Ldapsearch
ldapsearch is a Unix command-line tool for querying an LDAP directory.
Example queries
Show a user by shell account name (laner):
ldapsearch -x uid=laner
Show a user by wiki name (underscore "_" becomes space " ") (User:Ryan_Lane):
ldapsearch -x "cn=Ryan Lane"
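You can also add \* + to the above queries to return all user attributes (\* selects all user attributes; + additionally requests operational attributes such as createTimestamp):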
ldapsearch -x uid=laner \* +
ldapsearch -x "cn=Ryan Lane" \*
Alternatively, you can return only the attributes you are interested in, listed as separate space-delimited arguments:
ldapsearch -x uid=laner mail uid
ldapsearch -x "cn=Ryan Lane" uid createTimestamp mail cn sn
Search for all users with a wikimedia.org email address
ldapsearch -x 'mail=*@wikimedia.org'
Search all users created after a specific date
ldapsearch -x "createTimestamp>=20190316100000Z" uid createTimestamp mail
Search for all users with a wikimedia.org email address created after a specific date
ldapsearch -x "(&(mail=*@wikimedia.org)(createTimestamp>=20190316100000Z))" uid createTimestamp mail cn sn
Helper aliases
When using ldapsearch from a Cloud VPS instance, these shell aliases can help make things work better:
alias ldap='ldapsearch -xLLL -P 3 -E pr=40000/noprompt -o ldif-wrap=no -b"dc=wikimedia,dc=org"'
alias un64='awk '\''BEGIN{FS=":: ";c="base64 -d"}{if(/\w+:: /) {print $2 |& c; close(c,"to"); c |& getline $2; close(c); printf("%s:: \"%s\"\n", $1, $2); next} print $0 }'\'''
The ldap alias configures ldapsearch to make paginated queries by default and to page through the results, printing them all to the screen. It also disables wrapping of long output lines and sets a base for the search matching the base used for Developer accounts and other records in the LDAP directory used for authn/authz by Cloud VPS projects.
The un64 alias can be used to decode the base64 encoding used by our LDAP server when storing and returning non-ASCII characters. This will most commonly be needed for cn attributes which store MediaWiki usernames containing Unicode characters. These base64-encoded values will be displayed by ldapsearch with a "::" marker following the field name:
$ ldap uid=matmarex cn
dn: uid=matmarex,ou=people,dc=wikimedia,dc=org
cn:: QmFydG9zeiBEemlld2/FhHNraQ==
# pagedresults: cookie=
$ ldap uid=matmarex cn | un64
dn: uid=matmarex,ou=people,dc=wikimedia,dc=org
cn:: "Bartosz Dziewoński"
# pagedresults: cookie=
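A portable alternative to un64, added here as an example and not part of the original aliases: the hypothetical shell function ldif_decode does not need gawk coprocesses, also unfolds wrapped LDIF lines (for output produced without -o ldif-wrap=no), and replaces control characters in decoded values so that a value containing a newline cannot pass itself off as an extra LDIF line. The sample input at the end is constructed from the output shown above.

```shell
# ldif_decode (hypothetical helper): read LDIF on stdin, unfold wrapped
# lines, and decode "attr:: <base64>" values for display.
ldif_decode() {
    # Step 1: unfold. An LDIF continuation line starts with a single space.
    awk '
        /^ / { buf = buf substr($0, 2); next }
        NR > 1 { print buf }
        { buf = $0 }
        END { if (NR > 0) print buf }
    ' | while IFS= read -r line; do
        attr=${line%%:*}          # text before the first colon
        rest=${line#"$attr"}      # ":: value", ": value" or empty
        case $line in '#'*) rest= ;; esac   # never decode comment lines
        case $rest in
            ::*)
                b64=${rest#::}
                b64=${b64# }
                # Step 2: validate first, then decode. Control bytes
                # (newline, NUL, ESC, ...) become "?" so a decoded value
                # cannot inject fake lines or terminal escape sequences.
                if printf '%s' "$b64" | base64 -d >/dev/null 2>&1; then
                    val=$(printf '%s' "$b64" | base64 -d |
                          LC_ALL=C tr '\000-\037\177' '?')
                    printf '%s: %s\n' "$attr" "$val"
                else
                    printf '%s\n' "$line"   # not valid base64: leave as-is
                fi
                ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Constructed sample: the cn value from above, wrapped across two lines.
printf '%s\n' \
    'dn: uid=matmarex,ou=people,dc=wikimedia,dc=org' \
    'cn:: QmFydG9zeiBEemlld2/F' \
    ' hHNraQ==' \
    '# pagedresults: cookie=' | ldif_decode
```

With the ldap alias above it would be used as: ldap uid=matmarex cn | ldif_decode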