This page is far from publishable state right now. I am just writing random notes and using it as bookmarks for now. Will work more on it once I am finished with my current LDAP project. The LDAP books review toward the end would be more readable :)

LDAP

LDAP gotchas

Smart Referrals.
Probably want to stay away from them from a NIS migration perspective. Linux is probably the only platform that supports them.
AIX will traverse them and loop through the many servers set by the smart referrals, causing huge delays in telnet session connection and automount map retrieval, and making the machine extremely sluggish.
Solaris is a bit better. It still crosses the smart referral servers more often than needed, resulting in delayed performance. Even when the profile is set so that it should not follow the smart referrals, it doesn't honor it. Performance is acceptable if smart referrals are a must. But even then, I don't see automount map referrals functioning correctly.
HP-UX: don't know if it causes problems yet, but it doesn't provide the correct function of retrieving data from the smart referral automount maps.

LDAP commands

ldapsearch

Query LDAP directory server info; output is in LDIF format.
Sample ldapsearch commands...
Solaris 10 argument structure:
ldapsearch -b SearchBase [options] FILTER [attributes]
	[options]
	-h ldaphost	# ldap server to connect to, default to localhost
	-D bindDN	# user used to connect to LDAP, default to anonymous
	-d n		# debug level, bit flags.
	-e 		# minimizes base-64 encoding (like tab!)
	-T		# don't fold/wrap lines.  LDIF treats lines starting with a space as
			# continuation of the previous line; default width is 80 chars.
	-L		# ...
	[attributes]
	select the attributes to list.  Default is all, but the display can be limited to only certain ones, eg:
	dn 		# list only the dn entry
	dn cn		# list both dn and cn entries, nothing else.



ldapsearch -b "dc=unixville,dc=com" -h ldapsvr "uidNumber=5001"
ldapsearch -b "dc=unixville,dc=com" -h ldapsvr "gidNumber=5001"
	# find the entry with a given uid or gid number.
ldapsearch -b "dc=unixville,dc=com" -h ldapsvr "uid=tin*" dn cn uidNumber
	# find all usernames starting with tin; display only the fields dn, cn, uidNumber.
ldapsearch -b "ou=us,dc=unixville,dc=com" -h ldapsvr "givenName=*tin*" dn givenName uidNumber
	# find all users whose real name contains tin anywhere (case insensitive).
ldapsearch -b "ou=us,dc=unixville,dc=com" -h ldapsvr -D "cn=Directory Manager" "givenName=tin" userPassword
	# certain attributes such as the shadow password can only be retrieved by
	# a privileged user.
	# Finally, some info is only available on the Directory Server (eg via
	# export) but not through ldapsearch at all, eg these attributes of a Person entry:
	# creatorsName, modifiersName, modifyTimestamp, nsUniqueId
ldapsearch -b "cn=config" -h ldapsvr -D "cn=Directory Manager" "objectClass=*"
	# retrieve config info; objectClass=* serves as the wildcard for "all"
ldapsearch -b "cn=config" -h ldapsvr -D "cn=Directory Manager" "objectClass=*" | grep  passwordStorageScheme
	# grep for the password encryption scheme (crypt, ssha, etc).
	# AIX 5.3 only supports crypt.
	# Solaris and Linux support both crypt and ssha.

ldapsearch  -b "cn=schema" -h ldapsvr -D "cn=Directory Manager" "objectClass=*" 
	# retrieve all info on the schema of the directory tree

ldapsearch -h ldapsvr  -b "o=NetscapeRoot" -D "cn=directory manager" "objectClass=*"
	# retrieve Fedora Directory Server internal config info
	# NetscapeRoot because Fedora/RedHat DS is based off the old Netscape Directory Server

ldapsearch -h ldapsvr -L -b automountMapName=auto_master,l=sf,l=ca,c=us,dc=element50,dc=com objectclass=*
	# something similar to "ypcat auto.master"

ldapsearch -h ldapsvr -T -b automountMapName=auto_home,ou=us,dc=unixville,dc=com  objectClass=*  dn                   | grep -v ^$ 
ldapsearch -h ldapsvr -T -b "ou=us,dc=unixville,dc=com"                          automountkey=*  automountInformation | grep home
	# list automount map entries for auto_home, similar to "ypcat auto.home"

ldapsearch -h ldapsvr -T -b dc=unixville,dc=com  automountkey=/home
	# find out where /home is referred to and how it is defined (auto.master, auto_master, which domain/ou)
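As an added example (not part of these notes), this Python builds the same kinds of filters used in the searches above from untrusted values, escaping them per RFC 4515 so that a supplied name containing filter metacharacters such as * or ) cannot change the meaning of the search; ldapsearch_argv is a hypothetical helper that only assembles the Solaris-style command line and contacts no server.

```python
# Added example, not from the original notes: build the ldapsearch filters used
# above from untrusted values, escaping per RFC 4515 section 3 so that filter
# metacharacters in a name cannot widen or alter the search.  Stdlib only; no
# LDAP server is contacted.
import shlex

# Characters that must be escaped inside an LDAP filter value (RFC 4515).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a literal attribute value for use inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def equality_filter(attr: str, value: str) -> str:
    """(attr=value), e.g. the uidNumber=5001 search above."""
    return f"({attr}={escape_filter_value(value)})"

def prefix_filter(attr: str, prefix: str) -> str:
    """(attr=prefix*): the uid=tin* search above, with only our own wildcard live."""
    return f"({attr}={escape_filter_value(prefix)}*)"

def contains_filter(attr: str, needle: str) -> str:
    """(attr=*needle*): the givenName=*tin* search above."""
    return f"({attr}=*{escape_filter_value(needle)}*)"

def ldapsearch_argv(base: str, host: str, filt: str, *attrs: str) -> list[str]:
    """Hypothetical helper: argv for the Solaris-style invocation in these notes."""
    return ["ldapsearch", "-b", base, "-h", host, filt, *attrs]

if __name__ == "__main__":
    # Constructed inputs: a plain name and one carrying filter metacharacters.
    for name in ("tin", "tin*)(uid=*"):
        argv = ldapsearch_argv("dc=unixville,dc=com", "ldapsvr",
                               prefix_filter("uid", name), "dn", "cn", "uidNumber")
        print(shlex.join(argv))
```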


AIX
ldapsearch is in /usr/ldap/bin
Linux native
Parameters used by /usr/bin/ldapsearch from the openldap-clients rpm:
ldapsearch [options] FILTER [attributes]
	[options]
	-x 		# simple auth, no SASL (option not in Solaris)
	-b SearchBase	# specify the starting point where the search will begin.  Typically the root.
	-h ldaphost	# ldap server to connect to, default to localhost
	-D bindDN	# user used to connect to LDAP, default to anonymous
	-d n		# debug level, bit flags.

           <------------- options --------------->   <-required FILTER->  [attr]
ldapsearch -b "dc=hybridauto,dc=com" -h ldap007 -x   nsds5ReplConflict=*    dn    | grep -v ^#
	# find all entries with a replication conflict problem,
	# where the dn has nsuniqueid= added to its RDN.  eg:
	# nsuniqueid=f0b6791e-1dd111b2-80dba88a-997d0000+uid=duptest,ou=people,dc=hybridauto,dc=com
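The Python below is an added example, not from these notes: it parses ldapsearch LDIF output the way the -T note above describes it (a line starting with a space continues the previous line, and "attr::" marks a base64 value), then pulls out the nsds5ReplConflict entries and splits the nsuniqueid off their dn. SAMPLE_LDIF is constructed for the example and is not real server output.

```python
# Added example, not from the original notes: parse ldapsearch LDIF output as
# described above (leading-space lines continue the previous line, "attr::" is
# base64) and pull out the nsds5ReplConflict entries. SAMPLE_LDIF is constructed.
import base64
import re

SAMPLE_LDIF = """\
dn: uid=tin,ou=people,dc=hybridauto,dc=com
uid: tin
description:: ZHVwbGljYXRlIHRlc3Q=

dn: nsuniqueid=f0b6791e-1dd111b2-80dba88a-997d0000+uid=duptest,ou=people,dc=hybridauto,dc=com
uid: duptest
nsds5ReplConflict: namingConflict uid=duptest,ou=people,dc=hybridauto,
 dc=com
"""

def unfold(ldif: str) -> list[str]:
    out: list[str] = []                    # join folded lines onto the line before
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out

def parse_ldif(ldif: str) -> list[dict[str, list[str]]]:
    """One {attr: [values]} dict per entry; '::' values are base64-decoded."""
    entries, current = [], {}
    for line in unfold(ldif) + [""]:       # trailing "" flushes the last entry
        if line == "" and current:
            entries.append(current)
            current = {}
        elif line and not line.startswith("#"):   # skip ldapsearch '#' comments
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            current.setdefault(attr, []).append(value.strip())
    return entries

# Conflict entries get "nsuniqueid=<id>+" prepended to their original RDN.
_CONFLICT_DN = re.compile(r"^nsuniqueid=([0-9a-f-]+)\+(.*)$", re.I)
def replication_conflicts(ldif: str) -> list[tuple[str, str]]:
    """(nsuniqueid, original dn) for every entry carrying nsds5ReplConflict."""
    found = []
    for entry in parse_ldif(ldif):
        if "nsds5ReplConflict" in entry:
            m = _CONFLICT_DN.match(entry["dn"][0])
            found.append((m.group(1), m.group(2)) if m else ("", entry["dn"][0]))
    return found
```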
	

FEDORA-DS
Parameters used by /opt/fedora-ds/shared/bin/ldapsearch installed by the RedHat/Fedora DS:
Some strange Linux machines' default ldapsearch:
ldapsearch -x -ZZ -s "dc=unixville,dc=com" -b ""
	-x 	= no SASL
	-ZZ	= use TLS
	-s 	= search base



ldapadd

ldapadd will add info to the directory server, erroring out if the entry already exists (as defined by the dn). Must be done while the Directory Server is running, live. (ldif2db will overwrite, see below.)
FEDORA-DS
ldapadd -x -W -c -D "cn=Directory Manager" -h ldapsvr -f data.ldif
	ldapadd is really "ldapmodify -a", so it shares the same options, see below

Sample data.ldif file used to add a user, automount map, ...

# add a user 
dn: uid=tin,ou=Peop