3. Querying Oak LDAP with the ldap* Command-Line Utilities

The instructions in this section assume that you have configured your system according to Common Client Configuration.

ldapsearch and ldapcompare, part of the OpenLDAP client tools, may be used to perform initial testing of access to the LDAP service. In Debian, they are contained in the ldap-utils package.

Assuming the keytab of the principal that is allowed access to the LDAP service is available on your system, you can run:

$ export KRB5CCNAME=<PATH_TO_CREDENTIALS_CACHE>
$ kinit -k -t <PATH_TO_KEYTAB> <PRINCIPAL_NAME>
$ ldapsearch -H ldaps://ldap.oak.ox.ac.uk \
    -b ou=people,dc=oak,dc=ox,dc=ac,dc=uk \
    '(sn=<your surname>)'

Assuming the principal in question is permitted to view your record, this should return results that include information about you and other people with your surname.

$ ldapcompare -H ldaps://ldap.oak.ox.ac.uk \
    oakPrimaryPersonID=<yourpersonid (from above)>,ou=people,dc=oak,dc=ox,dc=ac,dc=uk \
    eduPersonOrgUnitDN:oakUnitCode=oucs,ou=units,dc=oak,dc=ox,dc=ac,dc=uk

This will return the string "TRUE" or "FALSE" depending on whether you have an affiliation with the unit (in this case oucs).

We recommend that you ensure that you can perform the above steps successfully on your server using the keytab/principal registered for access before going any further.
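
The keytab, kinit and ldapcompare steps above can be wrapped in a repeatable pre-flight check. The script below is an added example, not part of the Oak documentation: the function names, the argument order, the keytab permission check and the throw-away credentials cache are this example's own assumptions, and it relies on ldapcompare exiting with the LDAP result code (6 for compareTrue, 5 for compareFalse).

```shell
#!/bin/sh
# Added example: pre-flight check for the keytab/kinit/ldapcompare steps.
# Function names and argument order are this example's own choices.

LDAP_URI="ldaps://ldap.oak.ox.ac.uk"              # values from the page
PEOPLE_BASE="ou=people,dc=oak,dc=ox,dc=ac,dc=uk"
UNITS_BASE="ou=units,dc=oak,dc=ox,dc=ac,dc=uk"

# A keytab holds the principal's long-term key: succeed only if it is a
# regular file with no group/other permission bits set.
keytab_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1")" in
        ????------*) return 0 ;;   # mode string chars 5-10 all '-'
        *) return 1 ;;
    esac
}

# Map ldapcompare's exit status to a verdict. LDAP result codes are
# compareFalse (5) and compareTrue (6); anything else is a failure
# (bind error, no such object, insufficient access, ...).
compare_verdict() {
    case "$1" in
        6) echo TRUE ;;
        5) echo FALSE ;;
        *) echo "ERROR($1)" ;;
    esac
}

# usage: oak_preflight KEYTAB PRINCIPAL PERSONID UNITCODE
oak_preflight() {
    keytab_is_private "$1" || { echo "keytab missing or readable by group/other: $1" >&2; return 1; }
    # Private, throw-away credentials cache so tickets are not left behind.
    ccdir=$(mktemp -d) || return 1
    KRB5CCNAME="FILE:$ccdir/krb5cc"; export KRB5CCNAME
    status=1
    if kinit -k -t "$1" "$2"; then
        rc=0
        ldapcompare -z -H "$LDAP_URI" \
            "oakPrimaryPersonID=$3,$PEOPLE_BASE" \
            "eduPersonOrgUnitDN:oakUnitCode=$4,$UNITS_BASE" || rc=$?
        verdict=$(compare_verdict "$rc")
        echo "affiliation with $4: $verdict"
        case "$verdict" in TRUE|FALSE) status=0 ;; esac
    fi
    kdestroy 2>/dev/null || true
    rm -rf "$ccdir"
    return "$status"
}

if [ "$#" -eq 4 ]; then oak_preflight "$@"; fi
```

An ERROR verdict means the compare itself failed, which is distinct from a FALSE answer and usually points at the bind or at access control rather than at the affiliation.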
