Directory (LDAP)
1. DN vs. RDN
DN (distinguished name) is globally unique within the directory.
RDN (relative distinguished name) is unique only among the entries under the same parent. The RDN is usually the naming attribute of the entry (for example uid or cn). DN = RDN + parent DN: the entry's own RDN followed by the DN of its parent, so uid=jdoe,ou=people,o=myo has the RDN uid=jdoe and the parent ou=people,o=myo.
2. LDAP error code 10 (referral)
I had a connection to a read replica, and trying to update an attribute in LDAP was resulting in this error.
3. Starter query
ldapsearch -x -h <host> -D '<UserDN>' -w <password> -b '<BaseDN>' '(uid=91203074)' uid cn
-x selects a simple bind. Giving the password with -w puts it in the process list and the shell history; on a shared host use -W to be prompted for it, or -y <file> with a mode-600 password file.
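The two naming rules above, DN = RDN + parent DN (item 1) and the (uid=...) filter of the starter query (item 3), as an added Python example that is not from the page: split_dn and rdn_and_parent take a DN apart the way RFC 4514 defines it, so a comma escaped inside a value does not break the DN; uid_filter escapes the value as RFC 4515 requires, so a uid taken from user input cannot rewrite the filter (LDAP filter injection). Standard library only; every DN and uid in it is a constructed sample.

```python
"""Added example (not from the page): DN splitting and filter escaping.

split_dn / rdn_and_parent: DN = RDN + parent DN, split on unescaped commas
as RFC 4514 defines it.  uid_filter: the starter query's filter with the
value escaped per RFC 4515, so user input cannot inject filter syntax.
All DNs and uids here are constructed samples.
"""
from __future__ import annotations

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514 2.4).
_DN_SPECIALS = ',+"\\<>;'

# Assertion-value characters that must be hex-escaped in a search filter (RFC 4515 3).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDN strings, honouring backslash escapes."""
    rdns: list[str] = []
    buf: list[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])       # escaped char: copy the pair, never split here
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip())
    return [r for r in rdns if r]


def rdn_and_parent(dn: str) -> tuple[str, str]:
    """Return (RDN, parent DN): the leftmost RDN names the entry, the rest is its parent."""
    parts = split_dn(dn)
    if not parts:
        raise ValueError("empty DN")
    return parts[0], ",".join(parts[1:])


def escape_dn_value(value: str) -> str:
    """Escape a value for use inside an RDN, e.g. cn=<escaped>."""
    out: list[str] = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in _DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\00")
        elif ch == " " and idx in (0, last):
            out.append("\\ ")              # leading/trailing space survives only if escaped
        elif ch == "#" and idx == 0:
            out.append("\\#")              # a leading '#' would be read as a hex-encoded value
        else:
            out.append(ch)
    return "".join(out)


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it cannot introduce filter syntax."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_filter(uid: str) -> str:
    """The starter query's filter, built safely from an arbitrary uid value."""
    return f"(uid={escape_filter_value(uid)})"


if __name__ == "__main__":
    dn = r"cn=Smith\, John,ou=people,o=myo"      # constructed sample DN
    print(rdn_and_parent(dn))                     # ('cn=Smith\\, John', 'ou=people,o=myo')
    print(uid_filter("91203074"))                 # (uid=91203074)
    # A hostile uid that would otherwise match every entry:
    print(uid_filter("*)(uid=*"))                 # (uid=\2a\29\28uid=\2a)
```

The last call is the point: without escaping, the value `*)(uid=*` turns `(uid=...)` into a filter that matches everything, which is how LDAP injection in login forms works.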
4. A search that would return a large result set is cut off when nsslapd-sizelimit (the server-wide size limit) is smaller than the result: the server stops with result code 4 (Size limit exceeded), and depending on the filter it may send no entries at all, so an empty result is not proof that nothing matched. The limit is an attribute of cn=config, which is persisted in /etc/dirsrv/slapd-{ServerName}/dse.ldif; change it with ldapmodify against cn=config, or edit dse.ldif only with the server stopped, because a running server rewrites that file. Per-user overrides are the nsSizeLimit and nsLookThroughLimit attributes on the bind entry.
5. To find the number of entries directly under a DN
ldapsearch -u -D "cn=Directory Manager" -h ldapserver -p 389 -b "ou=myou,c=myc,o=myo" -w password -s base "(objectclass=*)" numsubordinates
numSubordinates is an operational attribute and has to be requested by name, as above; it counts immediate children only, not the whole subtree.
6. To add an ACI
./ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password --filename ~/aci.ldif
aci.ldif
----------
dn: c=myc,o=myo
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "give all users full rights"; allow(all) userdn = "ldap:///uid=*,o=myo";)
-------------------
Note what this ACI does: every entry under o=myo (userdn = "ldap:///uid=*,o=myo") gets all rights, write and delete included, on every attribute of the c=myc,o=myo subtree, so any bound user can change any other user's entry or password. Use it only on a throwaway test directory; a real ACI restricts targetattr, the rights and the userdn to what the application needs.
7. To apply an LDIF file
ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w password --filename ~/ua.ldif
7.1 LDIF file to replace an attribute value
newvalue.ldif
---------------------
dn: spsid=myid,o=myo
changetype: modify
replace: attrname
attrname: 2
--------------------
The LDIF change syntax itself is standard (RFC 2849); what differs between directory implementations is the ldapmodify command line. --filename is the long form in OpenDJ's tool, while OpenLDAP's and the 389 DS tools take -f, which works in all of them.
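Items 6 and 7 feed hand-written LDIF to ldapmodify. As an added Python example, not from the page, the helpers below generate those change records and handle the two RFC 2849 rules that hand-written files most often break: a value that begins with a space, ':' or '<', ends with a space, or contains NUL, CR, LF or any non-ASCII character must be base64-encoded and written after '::', and records in one file must be separated by a blank line. The DNs, attribute names, the narrower ACI and the values are constructed samples.

```python
"""Added example (not from the page): writing LDIF change records for ldapmodify.

Handles two RFC 2849 rules: values that are not LDIF-safe are written
base64-encoded after '::', and records are separated by one blank line.
DNs, attributes and values below are constructed samples.
"""
from __future__ import annotations

import base64

_UNSAFE_FIRST = {" ", ":", "<"}


def needs_base64(value: str) -> bool:
    """True when RFC 2849 does not allow the value to appear verbatim after 'attr: '."""
    if not value:
        return False
    if value[0] in _UNSAFE_FIRST or value[-1] == " ":
        return True
    return any(ch in "\0\r\n" or ord(ch) > 127 for ch in value)


def ldif_line(attr: str, value: str) -> str:
    """One 'attr: value' line, or 'attr:: <base64>' when the value is not LDIF-safe."""
    if needs_base64(value):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def modify_record(dn: str, op: str, attr: str, values: list[str]) -> str:
    """A changetype: modify record with one add/replace/delete operation.

    The trailing '-' closes the operation as RFC 2849 requires; most servers
    tolerate its absence for a single operation, but not when two follow.
    """
    if op not in ("add", "replace", "delete"):
        raise ValueError(f"unknown modify op {op!r}")
    lines = [ldif_line("dn", dn), "changetype: modify", f"{op}: {attr}"]
    lines += [ldif_line(attr, v) for v in values]
    lines.append("-")
    return "\n".join(lines) + "\n"


def ldif_file(*records: str) -> str:
    """Join records with the blank line ldapmodify needs between them."""
    return "\n".join(records)


if __name__ == "__main__":
    # The item 7.1 record, generated instead of typed.
    replace = modify_record("spsid=myid,o=myo", "replace", "attrname", ["2"])
    # An ACI far narrower than item 6's allow(all): each user may read a few of
    # its own attributes and nothing else.  Illustrative, not from the page.
    aci = ('(targetattr="cn || sn || mail")(version 3.0; acl "self read"; '
           'allow(read, search, compare) userdn="ldap:///self";)')
    grant = modify_record("c=myc,o=myo", "add", "aci", [aci])
    # A value that must be base64-encoded (non-ASCII).
    name = modify_record("uid=zoe,ou=people,o=myo", "replace", "givenName", ["Zoë"])
    print(ldif_file(replace, grant, name), end="")
```

Pipe the output into ldapmodify exactly as item 7 does with a file. The ACI in the demo is only there to show what a scoped grant looks like next to the allow(all) one above; adjust targetattr and the rights to your schema before using anything like it.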
8. Nice articles on OpenDJ
https://idmdude.com/2014/01/01/opendj-indexes-explained/
https://onemoretech.wordpress.com/2012/03/29/opendj-cheat-sheet/
9. How to see the replication status
dsreplication status -h localhost -p 4444 -I admin -w password -X -n
-I is the replication admin UID, -n runs without prompting, and -X (--trustAll) accepts the administration port's certificate without verifying it. --trustAll is fine on a lab box; on a real deployment point the tool at a truststore (--trustStorePath) instead, since an unverified TLS connection carrying the admin password is exactly what an on-path attacker wants.
9.1 To reinitialize the database on one node from another node
dsreplication initialize --baseDN "ou=example,o=com" --adminUID admin --adminPassword password --hostSource <sourceHostIP> --portSource 4444 --hostDestination <destHostIP> --portDestination 4444 --trustAll
This overwrites the destination's copy of the base DN with the source's data, so check which host is which before running it.
10. To list the indexes of a backend and their properties
/opt/opendj/bin/dsconfig list-local-db-indexes -h localhost -p 4444 -D "cn=directory manager" -w password -X -n --backend-name <backendname>
11. To check the global settings (OpenDJ)
dsconfig get-global-configuration-prop -h localhost -p 4444 -D "cn=Directory Manager" -w password -X -n
12. To rebuild an index while OpenDJ is online
./rebuild-index -p 4444 -X -w password -b <baseDN> -i iplanet-am-user-federation-info-key -i sun-fm-saml2-nameid-infokey -i memberof
To do the same offline, stop the server and omit the connection options (port, password and -X); the -b and -i arguments stay the same.
13. In OpenDJ the following query is an unindexed search unless modifyTimestamp has an ordering index; the >= and <= assertions need it, and an equality index alone does not help. Accounts without the unindexed-search privilege (see item 22) get an insufficient-access-rights result instead of data, and because an unindexed search scans the whole backend it is an easy way for a client to load the server.
ldapsearch -h localhost -p 1389 -D "bindDN" -w password -b "baseDN" "(&(modifyTimestamp>=20160808050000Z)(modifyTimestamp<=20160815050000Z)(objectClass=user))"
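The time window in that filter, as an added Python example that is not from the page: modifyTimestamp holds a GeneralizedTime (RFC 4517), so the bounds must be UTC with a trailing Z, exactly like 20160808050000Z above. The helpers convert timezone-aware datetimes to that form, refuse naive datetimes (a local-time value without a zone silently shifts the window), and emit the filter as a single AND of the three terms, which is what the server evaluates; the nested (&(&...)) form is equivalent but redundant. The objectClass name and the ISO timestamps are constructed samples.

```python
"""Added example (not from the page): the modifyTimestamp window filter from item 13.

Converts aware datetimes to LDAP GeneralizedTime in UTC and builds the
range filter as one conjunction.  Timestamps and objectClass are samples.
"""
from datetime import datetime, timezone


def generalized_time(dt: datetime) -> str:
    """Render an aware datetime as LDAP GeneralizedTime in UTC (YYYYMMDDHHMMSSZ)."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("naive datetime: attach a timezone so the UTC conversion is explicit")
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")


def modified_between(start: datetime, end: datetime, object_class: str = "user") -> str:
    """Filter for entries of object_class modified within [start, end]."""
    if end < start:
        raise ValueError("window end precedes its start")
    return (f"(&(modifyTimestamp>={generalized_time(start)})"
            f"(modifyTimestamp<={generalized_time(end)})"
            f"(objectClass={object_class}))")


def modified_between_iso(start_iso: str, end_iso: str, object_class: str = "user") -> str:
    """Same, from ISO 8601 strings such as 2016-08-08T07:00:00+02:00."""
    return modified_between(datetime.fromisoformat(start_iso),
                            datetime.fromisoformat(end_iso), object_class)


if __name__ == "__main__":
    # The page's window, once in UTC and once in a +02:00 zone: the same filter.
    print(modified_between_iso("2016-08-08T05:00:00+00:00", "2016-08-15T05:00:00+00:00"))
    print(modified_between_iso("2016-08-08T07:00:00+02:00", "2016-08-15T07:00:00+02:00"))
```

Building the filter this way does nothing about the index; it only guarantees the window is the one you meant. Whether the search is indexed is still decided by the ordering index on modifyTimestamp (items 10 and 15).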
14. To get the count of entries directly under an OU (at least works on OpenDJ; same numSubordinates attribute as item 5, immediate children only)
ldapsearch -h localhost -p 1389 -D "bindDN" -w password -b "baseDN" -s base '(objectclass=*)' numsubordinates
15. If an attribute has several index types and you want to remove one of them (here the ordering index):
dsconfig set-local-db-index-prop --port 4444 --hostname localhost --bindDN 'cn=Directory Manager' -w password --backend-name <backendName> --index-name <attributeName> --remove index-type:ordering --trustAll
To see which index properties can be set, use this command:
dsconfig get-local-db-index-prop --port 4444 --hostname localhost --bindDN 'cn=Directory Manager' -w password --backend-name <backendName> --index-name <attributeName> --trustAll
16. To get the global properties on OpenDJ (same as item 11)
dsconfig get-global-configuration-prop -p 4444 -X -n -h localhost -D "cn=Directory Manager" -w password
17. To see the resource limits that apply to one user, read the operational attributes ds-rlim-size-limit, ds-rlim-time-limit (and ds-rlim-lookthrough-limit) on that user's entry. They have to be requested by name, since operational attributes are not returned by default; when they are absent, the global limits apply.
18. To verify that an index is consistent with the entries
verify-index -b "baseDN"
Run it with the server stopped; add -i <indexName> to check a single index instead of all of them.
19. To rebuild all degraded indices
rebuild-index --rebuildDegraded -h localhost -p 4444 -D "cn=Directory Manager" -w password -b "baseDN" -X
20. To drop a particular index
dsconfig delete-local-db-index --port 4444 --hostname localhost --bindDN 'cn=Directory Manager' -w password --backend-name <backend> --index-name <indexname> -X -n
Searches that filter on that attribute become unindexed afterwards (see item 13), so check the access log for who uses it before dropping it.
21. To get backend properties
./dsconfig -p 4444 -h localhost -D "cn=Directory Manager" -w password get-backend-prop --backend-name <backend> -X
22. How to create a user that has the privilege to run unindexed searches (OpenDJ)
The LDIF below does three things in one file: it creates the account, grants it read and search access on the o=com suffix through an ACI, and adds the unindexed-search privilege. That privilege lets the account make the server scan a whole backend, so give it only to dedicated reporting accounts, and replace the placeholder password before use.
dn: uid=testuser,ou=example,o=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
cn: Test
sn: User
givenName: Test
userPassword: <password>

dn: o=com
changetype: modify
add: aci
aci: (target="ldap:///o=com")(version 3.0; acl "Allow reporting permissions"; allow(search, read) userdn="ldap:///uid=testuser,ou=example,o=com";)

dn: uid=testuser,ou=example,o=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: unindexed-search