LDAPLIST(1)                     User Commands                    LDAPLIST(1)
NAME
       ldaplist - search and list naming information from an LDAP directory
       using the configured profile
SYNOPSIS
       /usr/bin/ldaplist [-dlv] [-h LDAP_server[:serverPort] [-M domainName]
           [-N profileName] [-a authenticationMethod] [-P certifPath]
           [-D bindDN] [-w bindPassword] [-j passwdFile]]
           [database [key]...]

       /usr/bin/ldaplist -g

       /usr/bin/ldaplist -h

DESCRIPTION
       If the -h LDAP_server[:serverPort] option is specified, ldaplist
       establishes a connection to the server pointed to by the option to
       obtain a DUAProfile specified by the -N option. Then ldaplist lists
       the information from the directory described by the configuration
       obtained.
       By default (if the -h LDAP_server[:serverPort] option is not
       specified), the utility searches for and lists the naming information
       from the LDAP directory service defined in the LDAP configuration
       files generated by ldapclient(8) during the client initialization
       phase.  To use the utility in the default mode, the Solaris LDAP
       client must be set up in advance.

       The database is either a container name or a database name as defined
       in nsswitch.conf(5). A container is a non-leaf entry in the Directory
       Information Tree (DIT) that contains naming service information. The
       container name is the LDAP Relative Distinguished Name (RDN) of the
       container relative to the defaultSearchBase as defined in the
       configuration files. For example, for a container named ou=people,
       the database name is the database specified in nsswitch.conf. This
       database is mapped to a container, for example, passwd maps to
       ou=people. If an invalid database is specified, it is mapped to a
       generic container, for example, nisMapName=name.
       The key is the attribute value to be searched in the database. You
       can specify more than one key to be searched in the same database.
       The key can be specified in either of two forms: attribute=value or
       value. In the first case, ldaplist passes the search key to the
       server. In the latter case, an attribute is assigned depending on how
       the database is specified. If the database is a container name, then
       the "cn" attribute type is used.  If the database is a valid database
       name as defined in the nsswitch.conf, then a predefined attribute
       type is used (see table below). If the database is an invalid
       database name, then cn is used as the attribute type.

       The ldaplist utility relies on the Schema defined in the RFC 2307bis,
       currently an IETF draft. The data stored on the LDAP server must be
       stored based on this Schema, unless the profile contains schema
       mapping definitions. For more information on schema mapping see
       ldapclient(8).  The following table lists the default mapping from
       the database names to the container, the LDAP object class, and the
       attribute type used if not defined in the key.

         Database     Object Class     Attribute Type    Container
         aliases      mailGroup        cn                ou=Aliases
         automount    nisObject        cn                automountMapName=auto_*
         bootparams   bootableDevice   cn                ou=Ethers
         ethers       ieee802Device    cn                ou=Ethers
         group        posixgroup       cn                ou=Group
         hosts        ipHost           cn                ou=Hosts
         ipnodes      ipHost           cn                ou=Hosts
         netgroup     ipNetgroup       cn                ou=Netgroup
         netmasks     ipNetwork        ipnetworknumber   ou=Networks
         networks     ipNetwork        ipnetworknumber   ou=Networks
         passwd       posixAccount     uid               ou=People
         protocols    ipProtocol       cn                ou=Protocols
         publickey    nisKeyObject     uidnumber         ou=People
                                       cn                ou=Hosts
         rpc          oncRpc           cn                ou=Rpc
         services     ipService        cn                ou=Services
         printers     printerService   printer-uri       ou=printers
         auth_attr    SolarisAuthAttr  nameT             ou=SolarisAuthAttr
         prof_attr    SolarisProfAttr  nameT             ou=SolarisProfAttr
         exec_attr    SolarisExecAttr  nameT             ou=SolarisProfAttr
         user_attr    SolarisUserAttr  uidT              ou=people
         projects     SolarisProject   SolarisProjectID  ou=projects
       The following databases are available only if the system is
       configured with Trusted Extensions:
         tnrhtp      ipTnetTemplate   ipTnetTemplateName ou=ipTnet
         tnrhdb      ipTnetHost       ipTnetNumber       ou=ipTnet

            o      For the automount database, auto_*, in the container
                   column, represents auto_home, auto_direct, ...

            o      For the publickey database, if the key starts with a
                   digit, it is interpreted as a uid number. If the key
                   starts with a non-digit, it is interpreted as a host name.

       The ldaplist utility supports substring search by using the wildcard
       "*" in the key. For example, "my*" matches any string that starts
       with "my". In some shell environments, keys containing the wildcard
       might need to be quoted.

       If the key is not specified, all the containers in the current search
       baseDN are listed.
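       The following Python model of the database/key resolution rules
       described above is an added example; it is not code from ldaplist or
       from the illumos/Solaris source. The mapping table is copied from this
       page and the filter syntax is RFC 4515; the exact filter ldaplist
       prints with -v may differ. The function names, the choice of
       (objectClass=...) for a database given without a key, and the sample
       values are assumptions. Running it shows which container is searched
       and which attribute type is applied for each key form, including the
       publickey digit rule, the wildcard substring case and an invalid
       database name.

```python
from typing import Optional, Tuple

# (object class, default attribute type, container RDN), copied from the
# default mapping table above. publickey has two rows and is handled below.
DEFAULT_MAPPING = {
    "aliases":    ("mailGroup",       "cn",                 "ou=Aliases"),
    "automount":  ("nisObject",       "cn",                 "automountMapName=auto_*"),
    "bootparams": ("bootableDevice",  "cn",                 "ou=Ethers"),
    "ethers":     ("ieee802Device",   "cn",                 "ou=Ethers"),
    "group":      ("posixgroup",      "cn",                 "ou=Group"),
    "hosts":      ("ipHost",          "cn",                 "ou=Hosts"),
    "ipnodes":    ("ipHost",          "cn",                 "ou=Hosts"),
    "netgroup":   ("ipNetgroup",      "cn",                 "ou=Netgroup"),
    "netmasks":   ("ipNetwork",       "ipnetworknumber",    "ou=Networks"),
    "networks":   ("ipNetwork",       "ipnetworknumber",    "ou=Networks"),
    "passwd":     ("posixAccount",    "uid",                "ou=People"),
    "protocols":  ("ipProtocol",      "cn",                 "ou=Protocols"),
    "rpc":        ("oncRpc",          "cn",                 "ou=Rpc"),
    "services":   ("ipService",       "cn",                 "ou=Services"),
    "printers":   ("printerService",  "printer-uri",        "ou=printers"),
    "auth_attr":  ("SolarisAuthAttr", "nameT",              "ou=SolarisAuthAttr"),
    "prof_attr":  ("SolarisProfAttr", "nameT",              "ou=SolarisProfAttr"),
    "exec_attr":  ("SolarisExecAttr", "nameT",              "ou=SolarisProfAttr"),
    "user_attr":  ("SolarisUserAttr", "uidT",               "ou=people"),
    "projects":   ("SolarisProject",  "SolarisProjectID",   "ou=projects"),
    "tnrhtp":     ("ipTnetTemplate",  "ipTnetTemplateName", "ou=ipTnet"),  # Trusted Extensions
    "tnrhdb":     ("ipTnetHost",      "ipTnetNumber",       "ou=ipTnet"),  # Trusted Extensions
}


def escape_filter_value(value: str) -> str:
    """Escape the RFC 4515 special characters in a filter value, but keep
    '*' literal so the documented wildcard substring search still works."""
    out = []
    for ch in value:
        out.append("\\%02x" % ord(ch) if ch in "()\\\x00" else ch)
    return "".join(out)


def resolve(database: str, key: Optional[str] = None) -> Tuple[str, str]:
    """Return (container RDN, LDAP search filter) for a database and key."""
    obj: Optional[str]
    if database == "publickey":
        # Two table rows: a leading digit means a uid number under ou=People,
        # anything else is treated as a host name under ou=Hosts.
        obj = "nisKeyObject"
        if key is not None and key[:1].isdigit():
            attr, container = "uidnumber", "ou=People"
        else:
            attr, container = "cn", "ou=Hosts"
    elif database in DEFAULT_MAPPING:
        obj, attr, container = DEFAULT_MAPPING[database]
    elif "=" in database:
        # A container name such as ou=new was given directly: cn is used.
        obj, attr, container = None, "cn", database
    else:
        # Invalid database name: generic container, cn attribute type.
        obj, attr, container = None, "cn", "nisMapName=%s" % database

    class_filter = "(objectClass=%s)" % obj if obj else "(objectClass=*)"
    if key is None:
        return container, class_filter          # every entry in the container
    if "=" in key:
        attr, value = key.split("=", 1)         # attribute=value: passed through
    else:
        value = key                             # bare value: default attribute
    key_filter = "(%s=%s)" % (attr, escape_filter_value(value))
    if obj is None:
        return container, key_filter
    return container, "(&%s%s)" % (class_filter, key_filter)


def search_base(container: str, default_search_base: str) -> str:
    """The DN actually searched: the container RDN under defaultSearchBase."""
    return "%s,%s" % (container, default_search_base)


def verbose_line(database: str, key: Optional[str] = None) -> str:
    """What -v would print for this search in this model (prefix '+++')."""
    return "+++ " + resolve(database, key)[1]


if __name__ == "__main__":
    # Constructed inputs mirroring the EXAMPLES section of this page.
    for db, k in [("hosts", None), ("ou=new", None), ("passwd", "user1"),
                  ("services", "ipServicePort=4045"), ("passwd", "new*"),
                  ("publickey", "1001"), ("publickey", "hostA"), ("bogus", "x")]:
        container, flt = resolve(db, k)
        print("%-10s %-20s -> %-28s %s" % (db, k, search_base(container, "dc=example,dc=com"), flt))
```

       Note that '*' is deliberately left unescaped because the page defines
       it as the substring wildcard; a caller that wants a literal asterisk
       has to escape it as \2a before passing the key.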
OPTIONS
       The following options are supported:

       -a authenticationMethod
           Specifies the authentication method. The default value is what
           has been configured in the profile. The supported authentication
           methods are:

             simple
             sasl/CRAM-MD5
             sasl/DIGEST-MD5
             tls:simple
             tls:sasl/CRAM-MD5
             tls:sasl/DIGEST-MD5

           Selecting simple causes passwords to be sent over the network in
           clear text. Its use is strongly discouraged.

           Additionally, if the client is configured with a profile which
           uses no authentication, that is, either the credentialLevel
           attribute is set to anonymous or authenticationMethod is set to
           none, the user must use this option to provide an authentication
           method.

       -d
           Lists the attributes for the specified database, rather than the
           entries. By default, the entries are listed.

       -D bindDN
           Specifies an entry which has read permission to the requested
           database.

       -g
           Lists the database mapping.

       -h
           Lists the database mapping.
           This option has been deprecated.

       -h LDAP_server[:serverPort]
           Specifies an address (or a name) and a port of the LDAP server
           from which the entries are read. The current naming service
           specified in the nsswitch.conf file is used. The default value
           for the port is 389, unless TLS is specified in the
           authentication method. In this case, the default LDAP server port
           number is 636.

       -j passwdFile
           Specifies a file containing the password for the bind DN or the
           password for the SSL client's key database. To protect the
           password, use this option in scripts and place the password in a
           secure file.

           This option is mutually exclusive with the -w option.

       -l
           Lists all the attributes for each entry matching the search
           criteria. By default, ldaplist lists only the Distinguished Name
           of the entries found.

       -M domainName
           Specifies the name of a domain served by the specified server. If
           this option is not specified, the default domain name is used.

       -N profileName
           Specifies a DUAProfile name. A profile with such a name is
           supposed to exist on the server specified by the -H option. The
           default value is default.

       -p certifPath
           Specifies the certificate path to the location of the certificate
           database. The value is the path where security database files
           reside. This is used for TLS support, which is specified in the
           authenticationMethod and serviceAuthenticationMethod attributes.
           The default is /var/ldap.

       -w bindPassword
           Password to be used for authenticating the bindDN. If this
           parameter is missing, the command prompts for a password. NULL
           passwords are not supported in LDAP.

           When you use -w bind_password to specify the password to be used
           for authentication, the password is visible to other users of the
           system by means of the ps command, in script files or in shell
           history.

           If the value of - is supplied as a password, the command prompts
           for a password.

       -v
           Sets verbose mode. The ldaplist utility also prints the filter
           used to search for the entry. The filter is prefixed with "+++".
EXAMPLES
       Example 1: Listing All Entries in the Hosts Database

       The following example lists all entries in the hosts database:

         example% ldaplist hosts

       Example 2: Listing All Entries in a Non-Standard Database ou=new

       The following example lists all entries in a non-standard database:

         example% ldaplist ou=new

       Example 3: Finding user1 in the passwd Database

       The following example finds user1 in the passwd database:

         example% ldaplist passwd user1

       Example 4: Finding the Entry With Service Port of 4045 in the services
       Database

       The following example finds the entry with the service port of 4045
       in the services database:

         example% ldaplist services ipServicePort=4045

       Example 5: Finding All Users With Username Starting with new in the
       passwd Database

       The following example finds all users with the username starting with
       new in the passwd database:

         example% ldaplist passwd 'new*'

       Example 6: Listing the Attributes for the hosts Database

       The following example lists the attributes for the hosts database:

         example% ldaplist -d hosts

       Example 7: Finding user1 in the passwd Database

       The following example finds user1 in the passwd database. An LDAP
       server is specified explicitly.

         example% ldaplist -H 10.10.10.10:3890 \
                     -M another.domain.name -N special_duaprofile \
                     -D "cn=directory manager" -w secret \
                     user1

EXIT STATUS
       The following exit values are returned:

       0
           Successfully matched some entries.

       1
           Successfully searched the table and no matches were found.

       2
           An error occurred. An error message is output.
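       Example 7 above passes the bind password with -w secret, which the -w
       description says leaves it visible in ps output, scripts and shell
       history. The following Python helper is an added example, not code
       from ldaplist or the illumos project, showing the -j alternative: the
       password is read from a file that must not be readable by group or
       others, the argument list is built with -j so the secret never appears
       on the command line, the port default (389, or 636 for a tls: method)
       follows the -h description, and the exit values from EXIT STATUS are
       classified. Helper names, the demo host, bind DN and password are
       constructed for the example; run_ldaplist is only meaningful on a
       system where /usr/bin/ldaplist exists.

```python
import os
import stat
import subprocess
import tempfile
from typing import List, Optional, Sequence, Tuple

# Exit values as documented in EXIT STATUS.
EXIT_STATUS = {
    0: "matched some entries",
    1: "searched the table, no matches found",
    2: "error (message printed by ldaplist)",
}


def describe_exit(rc: int) -> str:
    return EXIT_STATUS.get(rc, "unexpected exit status %d" % rc)


def write_password_file(path: str, password: str, mode: int = 0o600) -> None:
    """Create the -j password file with the requested mode (default 0600)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")
    os.chmod(path, mode)  # apply the mode regardless of the umask


def read_bind_password(path: str) -> str:
    """Return the password stored in path, refusing files other users can read."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("%s: not a regular file" % path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("%s: accessible by group/others; use mode 0600" % path)
    with open(path, "r") as fh:
        password = fh.readline().rstrip("\r\n")
    if not password:
        raise ValueError("%s: empty password (NULL passwords are not supported)" % path)
    return password


def default_port(auth_method: Optional[str]) -> int:
    """389 unless the authentication method is a tls: variant, then 636."""
    return 636 if auth_method and auth_method.startswith("tls:") else 389


def server_spec(server: str, auth_method: Optional[str] = None) -> str:
    """Normalise host[:port] to host:port using the documented default port."""
    host, sep, port = server.rpartition(":")
    if sep and port.isdigit():
        return "%s:%d" % (host, int(port))
    return "%s:%d" % (server, default_port(auth_method))


def ldaplist_argv(server: str, bind_dn: str, passwd_file: str, database: str,
                  keys: Sequence[str] = (), auth_method: Optional[str] = None,
                  profile: Optional[str] = None, domain: Optional[str] = None,
                  long_listing: bool = False) -> List[str]:
    """Build the ldaplist command line; the password is referenced via -j only."""
    argv = ["/usr/bin/ldaplist", "-h", server_spec(server, auth_method)]
    if auth_method:
        argv += ["-a", auth_method]
    if domain:
        argv += ["-M", domain]
    if profile:
        argv += ["-N", profile]
    if long_listing:
        argv.append("-l")
    argv += ["-D", bind_dn, "-j", passwd_file, database]
    argv += list(keys)
    return argv


def run_ldaplist(argv: List[str]) -> Tuple[int, str, List[str]]:
    """Run ldaplist non-interactively and return (rc, meaning, output lines)."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    return proc.returncode, describe_exit(proc.returncode), proc.stdout.splitlines()


def demo() -> Tuple[str, bool, List[str]]:
    """Constructed walk-through: a 0600 file is accepted, a 0644 file is rejected,
    and the resulting argv never contains the password itself."""
    workdir = tempfile.mkdtemp()
    secure = os.path.join(workdir, "ldap.pw")
    write_password_file(secure, "s3cret-constructed")           # constructed secret
    password = read_bind_password(secure)
    insecure = os.path.join(workdir, "ldap-bad.pw")
    write_password_file(insecure, "x", mode=0o644)
    try:
        read_bind_password(insecure)
        rejected = False
    except PermissionError:
        rejected = True
    argv = ldaplist_argv("ldap.example.test", "cn=reader,dc=example,dc=test",
                         secure, "passwd", ["user1"], auth_method="tls:simple")
    return password, rejected, argv


if __name__ == "__main__":
    pw, rejected, argv = demo()
    print("password read:", pw, "| insecure file rejected:", rejected)
    print("command line:", " ".join(argv))
```

       The permission check is the piece -j itself does not do for you: the
       page only says to place the password in a secure file, so the helper
       refuses anything group- or world-accessible before it is ever handed
       to ldaplist.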
FILES
       /var/ldap/ldap_client_file
       /var/ldap/ldap_client_cred
           Files that contain the LDAP configuration of the client. Do not
           manually modify these files. Their content is not guaranteed to
           be human readable. To update these files, use ldapclient(8).

ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:

       +--------------------+-----------------+
       |  ATTRIBUTE TYPE    | ATTRIBUTE VALUE |
       +--------------------+-----------------+
       |Interface Stability | Committed       |
       +--------------------+-----------------+

SEE ALSO
       ldap(1), ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1),
       ldapsearch(1), resolv.conf(5), attributes(7), idsconfig(8),
       ldap_cachemgr(8), ldapaddent(8), ldapclient(8)

NOTES
       RFC 2307bis is an IETF informational document in draft stage that
       defines an approach for using LDAP as a naming service.

       Currently StartTLS is not supported by libldap.so.5, therefore the
       port number provided refers to the port used during a TLS open,
       versus the port used as part of a StartTLS sequence. For example, -h
       foo:1000 -a tls:simple refers to a raw TLS open on host foo, port
       1000, not an open-then-StartTLS sequence on an unsecured port 1000.
       If port 1000 is unsecured the connection is not made.
                                May 13, 2017                     LDAPLIST(1)