lsldap Command
Purpose
Displays naming service objects from the configured LDAP directory server.
Syntax
lsldap [-a] [ entity [ entry_name | filter ] ]
Description
The lsldap command displays the naming service objects from the configured LDAP directory server. It queries the LDAP server through the secldapclntd daemon. Some or all of the objects of a particular entity can be listed by the lsldap command. By default, the lsldap command displays only the distinguished name (DN) of the returned objects. In addition, the -a flag can be used to view the attributes.
Entity | objectClass | Default attribute name |
---|---|---|
aapolicies | ibm-aixAccountingAdminPolicy | ibm-aixAdminPolicyName |
aaprojects | ibm-aixAccountingProject | ibm-aixProjectName |
admkeystore | ibm-usrkeystore | cn |
aixpert | ibm-aixAixpert | ibm-aixpertLabel |
aliases | mailGroup | cn |
auditclass | AIXAuditClassStanza | auditclassstanza |
auditconfig | AIXAuditConfig | auditconfig |
authorizations | ibm-authorization | cn |
automount | automountMap or nisObject | automountMapName or nisMapName (respectively) |
bootparams | bootableDevice | cn |
domains | ibm-aixRBACdomain | ibm-aixRBACdomainName |
domobjs | ibm-aixRBACdomainObject | ibm-aixRBACdomainObjectName |
efscookies | ibm-efskscookies | cn |
ethers | ieee802Device | cn |
group | posixgroup or AIXAccessGroup | cn or groupname (respectively) |
grpkeystore | ibm-grpkeystore | cn |
hosts | ipHost | cn |
netgroup | ipNetgroup | cn |
networks | ipNetwork | cn |
passwd | posixAccount or AIXAccount | uid or username (respectively) |
privcmds | ibm-privcmd | cn |
privdevs | ibm-privdev | cn |
protocols | ipProtocol | cn |
roles | aixaccessroles | rolename |
rpc | oncRpc | cn |
services | ipService | cn |
privfiles | ibm-privfile | cn |
usrkeystore | ibm-usrkeystore | cn |
The automount entity has two object classes. The lsldap command treats automountMap with higher precedence over nisMap by always returning automountMap objects if it finds any, and returning nisMap objects only in the absence of automountMap objects.
For the passwd and group entities, the lsldap command returns the correct objects according to the LDAP client configuration (posixAccount or AIXAccount users, posixgroup or AIXAccessGroup groups). However, for lsldap passwd attribute=value queries the attribute name must match the object class that is in use: a posixAccount user is matched with uid=name, an AIXAccount user with username=name, and likewise cn or groupname for the two group object classes.
If an entity name is not specified from the command line, the lsldap command displays container entries of the entities and any other entries that are siblings of these containers. Users must have root permissions to list the container entries.
The entry_name parameter is the name of the object to be queried. For example, if the entity is passwd, the entry_name is the user account name. The entry_name parameter is equivalent to the filter default attribute name = entry_name.
The lsldap command accepts the * wildcard in entry_name for a substring search. Quote the argument (for example "b*") so that the shell does not expand the wildcard against file names before lsldap sees it. All entries are returned if entry_name is not specified.
Instead of entry_name, a filter can also be supplied to search for entries that match certain criteria. Simple filters can be specified as attributename=attributevalue, where attributename is the LDAP attribute name. The filter is passed to the directory server as given, so a script that builds it from user-supplied input should restrict the value to the characters it expects rather than pass the input through unchanged.
The lsldap command prints the result to stdout. If the -a flag is not specified, lsldap prints entries that are found in the form of DNs, with each DN separated by a blank line. If the -a flag is specified, each entry is printed in the ldif format, with a blank line between entries.
Flags
Item | Description |
---|---|
-a | Displays all attributes of the returned objects. By default only the DN of each object is displayed. |
Exit Status
Upon success, the lsldap command returns 0. Upon failure, a nonzero value is returned, with one of the following error messages written to stderr:
Item | Description |
---|---|
EIO | Connection error. |
EINVAL | Invalid parameters. |
EPERM | No permission to run the operation. |
ENOMEM | Not enough memory. |
other errno | Other errors. |
Security
The lsldap command can be run by any user. It is owned by the root user and the security group, with access permissions of 555.
When a non-privileged user runs the lsldap -a passwd command against a netgroup-enabled LDAP module, the lsldap command does not display the user information if the DisplayNetgroupUserInfo attribute is set to no in the ldap.cfg file. By default, the user information of a netgroup-enabled LDAP module is displayed by the lsldap command irrespective of the privileges of the user running it.
When the root user lists the passwd entity with the -a flag, lsldap returns all attributes of the users found, including userpassword, as in the fourth example below. When the same command is run by a non-privileged user, lsldap returns only the commonly readable attributes that the lsuser command would return, plus the object class information. For all other entities the same output is generated regardless of which user runs the command.
Examples
- To list all entries of the hosts entity, enter the following command:
  lsldap hosts
  Information similar to the following is returned:
  dn: cn=myhost+ipHostNumber=192.3.193.46,ou=Hosts,cn=aixdata
  dn: cn=starfish+ipHostNumber=192.3.193.47,ou=Hosts,cn=aixdata
  dn: cn=loopback+ipHostNumber=127.0.0.1,ou=Hosts,cn=aixdata
- To list host starfish and all of its attributes, enter the following command:
  lsldap -a hosts starfish
  Information similar to the following is returned:
  dn: cn=starfish+ipHostNumber=192.3.193.47,ou=Hosts,cn=aixdata
  objectClass: top
  objectClass: ipHost
  objectClass: device
  ipHostNumber: 192.3.193.47
  cn: starfish
- To list users with names that begin with the letter b, enter the following command (the wildcard is quoted so that the shell does not expand it):
  lsldap passwd "b*"
  Information similar to the following is returned:
  dn: uid=bin,ou=people,cn=aixdata
  dn: uid=bob,ou=people,cn=aixdata
- To list user foo and its attributes, enter the following command as root (a non-privileged user does not receive the userpassword attribute):
  lsldap -a passwd foo
  Information similar to the following is returned:
  dn: uid=foo,ou=people,cn=aixdata
  uid: foo
  objectClass: account
  objectClass: posixAccount
  objectClass: shadowAccount
  objectClass: top
  cn: foo
  uidNumber: 259
  gidNumber: 1
  homeDirectory: /home/foo
  loginShell: /usr/bin/ksh
  shadowlastchange: 12740
  userpassword: {crypt}rNnLQ9TAD2u/k
  shadowmin: 5
- To list users whose login shell is /usr/bin/ksh, enter the following command:
  lsldap passwd loginshell=/usr/bin/ksh
  Information similar to the following is returned:
  dn: uid=bin,ou=people,cn=aixdata
  dn: uid=bob,ou=people,cn=aixdata
  dn: uid=foo,ou=people,cn=aixdata
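The following script is an added example, not part of the lsldap documentation or of AIX. It shows how the LDIF that lsldap -a passwd writes (one attribute per line, entries separated by a blank line, as described under Description) is post-processed in a shell pipeline: each account is reduced to its uid, uidNumber, loginShell and whether a userpassword attribute was returned, and directory accounts with uidNumber 0 are flagged for review. SAMPLE_LDIF is constructed sample output modelled on the examples above so the script runs without a directory server; on an AIX LDAP client the same functions would read lsldap -a passwd directly.

```shell
#!/bin/sh
# Added example: summarise "lsldap -a passwd" output. On an AIX LDAP client run
#   lsldap -a passwd | summarize_passwd_ldif
# SAMPLE_LDIF is constructed for this example; it is not real directory data.

SAMPLE_LDIF='dn: uid=bin,ou=people,cn=aixdata
uid: bin
objectClass: posixAccount
cn: bin
uidNumber: 2
gidNumber: 2
homeDirectory: /bin
loginShell: /usr/bin/ksh

dn: uid=foo,ou=people,cn=aixdata
uid: foo
objectClass: posixAccount
cn: foo
uidNumber: 259
gidNumber: 1
homeDirectory: /home/foo
loginShell: /usr/bin/ksh
userpassword: {crypt}rNnLQ9TAD2u/k

dn: uid=svc_backup,ou=people,cn=aixdata
uid: svc_backup
objectClass: posixAccount
cn: svc_backup
uidNumber: 0
gidNumber: 0
homeDirectory: /home/svc_backup
loginShell: /bin/false
'

# Print one line per entry: uid uidNumber loginShell hash-visible|hash-hidden.
# "hash-visible" means the server returned userpassword, which lsldap only
# passes on to a privileged caller (see Security), so it also tells you which
# privilege level the listing was taken at.
summarize_passwd_ldif() {
    awk '
    function flush() {
        if (dn != "")
            printf "%s %s %s %s\n", uid, uidnum, shell, (haspw ? "hash-visible" : "hash-hidden")
        dn = ""; uid = "?"; uidnum = "?"; shell = "?"; haspw = 0
    }
    BEGIN           { flush() }            # initialise the per-entry state
    /^$/            { flush(); next }      # a blank line ends an entry
    /^dn: /         { dn = substr($0, 5) }
    /^uid: /        { uid = substr($0, 6) }
    /^uidNumber: /  { uidnum = substr($0, 12) }
    /^loginShell: / { shell = substr($0, 13) }
    tolower($0) ~ /^userpassword: / { haspw = 1 }   # attribute names are case-insensitive
    END             { flush() }            # the last entry has no trailing blank line
    '
}

# Directory accounts with uidNumber 0 are root-equivalent on every client that
# uses this directory; list them so they can be reviewed.
uid0_accounts() {
    summarize_passwd_ldif | awk '$2 == "0" { print $1 }'
}

printf '%s' "$SAMPLE_LDIF" | summarize_passwd_ldif
printf '%s' "$SAMPLE_LDIF" | uid0_accounts
```

Run by a non-privileged user, every line of the summary reads hash-hidden, which is the expected result; a hash-visible line in a listing taken by a non-privileged account means the directory's access controls, not lsldap, are exposing password hashes and should be reviewed.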
Restrictions
The lsldap command relies on the secldapclntd daemon to work.
Location
/usr/sbin/lsldap