LDAPLIST(1) User Commands LDAPLIST(1)
NAME
ldaplist - search and list naming information from an LDAP directory
using the configured profile
SYNOPSIS
/usr/bin/ldaplist [
-dlv] [
-h LDAP_server[
:serverPort] [
-M domainName]
[
-N profileName] [
-a authenticationMethod] [
-P certifPath]
[
-D bindDN] [
-w bindPassword] [
-j passwdFile]]
[
database [
key]...]
/usr/bin/ldaplist -g /usr/bin/ldaplist -hDESCRIPTION
If the
-h LDAP_server[:serverPort] option is specified,
ldaplist establishes a connection to the server pointed to by the option to obtain
a
DUAProfile specified by the
-N option. Then
ldaplist lists the
information from the directory described by the configuration obtained.
By default (if the
-h LDAP_server[:serverPort] option is not specified),
the utility searches for and lists the naming information from the LDAP
directory service defined in the LDAP configuration files generated by
ldapclient(8) during the client initialization phase. To use the utility
in the default mode, the Solaris LDAP client must be set up in advance.
The database is either a container name or a database name as defined in
nsswitch.conf(5). A container is a non-leaf entry in the Directory
Information Tree (DIT) that contains naming service information. The
container name is the LDAP Relative Distinguished Name (RDN) of the
container relative to the
defaultSearchBase as defined in the
configuration files. For example, for a container named
ou=people, the
database name is the database specified in
nsswitch.conf. This database
is mapped to a container, for example,
passwd maps to
ou=people. If an
invalid database is specified, it is mapped to a generic container, for
example,
nisMapName=name).
The key is the attribute value to be searched in the database. You can
specify more than one key to be searched in the same database. The key
can be specified in either of two forms:
attribute=
value or
value. In the
first case,
ldaplist passes the search key to the server. In the latter
case, an attribute is assigned depending on how the database is
specified. If the database is a container name, then the "
cn" attribute
type is used. If the database is a valid database name as defined in the
nsswitch.conf, then a predefined attribute type is used (see table
below). If the database is an invalid database name, then
cn is used as
the attribute type.
The
ldaplist utility relies on the Schema defined in the
RFC 2307bis,
currently an IETF draft. The data stored on the LDAP server must be
stored based on this Schema, unless the profile contains schema mapping
definitions. For more information on schema mapping see
ldapclient(8).
The following table lists the default mapping from the database names to
the container, the LDAP object class, and the attribute type used if not
defined in the key.
Database Object Class Attribute Type Container
aliases mailGroup cn ou=Aliases
automount nisObject cn automountMapName=auto_*
bootparams bootableDevice cn ou=Ethers
ethers ieee802Device cn ou=Ethers
group posixgroup cn ou=Group
hosts ipHost cn ou=Hosts
ipnodes ipHost cn ou=Hosts
netgroup ipNetgroup cn ou=Netgroup
netmasks ipNetwork ipnetworknumber ou=Networks
networks ipNetwork ipnetworknumber ou=Networks
passwd posixAccount uid ou=People
protocols ipProtocol cn ou=Protocols
publickey nisKeyObject uidnumber ou=People
cn ou=Hosts
rpc oncRpc cn ou=Rpc
services ipService cn ou=Services
printers printerService printer-uri ou=printers
auth_attr SolarisAuthAttr nameT ou=SolarisAuthAttr
prof_attr SolarisProfAttr nameT ou=SolarisProfAttr
exec_attr SolarisExecAttr nameT ou=SolarisProfAttr
user_attr SolarisUserAttr uidT ou=people
projects SolarisProject SolarisProjectID ou=projects
The following databases are available only if the system is configured
with Trusted Extensions:
tnrhtp ipTnetTemplate ipTnetTemplateName ou=ipTnet
tnrhdb ipTnetHost ipTnetNumber ou=ipTnet
o For the
automount database,
auto_*, in the container column,
represents
auto_home,
auto_direct, ...
o For the
publickey database, if the key starts with a digit, it
is interpreted as an uid number. If the key starts with a non-
digit, it is interpreted as a host name.
The
ldaplist utility supports substring search by using the wildcard "
*"
in the key. For example, "
my*" matches any strings that starts with "
my".
In some shell environments, keys containing the wildcard might need to be
quoted.
If the key is not specified, all the containers in the current search
baseDN is listed.
OPTIONS
The following options are supported:
-a authenticationMethod Specifies the authentication method. The default value is what has
been configured in the profile. The supported authentication methods
are:
simple
sasl/CRAM-MD5
sasl/DIGEST-MD5
tls:simple
tls:sasl/CRAM-MD5
tls:sasl/DIGEST-MD5
Selecting
simple causes passwords to be sent over the network in
clear text. Its use is strongly discouraged.
Additionally, if the client is configured with a profile which uses
no authentication, that is, either the
credentialLevel attribute is
set to
anonymous or
authenticationMethod is set to
none, the user
must use this option to provide an authentication method.
-d Lists the attributes for the specified database, rather than the
entries. By default, the entries are listed.
-D bindDN Specifies an entry which has read permission to the requested
database.
-g Lists the database mapping.
-h Lists the database mapping.
This option has been deprecated.
-h LDAP_server[:serverPort] Specifies an address (or a name) and a port of the LDAP server from
which the entries are read. The current naming service specified in
the
nsswitch.conf file is used. The default value for the port is
389, unless when TLS is specified in the authentication method. In
this case, the default LDAP server port number is
636.
-j passwdFile Specifies a file containing the password for the bind DN or the
password for the SSL client's key database. To protect the password,
use this option in scripts and place the password in a secure file.
This option is mutually exclusive of the
-w option.
-l Lists all the attributes for each entry matching the search criteria.
By default,
ldaplist lists only the Distinguished Name of the entries
found.
-M domainName Specifies the name of a domain served by the specified server. If
this option is not specified, the default domain name is used.
-N profileName Specifies a DUAProfile name. A profile with such a name is supposed
to exist on the server specified by
-H option. The default value is
default.
-p certifPath Specifies the certificate path to the location of the certificate
database. The value is the path where security database files reside.
This is used for TLS support, which is specified in the
authenticationMethod and
serviceAuthenticationMethod attributes. The
default is
/var/ldap.
-w bindPassword Password to be used for authenticating the
bindDN. If this parameter
is missing, the command prompts for a password. NULL passwords are
not supported in LDAP.
When you use
-w bind_password to specify the password to be used for
authentication, the password is visible to other users of the system
by means of the
ps command, in script files or in shell history.
If the value of
- is supplied as a password, the command prompts for
a password.
-v Sets verbose mode. The
ldaplist utility also prints the filter used
to search for the entry. The filter is prefixed with "
+++".
EXAMPLES
Example 1: Listing All Entries in the Hosts Database
The following example lists all entries in the
hosts database:
example%
ldaplist hosts Example 2: Listing All Entries in a Non-Standard Database ou=new
The following example lists all entries in a non-standard database:
example%
ldaplist ou=new Example 3: Finding user1 in the passwd Database
The following example finds
user1 in the
passwd database:
example%
ldaplist passwd user1 Example 4: Finding the Entry With Service Port of 4045 in the services
Database
The following example finds the entry with the service port of
4045 in
the
services database:
example%
ldaplist services ipServicePort=4045 Example 5: Finding All Users With Username Starting with new in the passwd
Database
The following example finds all users with the username starting with
new in the
passwd database:
example%
ldaplist passwd 'new*' Example 6: Listing the Attributes for the hosts Database
The following example lists the attributes for the
hosts database:
example%
ldaplist -d hosts Example 7: Finding user1 in the passwd Database
The following example finds
user1 in the
passwd database. An LDAP server
is specified explicitly.
example%
ldaplist -H 10.10.10.10:3890 \ -M another.domain.name -N special_duaprofile \ -D "cn=directory manager" -w secret \ user1EXIT STATUS
The following exit values are returned:
0 Successfully matched some entries.
1 Successfully searched the table and no matches were found.
2 An error occurred. An error message is output.
FILES
/var/ldap/ldap_client_file /var/ldap/ldap_client_cred Files that contain the LDAP configuration
of the client. Do not manually modify these
files. Their content is not guaranteed to
be human readable. To update these files,
use
ldapclient(8)ATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Committed |
+--------------------+-----------------+
SEE ALSO
ldap(1),
ldapadd(1),
ldapdelete(1),
ldapmodify(1),
ldapmodrdn(1),
ldapsearch(1),
resolv.conf(5),
attributes(7),
idsconfig(8),
ldap_cachemgr(8),
ldapaddent(8),
ldapclient(8)NOTES
RFC 2307bis is an IETF informational document in draft stage that defines
an approach for using
LDAP as a naming service.
Currently StartTLS is not supported by
libldap.so.5, therefore the port
number provided refers to the port used during a TLS open, versus the
port used as part of a StartTLS sequence. For example,
-h foo:1000 -a tls:simple, refers to a raw TLS open on host
foo, port 1000, not a open,
StartTLS sequence on an unsecured port 1000. If port 1000 is unsecured
the connection is not made.
May 13, 2017
LDAPLIST(1)