.\" $OpenBSD: ldap.1,v 1.10 2018/08/01 10:42:55 rob Exp $
.\"
.\" Copyright (c) 2018 Reyk Floeter <reyk@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: August 1 2018 $
.Dt LDAP 1
.Os
.Sh NAME
.Nm ldap
.Nd simple LDAP client
.Sh SYNOPSIS
.Nm ldap
.Cm search
.Op Fl LvWxZ
.Op Fl b Ar basedn
.Op Fl c Ar CAfile
.Op Fl D Ar binddn
.Op Fl H Ar host
.Op Fl l Ar timelimit
.Op Fl s Ar scope
.Op Fl w Ar secret
.Op Fl y Ar secretfile
.Op Fl z Ar sizelimit
.Op Ar filter
.Op Ar attributes ...
.Sh DESCRIPTION
The
.Nm
utility is a simple LDAP client.
It queries an LDAP server to perform a command and outputs the results
in the LDAP Data Interchange Format (LDIF).
.Bl -tag -width Ds
.It Cm search Ar options Oo Ar filter Oc Op Ar attributes ...
Perform a directory search request.
The optional
.Ar filter
argument specifies the LDAP filter for the directory search.
The default is
.Ar (objectClass=*)
and the format must comply with the
.Dq String Representation of Search Filters
as described in RFC 4515.
If one or more
.Ar attribute
options are specified,
.Nm
restricts the output to the specified attributes.
.El
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl b Ar basedn
Use the specified distinguished name (dn) as the starting point for
directory search requests.
.It Fl c Ar CAfile
When TLS is enabled, load the CA bundle for certificate verification
from the specified file.
The default is
.Pa /etc/ssl/cert.pem .
If the LDAP server uses a self-signed certificate,
use a file that contains the server certificate in PEM format, e.g.
.Pa /etc/ssl/ldapserver.example.com.crt .
.It Fl D Ar binddn
Use the specified distinguished name to bind to the directory.
.It Fl H Ar host
The hostname of the LDAP server or an LDAP URL.
The LDAP URL is described in RFC 4516 with the following format:
.Pp
.Sm off
.Op Ar protocol No ://
.Ar host Op : Ar port
.Oo
.Li / Ar basedn
.Li ?\& Ar attribute , ...
.Li ?\& Ar scope
.Li ?\& Ar filter
.Oc
.Sm on
.Pp
The default is
.Ar ldap://localhost:389/ .
Each of
.Ar basedn , attribute , scope
and
.Ar filter
may be omitted,
but the preceding
.Sq /
or
.Sq ?\&
is required if a subsequent field is non-empty.
.Pp
The following protocols are supported:
.Pp
.Bl -tag -width "ldap+tls" -compact
.It ldap
Connect with TCP in plain text.
This is the default.
.It ldaps
Connect with TLS.
The default port is 636.
.It ldap+tls
Connect with TCP and enable TLS using the StartTLS operation.
This is the same as the
.Fl Z
option.
.It ldapi
Connect to a UNIX-domain socket.
The host argument is required to be a URL-encoded path, for example
.Ar ldapi://%2fvar%2frun%2fldapi
for
.Pa /var/run/ldapi .
.El
.It Fl L
Output the directory search result in a standards-compliant version of
the LDAP Data Interchange Format (LDIF).
This encodes attribute values that include non-printable or UTF-8
characters in the Base64 format and wraps lines at a 79-character limit.
If this option is not specified,
.Nm
encodes
.Dq unsafe
characters and newlines in a visual format using
.Xr vis 3
instead.
.It Fl l Ar timelimit
Request the server to abort the search request after
.Ar timelimit
seconds.
The default value is 0
for no limit.
.It Fl s Ar scope
Specify the
.Ar scope
to be either
.Ic base ,
.Ic one ,
or
.Ic sub .
The default is
.Ic sub
for subtree searches.
.It Fl v
Produce more verbose output.
.It Fl W
Prompt for the bind secret with echo turned off.
.It Fl w Ar secret
Specify the bind secret on the command line.
.It Fl x
Use simple authentication.
This is the default as
.Nm
does not support SASL authentication.
.It Fl y Ar secretfile
Read the bind secret from the first line of the specified file or from
standard input if the
.Ar secretfile
argument is
.Sq - .
The file must not be world-readable if it is a regular file.
.It Fl Z
Enable TLS using the StartTLS operation.
.It Fl z Ar sizelimit
Request the server to limit the search result to a maximum number of
.Ar sizelimit
entries.
The default value is 0
for no limit.
.El
.Sh FILES
.Bl -tag -width "/etc/ssl/cert.pemXXX" -compact
.It Pa /etc/ssl/cert.pem
Default CA file.
.El
.Sh EXAMPLES
The following script can be used with the
.Ar AuthorizedKeysCommand
option of
.Xr sshd 8 :
.Bd -literal -offset indent
#!/bin/sh
ldap search -D cn=Reader,dc=example,dc=com -w mypass123 \e
	-b ou=People,dc=example,dc=com \e
	-H ldapserver -c /etc/ssl/ldapserver.crt -Z \e
	"(&(objectClass=bsdAccount)(uid=$1))" sshPublicKey | \e
	sed 's/^sshPublicKey: //p;d;'
exit 0
.Ed
.Pp
And the related configuration in
.Xr sshd_config 5 :
.Bd -literal -offset indent
Match Group ldapusers
	AuthorizedKeysCommand /etc/ssh/ldap-authorized_keys.sh
	AuthorizedKeysCommandUser _ldap
.Ed
.Sh SEE ALSO
.Xr sshd_config 5 ,
.Xr ldapd 8 ,
.Xr sshd 8
.Sh STANDARDS
.Rs
.%A G. Good
.%D June 2000
.%R RFC 2849
.%T The LDAP Data Interchange Format (LDIF) - Technical Specification
.Re
.Pp
.Rs
.%A M. Smith, Ed.
.%A T. Howes
.%D June 2006
.%R RFC 4515
.%T Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters
.Re
.Pp
.Rs
.%A M. Smith, Ed.
.%A T. Howes
.%D June 2006
.%R RFC 4516
.%T Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator
.Re
.Sh HISTORY
The
.Nm
utility first appeared in
.Ox 6.4 .
.Sh AUTHORS
.An -nosplit
The
.Nm
utility was written by
.An Reyk Floeter Aq Mt reyk@openbsd.org .
.Sh CAVEATS
SASL authentication is not supported.
Authentication should be performed using simple authentication over a
TLS connection.
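The LDAP URL grammar documented for the -H option above, worked through as an added Python example that is not code from the ldap utility or from this manual page: it applies the page's defaults (ldap://localhost:389/, scope sub, filter (objectClass=*), port 636 for ldaps) and reports whether the resulting session is TLS-protected, which is the check the CAVEATS section asks for before a simple bind sends a secret. The z_flag parameter standing in for -Z, the dict layout and the lack of IPv6-literal handling are assumptions of this example.

```python
from urllib.parse import unquote

# Added example, not code from the ldap(1) utility: parse the -H argument using
# the RFC 4516 form quoted in the manual page,
#   [protocol://]host[:port][/basedn[?attributes[?scope[?filter]]]]
# and apply the documented defaults (ldap://localhost:389/, scope "sub",
# filter "(objectClass=*)", port 636 for ldaps). IPv6 literals are not handled.

PROTOCOLS = {"ldap", "ldaps", "ldap+tls", "ldapi"}
SCOPES = {"base", "one", "sub"}

def parse_ldap_url(url, z_flag=False):
    t = {"protocol": "ldap", "host": "localhost", "port": 389, "basedn": "",
         "attributes": [], "scope": "sub", "filter": "(objectClass=*)",
         "starttls": z_flag}   # starttls: ldap+tls scheme or the -Z flag
    if "://" in url:
        t["protocol"], url = url.split("://", 1)
        if t["protocol"] not in PROTOCOLS:
            raise ValueError("unsupported protocol: " + t["protocol"])
    if t["protocol"] == "ldaps":
        t["port"] = 636
    elif t["protocol"] == "ldap+tls":
        t["starttls"] = True
    hostport, _, tail = url.partition("/")
    if t["protocol"] == "ldapi":
        # ldapi://%2fvar%2frun%2fldapi names the socket /var/run/ldapi
        t["host"], t["port"] = unquote(hostport), None
    else:
        host, sep, port = hostport.rpartition(":")
        if sep and port.isdigit():
            t["host"], t["port"] = host, int(port)
        elif hostport:
            t["host"] = hostport
    # Each field may be empty and then keeps its default, but the "/" or "?"
    # before a later non-empty field must be present, so split on "?" only.
    fields = tail.split("?") if tail else []
    if len(fields) > 0 and fields[0]:
        t["basedn"] = fields[0]
    if len(fields) > 1 and fields[1]:
        t["attributes"] = fields[1].split(",")
    if len(fields) > 2 and fields[2]:
        if fields[2] not in SCOPES:
            raise ValueError("bad scope: " + fields[2])
        t["scope"] = fields[2]
    if len(fields) > 3 and fields[3]:
        t["filter"] = fields[3]
    # Plain ldap:// without -Z is cleartext TCP; only ldaps or StartTLS encrypt.
    t["encrypted"] = t["protocol"] == "ldaps" or t["starttls"]
    return t
```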