cmaheu
Staff
October 26, 2020

Technical Tip: Lookup a user in LDAP from CLI

Description
This article explains how to use the appliance CLI to obtain information about a user in LDAP (such as group membership).

Scope
Version: 8.x

Solution
Log in to the appliance CLI as root.


LDAP format

Use one of the following commands:

ldapsearch  -h <IP of Directory> -x -b "<search branch>" -D "<username>" -w "<password>"  "(&(objectclass=user)(sAMAccountName=<UserID>))"

ldapsearch -H ldap://<Name of Directory> -x -D "<username>" -b "<search branch>" "(&(objectclass=user)(sAMAccountName=<UserID>))" -w '<password>' -a always -d 5


Replace with the appropriate values:
IP of Directory = IP referenced in Administration UI under System > Settings > Authentication > LDAP
Search branch = search branch used to locate user account under System > Settings > Authentication > LDAP
Username = username used by the appliance to connect with the directory under System > Settings > Authentication > LDAP
Password = password used by the appliance to connect with the directory under System > Settings > Authentication > LDAP
UserID = sAMAccountName of the user


Example:
ldapsearch -h 192.168.34.3 -x -b "DC=sldomain,DC=network" -D "administrator@sldomain.network" -w "mypassword" "(&(objectclass=user)(sAMAccountName=jsmith))"



LDAPS format

LDAPTLS_REQCERT=never ldapsearch -H ldaps://<Name of Directory> -x -D "<username>" -b "<search branch>" "(&(objectclass=user)(sAMAccountName=<UserID>))" -w '<password>' -a always -d 5


-a deref    alias dereferencing: one of never (default), always, search, or find
-d level    set LDAP debugging level to `level' (5 is suggested)
-x          simple authentication
-D binddn   bind DN
-b basedn   base DN for the search
-W          prompt for the bind password (instead of passing it with -w)

LDAPTLS_REQCERT=never   disables validation of the directory server's certificate; use it only if AD presents a self-signed certificate. Since this also removes the protection against connecting to a spoofed directory server, prefer pointing LDAPTLS_CACERT at the issuing CA certificate when one is available.


Example:
LDAPTLS_REQCERT=never  ldapsearch -H ldaps://WIN-QSH73DPRRK6.SupportLAB.fortinac.com -d 5  -x  -D "ouradmin@SupportLAB.fortinac.com" -b "DC=SupportLAB,DC=fortinac,DC=com" "(&(objectclass=user)(sAMAccountName=jsmith))" -w 'PASSWORD'
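The following shell helper is an added example, not part of the original article: it builds the same `(&(objectclass=user)(sAMAccountName=<UserID>))` filter used above, but escapes the user ID per RFC 4515 so a value containing filter metacharacters cannot change the query, and it prompts for the bind password with -W rather than passing it on the command line. The host name, bind DN, search base and the requested attributes (sAMAccountName, memberOf) are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): safe construction of the
# sAMAccountName lookup filter and an LDAPS lookup wrapper around ldapsearch.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# Backslash must be handled first so later replacements are not re-escaped.
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' \
                           -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' \
                           -e 's/)/\\29/g'
}

# Build the exact filter form used in this article for one user ID.
user_filter() {
    printf '(&(objectclass=user)(sAMAccountName=%s))' "$(ldap_filter_escape "$1")"
}

# Run the LDAPS lookup. -W prompts for the bind password so it does not end
# up in shell history or in `ps` output, and only the attributes needed for a
# membership check are requested. Arguments (all assumed placeholders):
#   $1 = directory host name, $2 = bind DN, $3 = search base, $4 = user ID
lookup_user() {
    ldapsearch -H "ldaps://$1" -x -D "$2" -W -b "$3" \
        "$(user_filter "$4")" -a always sAMAccountName memberOf
}

# Usage: lookup_user dc01.example.test "ouradmin@example.test" "DC=example,DC=test" jsmith
```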