Hadoop: LDAP introduction and usage

Introduction to LDAP

LDAP overview

LDAP (Lightweight Directory Access Protocol) is a protocol for accessing directory services, in particular X.500-based directory services. It runs over TCP/IP or another connection-oriented transport and is an IETF standards-track protocol.
LDAP is a directory, not a relational database: it is not meant for storing large binary objects, reads and writes are asymmetric (reads are cheap, writes are comparatively expensive), and it is best suited to lookup and search. LDAP has no database-style transactions or rollback.
LDAP supports rich search filters and organizes its data as a tree, much like Internet domain names, a company's organization chart, or the directory structure of a file system.

Advantages of LDAP

  1. Read/write efficiency: LDAP can be thought of as a "tree-shaped database" optimized for reads. With a read-to-write ratio above roughly 7:1 it performs very well, which makes it a good fit for identity authentication.
  2. Open standard protocol: unlike SQL databases, LDAP clients are cross-platform, and nearly every programming language has a standard LDAP API.
  3. Strong authentication options: LDAP can provide a high security level (the OpenLDAP tools below offer SASL mechanisms via -Y and StartTLS via -Z in addition to simple binds). For internationalization, LDAP stores characters of any language as UTF-8.
  4. Open-source implementation: OpenLDAP implements many newer features, is lightweight and consumes few system resources, and can be extended with new functionality.
  5. Flexible data types: the LDAP schema defines the attributes, how they relate to one another, and how they are matched. In a relational database, giving users a new attribute means adding a column and altering the table structure, which is disruptive; in LDAP you add the new attribute type to the schema, and additional attributes do not affect performance.
  6. Tree-structured storage: the storage backend is typically a B/B+ tree, and any subtree can be hosted on a separate server for distributed management. This helps with load balancing and with deployments spread across regions, and is a clear advantage when query load is high or the enterprise has branches in several locations.

Main LDAP use cases

  1. Machine authentication
  2. User authentication
  3. User and system groups
  4. Address books
  5. Organization representation
  6. Asset tracking
  7. Telephone information storage
  8. User resource management
  9. E-mail address lookup
  10. Application configuration storage

How LDAP works

LDAP uses a client-server model: one or more LDAP servers hold the data, organized as a directory information tree. A client connects to a server and asks a question; the server replies with an answer or with a referral, a pointer (usually to another LDAP server) where the client can obtain the rest of the information. Whichever LDAP server a client connects to, it sees the same view of the directory.

Basic LDAP terms

Directory

A directory is the unit in which information is stored; it is named by domain.

Entry

An entry is the object the directory manages and the basic unit of LDAP, comparable to a record in a database; LDAP add, delete, modify and search operations all work on entries.
Every entry has a unique identifier, the DN (Distinguished Name). Syntactically a DN is a comma-separated sequence of relative distinguished names, for example dn: cn=Manager,dc=hadoop,dc=apache,dc=org; this hierarchical syntax makes the entry's position in the directory tree immediately visible.

Attribute

Each entry has a number of attributes; a person entry, for instance, has a name, an address, an e-mail address and so on. Every attribute has a name and one or more values. Some common attributes:

Attribute  Full name                     Description
cn         common name                   The name of an object
dn         distinguished name            Unique name of an entry, like an absolute path; every entry has one, e.g. cn=Manager,dc=hadoop,dc=apache,dc=org
rdn        relative distinguished name   Relative name, like a relative path, e.g. cn=Manager
dc         domain component              One component of a domain name; the domain hadoop.apache.org is written dc=hadoop,dc=apache,dc=org
ou         organizational unit           Name of an organizational unit, e.g. ou=groups
sn         surname                       A person's family name, e.g. sn: Chen

AttributeType

Every attribute has an attribute type, which defines the syntax and data format of its values, whether the attribute is single- or multi-valued, and the matching rules (equality, ordering, substring; case sensitivity) applied when searching and sorting.

ObjectClass

An object class is a set of attributes, bundling several attributes into one kind of object. A "person" object class, for example, contains name, address and telephone attributes; a "student" class inheriting from it can add school, grade and class attributes.
Object classes make it easy to define entry types: an entry can belong to several object classes and thereby carry all of their attributes.

Schema

Object classes, attribute types and syntaxes govern entries, attributes and values respectively; together they make up the schema, and every element of the schema has a unique OID.

LDIF: LDAP Data Interchange Format

LDIF, standardized in RFC 2849, is the text format in which LDAP configuration and directory content are saved and exchanged. Files ending in .ldif are the usual way to add, delete, modify and query both configuration and directory content through the LDAP command-line tools.
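An added example (not part of the original post, and not OpenLDAP's code) of what an LDIF consumer has to handle: folded lines, base64 values (the :: form, which is required for non-ASCII values such as the Chinese OU names used later on this page) and the attr:< URL form, which makes ldapmodify read a local file into the directory and should never be accepted from untrusted LDIF. The sample records, the entry under ou=運維部 and the decision not to fold output lines are assumptions of this example.

```python
from __future__ import annotations
import base64

# Added example, not the page's or OpenLDAP's code: a minimal RFC 2849 LDIF
# reader/writer. Assumptions: output lines are not folded (ldapadd accepts
# long lines), "-" separators inside modify records are skipped, and
# "attr:< URL" lines are refused instead of dereferenced.


def _needs_base64(raw: bytes) -> bool:
    """True unless raw is a SAFE-STRING: printable ASCII that does not begin
    with space, ':' or '<' and does not end with a space."""
    if not raw:
        return False
    if raw[0] in b' :<' or raw[-1] == 0x20:
        return True
    return any(b < 0x20 or b > 0x7E for b in raw)


def serialize_entry(dn: str, attrs: dict[str, list]) -> str:
    """Render one content record; attribute values may be str or bytes."""
    lines: list[str] = []

    def emit(name: str, value) -> None:
        raw = value if isinstance(value, bytes) else value.encode('utf-8')
        if _needs_base64(raw):
            lines.append(f"{name}:: {base64.b64encode(raw).decode('ascii')}")
        else:
            lines.append(f"{name}: {raw.decode('ascii')}")

    emit("dn", dn)
    for name, values in attrs.items():
        for value in values:
            emit(name, value)
    return "\n".join(lines) + "\n"


def parse_ldif(text: str) -> list[tuple[str, dict[str, list]]]:
    """Parse LDIF text into (dn, {attribute: [values]}) records."""
    logical: list[str] = []
    for line in text.splitlines():
        if line.startswith(' ') and logical and logical[-1]:
            logical[-1] += line[1:]              # unfold a continuation line
        else:
            logical.append(line)

    records, current = [], None
    for line in logical + ['']:                  # sentinel closes the last record
        if line == '':
            if current is not None:
                records.append(current)
                current = None
            continue
        if line.startswith('#') or line.startswith('version:') or line == '-':
            continue
        name, sep, rest = line.partition(':')
        if not sep or not name:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if rest.startswith('<'):
            # "attr:< file:///..." makes ldapmodify read a local file into the
            # directory; refuse it rather than trust the LDIF's author.
            raise ValueError(f"refusing URL value for {name}: {rest[1:].strip()!r}")
        if rest.startswith(':'):
            raw = base64.b64decode(rest[1:].strip(), validate=True)
        else:
            raw = (rest[1:] if rest.startswith(' ') else rest).encode('utf-8')
        try:
            value = raw.decode('utf-8')
        except UnicodeDecodeError:
            value = raw                          # genuinely binary value
        if name == 'dn':
            if current is not None:
                raise ValueError("dn line inside a record")
            current = (value, {})
        elif current is None:
            raise ValueError(f"attribute {name!r} before any dn")
        else:
            current[1].setdefault(name, []).append(value)
    return records


# Constructed sample, not from the page: a folded description line, and an
# entry whose dn and ou contain Chinese characters and so need the :: form.
SAMPLE_LDIF = """\
version: 1
# constructed for this example

dn: uid=hdfstest,ou=hadoop,dc=apache,dc=org
objectClass: inetOrgPerson
cn: HDFS Test
sn: Test
uid: hdfstest
description: this value is folded across
  two physical lines per RFC 2849
"""
CHINESE_DN = "uid=zhan_z,ou=運維部,ou=研發中心,dc=hadoop,dc=apache,dc=org"
CHINESE_ENTRY = {"objectClass": ["inetOrgPerson"], "cn": ["zhan_z"],
                 "sn": ["Zhan"], "ou": ["運維部"]}

if __name__ == "__main__":
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print(dn, attrs)
    print(serialize_entry(CHINESE_DN, CHINESE_ENTRY))  # dn:: and ou:: are base64
```

The refusal of attr:< values is the point to keep: when ldapmodify is run with a privileged bind DN on a file supplied by someone else, a line such as jpegPhoto:< file:///etc/shadow would be read by the tool and written into the directory.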

The LDAP directory tree

In LDAP, directory entries are arranged in a hierarchical tree.

Traditional naming

Traditionally this structure reflects geographic or organizational boundaries: entries representing countries sit at the top of the tree, below them entries for states and national organizations, and below those entries for organizational units, people, printers, documents and so on.


Domain-based naming

The LDAP tree can also be arranged by Internet domain name; this naming style became popular because DNS can then be used to locate the directory service.
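Both naming styles, the DN and RDN terms from the Entry section, and the dn/rdn/dc rows of the attribute table all come down to one piece of syntax, the RFC 4514 DN string. The following is an added example, not code from the page or from OpenLDAP, that escapes, builds, parses and compares DNs of both styles; the sample DNs are constructed, and multi-valued RDNs (cn=a+sn=b) are left out as a simplifying assumption.

```python
from __future__ import annotations
import re

# Added example, not the page's or OpenLDAP's code: RFC 4514 DN strings for
# the two naming styles above. Multi-valued RDNs ("cn=a+sn=b") are rejected to
# keep the parser short; that is an assumption of this example.

_DN_SPECIAL = set(',+"\\<>;')
_ATTR_TYPE = re.compile(r'[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)*')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for embedding in a DN string."""
    out = []
    for ch in value:
        if ch in _DN_SPECIAL:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    s = ''.join(out)
    if s.startswith((' ', '#')):       # a leading space or '#' must be escaped
        s = '\\' + s
    if s.endswith(' '):                # and so must a trailing space
        s = s[:-1] + '\\ '
    return s


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute type, value) pairs, leaf RDN first.

    Understands backslash-char escapes and backslash-XX hex pairs (UTF-8
    bytes may be spread over several pairs) and tolerates spaces around commas.
    """
    pairs = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find('=', i)
        if eq < 0:
            raise ValueError(f"missing '=' in RDN at offset {i}")
        attr = dn[i:eq].strip()
        if not _ATTR_TYPE.fullmatch(attr):
            raise ValueError(f"bad attribute type {attr!r}")
        i = eq + 1
        while i < n and dn[i] == ' ':  # insignificant leading spaces
            i += 1
        raw, last = bytearray(), 0     # last: length up to the last significant byte
        while i < n and dn[i] != ',':
            ch = dn[i]
            if ch == '\\':
                hexpair = dn[i + 1:i + 3]
                if re.fullmatch(r'[0-9A-Fa-f]{2}', hexpair):
                    raw.append(int(hexpair, 16))
                    i += 3
                elif i + 1 < n:
                    raw += dn[i + 1].encode('utf-8')
                    i += 2
                else:
                    raise ValueError("dangling backslash at end of DN")
                last = len(raw)
            elif ch == '+':
                raise ValueError("multi-valued RDNs are not supported here")
            else:
                raw += ch.encode('utf-8')
                i += 1
                if ch != ' ':
                    last = len(raw)
        pairs.append((attr, bytes(raw[:last]).decode('utf-8')))
        i += 1                         # step over the comma
    return pairs


def build_dn(pairs) -> str:
    return ','.join(f"{attr}={escape_dn_value(value)}" for attr, value in pairs)


def rdn(dn: str) -> str:
    return build_dn(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    return build_dn(parse_dn(dn)[1:])


def is_within(dn: str, base: str) -> bool:
    """True if dn is base itself or lies below it. Attribute types compare
    case-insensitively; values compare exactly, which is a simplification
    (the real rule is schema-defined, e.g. caseIgnoreMatch for cn)."""
    d = [(a.lower(), v) for a, v in parse_dn(dn)]
    b = [(a.lower(), v) for a, v in parse_dn(base)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


# Constructed sample DNs: the page's domain-style tree, and a traditional
# geographic tree whose cn contains a comma that must be escaped.
DOMAIN_STYLE = [("uid", "zhan_z"), ("ou", "運維部"), ("ou", "研發中心"),
                ("dc", "hadoop"), ("dc", "apache"), ("dc", "org")]
TRADITIONAL_STYLE = [("cn", "Chen, Wei"), ("ou", "Research Center"),
                     ("o", "Apache Hadoop"), ("c", "CN")]

if __name__ == "__main__":
    for pairs in (DOMAIN_STYLE, TRADITIONAL_STYLE):
        dn = build_dn(pairs)
        assert parse_dn(dn) == pairs
        print(dn, "| rdn:", rdn(dn), "| parent:", parent_dn(dn))
    print(is_within("uid=hdfstest,ou=hadoop,dc=apache,dc=org", "DC=apache,DC=org"))
```

is_within is the check a consumer of search results or referrals wants: an entry the server returns should actually sit under the base you asked for before it is used in an authorization decision, and the comparison has to be made on parsed RDNs, not on the raw string, because an escaped comma in a value would otherwise look like a level boundary.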


Common LDAP commands

Common parameters

  • -f file: read the operations from file (normally an .ldif file).
  • -x: simple authentication (bind DN plus password). Over a plain ldap:// connection the password travels in cleartext, so combine it with -Z/-ZZ (StartTLS) or an ldaps:// URI on anything but a loopback connection.
  • -D binddn: the DN to bind as.
  • -H URI: the LDAP server given as a URI, e.g. ldap://172.0.0.1:389.
  • -h host: the LDAP server's IP address or hostname (the older form; -H is preferred).
  • -W: prompt for the bind password instead of putting it on the command line, e.g. ldapadd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -W
  • -w passwd: give the bind password on the command line for simple authentication, e.g. ldapadd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456. The password is then visible in process listings and shell history; for scripts prefer -y file, which uses the complete contents of the file as the password.
  • -p port: the LDAP server's port.
  • -v: verbose output.

ldapadd

Adds entries to the LDAP server (ldapadd is ldapmodify invoked with -a, so it can also carry modifications). Example:
ldapadd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -W -f init.ldif

ldapdelete

Deletes entries from the LDAP server. A non-leaf entry cannot be deleted on its own; -r deletes the whole subtree below the given DN. Example:
ldapdelete -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456 -h 172.0.0.1 "uid=hdfstest,ou=hadoop,dc=apache,dc=org"

ldapmodify

Adds or modifies entries on the LDAP server, reading the changes from an .ldif file. Records without a changetype line are added when -a is given; modifications are described with changetype: modify records. Example:
ldapmodify -a -H ldap://172.0.0.1:389 -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456 -f modifybarbara.ldif

ldapmodrdn

Renames an entry by replacing its RDN, and therefore its DN. Example:
ldapmodrdn -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456 "uid=hdfstest,ou=hadoop,dc=apache,dc=org" "uid=hivetest"
Without -r the old RDN value (uid=hdfstest) is kept as an attribute value of the renamed entry; add -r to remove it.

ldapsearch

Searches the LDAP server for entries. Example:
ldapsearch -x -h 172.0.0.1 -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456
This example gives neither a search base nor a filter: add -b "dc=hadoop,dc=apache,dc=org" to set the base DN (otherwise the BASE from ldap.conf, if any, is used) and a filter such as "(uid=hdfstest)" (the default is (objectClass=*), i.e. everything under the base); -LLL prints plain LDIF without comments or version line.
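ldapsearch takes its filter as a positional argument, and a filter built by pasting user input into a string is injectable in the same way as SQL: a single "*" turns a lookup of one user into a dump of every user. This added example (not from the page or from OpenLDAP) implements RFC 4515 filter escaping, shows the injectable version beside it for contrast, and assembles the ldapsearch argument list using the -y, -ZZ, -LLL and -s flags listed in the appendix. The bind DN and URI are the page's; the password file path /etc/ldap/manager.pw is an assumption.

```python
from __future__ import annotations
import shlex

# Added example, not the page's or OpenLDAP's code: RFC 4515 filter escaping
# next to the injectable version, plus the ldapsearch argument list a script
# should build. The password file path is an assumption of this example.

_FILTER_ESCAPES = {'*': '\\2a', '(': '\\28', ')': '\\29', '\\': '\\5c', '\x00': '\\00'}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter: the five
    special characters, control characters and non-ASCII become \\XX bytes."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append(''.join(f'\\{b:02x}' for b in ch.encode('utf-8')))
        else:
            out.append(ch)
    return ''.join(out)


def user_filter(uid: str) -> str:
    """Matches only the inetOrgPerson whose uid equals the input, whatever it contains."""
    return f"(&(objectClass=inetOrgPerson)(uid={escape_filter_value(uid)}))"


def unsafe_user_filter(uid: str) -> str:
    """The injectable version: input pasted straight into the filter."""
    return f"(&(objectClass=inetOrgPerson)(uid={uid}))"


def ldapsearch_argv(base_dn: str, search_filter: str, attrs: list[str],
                    uri: str = "ldap://172.0.0.1:389",
                    bind_dn: str = "cn=Manager,dc=hadoop,dc=apache,dc=org",
                    passwd_file: str = "/etc/ldap/manager.pw") -> list[str]:
    """argv for OpenLDAP ldapsearch: StartTLS required (-ZZ), password read
    from a file (-y) rather than given with -w, plain LDIF output (-LLL)."""
    return ["ldapsearch", "-x", "-ZZ", "-H", uri, "-D", bind_dn, "-y", passwd_file,
            "-LLL", "-b", base_dn, "-s", "sub", search_filter, *attrs]


if __name__ == "__main__":
    hostile = "*"                                   # constructed input: a wildcard
    print("unsafe:", unsafe_user_filter(hostile))   # (uid=*) matches every person
    print("safe:  ", user_filter(hostile))          # (uid=\2a) matches a literal '*'
    print(shlex.join(ldapsearch_argv("dc=hadoop,dc=apache,dc=org",
                                     user_filter("hdfstest"), ["dn", "cn", "uid"])))
```

Pass the list to subprocess.run without shell=True so the filter reaches ldapsearch as one argument. -y uses the complete contents of the file as the password, so create the file with printf rather than echo to avoid a trailing newline, and keep it readable only by the account that runs the script.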

ldappasswd

Changes a user's password on the LDAP server.

  • -S: prompt interactively for the new password
  • -s password: give the new password on the command line in cleartext (not recommended: it shows up in process listings and shell history)
  • -a oldpasswd: give the old password; a new password is generated automatically
  • -A: prompt for the old password; a new password is generated automatically

1) -S, prompt interactively for the new password
ldappasswd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456 -h 172.0.0.1 "cn=guolitao,ou=mysql,ou=研發中心,dc=hadoop,dc=apache,dc=org" -S
2) -s, new password given on the command line in cleartext (not recommended)
ldappasswd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456 -h 172.0.0.1 "uid=zhan_z,ou=運維部,ou=研發中心,dc=hadoop,dc=apache,dc=org" -s 123456
3) -a, old password given; a random new password is generated
ldappasswd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456 -h 172.0.0.1 "uid=zhan_z,ou=運維部,ou=研發中心,dc=hadoop,dc=apache,dc=org" -a 123456
4) -A, prompt for the old password; a random new password is generated
ldappasswd -x -D "cn=Manager,dc=hadoop,dc=apache,dc=org" -w 123456 -h 172.0.0.1 "uid=zhan_z,ou=運維部,ou=研發中心,dc=hadoop,dc=apache,dc=org" -A

Appendix: LDAP command parameters in detail

ldapadd

$ ldapadd --help

Add or modify entries from an LDAP server

usage: ldapadd [options]
        The list of desired operations are read from stdin or from the file
        specified by "-f file".
Add or modify options:
  -a         add values (default)
  -c         continuous operation mode (do not stop on errors)
  -E [!]ext=extparam    modify extensions (! indicate s criticality)
  -f file    read operations from `file'
  -M         enable Manage DSA IT control (-MM to make critical)
  -P version protocol version (default: 3)
  -S file    write skipped modifications to `file'
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)
             [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit         (RFC 3296)
             [!]noop
             ppolicy
             [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)
             [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)
             [!]relax
             [!]sessiontracking
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Identifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -N         do not use reverse DNS to canonicalize SASL host name
  -O props   SASL security properties
  -o <opt>[=<optparam>] general options
             nettimeout=<timeout> (in seconds, or "none" or "max")
             ldif-wrap=<width> (in columns, or "no" for no wrapping)
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)

ldapdelete

$ ldapdelete --help

Delete entries from an LDAP server

usage: ldapdelete [options] [dn]...
        dn: list of DNs to delete. If not given, it will be readed from stdin
            or from the file specified with "-f file".
Delete Options:
  -c         continuous operation mode (do not stop on errors)
  -f file    read operations from `file'
  -M         enable Manage DSA IT control (-MM to make critical)
  -P version protocol version (default: 3)
  -r         delete recursively
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)
             [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit         (RFC 3296)
             [!]noop
             ppolicy
             [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)
             [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)
             [!]relax
             [!]sessiontracking
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Identifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -N         do not use reverse DNS to canonicalize SASL host name
  -O props   SASL security properties
  -o <opt>[=<optparam>] general options
             nettimeout=<timeout> (in seconds, or "none" or "max")
             ldif-wrap=<width> (in columns, or "no" for no wrapping)
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)

ldapmodify

$ ldapmodify --help

Add or modify entries from an LDAP server

usage: ldapmodify [options]
        The list of desired operations are read from stdin or from the file
        specified by "-f file".
Add or modify options:
  -a         add values (default is to replace)
  -c         continuous operation mode (do not stop on errors)
  -E [!]ext=extparam    modify extensions (! indicate s criticality)
  -f file    read operations from `file'
  -M         enable Manage DSA IT control (-MM to make critical)
  -P version protocol version (default: 3)
  -S file    write skipped modifications to `file'
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)
             [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit         (RFC 3296)
             [!]noop
             ppolicy
             [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)
             [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)
             [!]relax
             [!]sessiontracking
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Identifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -N         do not use reverse DNS to canonicalize SASL host name
  -O props   SASL security properties
  -o <opt>[=<optparam>] general options
             nettimeout=<timeout> (in seconds, or "none" or "max")
             ldif-wrap=<width> (in columns, or "no" for no wrapping)
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)

ldapmodrdn

$ ldapmodrdn --help

Rename LDAP entries

usage: ldapmodrdn [options] [dn rdn]
        dn rdn: If given, rdn will replace the RDN of the entry specified by DN
                If not given, the list of modifications is read from stdin or
                from the file specified by "-f file" (see man page).
Rename options:
  -c         continuous operation mode (do not stop on errors)
  -f file    read operations from `file'
  -M         enable Manage DSA IT control (-MM to make critical)
  -P version protocol version (default: 3)
  -r             remove old RDN
  -s newsup  new superior entry
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)
             [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit         (RFC 3296)
             [!]noop
             ppolicy
             [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)
             [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)
             [!]relax
             [!]sessiontracking
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Identifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -N         do not use reverse DNS to canonicalize SASL host name
  -O props   SASL security properties
  -o <opt>[=<optparam>] general options
             nettimeout=<timeout> (in seconds, or "none" or "max")
             ldif-wrap=<width> (in columns, or "no" for no wrapping)
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)

ldapsearch

$ ldapsearch -help

usage: ldapsearch [options] [filter [attributes...]]

Search options:
  -a deref   one of never (default), always, search, or find
  -A         retrieve attribute names only (no values)
  -b basedn  base dn for search
  -c         continuous operation mode (do not stop on errors)
  -E [!]<ext>[=<extparam>] search extensions (! indicates criticality)
             [!]domainScope              (domain scope)
             !dontUseCopy                (Don't Use Copy)
             [!]mv=<filter>              (RFC 3876 matched values filter)
             [!]pr=<size>[/prompt|noprompt] (RFC 2696 paged results/prompt)
             [!]sss=[-]<attr[:OID]>[/[-]<attr[:OID]>...]
                                         (RFC 2891 server side sorting)
             [!]subentries[=true|false]  (RFC 3672 subentries)
             [!]sync=ro[/<cookie>]       (RFC 4533 LDAP Sync refreshOnly)
                     rp[/<cookie>][/<slimit>] (refreshAndPersist)
             [!]vlv=<before>/<after>(/<offset>/<count>|:<value>)
                                         (ldapv3-vlv-09 virtual list views)
             [!]deref=derefAttr:attr[,...][;derefAttr:attr[,...][;...]]
             [!]<oid>[=:<b64value>] (generic control; no response handling)
  -f file    read operations from `file'
  -F prefix  URL prefix for files (default: file:///tmp/)
  -l limit   time limit (in seconds, or "none" or "max") for search
  -L         print responses in LDIFv1 format
  -LL        print responses in LDIF format without comments
  -LLL       print responses in LDIF format without comments
             and version
  -M         enable Manage DSA IT control (-MM to make critical)
  -P version protocol version (default: 3)
  -s scope   one of base, one, sub or children (search scope)
  -S attr    sort the results by attribute `attr'
  -t         write binary values to files in temporary directory
  -tt        write all values to files in temporary directory
  -T path    write files to directory specified by path (default: /tmp)
  -u         include User Friendly entry names in the output
  -z limit   size limit (in entries, or "none" or "max") for search
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)
             [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit         (RFC 3296)
             [!]noop
             ppolicy
             [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)
             [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)
             [!]relax
             [!]sessiontracking
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Identifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -N         do not use reverse DNS to canonicalize SASL host name
  -O props   SASL security properties
  -o <opt>[=<optparam>] general options
             nettimeout=<timeout> (in seconds, or "none" or "max")
             ldif-wrap=<width> (in columns, or "no" for no wrapping)
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)

ldappasswd

$ ldappasswd --help

Change password of an LDAP user

usage: ldappasswd [options] [user]
  user: the authentication identity, commonly a DN
Password change options:
  -a secret  old password
  -A         prompt for old password
  -t file    read file for old password
  -s secret  new password
  -S         prompt for new password
  -T file    read file for new password
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)
             [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit         (RFC 3296)
             [!]noop
             ppolicy
             [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)
             [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)
             [!]relax
             [!]sessiontracking
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Identifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -N         do not use reverse DNS to canonicalize SASL host name
  -O props   SASL security properties
  -o <opt>[=<optparam>] general options
             nettimeout=<timeout> (in seconds, or "none" or "max")
             ldif-wrap=<width> (in columns, or "no" for no wrapping)
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)

ldapwhoami

$ ldapwhoami --help

Issue LDAP Who am I? operation to request user's authzid

usage: ldapwhoami [options]
Common options:
  -d level   set LDAP debugging level to `level'
  -D binddn  bind DN
  -e [!]<ext>[=<extparam>] general extensions (! indicates criticality)
             [!]assert=<filter>     (RFC 4528; a RFC 4515 Filter string)
             [!]authzid=<authzid>   (RFC 4370; "dn:<dn>" or "u:<user>")
             [!]chaining[=<resolveBehavior>[/<continuationBehavior>]]
                     one of "chainingPreferred", "chainingRequired",
                     "referralsPreferred", "referralsRequired"
             [!]manageDSAit         (RFC 3296)
             [!]noop
             ppolicy
             [!]postread[=<attrs>]  (RFC 4527; comma-separated attr list)
             [!]preread[=<attrs>]   (RFC 4527; comma-separated attr list)
             [!]relax
             [!]sessiontracking
             abandon, cancel, ignore (SIGINT sends abandon/cancel,
             or ignores response; if critical, doesn't wait for SIGINT.
             not really controls)
  -h host    LDAP server
  -H URI     LDAP Uniform Resource Identifier(s)
  -I         use SASL Interactive mode
  -n         show what would be done but don't actually do it
  -N         do not use reverse DNS to canonicalize SASL host name
  -O props   SASL security properties
  -o <opt>[=<optparam>] general options
             nettimeout=<timeout> (in seconds, or "none" or "max")
             ldif-wrap=<width> (in columns, or "no" for no wrapping)
  -p port    port on LDAP server
  -Q         use SASL Quiet mode
  -R realm   SASL realm
  -U authcid SASL authentication identity
  -v         run in verbose mode (diagnostics to standard output)
  -V         print version info (-VV only)
  -w passwd  bind password (for simple authentication)
  -W         prompt for bind password
  -x         Simple authentication
  -X authzid SASL authorization identity ("dn:<dn>" or "u:<user>")
  -y file    Read password from file
  -Y mech    SASL mechanism
  -Z         Start TLS request (-ZZ to require successful response)

References
OpenLDAP documentation
