simple wrapper around ldapsearch(1) for easy command-line AD/LDAP queries
This script wraps the OpenLDAP ldapsearch(1) utility, allowing simple command-line AD/LDAP queries without having to remember the various arguments/options to ldapsearch.
## Usage

```
ldaps <filter> [ attribute1, ... ]
```

This will search your configured LDAP server (see installation below) using the given filter and will return the specified attributes. If no attributes are specified, all attributes are returned.

To handle the common case of searching by Active Directory username, a single word is treated as a search against the `sAMAccountName` field. For example, the following command would search using the LDAP filter `(sAMAccountName=zackse)` and return the `displayName` attribute:

```
ldaps zackse displayName
```
## Requirements

- OpenLDAP clients
  - Debian/Ubuntu: `ldap-utils`
  - Red Hat/CentOS/Fedora: `openldap-clients`
  - OS X: installed by default
- Perl
## Tab completion

If you install the bash completion script (see installation below), you can tab-complete usernames and attributes. For example, this would provide completions for usernames starting with `zack`:

```
ldaps zack<TAB>
```

If you are searching on a username, you can tab-complete attribute names:

```
$ ldaps zackse sam<TAB>
samaccountname samaccounttype
```
## Examples

Find a mobile number:

```
ldaps zackse mobile
```

Create a shell function to display members in the specified group:

```sh
members() {
    # keep only "member:" lines and strip the 8-character "member: " prefix
    ldaps "$1" | grep '^member:' | cut -c9-
}
```

Now you can issue `members engineering_team` to get a list of people in that group.

Search for Jack Tors:

```
ldaps 'cn=jack tors'
```
## Installation

Copy `ldaps` into a directory in your `PATH`. For example:

```
cp ldaps ~/bin/
chmod 755 ~/bin/ldaps
```

Create a config file:

```
mkdir -p ~/.config/ldaps
cp sample_rc ~/.config/ldaps/rc
chmod 600 ~/.config/ldaps/rc
$EDITOR ~/.config/ldaps/rc
...
```

Optional: add tab completion!

```
cp ldaps_completion /etc/bash_completion.d/
source /etc/bash_completion.d/ldaps_completion
```
## Credentials

This script requires credentials for an account with read access to your AD/LDAP server. If you do not want to save the credentials in a config file (`~/.config/ldaps/rc`), you can set them in your environment. This isn't necessarily more secure, but it is an alternate approach if you don't want the credentials in persistent storage.

For example, if you prefer to omit the password from the config file, you could set it in your environment and make it available to `ldaps`:

```
read -s LDAP_BIND_PW
# type in your password here; it will not be displayed while you are typing
export LDAP_BIND_PW
```
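The following is an added example, not code from the ldaps project, that reconstructs in POSIX sh two behaviours described above: the single-word-to-`(sAMAccountName=...)` filter rule from the usage section (with RFC 4515 escaping, so a word containing `*`, `(` or `)` cannot change the filter's structure) and a mode check on the rc file before it is trusted. The function names, the `LDAP_URI`/`LDAP_BASE`/`LDAP_BIND_DN` variables and the `-y` password-file handoff are assumptions; only `LDAP_BIND_PW` and `~/.config/ldaps/rc` come from the README.

```sh
#!/bin/sh
# Added example; not part of ldaps. Function and variable names are assumptions.

# Escape a value for use inside an LDAP filter (RFC 4515). Backslash is
# escaped first so the \2a, \28 and \29 sequences added afterwards stay intact.
ldap_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# Approximates the README's rule: a bare word searches sAMAccountName, an
# attribute=value pair is wrapped in parentheses, a full filter passes through.
build_filter() {
    case $1 in
        "("*")") printf '%s' "$1" ;;
        *=*)     printf '(%s)' "$1" ;;
        *)       printf '(sAMAccountName=%s)' "$(ldap_escape "$1")" ;;
    esac
}

# Refuse a config file that anyone but its owner can read (the README installs
# it with chmod 600). Tries GNU stat first, then BSD/macOS stat.
check_rc_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1") || return 1
    [ "$mode" = "600" ] || { echo "refusing $1: mode $mode, want 600" >&2; return 1; }
}

# Assemble and run the ldapsearch(1) call. LDAP_BIND_PW comes from the
# environment as in the README; it is handed to ldapsearch through a 0600 temp
# file with -y instead of -w, so the password never appears in the process list.
run_ldaps() {
    check_rc_mode "${LDAPS_RC:-$HOME/.config/ldaps/rc}" || return 1
    filter=$(build_filter "$1"); shift
    pwfile=$(mktemp) || return 1
    chmod 600 "$pwfile" && printf '%s' "$LDAP_BIND_PW" >"$pwfile"
    ldapsearch -LLL -H "$LDAP_URI" -b "$LDAP_BASE" -D "$LDAP_BIND_DN" \
        -y "$pwfile" "$filter" "$@"
    rc=$?
    rm -f "$pwfile"
    return $rc
}
```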