* => OK
    foo=*sgh* => NOK
    foo=*gh* => OK
    foo=*sg* => OK
    The lookthrough limit seems not to be the origin of the problem (return of foo=*sg* > return of foo=*sgh*).
    There is no problem with case sensitivity.
    As a result of all the searches, I think some characters were between the g and h, and/or between h and :.
    But an ldapsearch with option -L redirected to a file doesn't show any extra characters (using :set list in vi to show all characters). I see in the file:
    foo: Rty=G:Appli=SGH:Role=AAP:appli=test
    This append after the suppression of one of the attribute's value by an application.
    As well as for Paul Rose, if the application adds the value before erased or another value, all works fine.
    How to explain such different responses ?
    If anyone has ideas ....

  • SQL Developer 4.0 EA2 -- Cannot use OpenLDAP with LDAP connect option

    Hi,
    I've got OpenLDAP setup to work with my Oracle clients, to serve up TNS connect strings, in lieu of having tnsnames.ora files scattered about hundreds of servers.
    This is working fine with 10g/11g, both full and instant clients, no problem.
    Now, I'm trying to configure SQL Developer 4.0 EA2 working with it, as well.
    When I attempt to do so, I'm able to select the "LDAP" option in "Connection Type", and the "LDAP Server" drop down list is correctly populated with my LDAP server, from ldap.ora.
    However, when I select it, I get the following error:
    Status : Failure -[LDAP: error code 32 - No Such Object]
    Now, I've done some research, and I monitored the slapd.log file, which shows me the following:
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 fd=16 ACCEPT from IP=192.168.125.1:63781 (IP=0.0.0.0:389)
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=0 BIND dn="" method=128
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=0 RESULT tag=97 err=0 text=
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=1 SRCH base="" scope=2 deref=0 filter="(objectClass=orclContext)"
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 op=2 UNBIND
    Sep 18 02:43:35 einstein slapd[2779]: conn=1034 fd=16 closed
    Which is a lot more detail, but reflects the corresponding error code, (32 - No Such Object).
    After doing some testing with ldapsearch, I've been able to replicate what SQL Developer is doing, and get the exact same error.
    That ldapsearch command is:
    ldapsearch -h einstein -p 389 -c -x -D "" -b "" "(objectClass=orclContext)"
    Looking in the slapd.log file, I find an identical error to what is produced from SQL Developer.
    Further, the query that SQL Developer wants to do can be successfully done with the following ldapsearch:
    ldapsearch -h einstein -p 389 -c -x -D "" -b "dc=proquest,dc=com" "(objectClass=orclContext)"
    So, it seems the problem is with the fact that SQL Developer is not supplying a search base.
    I'm no LDAP expert, and I'm really not sure where to turn next....
    Is there a SQL Developer option that allows me to set that search base?  Is there a configuration I'm missing on the LDAP server configuration?
    Thanks,
    -Mark

    Well, that didn't take long.  I managed to find a solution to the problem.
    It comes down to the fact that SQL Developer doesn't supply a search base, and my LDAP server didn't have a default search base defined.
    When I edited slapd.conf (the OpenLDAP config file) and added a "defaultsearchbase" parameter, and bounced the LDAP server, everything started to work.
    I now have a working configuration with OpenLDAP and SQL Developer.
    I'll mark this discussion as closed.
    -Mark

  • Avoid DN in ldapsearch Results

    Is there any way to avoid getting full dn: in ldapsearch results? I have a script to retrieve various objects but I want to avoid the dn: from the search results. I couldn't find a option with ldapsearch to avoid dn: in search results.
    If there is no option with ldapsearch, any other ideas ?

    If you can use -T to avoid wrapping long lines, you can use grep to remove the dns, like
    ldapsearch <> <> ... <> | grep -v "^dn: "

  • Ldapsearch by a part of dn into memberOf

    Hello everyone,
    I have an example which searches users by a part of a specified CN, "give me every user where CN starts with "je"", and that works fine
    1) E:\>ldapsearch -h 172.28.38.31 -p 389 -D "cn=administrator,cn=users,dc=domain,dc=local" -w welcome_1 -s sub -b "dc=domain,dc=local" "(&(objectclass=user)(|(cn=je*)))" > out.txt
    Now I need to search users which are members of a specified group, like the previous example, "give me every user where MEMBEROF starts with/contains the string "poli""... but this does not work for options 2 and 3....
    2) E:\>ldapsearch -h 172.28.38.31 -p 389 -D "cn=administrator,cn=users,dc=domain,dc=local" -w welcome_1 -s sub -b "dc=domain,dc=local" "(&(objectclass=user)(|(memberOf=CN=poli*)))" > out.txt
    3) E:\>ldapsearch -h 172.28.38.31 -p 389 -D "cn=administrator,cn=users,dc=domain,dc=local" -w welcome_1 -s sub -b "dc=domain,dc=local" "(&(objectclass=user)(|(memberOf=*poli*)))" > out.txt
    but successfully returns entries for:
    4) E:\>ldapsearch -h 172.28.38.31 -p 389 -D "cn=administrator,cn=users,dc=domain,dc=local" -w welcome_1 -s sub -b "dc=domain,dc=local" "(&(objectclass=user)(|(memberOf=CN=policy_domain,ou=groups,dc=domain,dc=local)))" > out.txt
    How must I search users with memberOf, specifying only a part of the required DN?

    How about -
    ldapsearch -h 172.28.38.31 -p 389 -D "cn=administrator,cn=users,dc=domain,dc=local" -w welcome_1 -s sub -b "dc=domain,dc=local" "(&(objectclass=group)(CN=policy_domain))" member> out.txt
    -Vinod

  • Ugldapusessl option in Messaging server

    I'm trying to configure an iPlanet Message store to do secure LDAP searches by setting the 'local.ugldapusessl' to 'YES' and ugldapport to 636. I have installed certs on both the directory server (iplanet DS5.1SP1) and the message store (iMS5.2). I am able to do secure ldapsearches (using the -Z, -P and -K options) on the directory. However, the message store initiated searches always time out (err=85). Any clues as to what I'm missing here?
    Are there more details available on the ugldapusessl option?
    Thanks.

    Yes the secure search has to go thru a firewall..Anyways, we were just informed by Sun support that this feature is not supported in iMS5.x yet...

  • DSEE 6.3.1 - Slow ldapsearch Queries

    We've recently upgraded to Sun DSEE version 6.3.1 from SunONE Directory Services 5.1.
    We have some utilities that extract a list of all users in the LDAP repository and check certain aspects of the accounts. We recently found that the following ldapsearch query executed on a suffix containing only 5 entries took over 45 seconds to complete:
    ldapsearch -h policy.test.com -p 389 -D "cn=Directory Manager" -b "ou=People, o=test-suffix" -s sub "(objectclass=*)" uid
    The following message was displayed in the error log:
    [12/Nov/2009:12:34:08 -0600] - WARNING<20805> - Backend Database - conn=45187 op=1 msgId=2 -  search is not indexed base='ou=people,o=test-suffix' filter='(objectClass=*)' scope='sub'
    Since objectclass is a system index and cannot be modified we tried wildcard searches on other known fields, such as:
    ldapsearch -h policy.test.com -p 389 -D "cn=Directory Manager" -b "ou=People, o=test-suffix" -s sub "(uid=*)" uid
    ldapsearch -h policy.test.com -p 389 -D "cn=Directory Manager" -b "ou=People, o=test-suffix" -s sub "(cn=*)" uid
    ldapsearch -h policy.test.com -p 389 -D "cn=Directory Manager" -b "ou=People, o=test-suffix" -s sub "(dn=*)" uid
    ldapsearch -h policy.test.com -p 389 -D "cn=Directory Manager" -b "ou=People, o=test-suffix" -s sub "(sn=*)" uid
    All of these searches took roughly the same amount of time (~45 seconds). However, if the wildcard searches are refined slightly so they do not return all the entries in the suffix they execute instantaneously.
    ldapsearch -h policy.test.com -p 389 -D "cn=Directory Manager" -b "ou=People, o=test-suffix" -s sub "(uid=A*)" uid
    ldapsearch -h policy.test.com -p 389 -D "cn=Directory Manager" -b "ou=People, o=test-suffix" -s sub "(cn=A*)" uid
    ldapsearch -h policy.test.com -p 389 -D "cn=Directory Manager" -b "ou=People, o=test-suffix" -s sub "(dn=A*)" uid
    ldapsearch -h policy.test.com -p 389 -D "cn=Directory Manager" -b "ou=People, o=test-suffix" -s sub "(sn=A*)" uid
    Also, I found some information on the referential integrity plugin and have indexed the fields used and regenerated the indexes. This did not have any effect on the performance.
    It seems that any query that will return all entries in the suffix gets the "search is not indexed" error and takes an inordinate amount of time to complete. It doesn't seem to matter which fields (indexed or not indexed) are in the query filter.
    Is this the expected behavior, or am I missing something? If so, what is the preferred method for retrieving a list of all entries in a suffix?

    Thank you guys. It does make sense that a rescan of the database is needed, although the ability to index all objectclasses and use this index in an exhaustive search would be nice.
    One more aspect though: can these searches be parallelized? I have a Niagara (Sun Fire T2000) acting as one of several DSEE 6.3 (not yet 6.3.1) servers in a group of servers balanced by a DPS. While this box can take a lot of queries at once, it seems to execute each one in a single process or LWP. Thus it takes very long to complete an exhaustive search (like 4 minutes), although it can complete over a dozen parallel searches in the same 4 minutes :)
    I tried to tweak the number of threads with dsconf set-server-prop, but it did not seem to influence anything.
    Is it possible to parallelize a single query in DSEE spreading it over several CPUs? (Maybe not in the DS instance but in DPS; I have set the balancing option to "Proportional" but it also did not seem to help spread the load over CPUs, although it does seem to contact and use several instances - "data-sources").
    Thanks,
    //Jim

  • Help on ldapsearch: ldap_search: Can't connect to LDAP server  -- No error

    Hi,
    I just want to do a basic search
    ldapsearch -h "xxx" -b "dc=yyy.com" -s sub "objectclass=*"
    Here is what I got:
    ldap_search: Can't connect to the LDAP server -- No error
    Please help
    Thanks,
    Lynne

    Since you haven't specified the -p (port) option, the default is taken to be 389. You might want to check that first.
    If that's fine, try to ping the host you are trying to access.
    One of the above should solve your problem.

  • Retrieve LDAP Controls using ldapsearch

    I am looking for some advice on retrieving LDAP controls using the ldapsearch tool provided with the DSRK distributed with DSEE 6.3. I am using the below string, it returns my result but not the control.
    /app/dsee6/dsrk6/bin/ldapsearch -h myhost -Z -P cert8.db -D "cn=directory manager" -w - -J 1.3.6.1.4.1.42.2.27.9.5.8:true -b ou=people,dc=local uid=user123 dn
    1.3.6.1.4.1.42.2.27.9.5.8 is the account usability control, it shows as being a supported control.
    Result
    bash-2.05# /app/dsee6/dsrk6/bin/ldapsearch -h myhost -p 636 -Z -P cert8.db -D "cn=directory manager" -w - -b ou=people,dc=local -J 1.3.6.1.4.1.42.2.27.9.5.8:true uid=user123 dn
    Enter bind password:
    version: 1
    dn: uid=user123,ou=people,dc=local
    Result with critical marked false
    bash-2.05# /app/dsee6/dsrk6/bin/ldapsearch -h myhost -p 636 -Z -P cert8.db -D "cn=directory manager" -w - -b ou=people,dc=local -J 1.3.6.1.4.1.42.2.27.9.5.8:false uid=user123 dn
    Enter bind password:
    ldap_search: Protocol error
    ldap_search: additional info: Protocol error, Account Usable control MUST be marked critical
    Edited by: nick50119 on Nov 19, 2009 7:40 PM

    From another forum for OpenLDAP I found the following:
    http://www.openldap.org/lists/openldap-software/200710/msg00041.html
    " The account usability control provides a pair of
    request and response controls that can be used to
    determine whether a user account may be used for
    authenticating to the server.
    The request control has an OID of 1.3.6.1.4.1.42.2.27.9.5.8
    and does not include a value. It should only be
    included in search request messages.
    The corresponding response control has an OID of
    1.3.6.1.4.1.42.2.27.9.5.8 (the same as the request
    control), and it will be included in any search
    result entry messages for a search request that
    includes the account usability request control.
    The value for the account usability response control
    will be encoded as follows:
    ACCOUNT_USABLE_RESPONSE ::= CHOICE {
    is_available [0] INTEGER, -- Seconds before expiration --
    is_not_available [1] MORE_INFO }
    MORE_INFO ::= SEQUENCE {
    inactive [0] BOOLEAN DEFAULT FALSE,
    reset [1] BOOLEAN DEFAULT FALSE,
    expired [2] BOOLEAN DEFAULT_FALSE,
    remaining_grace [3] INTEGER OPTIONAL,
    seconds_before_unlock [4] INTEGER OPTIONAL }
    If the user account is available, then the control
    will include the number of seconds until the user's
    password expires, or -1 if password expiration is
    not enabled. If the user's account is not available,
    then the control will provide the reason it is
    unavailable.
    "

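The ASN.1 quoted above can be decoded with a few lines of BER parsing once the raw control value has been captured. This is an added example, not code from the forum posts or from any directory server; it assumes the context tags are IMPLICIT (tag bytes 0x80 and 0xA1 at the top level, 0x80 to 0x84 inside MORE_INFO), and the function names and sample byte strings are constructed for illustration.

```python
# Tag bytes assume IMPLICIT context-specific tagging of the quoted ASN.1.
TAG_AVAILABLE = 0x80      # [0] primitive:   is_available INTEGER
TAG_MORE_INFO = 0xA1      # [1] constructed: is_not_available MORE_INFO
MORE_INFO_FIELDS = {
    0x80: ("inactive", bool),
    0x81: ("reset", bool),
    0x82: ("expired", bool),
    0x83: ("remaining_grace", int),
    0x84: ("seconds_before_unlock", int),
}


def read_tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, content, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        count = length & 0x7F
        if count == 0 or count > 4 or pos + count > len(buf):
            raise ValueError("unsupported BER length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER content")
    return tag, buf[pos:end], end


def ber_int(content):
    """Decode a two's-complement BER INTEGER body."""
    if not content:
        raise ValueError("empty INTEGER")
    return int.from_bytes(content, "big", signed=True)


def decode_account_usable(value):
    """Decode an ACCOUNT_USABLE_RESPONSE control value into a dict."""
    tag, content, end = read_tlv(value, 0)
    if end != len(value):
        raise ValueError("trailing bytes after control value")
    if tag == TAG_AVAILABLE:
        # -1 means password expiration is not enabled (per the quoted text).
        return {"usable": True, "seconds_before_expiration": ber_int(content)}
    if tag != TAG_MORE_INFO:
        raise ValueError(f"unexpected tag 0x{tag:02x}")
    info = {"usable": False, "inactive": False, "reset": False,
            "expired": False, "remaining_grace": None,
            "seconds_before_unlock": None}
    pos = 0
    while pos < len(content):
        field_tag, field, pos = read_tlv(content, pos)
        if field_tag not in MORE_INFO_FIELDS:
            raise ValueError(f"unknown MORE_INFO tag 0x{field_tag:02x}")
        name, kind = MORE_INFO_FIELDS[field_tag]
        info[name] = any(field) if kind is bool else ber_int(field)
    return info


# Constructed sample control values (hex), not captured from a real server.
SAMPLES = ["8001ff", "8003015180", "a1068201ff830102", "a1048402012c"]

if __name__ == "__main__":
    for hex_value in SAMPLES:
        print(hex_value, decode_account_usable(bytes.fromhex(hex_value)))
```
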
  • Multiple search using ldapsearch

    Hi
    Does anyone know how to do multiple searches using ldapsearch? There is an option of -f with ldapsearch but it's not working. Can anybody give some examples of this option?
    Thanks
    Rajeev

    You can use a colon in any database item at runtime in enter query mode and it will prompt you to enter values/conditions on execute query where you can check any database item value. It will add the conditions in the where clause of the block. Maybe it will help in what you are looking for.

  • Ldapsearch command against Directory Proxy server

    when performing an ldapsearch command against SunOne LDAP PROXY server v5.2, the following anomaly results. When the -h option is omitted, the search fails as per below:
    # ldapsearch -v -b "dc=wrs,dc=com" "uid=jgersh"
    =======
    When the -h option is used either FQ hostname or just hostname, the search is successful.
    #ldapsearch -h ala-proxyldap.wrs.com -v -b "dc=wrs,dc=com" "uid=jgersh"
    #ldapsearch -h ala-proxyldap -v -b "dc=wrs,dc=com" "uid=jgersh"

    I'm afraid I don't understand the problem. Where do you issue the ldapsearch command?
    If you use ldapsearch without -h option then it will use localhost per default, probably that's the reason?

  • NSServices and optional NSStringPboardType

    I'm getting started on creating services for the Services menu and I'm trying to do something that I'm not sure is possible. I would like to create a service that will take an NSStringPboardType as an input but not require it. Specifically I'm interested in the ability to return text regardless if any was highlighted but still be able to read in text if it was selected. Can I force the services menu to enable my service for any text operation (selected or just an insertion point)?
    Mac Book Pro   Mac OS X (10.4.8)  

    Hi,
    Please go through the below link :
    Managing Directory Schema - 11g Release 2 (11.1.2)
    Mandatory/Optional attribute is specified by the objectclass class design. You can look for May/Must for optional attributes. Easier way is use ODSM if you're a starter.
    # To View Object Classes
    $ ldapsearch -h localhost -p 1389 -D "cn=Directory Manager" -j pwd-file \
      -b cn=schema -s base --dontWrap "(objectclass=*)" \
      objectClasses | grep "inetOrgPerson"
    objectClasses: ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson
    STRUCTURAL MAY ( audio $ businessCategory $ carLicense $ departmentNumber $ displayName
    $ employeeNumber $ employeeType $ givenName $ homePhone $ homePostalAddress $ initials
    $ jpegPhoto $ labeledURI $ mail $ manager $ mobile $ o $ pager $ photo $ roomNumber
    $ secretary $ uid $ userCertificate $ x500UniqueIdentifier $ preferredLanguage
    $ userSMIMECertificate $ userPKCS12 ) X-ORIGIN 'RFC 2798' )
    Ideally for creating a default entry : MUST ( sn $ cn )
    HTH.

  • Ldapsearch error

    Hi friends,
    My server has the Linux operating system. When I was searching for people in the directory server from my system, I got the following error
    when I typed the following command in PuTTY
    ./ldapsearch -h"abc.sun.com" -p23244 -D"cn=Directory Manager" -wpassword -b"dc=sun,dc=com" "objectclass=*"
    Error: ldap_simple_bind: Local error. If anyone knows how to solve this problem, let me know.
    Thanks in advance

    I am new to LDAP. I don't know about more options. Welcome! But we can't help you if you're not willing to look up the options and learn something. If you run "ldapsearch -h", it will spit out an error message and show you all the valid options it will take. One of them should be for "simple authentication".
    Also you should use quotes around your bind dn, it should be
    -D "cn=Directory Manager"
    What do your access and errors log say about this search?

  • Ldapsearch with a base64 encoded filter?

    I am trying to conduct an ldapsearch on an instance with the base64 encoded value of uid.
    ldapsearch -v -T1 -e  -b "dc=example,dc=com" -p 389 -D "cn=directory manager" -j /ldap/tools/ldappwd uid=ZG1pcmFuMDLCoMKgwqDCoA==
    I have attempted many different filters with zero luck.  Some of them are:
         uid:base64=ZG1pcmFuMDLCoMKgwqDCoA==
         uid:b64value=ZG1pcmFuMDLCoMKgwqDCoA==
         uid::base64=ZG1pcmFuMDLCoMKgwqDCoA==
         uid::b64value=ZG1pcmFuMDLCoMKgwqDCoA==
         uid=[ZG1pcmFuMDLCoMKgwqDCoA==]
         uid='ZG1pcmFuMDLCoMKgwqDCoA=='
    The decoded value appears like this.
         uid=dmiran02Â Â Â Â
    I was just curious if there was a method to search on the base64 encoded value of ZG1pcmFuMDLCoMKgwqDCoA==.  Some OID value that must be specified or something?

    This is expected.
    Check out this link - http://www.ietf.org/rfc/rfc2849.txt. Please go through LDIF and LDAP Specification.
    You might need to run a script to decode the values that are base 64 encoded, and then display them in a UTF-8 locale.
    Use the -B option in ldapsearch to show without the encoding.
    HTH.
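
A search filter has no base64 syntax; the `::` form belongs to LDIF output only. What a filter does accept is the RFC 4515 `\xx` escape for individual bytes, so the encoded value can be decoded and re-expressed that way. The following is an added example, not part of the original posts; the function names are hypothetical, and the only input used is the uid value quoted in the question.

```python
import base64
import unicodedata

# Bytes that RFC 4515 requires to be escaped inside a filter value.
_MUST_ESCAPE = b"\x00()*\\"


def ldif_b64_to_filter(attr, b64_value):
    """Turn the base64 text that follows 'attr::' in LDIF into an equality
    filter, escaping every byte that is special or not printable ASCII."""
    raw = base64.b64decode(b64_value, validate=True)
    parts = []
    for byte in raw:
        if byte in _MUST_ESCAPE or byte < 0x20 or byte > 0x7E:
            parts.append(f"\\{byte:02x}")
        else:
            parts.append(chr(byte))
    return f"({attr}={''.join(parts)})"


def describe_hidden(b64_value):
    """List (offset, code point, Unicode name) for each character outside
    printable ASCII, i.e. the reason ldapsearch printed the value as base64."""
    text = base64.b64decode(b64_value, validate=True).decode("utf-8")
    return [
        (offset, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for offset, ch in enumerate(text)
        if not 0x20 <= ord(ch) <= 0x7E
    ]


# Value taken from the question above.
UID_B64 = "ZG1pcmFuMDLCoMKgwqDCoA=="

if __name__ == "__main__":
    for item in describe_hidden(UID_B64):
        print(item)
    print(ldif_b64_to_filter("uid", UID_B64))
```

The value decodes to `dmiran02` followed by four no-break spaces (bytes C2 A0), which is what the `Â` characters in the question are; pass the resulting filter to ldapsearch in single quotes so the shell leaves the backslashes alone.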
