.\" $OpenBSD: ldap.1,v 1.11 2021/02/10 06:52:05 jmc Exp $
.\"
.\" Copyright (c) 2018 Reyk Floeter <reyk@openbsd.org>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.Dd $Mdocdate: February 10 2021 $
.Dt LDAP 1
.Os
.Sh NAME
.Nm ldap
.Nd simple LDAP client
.Sh SYNOPSIS
.Nm ldap
.Cm search
.Op Fl LvWxZ
.Op Fl b Ar basedn
.Op Fl c Ar CAfile
.Op Fl D Ar binddn
.Op Fl H Ar host
.Op Fl l Ar timelimit
.Op Fl s Ar scope
.Op Fl w Ar secret
.Op Fl y Ar secretfile
.Op Fl z Ar sizelimit
.Op Ar filter
.Op Ar attributes ...
.Sh DESCRIPTION
The
.Nm
utility is a simple LDAP client.
It queries an LDAP server to perform a command and outputs the results
in the LDAP Data Interchange Format (LDIF).
.Bl -tag -width Ds
.It Cm search Ar options Oo Ar filter Oc Op Ar attributes ...
Perform a directory search request.
The optional
.Ar filter
argument specifies the LDAP filter for the directory search.
The default is
.Ar (objectClass=*)
and the format must comply with the
.Dq String Representation of Search Filters
as described in RFC 4515.
If one or more
.Ar attribute
options are specified,
.Nm
restricts the output to the specified attributes.
.El
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Fl b Ar basedn
Use the specified distinguished name (dn) as the starting point for
directory search requests.
.It Fl c Ar CAfile
When TLS is enabled, load the CA bundle for certificate verification
from the specified file.
The default is
.Pa /etc/ssl/cert.pem .
If the LDAP server uses a self-signed certificate,
use a file that contains the server certificate in PEM format, e.g.
.Pa /etc/ssl/ldapserver.example.com.crt .
.It Fl D Ar binddn
Use the specified distinguished name to bind to the directory.
.It Fl H Ar host
The hostname of the LDAP server or an LDAP URL.
The LDAP URL is described in RFC 4516 with the following format:
.Pp
.Sm off
.Op Ar protocol No ://
.Ar host Op : Ar port
.Oo
.Li / Ar basedn
.Li ?\& Ar attribute , ...
.Li ?\& Ar scope
.Li ?\& Ar filter
.Oc
.Sm on
.Pp
The default is
.Ar ldap://localhost:389/ .
Each of
.Ar basedn , attribute , scope
and
.Ar filter
may be omitted,
but the preceding
.Sq /
or
.Sq ?\&
is required if a subsequent field is non-empty.
.Pp
The following protocols are supported:
.Pp
.Bl -tag -width "ldap+tls" -compact
.It ldap
Connect with TCP in plain text.
This is the default.
.It ldaps
Connect with TLS.
The default port is 636.
.It ldap+tls
Connect with TCP and enable TLS using the StartTLS operation.
This is the same as the
.Fl Z
option.
.It ldapi
Connect to a UNIX-domain socket.
The host argument is required to be a URL-encoded path, for example
.Ar ldapi://%2fvar%2frun%2fldapi
for
.Pa /var/run/ldapi .
.El
.It Fl L
Output the directory search result in a standards-compliant version of
the LDAP Data Interchange Format (LDIF).
This encodes attribute values that include non-printable or UTF-8
characters in the Base64 format and wraps lines at a 79-character limit.
If this option is not specified,
.Nm
encodes
.Dq unsafe
characters and newlines in a visual format using
.Xr vis 3
instead.
.It Fl l Ar timelimit
Request the server to abort the search request after
.Ar timelimit
seconds.
The default value is 0 for no limit.
.It Fl s Ar scope
Specify the
.Ar scope
to be either
.Ic base ,
.Ic one ,
or
.Ic sub .
The default is
.Ic sub
for subtree searches.
.It Fl v
Produce more verbose output.
.It Fl W
Prompt for the bind secret with echo turned off.
.It Fl w Ar secret
Specify the bind secret on the command line.
.It Fl x
Use simple authentication.
This is the default as
.Nm
does not support SASL authentication.
.It Fl y Ar secretfile
Read the bind secret from the first line of the specified file or from
standard input if the
.Ar secretfile
argument is
.Sq - .
The file must not be world-readable if it is a regular file.
.It Fl Z
Enable TLS using the StartTLS operation.
.It Fl z Ar sizelimit
Request the server to limit the search result to a maximum number of
.Ar sizelimit
entries.
The default value is 0 for no limit.
.El
.Sh FILES
.Bl -tag -width "/etc/ssl/cert.pemXXX" -compact
.It Pa /etc/ssl/cert.pem
Default CA file.
.El
.Sh EXAMPLES
The following script can be used with the
.Ar AuthorizedKeysCommand
option of
.Xr sshd 8 :
.Bd -literal -offset indent
#!/bin/sh
ldap search -D cn=Reader,dc=example,dc=com -w mypass123 \e
    -b ou=People,dc=example,dc=com \e
    -H ldapserver -c /etc/ssl/ldapserver.crt -Z \e
    "(&(objectClass=bsdAccount)(uid=$1))" sshPublicKey | \e
    sed 's/^sshPublicKey: //p;d;'
exit 0
.Ed
.Pp
And the related configuration in
.Xr sshd_config 5 :
.Bd -literal -offset indent
Match Group ldapusers
    AuthorizedKeysCommand /etc/ssh/ldap-authorized_keys.sh
    AuthorizedKeysCommandUser _ldap
.Ed
.Sh SEE ALSO
.Xr sshd_config 5 ,
.Xr ldapd 8 ,
.Xr sshd 8
.Sh STANDARDS
.Rs
.%A G. Good
.%D June 2000
.%R RFC 2849
.%T The LDAP Data Interchange Format (LDIF) - Technical Specification
.Re
.Pp
.Rs
.%A M. Smith, Ed.
.%A T. Howes
.%D June 2006
.%R RFC 4515
.%T Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters
.Re
.Pp
.Rs
.%A M. Smith, Ed.
.%A T. Howes
.%D June 2006
.%R RFC 4516
.%T Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator
.Re
.Sh HISTORY
The
.Nm
utility first appeared in
.Ox 6.4 .
.Sh AUTHORS
.An -nosplit
The
.Nm
utility was written by
.An Reyk Floeter Aq Mt reyk@openbsd.org .
.Sh CAVEATS
SASL authentication is not supported.
Authentication should be performed using simple authentication over a
TLS connection.
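The AuthorizedKeysCommand script in EXAMPLES passes the bind secret with -w, where it is visible in the process list, and interpolates the login name straight into the filter. The following is an added example, not part of the ldap(1) page or OpenBSD, that keeps the same search but reads the secret with -y after checking the file mode the option requires, and escapes the login name per RFC 4515 before building the filter. It assumes a hypothetical secret file path /etc/ssh/ldap-secret; the DNs, host and CA file are the placeholders from the page's own example.

```shell
#!/bin/sh
# Added example (not from ldap(1) or OpenBSD). SECRETFILE is a hypothetical
# path; server, base DN and CA file are the man page's placeholder values.
SECRETFILE=${SECRETFILE:-/etc/ssh/ldap-secret}

# Escape a value for use inside an RFC 4515 search filter. Backslash is
# replaced first, then '*', '(' and ')' become \5c, \2a, \28 and \29, so a
# login name cannot change the structure of the filter it is placed in.
ldap_filter_escape() {
    printf '%s\n' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# The file handed to -y must be a regular file that is not world-readable;
# ldap(1) rejects it otherwise, so check the same condition up front.
secretfile_ok() {
    [ -f "$1" ] && [ -z "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Same filter as the page's example, "(&(objectClass=bsdAccount)(uid=$1))",
# with the username escaped.
build_filter() {
    printf '(&(objectClass=bsdAccount)(uid=%s))\n' "$(ldap_filter_escape "$1")"
}

# Query the directory over StartTLS and print only the key material.
# The sed expression relies on the default (non -L) output: with -L, values
# containing non-printable or UTF-8 characters would be base64 and wrapped.
lookup_keys() {
    secretfile_ok "$SECRETFILE" || { echo "unsafe secret file" >&2; return 1; }
    ldap search -D cn=Reader,dc=example,dc=com -y "$SECRETFILE" \
        -b ou=People,dc=example,dc=com \
        -H ldapserver -c /etc/ssl/ldapserver.crt -Z \
        "$(build_filter "$1")" sshPublicKey |
        sed 's/^sshPublicKey: //p;d;'
}

# sshd(8) invokes the script with the login name as the single argument.
if [ $# -eq 1 ]; then
    lookup_keys "$1"
fi
```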