scryptKiddy

Reputation: 477

How to use ldapsearch on a Domain Name instead of a specific host

I have a bash script that runs ldapsearch with no problems except it points to a DC that is sometimes not available.

The script uses a -h (for host) option to point to a specific Domain Controller (DC). I would like to point to the domain name instead so that it will still execute in case that particular DC is down.

Example

In our environment, we have 20 DCs under my.company.com. So my ldapsearch query uses the 1st DC in Bldg 1 with the following option, which works:

-H ldaps://bldg1dc01.my.company.com:636

If bldg1dc01 is down, the script will not execute. So I'd like to point the script to something like:

-H ldaps://my.company.com:636

But when I do that, I get:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

What is the syntax to query the domain name (my.company.com) instead of the specific DC, that way my script works even if that DC is down?

Upvotes: 0

Views: 3153

Answers (1)

Esteban

Reputation: 1815

EDIT :

After further research, I looked at the ldapsearch command, as I did not know about the possibility of providing multiple URIs.

The man page states (for the ldap-utils package command):

Specify URI(s) referring to the ldap server(s); a list of URI, separated by whitespace or commas is expected; only the protocol/host/port fields are allowed. As an exception, if no host/port is specified, but a DN is, the DN is used to look up the corresponding host(s) using the DNS SRV records, according to RFC 2782. The DN must be a non-empty sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396.

So it is possible to use DNS results to make the ldapsearch.

Example with google.com:

#  dig -t srv _ldaps._tcp.google.com +short
5 0 636 ldap.google.com.

So if I do the search with (escaping the URI):

# ldapsearch -H ldaps:///dc%3Dgoogle%2Cdc%3Dcom -v
ldap_initialize( ldaps://ldap.google.com:636 )
^C

So the command is able to look up DNS SRV records.

My bad for asserting what I believed was the only way to do it without further research.


Not relevant, but the information could be used in case no DNS records are available:

There is no problem with your syntax. This is a misunderstanding of what the ldapsearch does and what LDAP is.

LDAP is a protocol; the ldapsearch command is a client which communicates using this protocol.

It is the same as saying I try to connect to https://my.company.com on port 443 and it doesn't work, but when I do it on https://web01.my.company.com it works.

You need to have something listening on port 443 on my.company.com that load-balances/proxies the requests.

It is the same for LDAP.

Upvotes: 1
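The answer above gives two mechanisms from the ldapsearch man page for surviving a single DC being down: a host-less URI whose dc= DN is percent-escaped and resolved through DNS SRV (RFC 2782), and a whitespace- or comma-separated list of URIs that libldap tries in order. The following script is an added example, not code from the question or the answer, showing how to build both forms from a domain name in the way the original bash script would need. The domain my.company.com, the DC host names and the dig output are constructed sample data. One caveat the example encodes as an assumption: the dig call in the answer queried _ldaps._tcp, but Active Directory publishes its DC records under _ldap._tcp.<domain> with port 389, so the SRV service label and the LDAPS port (636) are made explicit parameters rather than taken from the record.

```python
"""Build ldapsearch -H arguments that survive one Domain Controller being down.

Added example (not from the original Q&A). The domain, DC host names and the
dig output below are constructed sample data.
"""
import random
import re
from urllib.parse import quote

# Constructed sample: what `dig -t srv _ldap._tcp.my.company.com +short` might
# print for a domain with three DCs. Columns: priority weight port target.
SAMPLE_DIG_OUTPUT = """\
0 100 389 bldg1dc01.my.company.com.
0 100 389 bldg1dc02.my.company.com.
10 50 389 bldg2dc01.my.company.com.
"""

SRV_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+(\S+?)\.?\s*$")


def dn_from_domain(domain: str) -> str:
    """my.company.com -> dc=my,dc=company,dc=com (the DN form libldap expects)."""
    labels = [label for label in domain.strip(".").split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def srv_uri(domain: str, scheme: str = "ldaps") -> str:
    """Host-less URI carrying an escaped dc= DN; libldap resolves it via SRV.

    The man page requires RFC 2396 escaping, so '=' becomes %3D and ',' %2C.
    """
    if scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {scheme}")
    return f"{scheme}:///{quote(dn_from_domain(domain), safe='')}"


def srv_name(domain: str, service: str = "_ldap._tcp") -> str:
    """SRV owner name to query. Assumption: AD publishes _ldap._tcp.<domain>."""
    return f"{service}.{domain.strip('.')}"


def parse_srv(dig_short: str) -> list:
    """Parse `dig +short` SRV output into (priority, weight, port, target)."""
    records = []
    for line in dig_short.splitlines():
        if not line.strip():
            continue
        match = SRV_LINE.match(line)
        if not match:
            raise ValueError(f"unexpected SRV line: {line!r}")
        prio, weight, port, target = match.groups()
        records.append((int(prio), int(weight), int(port), target.lower()))
    return records


def order_targets(records: list, seed=None) -> list:
    """Order SRV records per RFC 2782: lowest priority first; within one
    priority, weighted random selection, with weight-0 records chosen last."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r[0] for r in records}):
        pool = [r for r in records if r[0] == prio]
        while pool:
            pool.sort(key=lambda r: r[1] != 0)  # weight-0 entries first
            pick = rng.randint(0, sum(r[1] for r in pool))
            running = 0
            for i, rec in enumerate(pool):
                running += rec[1]
                if running >= pick:
                    ordered.append(pool.pop(i))
                    break
    return ordered


def host_uris(records: list, scheme: str = "ldaps", port=None, seed=None) -> list:
    """One URI per DC in SRV order. AD's SRV records carry port 389, so pass
    port=636 when the script must speak LDAPS."""
    return [f"{scheme}://{r[3]}:{port or r[2]}" for r in order_targets(records, seed)]


def multi_uri(uris: list) -> str:
    """ldapsearch -H accepts a whitespace-separated list of URIs and libldap
    tries them in order, so join the ordered candidates into one argument."""
    return " ".join(uris)


if __name__ == "__main__":
    recs = parse_srv(SAMPLE_DIG_OUTPUT)
    print("SRV-based:   -H", srv_uri("my.company.com"))
    print("explicit:    -H", repr(multi_uri(host_uris(recs, port=636))))
```

In the bash script the first form replaces the single host directly (`-H "ldaps:///dc%3Dmy%2Cdc%3Dcompany%2Cdc%3Dcom"`), while the second form is what to feed `-H` when the environment has no SRV records or when the LDAPS port must be forced; in both cases the certificate presented by whichever DC answers must still match a name the client trusts, so a wildcard or SAN covering every DC is needed for LDAPS to verify.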
