How do I query the available base DNs in an OpenLDAP server?

9

3

If I have multiple branches in my directory (e.g. dc=me,dc=org; dc=you,dc=org; dc=them,dc=org) then how can I query the directory to give me a list of these available base DNs?

Is this a question of access rights, or do I have to give an argument to ldapsearch?

Basically I want an ldapsearch query that will return a list of DNs that I can then use as a -b argument to ldapsearch.

Iain Conochie

Posted 2014-04-12T08:16:29.317

Reputation: 155

Answers

11

Many servers expose such parameters as attributes of the "root DSE" entry (null DN), accessible without any authentication. The available base DNs are listed by the namingContexts attribute. (Some servers also list additional sysadmin-only DNs in configContext.)

Note that you must use base as the search scope when retrieving the rootDSE entry.

Also note that many servers classify rootDSE contents as "operational" attributes and might not return them in a wildcard search. You should request the attributes you want by name, or specify wildcards for both normal (*) and operational (+) attributes.

$ ldapsearch -b "" -s base namingContexts

dn:
namingContexts: dc=example,dc=org
namingContexts: dc=nullroute,dc=eu,dc=org

$ ldapsearch -b "" -s base \* +

dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=example,dc=org
namingContexts: dc=nullroute,dc=eu,dc=org
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
[...]

user1686

Posted 2014-04-12T08:16:29.317

Reputation: 283 655

You may also want to see this post https://serverfault.com/questions/40138/retrieve-operational-attributes-from-openldap to understand the + flag.

– MUY Belgium – 2019-08-29T11:32:47.577
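
The rootDSE query from the answer above, turned into a list of DNs usable as -b arguments (an added example, not part of the original answer; it is also a quick way to audit what an unauthenticated client can learn from the server). The function names, the -x/-LLL/-H options and the sample LDIF are assumptions of this example; it also handles folded and base64-encoded LDIF values and assumes a base64 command that accepts -d.

```shell
#!/bin/sh
# Added example (not from the original answer). Parses rootDSE LDIF output.

# Join folded LDIF lines: a line starting with one space continues the
# previous line (RFC 2849).
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR > 0) print buf }'
}

# Read LDIF on stdin, print one namingContexts value per line.
naming_contexts() {
    unfold_ldif | while IFS= read -r line; do
        # Attribute names are case-insensitive in LDAP.
        name=$(printf '%s' "${line%%:*}" | tr '[:upper:]' '[:lower:]')
        [ "$name" = namingcontexts ] || continue
        rest=${line#*:}
        case $rest in
            :*) # "attr:: value" means the value is base64-encoded
                printf '%s' "${rest#:}" | tr -d ' ' | base64 -d; echo ;;
            *)  printf '%s\n' "${rest# }" ;;
        esac
    done
}

# Hypothetical wrapper: anonymous simple bind (-x), plain LDIF (-LLL).
list_base_dns() {
    ldapsearch -x -LLL -H "$1" -b "" -s base namingContexts | naming_contexts
}

# Constructed sample rootDSE output: plain, folded and base64 values.
sample_rootdse() {
    cat <<'EOF'
dn:
namingContexts: dc=example,dc=org
namingContexts: ou=a-very-long-organizational-unit-name,dc=nullroute,dc=eu,d
 c=org
namingContexts:: ZGM9bcOpLGRjPW9yZw==
EOF
}

sample_rootdse | naming_contexts
```

Against a live server, `list_base_dns ldap://localhost` (a placeholder URI) prints the same kind of list, one base DN per line.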