20111102 ldapsearch over ldaps - plembo/onemoretech GitHub Wiki

title: ldapsearch over ldaps
link: https://onemoretech.wordpress.com/2011/11/02/ldapsearch-over-ldaps/
author: lembobro
description:
post_id: 1461
created: 2011/11/02 12:30:05
created_gmt: 2011/11/02 16:30:05
comment_status: closed
post_name: ldapsearch-over-ldaps
status: publish
post_type: post

ldapsearch over ldaps

Just a brief note because I needed this syntax today and couldn't recall it.

ldapsearch -x -H ldaps://ldap.example.com -b "" -s base "objectclass=*"

This will either return the root DSE (Directory Server Entry, the logical top of the LDAP tree) for the directory, or it won't :-) Most directories make the root DSE readable by anyone, so an anonymous simple bind (the -x with no -D) should not run into an authentication problem. Here's what the top of a clean response looks like:

ldap_initialize( ldaps://ldap.example.com )
filter: objectclass=*
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base  with scope baseObject
# filter: objectclass=*
# requesting: ALL
#
#
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=example,dc=com
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedExtension: 2.16.840.1.113730.3.5.8
supportedExtension: 2.16.840.1.113730.3.5.3
supportedExtension: 2.16.840.1.113730.3.5.5
supportedExtension: 2.16.840.1.113730.3.5.6
supportedExtension: 2.16.840.1.113730.3.5.4

If you get something like this:

ldap_initialize( ldaps://testoid.example.com )
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

then you're probably going against an OID (Oracle Internet Directory) node or nodes, which don't "play by the rules" that the rest of the LDAP universe does. When it comes to OID, you're basically going to be restricted to using Oracle's proprietary tools to test this (for example, their ldapbind utility). Heaven help you if you're trying to integrate with other LDAP-aware applications or devices that don't have a specific "Do it Larry's way" setting.

Note: The ldap-ping.pl script and the Net::LDAPS perl module (which ldap-ping.pl uses) are able to handle Oracle's special way of doing things, so they may be helpful tools to have alongside Oracle's. The only drawback is that to run these perl-based tools you'll need to have all the prerequisite modules installed.
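When this probe is scripted (say, as a scheduled health check on an LDAPS endpoint), the two outcomes above need to be told apart automatically. The following Python is an added example, not code from the original post: it runs the same ldapsearch command and parses the result into a status plus the root DSE attributes (namingContexts, supportedExtension and so on), recognising the "sslv3 alert handshake failure" line as a distinct outcome. The two embedded outputs are constructed samples modelled on the ones shown above; the host names and the `probe()` helper are assumptions for illustration.

```python
"""Parse ldapsearch root-DSE output into a status and attribute map.

Added example for the post above; the sample outputs are constructed.
"""
import base64
import re
import subprocess
from collections import defaultdict

# Constructed sample of a clean root DSE response (trimmed to a few attributes).
CLEAN_OUTPUT = """\
ldap_initialize( ldaps://ldap.example.com )
filter: objectclass=*
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base  with scope baseObject
# filter: objectclass=*
# requesting: ALL
#
#
dn:
objectClass: top
namingContexts: cn=changelog
namingContexts: dc=example,dc=com
namingContexts: o=NetscapeRoot
supportedExtension: 2.16.840.1.113730.3.5.7
supportedLDAPVersion: 3

# search result
search: 2
result: 0 Success
"""

# Constructed sample of the TLS handshake failure shown in the post.
FAILED_OUTPUT = """\
ldap_initialize( ldaps://testoid.example.com )
ldap_bind: Can't contact LDAP server (-1)
        additional info: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
"""

# ldapsearch prefixes its error lines with the failing library call.
ERROR_RE = re.compile(r"^ldap_(?:bind|sasl_bind|result|search_ext|start_tls): (.+)$")
# LDIF attribute line: name, ':' or '::' (base64), optional space, value.
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*)(::?) ?(.*)$")


def parse_root_dse(text):
    """Classify ldapsearch output and collect the root DSE attributes.

    status: "ok" when a DSE entry was returned, "tls_handshake_failure" when
    the SSL alert from the post was seen, "error" otherwise.  attrs maps each
    attribute name to a list of values so multi-valued attributes are kept.
    """
    attrs = defaultdict(list)
    result = {"status": "error", "error": None, "attrs": attrs}
    in_entry = False
    last_attr = None
    for line in text.splitlines():
        m = ERROR_RE.match(line)
        if m:
            result["error"] = m.group(1)
            continue
        if "additional info:" in line:
            info = line.split("additional info:", 1)[1].strip()
            result["error"] = f"{result['error']}: {info}" if result["error"] else info
            if "handshake failure" in info:
                result["status"] = "tls_handshake_failure"
            continue
        if not line.strip():
            in_entry = False  # blank line terminates an LDIF entry
            continue
        if line.startswith("#"):
            continue
        if in_entry and line.startswith(" ") and last_attr:
            attrs[last_attr][-1] += line[1:]  # LDIF folded continuation line
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        name, sep, value = m.groups()
        if name == "dn":
            in_entry = True          # the (empty) DN starts the root DSE entry
            result["status"] = "ok"
        if not in_entry:
            continue                 # preamble lines such as "filter: ..."
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs[name].append(value)
        last_attr = name
    result["attrs"] = dict(attrs)
    return result


def probe(url):
    """Run the post's ldapsearch command against url and parse what comes back.

    ldapsearch writes errors to stderr, so both streams are parsed together.
    """
    proc = subprocess.run(
        ["ldapsearch", "-x", "-H", url, "-b", "", "-s", "base", "objectclass=*"],
        capture_output=True, text=True,
    )
    return parse_root_dse(proc.stdout + proc.stderr)


if __name__ == "__main__":
    for sample in (CLEAN_OUTPUT, FAILED_OUTPUT):
        r = parse_root_dse(sample)
        print(r["status"], r["error"], r["attrs"].get("namingContexts"))
```

A status of "ok" with the expected namingContexts is the clean case from the post; "tls_handshake_failure" is the case worth alerting on, and the collected error string gives the follow-up detail without anyone having to re-run the command by hand.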

Copyright 2004-2019 Phil Lembo