Ldap – Using a file to store an ldapsearch query

ldap

I have to query attributes for about 10 000 users. I have an ldapsearch query that works for a single user. Here is the releveant part, where I search for the objectGUID attribute of user abc123 :

ldapsearch -h somehost.com -D "CN=valid_user,DC=valid_everything" -q -b "OU=valid_ou,DC=valid_dc" -s sub "cn=abc123" -L objectGUID

I would like to put all my queries in a file, and use the -f myqueries.txt option. Since this query will be carried out over SSL, I would like to avoid the 10k SSL negotiations I would get if I was to run 10k separate ldapsearch.

I tried with a file that looks like this :

(cn=abc123)
(cn=lmn456)
(cn=xyz789)

With this modified command line :

ldapsearch -v -h somehost.com -D "CN=valid_user,DC=valid_everything" -q -b "OU=valid_ou,DC=valid_dc" -s sub -f myqueries.txt -L objectGUID

But I always get an Bad search filter error.

I was not able to determine what version of ldapsearch this is. It is running on a custom Linux distribution.

How can I use the -f option to make ldapsearch use queries read from a file ?

Best Answer

File should look like this:

abc123
lmn456
xyz789

and command like this:

ldapsearch -v -h somehost.com -D "CN=valid_user,DC=valid_everything" -q -b "OU=valid_ou,DC=valid_dc" -s sub -f myqueries.txt "(cn=%s)" -L objectGUID

File given after -f can only holds parameters of query, not the query.

Related Solutions

Ldap – Listing group members using ldapsearch

I work with LDAP, but not that specific brand of server.

First thing I'd try is a search on users pulling all of their attributes instead of restricting it the way your example does.

ldapsearch -xLLL -H ldap://server.domain.net \
    -b "cn=users,dc=server,dc=domain,dc=net" uid=username1 \* +

Often there's a "memberOf" attribute on the user that lists the group name or group DN for groups that a user is in, kept in sync with the information in the group. If that's there, that is the easiest way to do what you want.

The * will grab all user attributes (the default behavior) and the + will grab all operational attributes (special attributes).

Ldapsearch against Active Directory fails authentication + search params wrong

Well, there are a few things that could be wrong with this:

You are specifying simple authentication, but you are not providing a password and you are not telling ldapsearch either to collect a password from the command line. Does the user John_Marshall not have a password? If he does have one, it has to be provided somehow. Either specify -w <passsword> or -W (to enter a password at a prompt).
Is the users binddn really cn=John_Marshall,dc=Americas? In our AD, just as an example, my own binddn would be "dn: CN=Wolfgang Schulze-Zachau,CN=Users,DC=aminocom,DC=com", i.e. there is no underscore between first name and surname
A binddn of "cn=John_Marshall,dc=Americas" is possible, but looks a bit short to me. Of course, this all depends on how your AD is configured. Can you verify that this really is the DN for that user? When you look at AD Users and Computers, what is the complete list of tree items leading to that user?
If you don't specify a filter, you'll get a list of all items that are in the searchbase. That could be a very long list.

OP Edit:

The correct incantation that worked was:

[John_Marshall@WN7-BG3YSM1 ~]$ ldapsearch -x -h <new_ip_addr> \
-D "Americas\John_Marshall" -W \
-b "cn=John_Marshall,ou=users,ou=austin,dc=amer,dc=MyComanyName,dc=com" \
mail telephonenumber ""

Best Answer

Related Solutions

Ldap – Listing group members using ldapsearch

Ldapsearch against Active Directory fails authentication + search params wrong

OP Edit:

Related Topic