Question

I’ve been advised to use ldapsearch for LDAP enumeration, but I’m new to this tool. Could anyone walk me through the steps for using ldapsearch to query an LDAP directory for user and group information? I’d like to understand both the basic syntax and any advanced options that might enhance my searches.

If there are practical examples of ldapsearch usage or commands for gathering key user attributes, I’d appreciate the insights.

Answer 1

LDAP enumeration with ldapsearch facilitates the collection of data on users, groups, and directory items. This brief tutorial on ldapsearch covers both the fundamental syntax and more complex settings. Make sure you have the necessary rights to query the LDAP directory and that ldapsearch is installed on your computer.

Basic Syntax

The basic syntax of ldapsearch is as follows:

ldapsearch [options] filter [attributes]

• options: Various flags that modify the behavior of the search (e.g., specifying the LDAP server, authentication, search scope).
• filter: A query to narrow down the results (e.g., searching for a specific user or group).
• attributes: The specific attributes you want to retrieve from the matching entries (e.g., cn, mail, memberOf).

Basic Example

Search for all users with their common name (cn) and email (mail) attributes:

ldapsearch -x -h ldap.example.com -b "dc=example,dc=com" "(objectClass=person)" cn mail

-x: Use simple authentication instead of SASL.
-h ldap.example.com: Specify the LDAP server hostname.
-b "dc=example,dc=com": Set the base distinguished name (DN) for the search.
(objectClass=person): Filter to find entries of type "person", which typically represents users.
cn mail: Retrieve the cn (common name) and mail attributes.

Advanced Options and Examples

1. Authentication

• Simple Authentication

ldapsearch -x -D "cn=admin,dc=example,dc=com" -w password -h ldap.example.com -b "dc=example,dc=com" "(objectClass=*)"

-D: Specify the bind DN.
-w password: Provide the password for the bind DN.

• Using SSL/TLS (LDAPS)

ldapsearch -x -H ldaps://ldap.example.com:636 -D "cn=admin,dc=example,dc=com" -w password -b "dc=example,dc=com" "(objectClass=*)"

2. Search Scope

• Base (default): Searches only the specified base DN.

ldapsearch -x -h ldap.example.com -b "dc=example,dc=com" -s base "(objectClass=*)"

• One Level

ldapsearch -x -h ldap.example.com -b "dc=example,dc=com" -s one "(objectClass=*)"

Searches one level below the base DN.

• Subtree (default if not specified)

ldapsearch -x -h ldap.example.com -b "dc=example,dc=com" -s sub "(objectClass=*)"

Searches the base DN and all entries below it.

3. Filtering

• Find a Specific User by Common Name

ldapsearch -x -h ldap.example.com -b "dc=example,dc=com" "(cn=John Doe)"

• Find All Members of a Group (Assuming the member attribute is used to list group members)

ldapsearch -x -h ldap.example.com -b "dc=example,dc=com" "(cn=MyGroup)" member

• Find Users with a Specific Attribute Value:

ldapsearch -x -h ldap.example.com -b "dc=example,dc=com" "(mail=*example.com)" cn mail

4. Attribute Selection

• Retrieve All Attributes

ldapsearch -x -h ldap.example.com -b "dc=example,dc=com" "(objectClass=person)" "*"

• Retrieve Specific Attributes:

ldapsearch -x -h ldap.example.com -b "dc=example,dc=com" "(objectClass=person)" cn sn mail