ºÚÁϺ£½Ç91Èë¿Ú

Use ldapsearch with ºÚÁϺ£½Ç91Èë¿Ú

For testing and configuration purposes, you can use the ldapsearch command with ºÚÁϺ£½Ç91Èë¿Ú's LDAP service.

Prerequisites:

  • You'll need to create an LDAP Binding User so that you can execute searches on the ºÚÁϺ£½Ç91Èë¿Ú directory, not just bind to it. For instructions, see Use Cloud LDAP.
  • ldapsearch is used via Terminal on Linux and Mac. 
  • ldapsearch will only work if users are first added to the LDAP Directory in ºÚÁϺ£½Ç91Èë¿Ú. See Use Cloud LDAP for instructions on adding users to the LDAP Directory.

Note:

In the following ldapsearch examples, you will be required to enter the LDAP binding user's password. 

List all Users in the Directory

All users in the "Users" tab are reflected into the ºÚÁϺ£½Ç91Èë¿Ú Hosted LDAP service under the OU "ou=Users,o=<your-organization-id>,dc=jumpcloud;dc=com".

Example:

ldapsearch -H ldaps://:636 -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=<LDAP-binding-username>,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"

List All POSIX Groups in the Directory

POSIX groups are reflected into the ºÚÁϺ£½Ç91Èë¿Ú Hosted LDAP service when you create a tag or Group of Users in ºÚÁϺ£½Ç91Èë¿Ú with the "Create Linux group.." enabled in the object's details side panel. They appear under the OU "ou=Users,o=<your-organization-id>,dc=jumpcloud;dc=com". Ensure that the group is assigned to the LDAP directory before performing the search.

Example:

ldapsearch -H ldaps://:636 -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=<LDAP-binding-username>,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=posixGroup)"

List all Groups of Names in the Directory

Groups of names (LDAP objectClass: groupOfNames) can be found in the ºÚÁϺ£½Ç91Èë¿Ú Hosted LDAP service in the OU "ou=Users,o=<your-organization-id>,dc=jumpcloud;dc=com".

Example:

ldapsearch -H ldaps://:636 -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=<LDAP-binding-username>,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=groupOfNames)"

Using LDAP versus LDAPS (StartTLS – port 389)

As you will note in the above examples, we have provided various methods of executing an ldapsearch using SSL on port 636. You may execute requests similar to the examples above when connecting via StartTLS, with the exception that you will want to have the -ZZ flag set. When you give ldapsearch the -ZZ flag, you are asking it to use "in-band" SSL/TLS by using the StartTLS command.

Example:

ldapsearch -H ldap://:389 -ZZ -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=<LDAP-binding-username>,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"

Testing Client Authentication 

ldapwhoami -H "ldaps://" -D "uid=UID_TO_TEST,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -x -W

Troubleshooting: ldapsearch Can’t Contact LDAP Server

When your server's CA root certificates do not contain our CA, your ldapsearch will refuse to connect to ºÚÁϺ£½Ç91Èë¿Ú because it cannot verify that our certificate was created by a trusted third party, resulting in the following error message:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

When this happens, you may be able to correct it by doing the following:

CentOS/RedHat/Amazon Linux

  1. Edit /etc/openldap/ldap.conf
  2. Replace any lines that start with TLS_CACERT with the following:

TLS_CACERT /etc/ssl/certs/ca-bundle.crt

Ubuntu
The following command may correct the issue:
update-ca-certificates
MacOS
On macOS, no additional CAs are required, so all certs are already in place.

Back to Top

List IconIn this Article

Notebook IconLearn More

Still Have Questions?

If you cannot find an answer to your question in our FAQ, you can always contact us.

Submit a Case