LDAP client usage (210.3)

Candidates should be able to perform queries and updates to an LDAP client.

Key Knowledge Areas

LDAP utilities for data management and queries

Change user passwords

Querying the LDAP directory

Key files, terms and utilities include:

LDAP Filters

What is it?

LDAP stands for Lightweight Directory Access Protocol. As the name suggests, it is a lighter version of DAP, the Directory Access Protocol defined by the X.500 standard. For more information on X.500, please read RFC 2116.

The reason for a lightweight version is that DAP put a heavy load on processors, demanding more than the processors of the time could provide. LDAP is described in RFC 2251.

The LDAP project was started at the University of Michigan but, as can be read on their site, is no longer maintained there. For current information, the University of Michigan site points visitors to the OpenLDAP site instead.

The type of information best suited for storage in a directory is information with a low mutation rate, i.e. data that rarely changes. The reason for this is that directories cannot compete with RDBMS systems on write performance: they are optimized for read access only. So what do we store in a directory? Typically, LDAP directories contain employee data such as surname, Christian name, address, phone number, department, social security number and e-mail address. Alternatively, directories might store newsletters for everyone to read, descriptions of company policies and procedures, or templates supporting the house style of documents.

LDAP Filters

Table 10.4. LDAP Filters

Operator                  Symbol    Description
Equality                  =         Creates a filter which requires a field to have a given value.
Presence                  *         Wildcard to represent that a field can equal anything except NULL.
Substring                 =string*  Returns entries containing attributes containing the specified substring.
Parentheses               ()        Separates filters to allow other logical operators to function.
And                       &         Joins filters together. All conditions in the series must be true.
Or                        |         Joins filters together. At least one condition in the series must be true.
Not                       !         Excludes all objects that match the filter.
Approximate               ~=        Returns entries containing the specified attribute with a value that is approximately equal to the value specified in the search filter.
Greater than or equal to  >=        Returns entries containing attributes that are greater than or equal to the specified value.
Less than or equal to     <=        Returns entries containing attributes that are less than or equal to the specified value.


ldapsearch is a shell-accessible interface to the ldap_search(3) library call. ldapsearch opens a connection to an LDAP server, binds, and performs a search using the specified parameters. The filter should conform to the string representation for search filters as defined in RFC 2254.


ldapsearch -h myhost -p 389 -s base -b "ou=people,dc=example,dc=com" "objectclass=*"

This command searches the directory server myhost, located at port 389. The scope of the search (-s) is base, and the part of the directory searched is the base DN (-b) designated. The search filter "objectclass=*" means that values for all of the entry's object classes are returned. No attributes are returned because they have not been requested. The example assumes anonymous authentication because authentication options are not specified.
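The operators of Table 10.4 and the filter string passed to ldapsearch above, as an added example that is not part of the original text: a small parser for RFC 2254 / RFC 4515 filter strings that returns a tree of (attribute, operator, value) items, plus the escaping (RFC 4515, section 3) an application must apply to any untrusted value it places into a filter so that the value cannot close the item and start a second filter. The tree shape and the function names are this example's own.

```python
# Added example: parser for RFC 2254 / RFC 4515 search filters plus value escaping.
# Characters with special meaning inside an assertion value (RFC 4515, section 3).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_value(value: str) -> str:
    """Escape a value so it is matched literally, never read as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def parse_filter(text: str):
    """Return ('&', [...]), ('|', [...]), ('!', sub) or (attr, op, value), where op
    is '=', '~=', '>=', '<=', '=*' (presence) or '=sub' (substring with '*')."""
    node, pos = _parse(text, 0)
    if pos != len(text):                  # e.g. a second filter appended after ')'
        raise ValueError(f"trailing data after filter: {text[pos:]!r}")
    return node

def _parse(s: str, i: int):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|"):          # And / Or: a list of sub-filters
        op, i, kids = s[i], i + 1, []     # '(&)' with no sub-filters is RFC 4526 true
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), _close(s, i)
    if s[i:i + 1] == "!":                 # Not: exactly one sub-filter
        kid, i = _parse(s, i + 1)
        return ("!", kid), _close(s, i)
    end = s.find(")", i)                  # a raw ')' can only terminate the item
    if end < 0:
        raise ValueError("missing ')'")
    item = s[i:end]
    eq = item.find("=")
    if eq <= 0:
        raise ValueError(f"no attribute or filtertype in {item!r}")
    n = 2 if item[eq - 1] in "~><" else 1  # filtertype token is '~=', '>=', '<=' or '='
    attr, op, val = item[:eq + 1 - n], item[eq + 1 - n:eq + 1], item[eq + 1:]
    if not attr:
        raise ValueError(f"empty attribute in {item!r}")
    if op == "=" and "*" in val:          # presence ('*' alone) or substring
        op = "=*" if val == "*" else "=sub"
    return (attr, op, val), end + 1

def _close(s: str, i: int) -> int:
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1
```

Run through escape_value, the string "*)(uid=*" stays one equality value; unescaped, the same characters would terminate the item and be parsed as additional filter syntax.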


ldappasswd - change the password of an LDAP entry

ldappasswd is a tool to set the password of an LDAP user. ldappasswd uses the LDAPv3 Password Modify (RFC 3062) extended operation.

ldappasswd sets the password associated with the user (or an optionally specified user). If the new password is not specified on the command line and the user doesn't enable prompting, the server will be requested to generate a password for the user.


ldappasswd -x -h localhost -D "cn=root,dc=example,dc=com" -s secretpassword -W uid=admin,ou=users,ou=horde,dc=example,dc=com

Set the password for uid=admin,ou=users,ou=horde,dc=example,dc=com on localhost.


ldapadd - LDAP add entry tool

ldapadd is implemented as a hard link to the ldapmodify tool. When invoked as ldapadd the -a (add new entry) flag is turned on automatically.

Option: ldapmodify -a

-a Adds new entries. The default for ldapmodify is to modify existing entries. If invoked as ldapadd, this option is always set.


ldapadd -h myhost -p 389 -D "cn=orcladmin" -w welcome -f jhay.ldif

Using this command, user orcladmin authenticates to the directory myhost, located at port 389. The command then opens the file jhay.ldif and adds its contents to the directory. The file might, for example, add the entry uid=jhay,cn=Human Resources,cn=example,dc=com and its object classes and attributes.
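An LDIF file of the kind jhay.ldif might contain, as an added example that is not part of the original text: the first record adds the entry named above (the object classes and attribute values are assumed), and the second record shows the changetype form that ldapmodify without -a applies to an existing entry.

```ldif
# Constructed add record for ldapadd: the DN from the text above, with
# assumed object classes and attribute values.
dn: uid=jhay,cn=Human Resources,cn=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: jhay
cn: John Hay
sn: Hay
givenName: John
mail: jhay@example.com
telephoneNumber: +31 20 555 0100

# Constructed modify record (the default ldapmodify mode, no -a): replace one
# attribute and remove another on the same entry.
dn: uid=jhay,cn=Human Resources,cn=example,dc=com
changetype: modify
replace: mail
mail: john.hay@example.com
-
delete: telephoneNumber
-
```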


ldapdelete - LDAP delete entry tool

ldapdelete is a shell-accessible interface to the ldap_delete_ext(3) library call.

ldapdelete opens a connection to an LDAP server, binds, and deletes one or more entries. If one or more DN arguments are provided, entries with those Distinguished Names are deleted.


ldapdelete -h myhost -p 389 -D "cn=orcladmin" -w welcome "uid=hricard,ou=sales,ou=people,dc=example,dc=com"

This command authenticates user orcladmin to the directory myhost, using the password welcome. Then it deletes the entry uid=hricard,ou=sales,ou=people,dc=example,dc=com.

More on LDAP

If you would like to read more about LDAP, this section points you to a few sources of information:

Copyright Snow B.V. The Netherlands