We are using FreeIPA / IDM, and can authenticate against it with the following:
$ ldapsearch -h idm-01a.somednsdom.com \
-D 'uid=<my username>,cn=users,cn=accounts,dc=somedcdom,dc=com' \
-o ldif-wrap=no \
-b 'cn=accounts,dc=somedcdom,dc=com' \
-W uid=<my username>
Explanation
- This returns the entry for uid=<my username>. The trailing uid=<my username> is the query: an LDAP search filter as defined in RFC 4515, evaluated with the default scope (subtree) below the search base given with -b. ldapsearch accepts it without the enclosing parentheses; the canonical form is (uid=<my username>). The filter is passed to the server verbatim, so a username containing *, (, ) or \ changes the query (uid=* matches every user); escape those characters as \2a, \28, \29 and \5c when the value comes from untrusted input.
- The -o ldif-wrap=no disables wrapping of the result: by default long LDIF lines are folded at 76 columns, with continuation lines that start with a space, which gets in the way of grep and cut.
- The -W forces ldapsearch to prompt for the password of the bind DN uid=<my username>,cn=users,cn=accounts,dc=somedcdom,dc=com, so the password does not end up in the shell history or in the process list, as it would with -w <password>.
- This is a simple bind: ldapsearch chooses simple authentication here because a bind DN is given with -D, and -x (as in the last command on this page) makes that explicit. The password is sent in clear text unless the connection is protected, so prefer -ZZ (StartTLS, failing if it cannot be established) or -H ldaps://idm-01a.somednsdom.com; -h is deprecated in favour of -H anyway.
When you are prompted for that user's password, the prompt looks like this:
Enter LDAP Password:
References
From the ldapsearch man page and CLI help:
-D binddn
Use the Distinguished Name binddn to bind to the LDAP directory.
For SASL binds, the server is expected to ignore this value.
-b searchbase
Use searchbase as the starting point for the search instead of the
default.
-W Prompt for simple authentication. This is used instead of specifying
the password on the command line.
-o <opt>[=<optparam] general options
nettimeout=<timeout> (in seconds, or "none" or "max")
ldif-wrap=<width> (in columns, or "no" for no wrapping)
Full example
$ ldapsearch -h idm-01a.somednsdom.com \
-D 'uid=joeuser,cn=users,cn=accounts,dc=somedcdom,dc=com' \
-o ldif-wrap=no \
-b 'cn=accounts,dc=somedcdom,dc=com' \
-W uid=joeuser
# extended LDIF
#
# LDAPv3
# base <cn=accounts,dc=somedcdom,dc=com> with scope subtree
# filter: uid=joeuser
# requesting: ALL
#
# joeuser, users, accounts, somedcdom.com
dn: uid=joeuser,cn=users,cn=accounts,dc=somedcdom,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: cn=sysadmin,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: ipaUniqueID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXXX,cn=sudorules,cn=sudo,dc=somedcdom,dc=com
memberOf: cn=eng-systems,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: ipaUniqueID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXXX,cn=hbac,dc=somedcdom,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: ipaUniqueID=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXXXXXX,cn=sudorules,cn=sudo,dc=somedcdom,dc=com
memberOf: cn=User Administrator,cn=roles,cn=accounts,dc=somedcdom,dc=com
memberOf: cn=User Administrators,cn=privileges,cn=pbac,dc=somedcdom,dc=com
memberOf: cn=System: Add User to default group,cn=permissions,cn=pbac,dc=somedcdom,dc=com
...
...
krbLoginFailedCount: 0
krbLastFailedAuth: 20190320223946Z
loginShell: /bin/bash
krbExtraData:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
krbPasswordExpiration: 20190829144625Z
krbLastPwdChange: 20190302144625Z
krbLastAdminUnlock: 20190111080021Z
ipaSshPubKey: ssh-rsa A....XXXXXXXXXXXX...jelByox0PM5Q== joeuser@somednsdom.com
mepManagedEntry: cn=joeuser,cn=groups,cn=accounts,dc=somedcdom,dc=com
displayName: Joe User
uid: joeuser
krbCanonicalName: joeuser@SOMEDCDOM.COM
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
initials: JU
gecos: Joe User
sn: Mingolelli
homeDirectory: /home/joeuser
mail: joeuser@somednsdom.com
krbPrincipalName: joeuser@SOMEDCDOM.COM
givenName: Joe
cn: Joe User
ipaUniqueID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
uidNumber: 900000000
gidNumber: 900000000
krbPwdPolicyReference: cn=admins,cn=SOMEDCDOM.COM,cn=kerberos,dc=somedcdom,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
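The filter and flags explained above, and the LDIF output of the full example, as an added example that is not part of the original page: a small Python helper that escapes the username for the RFC 4515 filter and for the bind DN (so a username such as * or joeuser)(uid=admin cannot widen the search), builds the ldapsearch argv with -x, -ZZ and -W, and parses the LDIF that ldapsearch prints (unfolding wrapped lines and decoding :: base64 values) to list the IPA groups found in memberOf. The host name and base DN are the page's placeholders; the sample LDIF is constructed data in the shape of the output above, and its ipaUniqueID is made up.

```python
"""Added example, not from the original page: safe filter and bind DN for a FreeIPA
username, the ldapsearch argv, and a parser for the LDIF ldapsearch prints."""
import base64
from typing import Dict, List

IPA_HOST = "idm-01a.somednsdom.com"                # placeholder from the page
ACCOUNTS_BASE = "cn=accounts,dc=somedcdom,dc=com"  # placeholder from the page
# RFC 4515 section 3: these must be written as \XX inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# RFC 4514 section 2.4: these get a backslash inside a DN attribute value.
_DN_SPECIALS = set('"+,;<>\\')

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter's structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def user_filter(username: str) -> str:
    """'(uid=joeuser)' for a normal name; a hostile one such as '*' or
    'joeuser)(uid=admin' is matched literally instead of widening the search."""
    return f"(uid={escape_filter_value(username)})"

def escape_dn_value(value: str) -> str:
    """Escape a value for use inside an RDN such as uid=<value>."""
    out = "".join("\\" + ch if ch in _DN_SPECIALS else ch for ch in value)
    if value[:1] in ("#", " "):   # a leading '#' or space must be escaped
        out = "\\" + out
    if value.endswith(" "):       # and so must a trailing space
        out = out[:-1] + "\\ "
    return out

def bind_dn(username: str) -> str:
    """Bind DN of a FreeIPA user, as passed to -D on the page."""
    return f"uid={escape_dn_value(username)},cn=users,{ACCOUNTS_BASE}"

def ldapsearch_argv(username: str, attrs=()) -> List[str]:
    """Explicit simple bind (-x) over STARTTLS (-ZZ) via -H (the page's -h is
    deprecated), -W so the password never appears on the command line."""
    return ["ldapsearch", "-x", "-ZZ", "-H", f"ldap://{IPA_HOST}",
            "-D", bind_dn(username), "-W", "-o", "ldif-wrap=no",
            "-b", ACCOUNTS_BASE, user_filter(username), *attrs]

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Entries as {attribute: [values]}: unfolds continuation lines (a leading
    space; ldif-wrap=no avoids them), decodes 'attr:: base64', skips comments."""
    logical: List[str] = []
    for raw in text.splitlines():             # 1. unfold continuation lines
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in logical + [""]:               # 2. a blank line ends an entry
        if not line:
            if "dn" in current:               # drops the dn-less search/result trailer
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):              # '::' marks a base64-encoded value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        else:
            value = rest.strip()
        current.setdefault(name, []).append(value)
    return entries

def ipa_groups(entry: Dict[str, List[str]]) -> List[str]:
    """IPA user-group names from memberOf; the sudo rules, HBAC rules, roles,
    privileges and permissions that also appear there are skipped."""
    groups = []
    for dn in entry.get("memberOf", []):
        rdn, _, parent = dn.partition(",")
        if rdn.startswith("cn=") and parent.startswith("cn=groups,"):
            groups.append(rdn[3:])
    return groups

# Constructed sample shaped like the page's output, with one folded memberOf line
# (as printed without ldif-wrap=no), a base64 value and a made-up ipaUniqueID.
SAMPLE_LDIF = """\
# filter: (uid=joeuser)

dn: uid=joeuser,cn=users,cn=accounts,dc=somedcdom,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: cn=admins,cn=groups,cn=accounts,dc=somedcdom,dc=com
memberOf: cn=User Administrator,cn=roles,cn=accounts,dc=somedcdom,dc=com
memberOf: ipaUniqueID=0f2b7a1e-1111-2222-3333-444455556666,cn=sudorules,cn=sud
 o,dc=somedcdom,dc=com
uid: joeuser
description:: SsO2ZQ==

# search result
result: 0 Success
"""
```

parse_ldif(SAMPLE_LDIF) yields one entry with the folded sudo-rule DN reassembled and the base64 description decoded; ipa_groups on it returns only ipausers and admins, because the role and the sudo rule that FreeIPA also lists under memberOf are deliberately left out. ldapsearch_argv("joeuser") is the page's command with -h replaced by -H, StartTLS enforced and the filter escaped; hand it to subprocess.run to query a real server, which then shows the Enter LDAP Password: prompt from above. The RDN split in ipa_groups assumes no escaped commas inside group names.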
/etc/openldap/ldap.conf
If the server (URI) and the search base (BASE) are set in /etc/openldap/ldap.conf, the -h and -b options can be left off, i.e. the following should work: ldapsearch -x -D "<bind dn>" -W <query>
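An added example of such an /etc/openldap/ldap.conf, not taken from the original page; the host and base DN are the placeholders used above, and /etc/ipa/ca.crt is assumed to be where the IPA CA certificate lives (the usual location on an enrolled FreeIPA client):

```conf
# /etc/openldap/ldap.conf (added example; values are assumptions)
URI         ldap://idm-01a.somednsdom.com
BASE        cn=accounts,dc=somedcdom,dc=com
# Trust the IPA CA and insist on a valid certificate, so that -ZZ (or ldaps://)
# actually authenticates the server before the password is sent.
TLS_CACERT  /etc/ipa/ca.crt
TLS_REQCERT demand
```

With that in place the full example above shrinks to ldapsearch -x -ZZ -D 'uid=joeuser,cn=users,cn=accounts,dc=somedcdom,dc=com' -W uid=joeuser: only the host and the search base come from the file; the bind DN and the filter still have to be given on the command line.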