
LDAP Search Criteria

Fall 2004, Rev. 2

LDAP Searches

• Can be performed on
  • Single directory entry
  • Contents of a single container
  • Entire subtree

• Required information is server, port, and starting point for search (search base)

• Everything else is optional

LDAP Search Syntax

• Nine parts to an LDAP search (we will only talk about 7 in class)
  • [baseObject]
  • [scope]
  • [sizeLimit]
  • [timeLimit]
  • [filter]
  • [attributes]

[baseObject]

• LDAP Distinguished Name (DN)

• Where to start the search

• RFC 2253

[scope]

• How far the search will look into the directory
  • baseObject - the DN specified only
  • singleLevel - the immediate subordinates of DN (not including baseObject)
  • wholeSubtree - everything below DN, including baseObject

[sizeLimit]

• Restrict number of entries returned by search results

• Setting to 0 (zero) means no limitations

• Valid entries have positive value

• Note: Most servers restrict returns to ~1500 entries to prevent DoS attacks, no matter what the client specifies

[timeLimit]

• Number of seconds to allow for completion of search

• Value of 0 (zero) is unlimited time

• Valid entries have positive value

• Note: Most servers have a maximum search timeout value configured to prevent DoS, no matter what the client specifies
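Added example (not part of the slides): a small in-memory search that applies the three scopes and the two limits exactly as the slides describe them. Scope names follow the ldapsearch "-s" spelling (base, one, sub). Limits of 0 mean "no client limit", negative values are rejected, and the server's own ceilings are enforced whatever the client sends; SERVER_MAX_ENTRIES uses the ~1500 figure from the slide, SERVER_MAX_SECONDS is an assumed value. DN comparison is a naive split on commas (enough for the constructed sample tree, not for escaped commas), and the `clock` parameter exists so the time limit can be exercised without waiting.

```python
"""Scope and size/time-limit handling for a search over in-memory entries (added example, not from the slides)."""
import time

SERVER_MAX_ENTRIES = 1500   # ceiling from the slide; applied regardless of the client's sizeLimit
SERVER_MAX_SECONDS = 30     # assumed server-side timeLimit ceiling (value is made up for the example)


def _dn_parts(dn):
    # naive RDN split: fine for the sample DNs, not for escaped commas or spacing/case variants in real data
    return [p.strip().lower() for p in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Is entry_dn within `scope` ('base', 'one' or 'sub') of base_dn?"""
    e, b = _dn_parts(entry_dn), _dn_parts(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False                      # not at or below the base
    depth = len(e) - len(b)
    if scope == "base":
        return depth == 0                 # baseObject: the DN itself only
    if scope == "one":
        return depth == 1                 # singleLevel: immediate subordinates, base excluded
    if scope == "sub":
        return True                       # wholeSubtree: base and everything beneath it
    raise ValueError("unknown scope %r" % scope)


def search(entries, base_dn, scope, predicate, size_limit=0, time_limit=0, clock=time.monotonic):
    """Return (matching DNs, result code). 0 means 'no client limit'; the server ceilings apply either way."""
    if size_limit < 0 or time_limit < 0:
        raise ValueError("limits must be 0 or positive")
    max_entries = SERVER_MAX_ENTRIES if size_limit == 0 else min(size_limit, SERVER_MAX_ENTRIES)
    max_seconds = SERVER_MAX_SECONDS if time_limit == 0 else min(time_limit, SERVER_MAX_SECONDS)
    deadline = clock() + max_seconds
    results = []
    for entry in entries:
        if clock() > deadline:
            return results, "timeLimitExceeded"   # LDAP result code 3: partial results returned
        if in_scope(entry["dn"], base_dn, scope) and predicate(entry):
            if len(results) == max_entries:
                return results, "sizeLimitExceeded"   # LDAP result code 4: partial results returned
            results.append(entry["dn"])
    return results, "success"


# Constructed sample tree under the slides' "ou=user, o=novell" base (not real accounts)
TREE = [
    {"dn": "ou=user,o=novell", "objectClass": "organizationalUnit"},
    {"dn": "cn=jdoe,ou=user,o=novell", "sn": "Doe"},
    {"dn": "cn=bdoe,ou=user,o=novell", "sn": "Doe"},
    {"dn": "ou=sales,ou=user,o=novell", "objectClass": "organizationalUnit"},
    {"dn": "cn=tdoe,ou=sales,ou=user,o=novell", "sn": "Doe"},
]

if __name__ == "__main__":
    everything = lambda entry: True
    for scope in ("base", "one", "sub"):
        print(scope, search(TREE, "ou=user,o=novell", scope, everything))
    print("sizeLimit=2:", search(TREE, "ou=user,o=novell", "sub", everything, size_limit=2))
```

With scope base only the container itself comes back, one returns its three direct children, and sub returns all five entries; asking for sizeLimit=2 on the sub search yields the first two DNs together with sizeLimitExceeded, which is what a real server reports when it truncates.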

[filters]

• The filter gives more specific search requirements

• The matching rules are used
  • Also can use and (&), or (|), not (!)
  • Equality (=), Less than (<=), Greater than (>=), Approximate (~=), substring (*)
• Examples
  • '(|(cn=j)(sn=d))' [or]
  • '(!(cn=j*))' [not]
  • '(&(cn=j*)(cn=d*))' [and]

[filters]

• Examples
  • '(cn=jdoe)' [equality]
  • '(cn=*doe*)' [substring]
  • '(sn>=Doe)' [Greater than]
  • '(sn<=Doe)' [Less than]
  • '(sn~=Doe)' [Approximate]
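Added example (not part of the slides): a parser and evaluator for the filter syntax on the two [filters] slides, run against a constructed four-entry directory so each operator's effect can be seen. It also includes `escape_filter_value`, which applies the RFC 4515 rule that `\`, `*`, `(`, `)` and NUL inside a value are written as `\XX`; a value taken from a user or another system should always go through it, since an unescaped `*` silently turns an equality test into a substring one. Assumptions: every comparison is case-insensitive (the caseIgnore matching rules), and the approximate match is a crude vowel-dropping stand-in for whatever algorithm a real server uses.

```python
import re

# RFC 4515 rule: these characters are escaped as \XX when they appear inside a filter value
_SPECIAL = "\\*()\x00"
_HEX_ESCAPE = re.compile(r"\\([0-9a-fA-F]{2})")
_ITEM = re.compile(r"([A-Za-z][\w.;-]*)(~=|>=|<=|=)(.*)$")

def escape_filter_value(value):
    """Escape a value so it is matched literally instead of being read as filter syntax."""
    return "".join("\\%02x" % ord(c) if c in _SPECIAL else c for c in value)

def _unescape(raw):
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), raw)

def parse_filter(text):
    """Parse a filter into a nested tuple AST, e.g. ('and', [('eq', 'cn', 'jdoe'), ('substr', 'sn', ['d', ''])])."""
    s = text.strip()
    ast, end = _parse(s, 0)
    if end != len(s):
        raise ValueError("trailing characters after filter at %d" % end)
    return ast

def _parse(s, i):
    if i + 1 >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":                       # (&(f1)(f2)...) and (|(f1)(f2)...)
        op, i, parts = ("and" if s[i] == "&" else "or"), i + 1, []
        while i < len(s) and s[i] == "(":
            sub, i = _parse(s, i)
            parts.append(sub)
        return (op, parts), _expect_close(s, i)
    if s[i] == "!":                        # (!(f))
        sub, i = _parse(s, i + 1)
        return ("not", sub), _expect_close(s, i)
    close = s.find(")", i)                 # a ')' inside a value must be escaped, so this ends the item
    m = _ITEM.match(s[i:close]) if close > 0 else None
    if not m:
        raise ValueError("bad filter item at %d" % i)
    attr, op, raw = m.group(1).lower(), m.group(2), m.group(3)
    if op == "=" and "*" in raw:           # an unescaped '*' turns equality into substring/presence
        return ("substr", attr, [_unescape(p) for p in raw.split("*")]), close + 1
    return ({"=": "eq", ">=": "ge", "<=": "le", "~=": "approx"}[op], attr, _unescape(raw)), close + 1

def _expect_close(s, i):
    if i >= len(s) or s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return i + 1

def _substr_match(parts, value):
    """parts is the value split on '*': [initial, middle..., final]; empty parts match anywhere."""
    initial, final, middle = parts[0], parts[-1], parts[1:-1]
    if len(value) < len(initial) + len(final) or not value.startswith(initial) or not value.endswith(final):
        return False
    pos, end = len(initial), len(value) - len(final)
    for mid in middle:
        idx = value.find(mid, pos, end)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return True

def _approx(value):
    # crude stand-in for a server's approximate-match algorithm: drop vowels (and y) so Smyth ~= Smith
    return re.sub(r"[aeiouy]", "", value)

def matches(ast, entry):
    """Evaluate a parsed filter against {attribute: [values]}; comparisons are case-insensitive."""
    kind = ast[0]
    if kind == "and":
        return all(matches(sub, entry) for sub in ast[1])
    if kind == "or":
        return any(matches(sub, entry) for sub in ast[1])
    if kind == "not":
        return not matches(ast[1], entry)
    values = [v.lower() for v in entry.get(ast[1], [])]
    if kind == "substr":
        return any(_substr_match([p.lower() for p in ast[2]], v) for v in values)
    target = ast[2].lower()
    if kind == "eq":
        return target in values
    if kind == "ge":
        return any(v >= target for v in values)
    if kind == "le":
        return any(v <= target for v in values)
    return any(_approx(v) == _approx(target) for v in values)

# Constructed sample entries under the slides' "ou=user, o=novell" base (not real accounts)
DIRECTORY = [
    {"dn": "cn=jdoe,ou=user,o=novell", "cn": ["jdoe"], "sn": ["Doe"]},
    {"dn": "cn=jsmith,ou=user,o=novell", "cn": ["jsmith"], "sn": ["Smith"]},
    {"dn": "cn=bdoe,ou=user,o=novell", "cn": ["bdoe"], "sn": ["Doe"]},
    {"dn": "cn=kzimmer,ou=user,o=novell", "cn": ["kzimmer"], "sn": ["Zimmer"]},
]

def search(filter_text, entries=DIRECTORY):
    """Return the DNs of the entries the filter matches, in directory order."""
    ast = parse_filter(filter_text)
    return [e["dn"] for e in entries
            if matches(ast, {k.lower(): v for k, v in e.items() if k != "dn"})]

if __name__ == "__main__":
    for f in ("(cn=jdoe)", "(cn=*doe*)", "(sn>=Doe)", "(sn~=Smyth)", "(&(cn=j*)(sn=d*))",
              "(!(cn=j*))", "(cn=%s)" % escape_filter_value("j*")):
        print("%-24s -> %s" % (f, search(f)))
```

Running the script shows `(cn=*doe*)` matching both jdoe and bdoe, `(sn>=Doe)` matching everyone because "Doe", "Smith" and "Zimmer" all sort at or after "doe", and `(cn=j\2a)`, the escaped form of `j*`, matching nobody, since it now asks for a cn that is literally "j*".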

[attributes]

• Specifies what attributes should be returned to the client

• NULL and * return all attributes

ldapsearch

• Command line tool with OpenLDAP

• Usage and manual: 'man ldapsearch'

• Example:
  • ldapsearch -h www.nldap.com -b "ou=user, o=novell" -x -W '(cn=j*)' cn

ldapsearch Common Switches

• "-h" - hostname or IP address

• "-b" - search base (where you want to search)

• "-D" - bind name (login to server)

• "-x" - simple authentication

• "-W" - prompt for password

• "-s" - scope (sub, base, one)

ldapsearch

• ldapsearch [options] [filter [attributes]]
  • [options]
    • -h www.nldap.com -b "ou=users,o=novell" -x -W
  • [filter]
    • '(cn=j*)'
  • [attributes]
    • cn

Example ldapsearch

• ldapsearch -h www.nldap.com -b "ou=user, o=novell" -x -W '(cn=j*)' cn
• ldapsearch -h www.nldap.com -b "ou=user, o=novell" -x -W '(&(cn=j*)(sn=d*))' cn sn
• ldapsearch -h www.nldap.com -b "ou=user, o=novell" -x -W '(&(cn=j*)(sn=d*))' securityEquals
• ldapsearch -h www.nldap.com -b "ou=user, o=novell" -x -W '(sn>=zimmer)' cn sn
• ldapsearch -h www.nldap.com -b "ou=user, o=novell" -x -W '(sn~=Smyth)' cn sn

LDAP URLs

• Originally defined by UMich

• Original RFC 1959

• Current RFC 2255 (updated for LDAPv3)

Format of LDAP URL

• Basic Form
  • ldap://[hostport]/[dn]

• Six parts of LDAP URL
  • hostport
  • dn
  • attributes
  • scope
  • filter
  • extensions

• Not all parts are required

ldap://[hostport][/dn[?[attributes][?[scope][?[filter][?[extensions]]]]]]

• ldap://
  • Scheme prefix
  • Denotes which protocol to use when handling this URL

ldap://[hostport][/dn[?[attributes][?[scope][?[filter][?[extensions]]]]]]

• [hostport]
  • Specifies LDAP server to contact
  • What port to contact the server on
  • Default port is 389
  • Port is separated from the server name with a ":"
    • Acme.com:389

ldap://[hostport][/dn[?[attributes][?[scope][?[filter][?[extensions]]]]]]

• [/dn]
  • Distinguished name of object to search
  • DN constructed according to RFC 2253 section 3
    • cn=jdoe,ou=engr,dc=acme,dc=com
  • ldap://acme.com/cn=jdoe,ou=engr,dc=acme,dc=com
  • ldap://acme.com/ou=engr,dc=acme,dc=com

ldap://[hostport][/dn[?[attributes][?[scope][?[filter][?[extensions]]]]]]

• [?[attributes]]
  • What attributes should be returned
  • Default (no options) is all attributes
  • ldap://acme.com/cn=jdoe,ou=engr,dc=acme,dc=com?sn
  • ldap://acme.com/ou=engr,dc=acme,dc=com?cn

ldap://[hostport][/dn[?[attributes][?[scope][?[filter][?[extensions]]]]]]

• [?[scope]]
  • Range to search in the directory
  • Three options
    • base - specified object only
    • one - single level of directory below specified object
    • sub - entire subtree below specified object
  • ldap://acme.com/cn=jdoe,ou=engr,dc=acme,dc=com?sn?base
  • ldap://acme.com/ou=engr,dc=acme,dc=com?cn?sub

ldap://[hostport][/dn[?[attributes][?[scope][?[filter][?[extensions]]]]]]

• [?[filter]]
  • Search filter to apply to search
  • Default (option omitted) is '(objectClass=*)'
  • ldap://acme.com/ou=engr,dc=acme,dc=com?cn?sub?(cn=jdoe)
  • ldap://acme.com/ou=engr,dc=acme,dc=com?cn?sub?(cn=j*)

ldap://[hostport][/dn[?[attributes][?[scope][?[filter][?[extensions]]]]]]

• [?[extensions]]
  • Type=value format
  • Usually used for directory-specific operations
  • ldap://acme.com/ou=engr,dc=acme,dc=com?cn?sub??foo=bar
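Added example (not part of the slides): a parser for the ldap://[hostport][/dn[?[attributes][?[scope][?[filter][?[extensions]]]]]] layout above, applying the defaults the slides give (port 389, all attributes, '(objectClass=*)') plus the RFC 2255 default scope of base, and a helper that turns the parsed URL into the ldapsearch switches from the earlier slides (-h, -b, -s; the -p port switch is a real ldapsearch option that the slides do not list). Fields are split on the structural '?' and ',' characters before percent-decoding, so an encoded comma inside an extension value survives; the '!' prefix marking a critical extension is also RFC 2255 syntax. IPv6 bracket notation in hostport is not handled.

```python
"""Parser for the LDAP URL layout above (RFC 2255), mapped onto ldapsearch switches (added example, not from the slides)."""
from dataclasses import dataclass, field
from urllib.parse import unquote

DEFAULT_PORT = 389
DEFAULT_FILTER = "(objectClass=*)"
SCOPES = ("base", "one", "sub")


@dataclass
class LdapUrl:
    host: str
    port: int = DEFAULT_PORT
    dn: str = ""
    attributes: list = field(default_factory=list)   # empty list means "all attributes"
    scope: str = "base"                               # RFC 2255 default when the field is omitted
    filter: str = DEFAULT_FILTER
    extensions: dict = field(default_factory=dict)
    critical: set = field(default_factory=set)        # extension names written with a leading '!'


def parse_ldap_url(url: str) -> LdapUrl:
    """Split ldap://[hostport][/dn[?[attributes][?[scope][?[filter][?[extensions]]]]]] into its parts."""
    if not url.lower().startswith("ldap://"):
        raise ValueError("not an ldap:// URL: %r" % url)
    hostport, _, tail = url[len("ldap://"):].partition("/")
    host, _, port = hostport.partition(":")            # no IPv6 bracket handling in this example
    result = LdapUrl(host=host, port=int(port) if port else DEFAULT_PORT)
    # split on the structural '?' first, then percent-decode each field individually
    parts = tail.split("?", 4) + [""] * 5
    dn, attrs, scope, filt, exts = parts[:5]
    result.dn = unquote(dn)
    result.attributes = [unquote(a) for a in attrs.split(",") if a]
    if scope:
        if scope.lower() not in SCOPES:
            raise ValueError("bad scope %r" % scope)
        result.scope = scope.lower()
    if filt:
        result.filter = unquote(filt)
    for ext in exts.split(","):
        if not ext:
            continue
        name, _, value = ext.lstrip("!").partition("=")   # extype[=exvalue], '!' marks it critical
        result.extensions[unquote(name)] = unquote(value)
        if ext.startswith("!"):
            result.critical.add(unquote(name))
    return result


def ldapsearch_args(u: LdapUrl) -> list:
    """Express the URL as an ldapsearch argv using the slides' -h, -b and -s switches plus -p for the port."""
    return ["ldapsearch", "-h", u.host, "-p", str(u.port), "-b", u.dn,
            "-s", u.scope, u.filter] + u.attributes


if __name__ == "__main__":
    for url in ("ldap://acme.com/cn=jdoe,ou=engr,dc=acme,dc=com?sn?base",
                "ldap://acme.com/ou=engr,dc=acme,dc=com?cn?sub?(cn=j*)",
                "ldap://acme.com/ou=engr,dc=acme,dc=com?cn?sub??foo=bar"):
        parsed = parse_ldap_url(url)
        print(parsed)
        print("  ", " ".join(ldapsearch_args(parsed)))
```

The last slide's URL, with its empty filter field, parses to the default '(objectClass=*)' and the single extension foo=bar, and the ldapsearch form of the '?cn?sub?(cn=j*)' URL is the same command line the earlier slides typed by hand, with "-s sub" made explicit.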