
Ldapsearch

From Wikitech

ldapsearch is a Unix command-line tool for querying an LDAP directory.

Example queries

Show a user by shell account name (laner):

ldapsearch -x uid=laner

Show a user by wiki name (underscore "_" becomes space " ") (User:Ryan_Lane):

ldapsearch -x "cn=Ryan Lane"

You can also add \* + to the above queries: \* returns all user attributes and + returns the operational attributes (such as createTimestamp):

ldapsearch -x uid=laner \* +
ldapsearch -x "cn=Ryan Lane" \*

Alternatively, you can return only the attributes you are interested in, listed as separate space-delimited arguments:

ldapsearch -x uid=laner mail uid
ldapsearch -x "cn=Ryan Lane" uid createTimestamp mail cn sn

Search for all users with a wikimedia.org email address:

ldapsearch -x 'mail=*@wikimedia.org'

Search for all users created after a specific date:

ldapsearch -x "createTimestamp>=20190316100000Z" uid createTimestamp mail

Search for all users with a wikimedia.org email address created after a specific date:

ldapsearch -x "(&(mail=*@wikimedia.org)(createTimestamp>=20190316100000Z))" uid createTimestamp mail cn sn

Helper aliases

When using ldapsearch from a Cloud VPS instance, these shell aliases set sensible defaults and make the output easier to read:

alias ldap='ldapsearch -xLLL -P 3 -E pr=40000/noprompt -o ldif-wrap=no -b"dc=wikimedia,dc=org"'

alias un64='awk '\''BEGIN{FS=":: ";c="base64 -d"}{if(/\w+:: /) {print $2 |& c; close(c,"to"); c |& getline $2; close(c); printf("%s:: \"%s\"\n", $1, $2); next} print $0 }'\'''

The ldap alias configures ldapsearch to make paginated queries by default and to page through all of the results without prompting, printing them to the screen. It also disables wrapping of long output lines and sets the search base to the one used for Developer accounts and other records in the LDAP directory used for authn/authz by Cloud VPS projects.

The un64 alias decodes the base64 encoding that our LDAP server uses when storing and returning non-ASCII characters. It relies on the |& coprocess operator, which is specific to GNU awk. Decoding is most commonly needed for cn attributes, which store MediaWiki usernames that may contain Unicode characters. ldapsearch displays base64-encoded values with a "::" marker following the field name:

$ ldap uid=matmarex cn
dn: uid=matmarex,ou=people,dc=wikimedia,dc=org
cn:: QmFydG9zeiBEemlld2/FhHNraQ==

# pagedresults: cookie=
$ ldap uid=matmarex cn | un64
dn: uid=matmarex,ou=people,dc=wikimedia,dc=org
cn:: "Bartosz Dziewoński"

# pagedresults: cookie=
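
The following Python filter is an added example, not part of the original Wikitech page. It performs the same decoding as un64 and goes a little further: it rejoins wrapped LDIF lines (for output produced without -o ldif-wrap=no), leaves binary values untouched, and escapes control and format characters so that an account name containing, for example, a newline or a right-to-left override is visible when reviewing results. The function names and the SAMPLE records are made up for illustration.

```python
import base64
import sys
import unicodedata

# Constructed sample, not real directory data: a trailing space and an embedded newline.
SAMPLE = [
    "dn: uid=example,ou=people,dc=wikimedia,dc=org",
    "cn:: b3BzIA==",
    "description:: YQpi",
]


def unfold(lines):
    """Join LDIF continuation lines: a line starting with one space continues the previous."""
    out = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def show(text):
    """Escape control and format characters (Unicode category C*) so they are visible."""
    return "".join(
        ch.encode("unicode_escape").decode("ascii") if unicodedata.category(ch)[0] == "C" else ch
        for ch in text
    )


def decode_line(line):
    """Decode one 'attr:: <base64>' line; return anything else unchanged."""
    attr, sep, b64 = line.partition(":: ")
    if not sep or " " in attr or attr.startswith("#"):
        return line
    try:
        text = base64.b64decode(b64, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return line  # not valid base64, or binary data that is not UTF-8 text
    return f'{attr}:: "{show(text)}"'


def decode_ldif(lines):
    return [decode_line(line) for line in unfold(lines)]


if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    print("\n".join(decode_ldif(source)))
```

Saved under a name of your choice, the script can be used at the end of a pipeline in the same way as un64.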