For testing and configuration purposes, you can use the ldapsearch command with ºÚÁϺ£½Ç91Èë¿Ú's LDAP service.
Prerequisites:
- You'll need to create an LDAP Binding User so that you can execute searches on the ºÚÁϺ£½Ç91Èë¿Ú directory, not just bind to it. For instructions, see Use Cloud LDAP.
- ldapsearch is used via Terminal on Linux and Mac.
- ldapsearch will only work if users are first added to the LDAP Directory in ºÚÁϺ£½Ç91Èë¿Ú. See Use Cloud LDAP for instructions on adding users to the LDAP Directory.
In the following ldapsearch examples, you will be required to enter the LDAP binding user's password.
List all Users in the Directory
All users in the "Users" tab are reflected into the ºÚÁϺ£½Ç91Èë¿Ú Hosted LDAP service under the OU "ou=Users,o=<your-organization-id>,dc=jumpcloud;dc=com".
Example:
ldapsearch -H ldaps://:636 -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=<LDAP-binding-username>,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"
List All POSIX Groups in the Directory
POSIX groups are reflected into the ºÚÁϺ£½Ç91Èë¿Ú Hosted LDAP service when you create a tag or Group of Users in ºÚÁϺ£½Ç91Èë¿Ú with the "Create Linux group.." enabled in the object's details side panel. They appear under the OU "ou=Users,o=<your-organization-id>,dc=jumpcloud;dc=com". Ensure that the group is assigned to the LDAP directory before performing the search.
Example:
ldapsearch -H ldaps://:636 -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=<LDAP-binding-username>,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=posixGroup)"
List all Groups of Names in the Directory
Groups of names (LDAP objectClass: groupOfNames) can be found in the ºÚÁϺ£½Ç91Èë¿Ú Hosted LDAP service in the OU "ou=Users,o=<your-organization-id>,dc=jumpcloud;dc=com".
Example:
ldapsearch -H ldaps://:636 -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=<LDAP-binding-username>,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=groupOfNames)"
Using LDAP versus LDAPS (StartTLS – port 389)
As you will note in the above examples, we have provided various methods of executing an ldapsearch using SSL on port 636. You may execute requests similar to the examples above when connecting via StartTLS, with the exception that you will want to have the -ZZ flag set. When you give ldapsearch the -ZZ flag, you are asking it to use "in-band" SSL/TLS by using the StartTLS command.
Example:
ldapsearch -H ldap://:389 -ZZ -x -b "ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -D "uid=<LDAP-binding-username>,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -W "(objectClass=inetOrgPerson)"
Testing Client Authentication
ldapwhoami -H "ldaps://" -D "uid=UID_TO_TEST,ou=Users,o=YOUR_ORG_ID,dc=jumpcloud,dc=com" -x -W
Troubleshooting: ldapsearch Can’t Contact LDAP Server
When your server's CA root certificates do not contain our CA, your ldapsearch will refuse to connect to ºÚÁϺ£½Ç91Èë¿Ú because it cannot verify that our certificate was created by a trusted third party, resulting in the following error message:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
When this happens, you may be able to correct it by doing the following:
CentOS/RedHat/Amazon Linux
- Edit
/etc/openldap/ldap.conf
- Replace any lines that start with
TLS_CACERT
with the following:
TLS_CACERT /etc/ssl/certs/ca-bundle.crt
Ubuntu
The following command may correct the issue:update-ca-certificates
MacOS
On macOS, no additional CAs are required, so all certs are already in place.