At the prompt: returning a list of LDAP groups and members

This is absolutely just for me, but if you want to tag along, I’d like the company.

ldapsearch -v -x \
  -H "ldaps://addcacvm1.eu.emory.edu:636" \
  -b "dc=eu,dc=emory,dc=edu" \
  -D USERNAME -W \
  "(&(objectclass=group)(cn=G LAW *))" cn dn member \
  > completegroup.ldif

So, what are we up to here? Well, we’re using the “ldapsearch” command line utility to retrieve LDAP information about a set of groups. The ldapsearch command is part of the “openldap-clients” package on RedHat-derived systems. If you don’t have it, you can try something like “sudo yum install openldap-clients” to install it.

Here’s what the various flags and arguments are doing:

-v: verbose output (the bind and search progress goes to stderr, so it doesn’t pollute the redirected results)
-x: use simple authentication instead of SASL. A simple bind sends the password as-is inside the connection, which is why pairing it with ldaps:// matters.
-H: This is the URL for our Active Directory/LDAP server. As you can see, we’re connecting via TLS (ldaps:// on port 636). Use the capital “-H” form when you’re using an LDAP URL; the lowercase “-h” takes a bare hostname. The client checks the server certificate according to TLS_CACERT and TLS_REQCERT in ldap.conf, so if the bind fails with a certificate error, the fix is to point TLS_CACERT at your CA, not to set TLS_REQCERT to “never”.
-b: this is the base of the tree that we’re searching. In this case, we’re rooting the search pretty high up the tree. Given our LDAP structure, we might also have used something like “OU=Law,dc=Eu,dc=Emory,dc=Edu” as the base of our search, which keeps the server from walking the whole domain.
-D: the identity we bind as for the query. AD accepts this as a full DN or in userPrincipalName form. At Emory, this is now apparently given in NETID@emory.edu form. I believe this is a fairly recent change.
-W: this will prompt you for your LDAP/AD password. It’s a nod to security. If it doesn’t bother you to save the password, you might look at -w, instead. This lets you supply the password as part of the command line for ldapsearch, which opens the door to using this as part of a script, but the password then shows up in “ps” output and in your shell history. For scripts, “-y passwordfile” reads the password from a file you can chmod 600, which gets you the automation without either exposure.

Finally, we get to the search itself. This says that we want “group” objects only and we want group objects that begin with “G LAW …” in their names. This will return all of the local groups that we’ve defined in AD, because we’ve been careful to name them all “G LAW something”. For example, the IT folks are in the group named “G LAW INFOTECH”. We are requesting three attributes from the search, the common name, distinguished name, and the member attribute from each returned entry. In the case of “G LAW INFOTECH”, we get something like this back:

# G LAW INFOTECH, Global Groups, LAW, Eu.Emory.Edu
dn: CN=G LAW INFOTECH,OU=Global Groups,OU=LAW,DC=Eu,DC=Emory,DC=Edu
cn: G LAW INFOTECH
member: CN=porthos,OU=People,DC=Eu,DC=Emory,DC=Edu
member: CN=athos,OU=People,DC=Eu,DC=Emory,DC=Edu
member: CN=aramis,OU=People,DC=Eu,DC=Emory,DC=Edu
member: CN=dartagnan,OU=People,DC=Eu,DC=Emory,DC=Edu

Results are returned in an easy to parse format called LDIF. Of course, we’re using output redirection via the “>” character to save the output in a file called “completegroup.ldif” for further processing. You could use sed or vi or something fancier, like the ldif module from python-ldap. A few things to keep in mind before you reach for grep, though: ldapsearch folds lines longer than 76 columns, continuing them on the next line with a leading space, so a long member DN can span two lines; values that AD can’t print safely (non-ASCII, leading or trailing spaces) come back base64-encoded after a double colon (“member:: …”); AD returns at most 1000 entries per search unless you ask for paging (“-E pr=1000/noprompt”); and for a group with more than 1500 members, AD returns the member attribute in ranged chunks named “member;range=0-1499”, which you have to follow up with further queries. Adding “-LLL” drops the comment lines and version header if you just want the entries.
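Here is the “something fancier” as an added example: a small Python parser for the ldapsearch output above, written for this post rather than taken from it, that turns the LDIF into a dictionary of group name to member DNs. It handles the three things a naive “grep member:” gets wrong: folded continuation lines, base64-encoded values, and AD’s ranged “member;range=…” attributes. The sample LDIF is constructed (the Musketeer entries from the post plus two invented groups, “G LAW LIBRARY” and “G LAW BIG”, to exercise the folding, base64 and range cases); the function names are mine.

```python
"""Parse ldapsearch LDIF output into {group cn: {"members": [...], "complete": bool}}.

Added example, not code from the original post. Uses only the standard library,
so it runs offline on a saved completegroup.ldif.
"""
import base64
import re
from typing import Dict, List

# AD emits "member;range=0-1499: ..." for large groups; the last chunk ends in "*".
RANGE_RE = re.compile(r"^(?P<attr>[^;:]+);range=(?P<lo>\d+)-(?P<hi>\d+|\*)$")
# Leading CN of a DN, tolerating escaped commas such as "CN=Doe\, John,OU=..."
CN_RE = re.compile(r"^CN=((?:\\.|[^,])+)", re.IGNORECASE)


def unfold(text: str) -> List[str]:
    """Join LDIF continuation lines (a line starting with one space continues the previous)."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_entries(text: str) -> List[Dict[str, List[str]]]:
    """Split unfolded LDIF into entries; each entry maps attribute name -> list of values."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfold(text) + [""]:  # trailing "" flushes the final entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):  # ldapsearch comment lines ("# G LAW INFOTECH, ...")
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" for values LDIF cannot print safely
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    return entries


def group_members(text: str) -> Dict[str, Dict[str, object]]:
    """Return {cn: {"members": [dn, ...], "complete": bool}} for every entry with a cn.

    "complete" is False when AD returned a ranged member chunk that is not the last one;
    fetching the rest means re-querying that group for "member;range=<hi+1>-*".
    """
    groups: Dict[str, Dict[str, object]] = {}
    for entry in parse_entries(text):
        cn = entry.get("cn", [None])[0]
        if cn is None:
            continue
        members: List[str] = []
        complete = True
        for attr, values in entry.items():
            m = RANGE_RE.match(attr)
            if attr == "member":
                members.extend(values)
            elif m and m.group("attr") == "member":
                members.extend(values)
                if m.group("hi") != "*":
                    complete = False
        groups[cn] = {"members": members, "complete": complete}
    return groups


def rdn_cn(dn: str) -> str:
    """Pull the leading CN out of a DN ("CN=porthos,OU=People,..." -> "porthos")."""
    m = CN_RE.match(dn)
    return m.group(1) if m else dn


# Constructed sample: the post's group, plus one group with a folded line and a
# base64 member, and one group whose member list came back as a ranged chunk.
_UNICODE_DN = "CN=Ren\u00e9 Descartes,OU=People,DC=Eu,DC=Emory,DC=Edu"
SAMPLE_LDIF = f"""\
# G LAW INFOTECH, Global Groups, LAW, Eu.Emory.Edu
dn: CN=G LAW INFOTECH,OU=Global Groups,OU=LAW,DC=Eu,DC=Emory,DC=Edu
cn: G LAW INFOTECH
member: CN=porthos,OU=People,DC=Eu,DC=Emory,DC=Edu
member: CN=athos,OU=People,DC=Eu,DC=Emory,DC=Edu
member: CN=aramis,OU=People,DC=Eu,DC=Emory,DC=Edu
member: CN=dartagnan,OU=People,DC=Eu,DC=Emory,DC=Edu

# G LAW LIBRARY, Global Groups, LAW, Eu.Emory.Edu
dn: CN=G LAW LIBRARY,OU=Global Groups,OU=LAW,DC=Eu,DC=Emory,DC=Edu
cn: G LAW LIBRARY
member: CN=richelieu,OU=Long Organizational Unit Name For Folding,OU=People,DC
 =Eu,DC=Emory,DC=Edu
member:: {base64.b64encode(_UNICODE_DN.encode("utf-8")).decode("ascii")}

# G LAW BIG, Global Groups, LAW, Eu.Emory.Edu
dn: CN=G LAW BIG,OU=Global Groups,OU=LAW,DC=Eu,DC=Emory,DC=Edu
cn: G LAW BIG
member;range=0-1: CN=one,OU=People,DC=Eu,DC=Emory,DC=Edu
member;range=0-1: CN=two,OU=People,DC=Eu,DC=Emory,DC=Edu
"""

if __name__ == "__main__":
    for name, info in group_members(SAMPLE_LDIF).items():
        flag = "" if info["complete"] else " (truncated, ranged result)"
        print(f"{name}{flag}: {', '.join(rdn_cn(dn) for dn in info['members'])}")
```

Point it at a real file with `group_members(open("completegroup.ldif", encoding="utf-8").read())`. The “complete” flag is the one to watch in a script: a group that silently reports 1500 members when it has 4000 is exactly the kind of error that turns an access review into a false sense of security.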
