LDAP as in OpenLDAP’s ldapsearch command


This weird ldapsearch command syntax

I, for one, never remember how to use ldapsearch (and similar commands). The man page doesn’t have a clear example and Google searches aren’t always to the point. Well!

Find all members of group posix_sysadmins (or any other group)

This outputs the ‘memberUid’ attribute of the group entry ‘posix_sysadmins’ (for a posixGroup the member names are stored on the group, not on the user entries) while binding as kang@example.com. It assumes the groups live under an OU named ‘groups’, which is the usual layout. -W prompts for the bind password; -x selects a simple bind, so over plain ldap:// that password crosses the wire in clear text. Use an ldaps:// URI, or add -ZZ to require StartTLS, when the server supports it. The old -h host option is deprecated in favour of -H with a URI.

ldapsearch -H ldap://ldap.example.com -x -D "mail=kang@example.com,o=com,dc=example" -W -b 'cn=posix_sysadmins,ou=groups,dc=example' memberUid

Filter valid accounts in LDAP

This outputs the DN of every account that has a mail address and is not marked disabled. employeeType is a standard inetOrgPerson attribute; the DISABLED value is a site-specific convention. This shows the syntax for queries where you want to exclude a match: the filter grammar (RFC 4515) has no ‘!=’ operator, so negation is written (!(attribute=value)) and combined with the rest of the filter with (&...). Turns out ‘!=’ would have been way too logical :) Beware that ldapsearch treats its first non-option argument as the filter and every argument after it as an attribute to return, so a second filter on the command line is taken as an attribute name and the exclusion is silently dropped, returning the disabled accounts too. The whole condition has to be one filter. Asking for the attribute ‘1.1’ tells the server to return no attributes, so each result is just its DN (‘dn’ itself is not an attribute you can request).

ldapsearch -H ldap://ldap.example.com -x -D "mail=kang@example.com,o=com,dc=example" -W -b dc=example "(&(mail=*)(!(employeeType=DISABLED)))" 1.1
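As an added example (not code from the original post), here is a small POSIX shell script that builds the two filters above and runs them over LDAPS. It matters once the group name or the exclusion value comes from a script argument rather than being typed by hand: a value like x)(uid=* rewrites the query unless the characters \ * ( ) are escaped as RFC 4515 requires. The host, bind DN and base DNs are this page’s placeholders reused as assumptions; the function names are my own.

```sh
#!/bin/sh
# Added example, not code from the original post.
# Builds ldapsearch filters for the two queries above and runs them over LDAPS.
# Host, bind DN and base DNs are this page's placeholders, used here as assumptions.

# Escape a value for use inside an LDAP search filter (RFC 4515):
#   \ -> \5c   * -> \2a   ( -> \28   ) -> \29
# The backslash is handled first so the escapes we add are not re-escaped.
# Without this, a value such as 'x)(uid=*' taken from a script argument rewrites
# the query (LDAP filter injection).
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Filter selecting one POSIX group by name; the group's members are then read
# from its memberUid attribute (memberUid lives on the group entry, not on the
# user entries).
group_members_filter() {
    printf '(&(objectClass=posixGroup)(cn=%s))' "$(ldap_filter_escape "$1")"
}

# Wrap an existing filter so entries where attr=value are excluded.
# The filter grammar has no != operator: negation is (!(...)), and it must be
# combined with the rest of the filter using (&...), not passed as a separate
# argument (ldapsearch would take that argument as an attribute name).
# $1 is already a filter and is used as-is; $3 is a value and is escaped.
exclude_matching() {
    printf '(&%s(!(%s=%s)))' "$1" "$2" "$(ldap_filter_escape "$3")"
}

# Accounts with a mail address that are not marked DISABLED in employeeType.
active_accounts_filter() {
    exclude_matching '(mail=*)' employeeType DISABLED
}

# Run a query with a simple bind over LDAPS. -x is a simple bind, so the
# password would cross the wire in clear text over plain ldap://; ldaps:// (or
# -ZZ for StartTLS) protects it. -W prompts for the password so it is not left
# in argv or shell history. -LLL drops the comment lines from the output.
LDAP_URI="${LDAP_URI:-ldaps://ldap.example.com}"
BIND_DN="${BIND_DN:-mail=kang@example.com,o=com,dc=example}"
ldap_query() {  # args: base filter [attributes...]
    base=$1; filter=$2; shift 2
    ldapsearch -LLL -H "$LDAP_URI" -x -D "$BIND_DN" -W -b "$base" "$filter" "$@"
}

# Usage: "sh thisfile.sh run" performs both queries; without "run" the functions
# can be sourced and used from other scripts.
if [ "${1-}" = "run" ]; then
    # Members of posix_sysadmins, taken from the group entry's memberUid values.
    ldap_query 'ou=groups,dc=example' "$(group_members_filter 'posix_sysadmins')" memberUid
    # DNs of enabled accounts only; attribute 1.1 means "return no attributes",
    # so each result is just its DN.
    ldap_query 'dc=example' "$(active_accounts_filter)" 1.1
fi
```

The group query uses a filter on cn under ou=groups instead of putting the group name into the base DN, which keeps the escaping to one set of rules (a DN needs different, RFC 4514 escaping). Setting LDAP_URI to ldap://... and adding -ZZ to ldap_query is the StartTLS alternative when the server has no ldaps:// listener.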