LDAPsearch difficulties

Hello,

please help me with a problem I have with ldapsearch:

In the console, using

univention-ldapsearch "(&(objectClass=person)(uid=testuser))"

fetches all data of a user.

When I replicate the request using ldapsearch, I have to use

ldapsearch -H ldaps://localhost -x -D "cn=Administrator,cn=users,dc=mydomain,dc=local" -w "secretpassword" "(&(objectClass=person)(cn=testuser))"

Notice that uid=testuser in the filter would NOT work.

While this request works, I only get a reduced set of attributes of the user. But I do need the full set of attributes.
What must the search look like to get all the attributes via ldapsearch?

I cannot use univention-ldapsearch because I have to search from within a python script.

Kind regards,
Tom

One more thing:

In the documentation I found that there are two LDAP secrets stored in files on UCS systems. These are /etc/ldap.secret (for “cn=admin,$ldap_base”) and /etc/machine.secret (for “$ldap_hostdn”) (compare: https://docs.software-univention.de/developer-reference-4.1.html#join:secret)

I tried to use the first credentials to see if this would make a difference with ldapsearch, concerning the problem described above.

To my bewilderment the call

ldapsearch -H ldaps://localhost -x -D "cn=admin,dc=mydomain,dc=local" -w "password_from_ldap.secret" "(&(objectClass=person)(cn=testuser))"

fails, throwing the error

ldap_bind: Invalid credentials (49)
additional info: 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1

while I can use the very same credentials successfully via an external tool (LDAP Admin, http://www.ldapadmin.org/).

What am I missing?

OK, well, I found at least an answer to my first question, but only after ‘reverse-engineering’ the univention-ldapsearch command.

The search

univention-ldapsearch "(&(objectClass=person)(uid=testuser))"

is converted into

ldapsearch -o ldif-wrap=no -ZZ -D "cn=ucs-master,cn=dc,cn=computers,dc=mydomain,dc=local" -y /etc/machine.secret "(&(objectClass=person)(uid=testuser))"

so basically the difference is made by different access permissions.
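The mapping worked out in the post above, as an added Python example that is not code from this thread or from Univention: it builds the same ldapsearch invocation (machine account, password read from /etc/machine.secret via -y, STARTTLS enforced, unwrapped LDIF) and parses the LDIF that comes back, which is what a Python script needs in place of univention-ldapsearch. The -x flag, the attribute handling, the reliance on /etc/ldap/ldap.conf for host and base DN, and the sample LDIF are assumptions.

```python
import base64
import subprocess
# DN and secret file from the reverse-engineered command above; host, port and
# base DN come from /etc/ldap/ldap.conf, as when ldapsearch runs without -H/-b.
MACHINE_DN = "cn=ucs-master,cn=dc,cn=computers,dc=mydomain,dc=local"
MACHINE_SECRET = "/etc/machine.secret"

def build_ldapsearch_argv(ldap_filter, bind_dn=MACHINE_DN,
                          secret_file=MACHINE_SECRET, attrs=()):
    """Mirror univention-ldapsearch: STARTTLS enforced (-ZZ), simple bind (-x)
    with the password read from a file (-y) instead of the command line, LDIF
    unwrapped (-o ldif-wrap=no). attrs=("*", "+") adds operational attributes."""
    return ["ldapsearch", "-o", "ldif-wrap=no", "-ZZ", "-x",
            "-D", bind_dn, "-y", secret_file, ldap_filter, *attrs]

def parse_ldif(text):
    """Unwrapped LDIF -> list of entries (attribute -> list of values)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():  # a blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or (name != "dn" and "dn" not in current):
            continue  # not an attribute line, or the 'search:'/'result:' trailer
        if value.startswith(":"):  # 'attr:: <base64>' for non-ASCII values
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries

def ldap_search(ldap_filter, attrs=()):  # run the search as the machine account
    proc = subprocess.run(build_ldapsearch_argv(ldap_filter, attrs=attrs),
                          check=True, capture_output=True, text=True)
    return parse_ldif(proc.stdout)

# Constructed sample output (not captured from a real host) to exercise parse_ldif.
SAMPLE_LDIF = """dn: uid=testuser,cn=users,dc=mydomain,dc=local
objectClass: person
objectClass: posixAccount
displayName:: VMO2bSBUZXN0ZXI=

result: 0 Success
"""
```

ldap_search() needs a UCS host with ldapsearch installed and read access to /etc/machine.secret (root); parse_ldif() and build_ldapsearch_argv() run anywhere.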
