@tuxfight3r
Last active September 20, 2024 16:04
LDAP Search / with TLS
### LDAP SEARCH ###
# Search by user. -H takes an LDAP URI; the older -h host / -p port flags are deprecated and were removed in OpenLDAP 2.5.
ldapsearch -xv -H ldap://ad1.domain.local:389 -b "dc=domain,dc=local" -D "[email protected]" \
-W "(&(objectClass=user)(sAMAccountName=user123))"
# Search by user but don't wrap the LDIF output (long attribute values otherwise get folded at 76 columns)
ldapsearch -x -H ldap://ad1.domain.local -b "dc=domain,dc=local" -D "[email protected]" \
-W "(&(objectClass=user)(sAMAccountName=user123))" -o ldif-wrap=no
# Search by group
ldapsearch -xv -H ldap://ad1.domain.local:389 -b "dc=domain,dc=local" -D "[email protected]" \
-W "(&(objectClass=group)(sAMAccountName=LinuxAdmins))"
# Note: -d 1 to -d 5 can be used to increase verbosity.
### LDAPS SEARCH ###
# Fetch the LDAPS certificate from the server and keep only the PEM block(s) printed by s_client
echo -n | openssl s_client -connect ad.domain.local:636 2>/dev/null | \
sed -ne '/---BEGIN CERTIFICATE---/,/---END CERTIFICATE---/p' > ldapserver.pem
# LDAPS search allowing the self-signed certificate.
# The server must be addressed with an ldaps:// URI so TLS is negotiated; "-h host -p 636" would send
# plaintext LDAP to the TLS port and fail. With the fetched cert in LDAPTLS_CACERT, LDAPTLS_REQCERT=demand
# also works and additionally rejects any certificate that does not chain to that file.
LDAPTLS_REQCERT=allow LDAPTLS_CACERT=/root/ldapserver.pem ldapsearch -xv -H ldaps://ad1.domain.local:636 \
-b "dc=domain,dc=local" -D "[email protected]" -W "(&(objectClass=user)(sAMAccountName=user123))"
# LDAPS search ignoring the self-signed certificate.
# LDAPTLS_REQCERT=never disables certificate verification entirely, so the bind password is sent to whatever
# answers at that name; keep it for troubleshooting only.
LDAPTLS_REQCERT=never ldapsearch -xv -H ldaps://ad1.domain.local \
-D "cn=svc_account,ou=service accounts,ou=infrastructure,dc=domain,dc=local" -b "dc=domain,dc=local" -W "(sAMAccountName=user123)"
# LDAPS search ignoring the self-signed certificate, with debug output
LDAPTLS_REQCERT=never ldapsearch -d 2 -xv -H ldaps://ad1.domain.local \
-D "cn=svc_account,ou=service accounts,ou=infrastructure,dc=domain,dc=local" -b "dc=domain,dc=local" -W "(sAMAccountName=user123)"
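The commands above paste an account name straight into the search filter and, in the LDAPS section, relax certificate checking. The following script is an added example, not part of the gist: it escapes the RFC 4515 special characters before building the filter (so a value such as `*` or `a)(objectClass=*` cannot change the query) and wraps the lookup in a function that always uses an ldaps:// URI with LDAPTLS_REQCERT=demand and a pinned CA file. The host ad1.domain.local, the base DN, the CA path and the LDAP_HOST / LDAP_CA_FILE variables are assumed placeholders in the gist's style.

```shell
#!/bin/sh
# Added example (not from the gist): safe filter construction plus a hardened LDAPS lookup.

# Escape the RFC 4515 filter metacharacters in a single attribute value:
#   \ -> \5c   * -> \2a   ( -> \28   ) -> \29
# The backslash is replaced first so the escapes produced afterwards are not escaped again.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the same user lookup filter the gist uses, from an untrusted account name.
user_filter() {
    printf '(&(objectClass=user)(sAMAccountName=%s))' "$(ldap_filter_escape "$1")"
}

# Run the lookup over LDAPS with verification enforced against the pinned CA file.
# Usage: ldaps_user_search '<account name>' '<bind DN or UPN>'
# LDAP_HOST and LDAP_CA_FILE are assumed environment overrides with placeholder defaults.
ldaps_user_search() {
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT="${LDAP_CA_FILE:-/root/ldapserver.pem}" \
    ldapsearch -x -o ldif-wrap=no -H "ldaps://${LDAP_HOST:-ad1.domain.local}:636" \
        -b "dc=domain,dc=local" -D "$2" -W "$(user_filter "$1")" dn sAMAccountName memberOf
}
```

With `demand`, a certificate that does not chain to the pinned file aborts the bind before the password is sent, which is the check the `never` variants in the gist skip.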