Go to main content

man pages section 1: User Commands

Exit Print View

Updated: Thursday, June 13, 2019
 
 

ldaplist(1)

Name

ldaplist - search and list naming information from an LDAP directory using the configured profile

Synopsis

/usr/bin/ldaplist [-dlv] [-h LDAP_server[:serverPort] [-M domainName] 
   [-N profileName] [-a authenticationMethod] [-P certifPath] 
   [-D bindDN] [-w bindPassword] [-j passwdFile]]
    [-C containerDN] [database [key]...]
/usr/bin/ldaplist -g
/usr/bin/ldaplist -h

Description

If the –h LDAP_server[:serverPort] option is specified, ldaplist establishes a connection to the server pointed to by the option to obtain a DUAProfile specified by the –N option. Then ldaplist lists the information from the directory described by the configuration obtained.

By default (if the –h LDAP_server[:serverPort] option is not specified), the utility searches for and lists the naming information from the LDAP directory service defined in the LDAP configuration files generated by ldapclient(8) during the client initialization phase. To use the utility in the default mode, the Oracle Solaris LDAP client must be set up in advance.

The database is either a container name or a database name as defined in nsswitch.conf(5). A container is a non-leaf entry in the Directory Information Tree (DIT) that contains naming service information. The container name is the LDAP Relative Distinguished Name (RDN) of the container relative to the defaultSearchBase as defined in the configuration files. For example, for a container named ou=people, the database name is the database specified in nsswitch.conf. This database is mapped to a container, for example, passwd maps to ou=people. If an invalid database is specified, it is mapped to a generic container, for example, nisMapName=name ).

The key is the attribute value to be searched in the database. You can specify more than one key to be searched in the same database. The key can be specified in either of two forms: attribute=value or value. In the first case, ldaplist passes the search key to the server. In the latter case, an attribute is assigned depending on how the database is specified. If the database is a container name, then the “cn” attribute type is used. If the database is a valid database name as defined in the nsswitch.conf, then a predefined attribute type is used (see table below). If the database is an invalid database name, then cn is used as the attribute type.

The ldaplist utility relies on the Schema defined in the RFC 2307bis, currently an IETF draft. The data stored on the LDAP server must be stored based on this Schema, unless the profile contains schema mapping definitions. For more information on schema mapping see ldapclient(8). The following table lists the default mapping from the database names to the container, the LDAP object class, and the attribute type used if not defined in the key.

Database     Object Class     Attribute Type    Container

aliases      mailGroup        cn                ou=Aliases
automount    nisObject        cn                automountMapName=auto_*
bootparams   bootableDevice   cn                ou=Ethers
ethers       ieee802Device    cn                ou=Ethers
group        posixgroup       cn                ou=Group
hosts        ipHost           cn                ou=Hosts
ipnodes      ipHost           cn                ou=Hosts
netgroup     ipNetgroup       cn                ou=Netgroup
netmasks     ipNetwork        ipnetworknumber   ou=Networks
networks     ipNetwork        ipnetworknumber   ou=Networks
passwd       posixAccount     uid               ou=People
protocols    ipProtocol       cn                ou=Protocols
publickey    nisKeyObject     uidnumber         ou=People
                              cn                ou=Hosts
rpc          oncRpc           cn                ou=Rpc
services     ipService        cn                ou=Services
printers     printerService   printer-uri       ou=printers
auth_attr    SolarisAuthAttr  cn                ou=SolarisAuthAttr
prof_attr    SolarisProfAttr  cn                ou=SolarisProfAttr
exec_attr    SolarisExecAttr  cn                ou=SolarisProfAttr
user_attr    SolarisUserAttr  uid               ou=People
projects     SolarisProject   SolarisProjectID  ou=projects

The following databases are available only if the system is configured with Trusted Extensions:


tnrhtp      ipTnetTemplate   ipTnetTemplateName ou=ipTnet
tnrhdb      ipTnetHost       ipTnetNumber       ou=ipTnet

  • For the automount database, auto_*, in the container column, represents auto_home, auto_direct, …

  • For the publickey database, if the key starts with a digit, it is interpreted as an uid number. If the key starts with a non-digit, it is interpreted as a host name.

The ldaplist utility supports substring search by using the wildcard “*” in the key. For example, “my*” matches any strings that starts with “my”. In some shell environments, keys containing the wildcard might need to be quoted.

If the key is not specified, all the containers in the current search baseDN is listed.

Options

The following options are supported:

–a authenticationMethod

Specifies the authentication method. The default value is what has been configured in the profile. The supported authentication methods are:


simple
sasl/CRAM-MD5
sasl/DIGEST-MD5
tls:simple
tls:sasl/CRAM-MD5
tls:sasl/DIGEST-MD5

Selecting simple causes passwords to be sent over the network in clear text. Its use is strongly discouraged.

Additionally, if the client is configured with a profile which uses no authentication, that is, either the credentialLevel attribute is set to anonymous or authenticationMethod is set to none, the user must use this option to provide an authentication method.

–C containerDN

Specifies the container DN for profile search served by the specified server. If not specified and –M is not specified, the default domain name will be used for profile search.

–d

Lists the attributes for the specified database, rather than the entries. By default, the entries are listed.

–D bindDN

Specifies an entry which has read permission to the requested database.

–g

Lists the database mapping.

–h

Lists the database mapping.

This option has been deprecated.

–h LDAP_server[:serverPort]

Specifies an address (or a name) and a port of the LDAP server from which the entries are read. The current naming service specified in the nsswitch.conf file is used. The default value for the port is 389, unless when TLS is specified in the authentication method. In this case, the default LDAP server port number is 636.

The format to specify the address and port number for an IPv6 address is:

[ipv6_addr]:port

To specify the address and port number for an IPv4 address, use the following format:

ipv4_addr:port

If the host name is specified, use the format:

host_name:port
–j passwdFile

Specifies a file containing the password for the bind DN or the password for the SSL client's key database. To protect the password, use this option in scripts and place the password in a secure file.

This option is mutually exclusive of the –w option.

–l

Lists all the attributes for each entry matching the search criteria. By default, ldaplist lists only the Distinguished Name of the entries found.

–M domainName

Specifies the name of a domain served by the specified server. If this option is not specified, the default domain name is used.

–N profileName

Specifies a DUAProfile name. A profile with such a name is supposed to exist on the server specified by –H option. The default value is default.

–p certifPath

Specifies the certificate path to the location of the certificate database. The value is the path where security database files reside. This is used for TLS support, which is specified in the authenticationMethod and serviceAuthenticationMethod attributes. The default is /var/ldap.

–w bindPassword

Password to be used for authenticating the bindDN. If this parameter is missing, the command prompts for a password. NULL passwords are not supported in LDAP.

When you use –w bind_password to specify the password to be used for authentication, the password is visible to other users of the system by means of the ps command, in script files or in shell history.

If the value of - is supplied as a password, the command prompts for a password.

–v

Sets verbose mode. The ldaplist utility also prints the filter used to search for the entry. The filter is prefixed with “+++”. Specifying additional –v options displays more detailed information.

Examples

Example 1 Listing All Entries in the Hosts Database

The following example lists all entries in the hosts database:

example% ldaplist hosts
Example 2 Listing All Entries in a Non-Standard Database ou=new

The following example lists all entries in a non-standard database:

example% ldaplist ou=new
Example 3 Finding user1 in the passwd Database

The following example finds user1 in the passwd database:

example% ldaplist passwd user1
Example 4 Finding the Entry With Service Port of 4045 in the services Database

The following example finds the entry with the service port of 4045 in the services database:

example% ldaplist services ipServicePort=4045
Example 5 Finding All Users With Username Starting with new in the passwd Database

The following example finds all users with the username starting with new in the passwd database:

example% ldaplist passwd 'new*'
Example 6 Listing the Attributes for the hosts Database

The following example lists the attributes for the hosts database:

example% ldaplist -d hosts
Example 7 Finding user1 in the passwd Database

The following example finds user1 in the passwd database. An LDAP server is specified explicitly.

example% ldaplist -H 10.10.10.10:3890 \ 
            -M another.domain.name -N special_duaprofile \
            -D "cn=directory manager" -w secret \
            user1
Example 8 Listing all the Attributes for a User

The following example lists the passwd, shadow, and user_attr attributes for user1. The unqualified user_attr entries are listed with the SolarisAttrKeyValue attribute. The qualified entries are listed on separate lines using the SolarisUserAttrEntry attribute.

example% ldaplist -l passwd user1
         dn: uid=u14,ou=users,dc=system,dc=com
         objectClass: posixAccount
         objectClass: shadowAccount
         objectClass: account
         objectClass: top
         objectClass: SolarisUserAttr
         objectClass: SolarisQualifiedUserAttr
         cn: user1   
         uidnumber: 317
         gidnumber: 10
         homedirectory: /export/home/user1
         loginshell: /usr/bin/bash
         uid: user1
         userPassword: {crypt}UP
         shadowInactive: 365
         shadowExpire: 24472
         shadowFlag: 0
         SolarisUserType: normal
         SolarisAttrKeyValue: profiles=Basic Solaris User
         SolarisUserAttrEntry: leonardo:::profiles=System Administrator
         SolarisUserAttrEntry: @mynetgroup:::\
               profiles=Network Administrator;roles=admin

Exit Status

The following exit values are returned:

0

Successfully matched some entries.

1

Successfully searched the table and no matches were found.

2

An error occurred. An error message is output.

Files

/var/ldap/ldap_client_file
/var/ldap/ldap_client_cred

Files that contain the LDAP configuration of the client. Do not manually modify these files. Their content is not guaranteed to be human readable. To update these files, use ldapclient(8)

Attributes

See attributes(7) for descriptions of the following attributes:

ATTRIBUTE TYPE
ATTRIBUTE VALUE
Availability
system/network/ldap
Interface Stability
Committed

See Also

resolv.conf(5), attributes(7), ldap(7), idsconfig(8), ldap_cachemgr(8), ldapaddent(8), ldapclient(8)

Notes

RFC 2307bis is an IETF informational document in draft stage that defines an approach for using LDAP as a naming service.

Both StartTLS and raw TLS are supported. A StartTLS request will be used on any connection not specifying port 636. For example:

-h foo:1000 -a tls:simple

...refers to a insecure open on host foo, port 1000, followed by a StartTLS request after the connection is made.