See:
Scripts:
Web interface for changing a user account's password:
See PhpLDAPadmin
apt-get install cockpit-389-ds
Web UI (Cockpit plugin for 389 Directory Server)
If you have console access to the server:
slapcat | grep uidNumber | awk '{print $2}' | sort -n
slapcat | grep gidNumber | awk '{print $2}' | sort -n
Otherwise: find the max uidNumber on LDAP
In my case this did not work.
# sort -n: compare numerically, a plain sort puts 9999 after 10003
ldapsearch -H ldaps://your-ldap-domain -D "cn=Manager,dc=domain,dc=com" -W | awk '/uidNumber: / {print $2}' | sort -n | tail -n 1
Source: https://www.dynobin.com/linux-find-max-uidnumber-on-ldap/
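The same lookup done on a dump instead of with sort/tail, as an added Python example that is not part of the original notes: it parses the LDIF that slapcat or ldapsearch prints (unfolding the continuation lines ldapsearch emits when ldif-wrap is left on, and decoding base64 "::" values) and compares uidNumber/gidNumber numerically. The LDIF sample is constructed; the attribute names are the standard posixAccount ones.

```python
"""Highest uidNumber / gidNumber in an LDIF dump (slapcat or ldapsearch -LLL output).

Added example, not code from the original notes. The sample LDIF below is
constructed. Reading stdin with `slapcat | python3 max_id.py -` works the
same way on real data.
"""
import base64
import sys


def unfold_ldif(text):
    """Return logical LDIF lines: a line starting with one space continues the previous line."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def attribute_values(text, attr):
    """All values of `attr` (case-insensitive), decoding base64 `attr:: ...` values."""
    values = []
    wanted = attr.lower()
    for line in unfold_ldif(text):
        if not line or line.startswith("#"):
            continue
        name, sep, rest = line.partition(":")
        if not sep or name.lower() != wanted:
            continue
        if rest.startswith(":"):          # base64-encoded value
            values.append(base64.b64decode(rest[1:].strip()).decode("utf-8"))
        elif rest.startswith("<"):        # URL-valued attribute, never a numeric id
            continue
        else:
            values.append(rest.strip())
    return values


def max_id(text, attr="uidNumber"):
    """Highest numeric value of `attr`, or None when the attribute does not occur."""
    numbers = []
    for value in attribute_values(text, attr):
        try:
            numbers.append(int(value))
        except ValueError:
            pass                           # skip malformed values instead of aborting
    return max(numbers) if numbers else None


# Constructed sample: three posixAccount entries, one with a base64 value and
# one with a folded line, exactly the two cases that break grep/awk/sort.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: posixAccount
uidNumber: 10001
gidNumber: 10001

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: posixAccount
uidNumber: 9999
gidNumber:: MTAwMDI=

dn: uid=carol,ou=People,dc=example,dc=com
objectClass: posixAccount
uidNumber: 1
 0003
gidNumber: 500
"""

if __name__ == "__main__":
    data = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_LDIF
    print("max uidNumber:", max_id(data, "uidNumber"))
    print("max gidNumber:", max_id(data, "gidNumber"))
```

On the sample a lexical sort would report 9999 as the maximum; the numeric comparison returns 10003, and the base64 gidNumber 10002 is found only because the "::" form is decoded.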
# accounts whose shadowExpire is 0 (expiry date at the epoch, i.e. expired/disabled), uid only
ldapsearch -x -b "dc=acme,dc=fr" '(&(objectclass=shadowaccount)(shadowexpire=0))' uid
curl -u USERNAME 'ldap://192.168.0.66/CN=Users,DC=training,DC=local?sAMAccountName?sub?(ObjectClass=*)'
$ curl "ldap://localhost:1389/dc=example,dc=com?homephone?sub?cn=*amar" \
    -u "cn=directory manager"
Enter host password for user 'cn=directory manager':
DN: uid=mathieu,ou=People,dc=example,dc=com
homephone: +1 225 216 5900
ldapsearch -x -LLL -H ldap://192.168.20.153:389 -D "admin" -w 'P@ssw0rd' -b "dc=acme,dc=fr" | egrep -5 -i --color openstack
ldapsearch -x -LLL -H ldap://192.168.20.153:389 -D "admin" -w 'P@ssw0rd' -b "dc=acme,dc=fr" '(memberOf=CN=Openstack,OU=Groupes,dc=acme,dc=fr)' uid
ldapsearch -x -LLL -H ldap://192.168.20.153:389 -D "admin" -w 'P@ssw0rd' -b "dc=acme,dc=fr" '(memberOf=CN=Openstack,OU=Groupes,dc=acme,dc=fr)' sAMAccountName
Show the members of a group (by CN)
ldapsearch -x -LLL -D "admin" -y ~/.ldap_pass -b "CN=groupe1,OU=Ressources Exchange,DC=acme,DC=fr" member
Other
# one filter only; the original line had two filters run together, the second is the usable one
ldapsearch -h ldap.acme.fr -D "admin@acme.local" -W -b "ou=04 - Direction technique,ou=Paris,dc=acme,dc=local" \
  -s sub "(&(objectCategory=person)(objectClass=user)(sAMAccountName=*))" mail
# /etc/ldap/ldap.conf (or ~/.ldaprc): defaults picked up by ldapsearch
BASE dc=acme,dc=fr
URI ldap://192.168.20.153
SIZELIMIT 2000
echo -n P@ssw0rd > ~/.ldap_pass   # the password also lands in shell history; -y reads it from the file
chmod 600 ~/.ldap_pass
ldapsearch -x -LLL -D "admin" -y ~/.ldap_pass -b "dc=acme,dc=fr" '(memberOf=CN=Openstack,OU=Groupes,dc=acme,dc=fr)' cn
Find a user's login
# echo | ldapsearch -E pr=1000 -D "admin" -y ~/.ldap_pass sAMAccountName | egrep -i marley
echo | ldapsearch -LLL -o ldif-wrap=no -D "admin" -y ~/.ldap_pass sAMAccountName=marley sAMAccountName
# MARLEY Robert, Utilisateurs, SERVICE_INFRA
dn: CN=MARLEY Robert,OU=Utilisateurs,OU=SERVICE_INFRA
sAMAccountName: MARLEY
No wrap
-o ldif-wrap=no
# Kerberos/GSSAPI bind reusing the SSSD credential cache
export KRB5CCNAME=/var/lib/sss/db/ccache_ACME.LOCAL
ldapsearch -H ldap://srv_ldap.acme.local -Y GSSAPI -N -b "DC=ACME,DC=SVC" "(sAMAccountName=user_01)" mail description 2>/dev/null | grep "dn:\|description:\|mail:"
nisNetgroupTriple holds the direct members (users, or hosts)
memberNisNetgroup holds the other (nested) netgroups
Netgroup
See http://articles.mongueurs.net/magazines/linuxmag67.html
/etc/nsswitch.conf:
netgroup: ldap
getent netgroup sysadmin
getent netgroup $(hostname -s)
ipa netgroup-add --desc="Netgroup description" --nisdomain="example.com" example-netgroup
ipa netgroup-add-member --users=user_name --groups=group_name --hosts=host_name \
  --hostgroups=host_group_name --netgroups=netgroup_name example-netgroup
# brace expansion turns {a,b} into repeated --users= options; a ';' inside the braces would split the command
ipa netgroup-add-member --users={user1,user2,user3} \
  --groups={group1,group2} example-group
nisNetgroupTriple: This can be used to describe a user (,bobby,example.com) or a machine name (shellserver1,,example.com). This attribute can have multiple values.
memberNisNetgroup: This is a very powerful attribute. It is used to merge the attribute values of another netgroup into the current one by simply listing the name (cn) of the merging netgroup. This attribute can have multiple values as well.
+ : @QAUsers@@QASystems : 10.
+ : root : LOCAL
+ : @Admins : 10.
- : ALL : ALL
account required pam_access.so accessfile=/etc/security/access.netgroup.conf
https://support.hpe.com/hpesc/public/docDisplay?docId=c02058091&docLocale=en_US
+:root:ALL
+:admin:ALL
+:@srv1:ALL
-:ALL:ALL
In our example "srv1" is the short hostname of our server (the output of hostname -s), i.e. a netgroup named after each host lists who may log in there.
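To see how the netgroup attributes and the access.conf rules above fit together, here is an added Python example, not code from the original notes: it expands netgroups stored as nisNetgroupTriple / memberNisNetgroup (nested, with a cycle that must not loop forever) and evaluates pam_access-style "+/- : users : origins" rules against them, first match wins. The netgroup contents, user names and rule set are constructed; only the subset of access.conf syntax used in the notes is implemented (user name, @netgroup, ALL, LOCAL and a trailing-dot address prefix such as "10.").

```python
"""Expand LDAP netgroups and evaluate pam_access-style rules against them.

Added example, not code from the original notes. The netgroup contents,
rule set and user names are constructed. Netgroups use the two attributes
the notes describe: nisNetgroupTriple "(host,user,domain)" for direct
members and memberNisNetgroup for nested netgroups.
"""
import re

# Constructed directory content: cn -> (nisNetgroupTriple values, memberNisNetgroup values)
NETGROUPS = {
    "Admins":    (["(,alice,acme.fr)", "(,bob,acme.fr)"], []),
    "QAUsers":   (["(,carol,acme.fr)"], []),
    "QASystems": (["(qa1,-,acme.fr)", "(qa2,-,acme.fr)"], []),
    # per-host netgroup named after `hostname -s`: its members may log in on srv1
    "srv1":      (["(srv1,-,acme.fr)"], ["QAUsers"]),
    "Everyone":  ([], ["Admins", "QAUsers", "Loop"]),
    "Loop":      ([], ["Everyone"]),   # deliberate cycle: expansion must terminate
}

TRIPLE_RE = re.compile(r"^\(([^,]*),([^,]*),([^)]*)\)$")


def expand_netgroup(name, groups=NETGROUPS, seen=None):
    """Set of (host, user, domain) triples of a netgroup, following
    memberNisNetgroup recursively; `seen` stops infinite recursion on cycles."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    triples, nested = groups[name]
    result = set()
    for raw in triples:
        m = TRIPLE_RE.match(raw.strip())
        if m:
            result.add(tuple(f.strip() for f in m.groups()))
    for child in nested:
        result |= expand_netgroup(child, groups, seen)
    return result


def _field_matches(item, value, is_user, groups):
    """One token of the users or origins field against the actual user / origin."""
    if item == "ALL":
        return True
    if item.startswith("@"):
        # users field: user part of the triple; origins field: host part
        idx = 1 if is_user else 0
        return any(t[idx] == value for t in expand_netgroup(item[1:], groups))
    if not is_user:
        if item == "LOCAL":
            return "." not in value          # origin without a dot: local tty / host
        if item.endswith("."):
            return value.startswith(item)    # "10." matches 10.x.x.x
    return item == value


def access_allowed(user, origin, rules, groups=NETGROUPS):
    """First matching rule decides, as pam_access does; no matching rule allows."""
    for line in rules:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (p.strip() for p in line.split(":", 2))
        if any(_field_matches(u.strip(), user, True, groups) for u in users.split(",")) and \
           any(_field_matches(o.strip(), origin, False, groups) for o in origins.split(",")):
            return perm == "+"
    return True


# Constructed rule set in the spirit of the access.conf examples above.
RULES = [
    "+ : root : LOCAL",
    "+ : @Admins : ALL",
    "+ : @srv1 : 10.",
    "- : ALL : ALL",
]

if __name__ == "__main__":
    for who, where in [("root", "tty1"), ("root", "10.0.0.5"), ("alice", "10.0.0.5"),
                       ("carol", "10.0.0.5"), ("carol", "192.168.1.9"), ("dave", "10.0.0.5")]:
        verdict = "allow" if access_allowed(who, where, RULES) else "deny"
        print(f"{who:6} from {where:12} -> {verdict}")
```

The order of the rules matters: with the closing "- : ALL : ALL" line, anyone not matched by an earlier "+" line is denied, which is why a missing per-host netgroup silently locks everyone but the admins out of that host.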
OpenLDAP sizelimit: cannot receive more than 500 entries.
Solution: paged results, -E pr=1000
Or
SIZELIMIT 2000 (client-side default in ldap.conf; the server's own sizelimit still applies)