-
Notifications
You must be signed in to change notification settings - Fork 0
/
LDAP.txt
100 lines (85 loc) · 4.42 KB
/
LDAP.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
RFCs for LDAP : RFC4510~4520
================================================================================================
RFC4514, String Representation of Distinguished Names (http://tools.ietf.org/rfc/rfc4514.txt)
String X.500 AttributeType
------ --------------------------------------------
CN commonName (2.5.4.3)
L localityName (2.5.4.7)
ST stateOrProvinceName (2.5.4.8)
O organizationName (2.5.4.10)
OU organizationalUnitName (2.5.4.11)
C countryName (2.5.4.6)
STREET streetAddress (2.5.4.9)
DC domainComponent (0.9.2342.19200300.100.1.25)
UID userId (0.9.2342.19200300.100.1.1)
These attribute types are described in [RFC4519].
================================================================================================
RFC4515, String Representation of Search Filters (http://tools.ietf.org/rfc/rfc4515.txt)
filter = LPAREN filtercomp RPAREN
filtercomp = and / or / not / item
and = AMPERSAND filterlist
or = VERTBAR filterlist
not = EXCLAMATION filter
filterlist = 1*filter
item = simple / present / substring / extensible
simple = attr filtertype assertionvalue
filtertype = equal / approx / greaterorequal / lessorequal
equal = EQUALS
approx = TILDE EQUALS
greaterorequal = RANGLE EQUALS
lessorequal = LANGLE EQUALS
extensible = ( attr [dnattrs]
[matchingrule] COLON EQUALS assertionvalue )
/ ( [dnattrs]
matchingrule COLON EQUALS assertionvalue )
present = attr EQUALS ASTERISK
substring = attr EQUALS [initial] any [final]
initial = assertionvalue
any = ASTERISK *(assertionvalue ASTERISK)
final = assertionvalue
attr = attributedescription
; The attributedescription rule is defined in
; Section 2.5 of [RFC4512].
dnattrs = COLON "dn"
matchingrule = COLON oid
assertionvalue = valueencoding
; The <valueencoding> rule is used to encode an <AssertionValue>
; from Section 4.1.6 of [RFC4511].
valueencoding = 0*(normal / escaped)
normal = UTF1SUBSET / UTFMB
escaped = ESC HEX HEX
UTF1SUBSET = %x01-27 / %x2B-5B / %x5D-7F
; UTF1SUBSET excludes 0x00 (NUL), LPAREN,
; RPAREN, ASTERISK, and ESC.
EXCLAMATION = %x21 ; exclamation mark ("!")
AMPERSAND = %x26 ; ampersand (or AND symbol) ("&")
ASTERISK = %x2A ; asterisk ("*")
COLON = %x3A ; colon (":")
VERTBAR = %x7C ; vertical bar (or pipe) ("|")
TILDE = %x7E ; tilde ("~")
Examples:
(cn=Babs Jensen)
(!(cn=Tim Howes))
(&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*)))
(o=univ*of*mich*)
(seeAlso=)
test using ldapsearch:
ldapsearch -v -x -H 'ldap://excample.com:389' -D 'CN=test,OU=cloud,DC=example,DC=com' -w 'passwdtext' -b 'OU=cloud,DC=example,DC=com' '(|(mail=xxx@example.com)(mail=xxx2@example.com)' cn mail
或者
ldapsearch -v -x -H 'ldap://excample.com:389' -D 'test@example.com' -w 'passwdtext' -b 'OU=cloud,DC=example,DC=com' '(|(mail=xxx@example.com)(mail=xxx2@example.com)' cn mail
注释
ldapsearch -v # verbose mode
-x # simple authentication (other than SASL)
-H 'ldap://excample.com:389' # ldapuri (protocol + host + port)
-D 'CN=test,OU=cloud,DC=example,DC=com' # binddn
-w 'passwdtext' # password for dn
-b 'OU=cloud,DC=example,DC=com' # searchbase
'(|(mail=xxx@example.com)(mail=xxx2@example.com)' # filter
cn mail # attributes (for output, dn is always in output)
###add '-Z' when using ldapsearch, to use tls
ldapsearch -Z -v -x -H 'ldap://mail.camera360.com:389' -D 'CN=test,OU=Camera360,DC=camera360,DC=com' -w Aa654321 -b 'OU=Camera360,DC=camera360,DC=com' '(mail=liuzhaohui@camera360.com)' cn mail
## control tls certificates check
add config to ldap.conf (use `man ldap.conf` to get more details)
TLS_REQCERT never|allow|try|demand
or
export LDAPTLS_REQCERT=allow