LDAP search Command

aka. Sanity check that ldap is working for a user

Syntax

ldapsearch -x -H "ldap://ip_addr:port" -D "ldapuser@foo.bar" -W -b "dc=domain,dc=org" "(sAMAccountName=ldap_user)"

Example

ldapsearch -x -H "ldap://x.x.x.x:3268" -D "ldapuser@mikelivolsi.com" -W -b "dc=mikelivolsi,dc=com" "(sAMAccountName=foobar_user)"

Better Example

ldapsearch \
  -H ldap://x.x.x.x:3268 \
  -x \
  -D "username@domain.org" \
  -W \
  -b "dc=mla,dc=org" \
  "(userPrincipalName=foo@bar.com)" \
cn

Explanation

  1. H is the ldap/ad server
  2. D is the username used to authenticate (signing onto the server)
  3. b is the tree structure
  4. userPrincipalName is the field you want to authenticate against
  5. cn is the field you want returned.

In the example above, you can switch “userPrincipalName” with “mail” to search on emails. If you don't want a specific field returned, you can omit 'cn', and/or specify more fields like

cn mail userPrincipalName sAMAccountName objectClass