Some bash command line LDAP examples
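#!/bin/bash
# Some command line LDAP examples:
#   used ldap utils in macOS 10.14.3
#   ldap test bind to check user/pass
#   Lookup user info
#   Check if user exists
#
# [!] Be safe...
# You would never want to send these commands without SSL. Otherwise, credentials go in cleartext.
# Likewise, never put credentials on the command line or they'll show up in process history
# (and in `ps` output for every user on the box while the command runs).
# Use SASL/-W to get prompted, or "-y passwdfile".
# Use -ZZ to force STARTTLS (or bind with -H ldaps://host:636 instead of -h/-p).
#
# No `set -e` here on purpose: grep exits 1 when a filter matches nothing, and the
# "does the user exist?" example below relies on reaching its else branch in that case.

# Turning off history expansion in case people have exclamation marks in their passwords.
# (Non-interactive bash already has it off; this matters when these lines are pasted
# into an interactive shell.)
set +H

ldaphost='ad.corp.company.com' # FQDN of LDAP server
port='389'                     # Usually '389' (unsafe) or 636 (LDAPS)
userDN='CN=LDAP Service Account,CN=Users,DC=corp,DC=company,DC=com'
userPW='pwd'                   # Example only: passed with -w below, so it is visible in ps/history. Prefer -W or -y passwdfile.
base='CN=Users,DC=corp,DC=company,DC=com' #[-b searchbase]
search="sub"                   #[-s {base|one|sub|children}]

# Extra flags kept in an array so each one expands as its own word without relying on
# unquoted word-splitting (which would also glob-expand anything that looks like a pattern).
flags=()
flags+=('-x') #-x == Use simple authentication instead of SASL. Unsafe. You would not do this IRL.
options=''
options+='nettimeout=5' # Example of using timeout option

# FILTER EXAMPLES:
# This would return every object in the search base + search level (base|one|sub|children)...
filter="(objectclass=*)"
# Setup to find a specific user...
searchForClass='user'
searchForField='sAMAccountName'
searchForValue='UserID'
# Return user with this short name...
# searchForValue is spliced into the filter verbatim. If it ever comes from user input,
# escape the filter metacharacters ( ) * \ first, otherwise the filter can be rewritten.
filter="(&(objectClass=${searchForClass})(${searchForField}=${searchForValue}))"

# -W prompt for authentication

# ########################################################
# Example to return all attributes for a user:
# ########################################################
ldif=$( ldapsearch -LLL -h "$ldaphost" -p "$port" -D "$userDN" -w "$userPW" \
  -b "$base" -s "$search" -o "$options" "${flags[@]}" "$filter" )
printf '%s\n' "$ldif"

# ########################################################
# Example to return the email address of a user...
# ########################################################
returnFields='mail'
ldif=$( ldapsearch -LLL -h "$ldaphost" -p "$port" -D "$userDN" -w "$userPW" \
  -b "$base" -s "$search" -o "$options" "${flags[@]}" "$filter" "$returnFields" )
# Keep only the attribute line(s). grep exits 1 with empty output when nothing matched.
ldif=$( grep -E "^${returnFields}:" <<<"$ldif" )
# First matching line only; the value is kept intact (spaces included) instead of being
# word-split and glob-expanded through an unquoted array assignment.
# NOTE: LDIF emits non-ASCII/binary values as "mail:: <base64>"; such lines are not decoded here.
read -r _attr email <<<"$ldif"
printf '%s\n' "$email"

# ########################################################
# Test if user exists...
# ########################################################
returnFields='sAMAccountName'
ldif=$( ldapsearch -LLL -h "$ldaphost" -p "$port" -D "$userDN" -w "$userPW" \
  -b "$base" -s "$search" -o "$options" "${flags[@]}" "$filter" "$returnFields" )
ldif=$( grep -E "^${returnFields}:" <<<"$ldif" )
read -r _attr value <<<"$ldif"
# Byte-for-byte comparison. The directory's own matching rule for this attribute may be
# case-insensitive, so a hit that differs only in case prints 'I do not.' — TODO confirm.
if [[ "$value" == "$searchForValue" ]]; then
  printf '%s\n' 'I exist!'
else
  printf '%s\n' 'I do not. '
fi
# Another way, probs simpler...
# if ldapsearch -x -H "$url" -b "$basedn" uid=$i | grep uid: | awk '{print $2}' > /dev/null
# then...

# ########################################################
# Test a username and password
# ########################################################
# Try binding with the user info instead of a service acct.
# If you can bind, you're good. If not, you're not...
# (As written this still binds as $userDN / $userPW; substitute the DN and password of the
# account under test. The exit status is the signal: 0 = bind accepted, non-zero = refused.)
# If you have uid but not cn, you can't calculate DN. Could use service account to get cn for the uid, then bind on that.
ldapwhoami -vvv -h "$ldaphost" -p "$port" -D "$userDN" -x -w "$userPW"
# Example response on bad pwd...
# error code: 49
# ldap_bind: Invalid credentials (49)
# additional info: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
# echo $?

# ldapsearch [-n] [-c] [-u] [-v] [-t[t]] [-T path] [-F prefix] [-A] [-L[L[L]]] [-M[M]] [-S attribute]
# [-d debuglevel] [-f file] [-x] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
# [-p ldapport] [-b searchbase] [-s {base|one|sub|children}] [-a {never|always|search|find}] [-P {2|3}]
# [-e [!]ext[=extparam]] [-E [!]ext[=extparam]] [-l timelimit] [-z sizelimit] [-O security-properties] [-I]
# [-Q] [-U authcid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]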