Some bash command line LDAP examples
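#!/bin/bash
# Some command line LDAP examples (ldap utils shipped with macOS 10.14.3):
#   - return all attributes of a user
#   - return one attribute (the email address) of a user
#   - check whether a user exists
#   - test a user/password pair by binding as that user
#
# Safety notes:
#   - Never run these without TLS; otherwise credentials travel in cleartext.
#     The default below forces STARTTLS (-ZZ) on 389. For LDAPS (636) replace
#     -h/-p/-ZZ with -H "ldaps://host:636" instead.
#   - Never put the password on the command line (-w): it shows up in `ps`
#     and in shell history. These examples use -W (prompt) or -y passwdfile.
#   - Simple bind (-x) is used for the examples; prefer SASL (-Y mech)
#     where the directory supports it.
#
# Environment:
#   LDAP_PASSWD_FILE  optional path to a file holding the bind password.
#                     OpenLDAP uses the file's entire contents (including a
#                     trailing newline) as the password, so create it with
#                     printf '%s' 'secret' > file; chmod 600 file
#
# No `set -e`: each ldap call is checked explicitly so a failed query
# reports and returns instead of silently continuing.
set -uo pipefail

ldaphost='ad.corp.company.com'   # FQDN of the LDAP server
port='389'                        # 389 + STARTTLS; 636 is LDAPS (see header)
userDN='CN=LDAP Service Account,CN=Users,DC=corp,DC=company,DC=com'
base='CN=Users,DC=corp,DC=company,DC=com'   # -b searchbase
search='sub'                                 # -s {base|one|sub|children}
starttls=1                                   # 1 = add -ZZ (fail if TLS is unavailable)

# Object to look for. The value is escaped before it goes into the filter,
# so a value containing ( ) * or \ cannot change the filter's meaning.
searchForClass='user'
searchForField='sAMAccountName'
searchForValue='UserID'

#######################################
# Escape a value for use inside an LDAP search filter (RFC 4515):
#   \ -> \5c   * -> \2a   ( -> \28   ) -> \29
# (A NUL byte cannot occur in a bash string, so \00 is not handled.)
# Arguments: $1 - raw value
# Outputs:   escaped value on stdout, no trailing newline
#######################################
ldap_filter_escape() {
  local s="$1"
  local bs='\'
  # Backslash first, so the escapes introduced below are not escaped again.
  s=${s//"$bs"/"$bs"5c}
  s=${s//'*'/"$bs"2a}
  s=${s//'('/"$bs"28}
  s=${s//')'/"$bs"29}
  printf '%s' "$s"
}

#######################################
# Print the first value of an attribute from LDIF read on stdin.
# Attribute names are matched case-insensitively (LDAP attribute names
# are case-insensitive). Base64 values ("attr:: ...") and folded
# continuation lines are not decoded; inspect the raw LDIF for those.
# Arguments: $1 - attribute name
# Outputs:   the value (possibly empty) on stdout
#######################################
ldif_attr() {
  local attr="$1"
  awk -v want="$attr" '
    tolower($1) == (tolower(want) ":") { sub(/^[^:]*: */, ""); print; exit }
  '
}

#######################################
# Build the connection and authentication argument arrays shared by
# ldapsearch and ldapwhoami.
# Globals:   reads ldaphost, port, userDN, starttls, LDAP_PASSWD_FILE;
#            writes conn_args, auth_args
#######################################
configure_args() {
  conn_args=(-h "$ldaphost" -p "$port" -o nettimeout=5)  # nettimeout: example option
  if [[ "$starttls" == 1 ]]; then
    conn_args+=(-ZZ)   # require STARTTLS; abort if it cannot be negotiated
  fi
  auth_args=(-x -D "$userDN")   # simple bind as userDN; see header about SASL
  if [[ -n "${LDAP_PASSWD_FILE:-}" ]]; then
    auth_args+=(-y "$LDAP_PASSWD_FILE")
  else
    auth_args+=(-W)   # prompt for the password; every ldap tool call prompts again
  fi
}

#######################################
# Run ldapsearch with the shared connection/auth arguments.
# Globals:   reads conn_args, auth_args, base, search
# Arguments: $1 - filter; $2.. - attributes to return (optional)
# Outputs:   LDIF on stdout
# Returns:   ldapsearch's exit status
#######################################
ldap_query() {
  ldapsearch -LLL "${conn_args[@]}" "${auth_args[@]}" -b "$base" -s "$search" "$@"
}

#######################################
# Run the examples in order.
# Returns:   0 on success, 1 when a tool is missing or a query fails
#######################################
main() {
  local tool filter ldif email value
  for tool in ldapsearch ldapwhoami; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      printf 'missing tool: %s\n' "$tool" >&2
      return 1
    fi
  done
  configure_args

  # (objectclass=*) would return every object within the search base and
  # scope; this filter returns only the user with the given short name.
  filter="(&(objectClass=${searchForClass})(${searchForField}=$(ldap_filter_escape "$searchForValue")))"

  # ########################################################
  # Example to return all attributes for a user:
  # ########################################################
  ldif=$(ldap_query "$filter") || return 1
  printf '%s\n' "$ldif"

  # ########################################################
  # Example to return the email address of a user...
  # ########################################################
  ldif=$(ldap_query "$filter" mail) || return 1
  email=$(printf '%s\n' "$ldif" | ldif_attr mail)
  printf '%s\n' "$email"

  # ########################################################
  # Test if user exists...
  # ########################################################
  # The filter already pins the short name, so the user exists exactly when
  # an entry carrying that attribute comes back (no case-sensitive compare,
  # which would misreport users whose stored name differs only in case).
  ldif=$(ldap_query "$filter" "$searchForField") || return 1
  value=$(printf '%s\n' "$ldif" | ldif_attr "$searchForField")
  if [[ -n "$value" ]]; then
    printf '%s\n' 'I exist!'
  else
    printf '%s\n' 'I do not. '
  fi

  # ########################################################
  # Test a username and password
  # ########################################################
  # Bind as the user instead of a service account: if the bind succeeds the
  # password is right, otherwise it is not. If you only have a uid and not
  # the DN, look the DN up with the service account first, then bind on it.
  # Example response on a bad password:
  #   ldap_bind: Invalid credentials (49)
  #   additional info: 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580
  ldapwhoami -vvv "${conn_args[@]}" "${auth_args[@]}"
}
main "$@"

# ldapsearch [-n] [-c] [-u] [-v] [-t[t]] [-T path] [-F prefix] [-A] [-L[L[L]]] [-M[M]] [-S attribute]
# [-d debuglevel] [-f file] [-x] [-D binddn] [-W] [-w passwd] [-y passwdfile] [-H ldapuri] [-h ldaphost]
# [-p ldapport] [-b searchbase] [-s {base|one|sub|children}] [-a {never|always|search|find}] [-P {2|3}]
# [-e [!]ext[=extparam]] [-E [!]ext[=extparam]] [-l timelimit] [-z sizelimit] [-O security-properties] [-I]
# [-Q] [-U authcid] [-R realm] [-X authzid] [-Y mech] [-Z[Z]] filter [attrs...]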